Since the Boulder update this morning (+360b474) we’ve started getting a bunch of ‘urn:acme:error:rateLimited’ errors (‘Error creating new registration :: too many registrations for this IP’). This started just after the update at about 2017-06-29 17:45 UTC.
Was there a change in the allowed rate limits, or the rate limiting algorithm? I don’t think we’ve changed our load pattern particularly.
Sorry, we forgot to communicate this clearly. We did in fact update the rate limits, and we should have updated the rate limits page / posted on API announcements first. In short: The “registrations per IP address” limit is now 10 per 3 hours. There’s a new limit, “registrations per IP range”, that applies to IPv6 /48 ranges and is 500 per 3 hours.
Can I ask what your use case is that you need to create large numbers of registrations?
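The two limits stated in the reply above, modelled as an added example (not part of the original thread and not Boulder's code). Only the limit values and the IPv6 /48 grouping come from the post; the sliding-window counting and all names here are assumptions, useful for checking whether a planned registration pattern would trip a limit.

```python
import ipaddress
from collections import defaultdict, deque

WINDOW = 3 * 60 * 60       # 3 hours in seconds (from the post)
PER_IP_LIMIT = 10          # "registrations per IP address"
PER_RANGE_LIMIT = 500      # "registrations per IP range" (IPv6 /48)


class RegistrationLimitModel:
    """Sliding-window model of both limits (window algorithm is an assumption)."""

    def __init__(self):
        # (kind, key) -> timestamps of accepted registrations
        self._events = defaultdict(deque)

    @staticmethod
    def keys_for(addr):
        """Return the (kind, key, limit) buckets a source address counts against."""
        ip = ipaddress.ip_address(addr)
        keys = [("ip", str(ip), PER_IP_LIMIT)]
        if ip.version == 6:
            # The range limit groups IPv6 addresses by their /48 prefix.
            net = ipaddress.ip_network(f"{ip}/48", strict=False)
            keys.append(("range", str(net), PER_RANGE_LIMIT))
        return keys

    def try_register(self, addr, now):
        """Return None if accepted, else the name of the limit that was hit."""
        keys = self.keys_for(addr)
        for kind, key, limit in keys:
            q = self._events[(kind, key)]
            while q and q[0] <= now - WINDOW:   # drop events older than 3 hours
                q.popleft()
            if len(q) >= limit:
                return kind                     # rejected requests are not counted
        for kind, key, _ in keys:
            self._events[(kind, key)].append(now)
        return None


def first_rejection(addrs, interval):
    """Replay one registration every `interval` seconds from the given
    source addresses; return (index, limit) of the first rejection or None."""
    model = RegistrationLimitModel()
    for i, addr in enumerate(addrs):
        hit = model.try_register(addr, i * interval)
        if hit:
            return i, hit
    return None
```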
Thanks, @jsha. We run a hosting platform, so we manage many customers’ domains. For simplicity and statelessness, our cert management process ends up creating a new registration each time it tries to generate a cert.
This was working fine until the recent update, but with this new rate limit it sounds like this is no longer a good pattern for us to use. We’re looking at refactoring our code to share a single registration now.
A couple questions to help us with this refactor:
Is the limit on new keys, or the agree registration call? That is, if we use the same key instead of generating a new one each time, but still call agree registration each time, will this trigger the rate limit?
If we’re reusing the same account each time, we now need to pay attention to other rate limits, such as “300 Pending Authorizations on your account”. Do pending authorizations ever expire? That is: if our process occasionally crashes and leaks a registration, will this build up forever until we run out? Any other stateful limits we need to consider?
@cpu @jsha Apparently these limits also apply to staging. During testing I’ve hit this limit pretty soon.
I don’t have the exact count but I guess it wasn’t more than cca. 20 attempts in a couple of hours.
Is this as intended or should this limit be more relaxed on staging?
2017-06-30 15:43:05,762:DEBUG:requests.packages.urllib3.connectionpool:https://acme-staging.api.letsencrypt.org:443 "POST /acme/new-reg HTTP/1.1" 429 144
2017-06-30 15:43:05,763:DEBUG:acme.client:Received response:
Expires: Fri, 30 Jun 2017 15:43:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Fri, 30 Jun 2017 15:43:05 GMT
"detail": "Error creating new registration :: too many registrations for this IP",
Thanks all! We reworked our code to avoid creating many new accounts and now use one account for all requests. Things seem to be working OK – we’ve still got a little clean up to do as we’re hitting a couple new rate limit issues, mostly we just need to tweak some retry backoffs.
This will hit a different error, as we don’t allow the same account key to be used across multiple accounts.