Hi guys, I'm new around here. Thank you for accepting me on the forum.
I'm facing a challenge and I've already searched the forum, but I found little useful information for my case.
I just created a brand new server and registered a subdomain which is linked to your new IP address.
Despite having configured all the DNS correctly, I am in no way able to issue an SSL certificate for this subdomain.
I have a new email address with an SSL certificate, and I currently only own three domains with SSL, so I haven't reached the letsencrypt limit yet.
DNS "A" - pointed, IPv6 too.
HTTP working fine on port 80.
I already checked the firewall.
Error
An error has occurred, error message: An error occurred while requesting an order, error message: Client error: `POST https://acme-v02.api.letsencrypt.org/acme/new-order` resulted in a `429 Too Many Requests` response: { "type": "urn:ietf:params:acme:error:rateLimited", "detail": "Error creating new order :: too many failed authoriza (truncated...)
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
You are probably hitting the Failed Authorization limit, linked to by @Bruce5051 above. That happens once you have 5 failures per hostname, per account, per hour.
Some typical causes of this are:
DNS misconfiguration. You should ensure the public internet can access this.
Client or Networking misconfiguration. This can usually be worked out without using an ACME client, and then using the staging environment.
Another (likely decommissioned) machine is still running in your cloud and trying to renew Certificates with your account. Because DNS does not point to that machine any longer, the requests are ensured to fail.
A broken Client.
Some things that may work:
Ensure no other machines are configured in your organization for this domain.
Try to access the domain/subdomain from an external network – e.g. at home, or another cloud service. You can use letsdebug to help iron out some of these issues.
But, your server is not using it but instead using a self-signed cert. Use a site like this SSL Checker to view the cert being used (this site only uses IPv4 so can't check if same cert on your IPv6 address but I can confirm they are both the self-signed cert)
I know this doesn't explain your 429 too many failed authorizations. But, it proves you could get a cert for the subdomain.
I don't know CloudPanel but maybe you could find a log that shows when it makes requests. Let's Encrypt won't say "too many" without there being too many.
More importantly, how do you have both an A record and a CNAME? No other record types (except DNSSEC) are permitted to share the same name as a CNAME. That name is also too deep to work with Cloudflare Universal SSL and will need to either remain set to DNS Only or add Advanced Certificate Management to cover that deep of a subdomain.
It appears that the DNS Hero Android app shows the resolved A record of the canonical name. I'll have to keep that in mind when operating away from the console.
Your DNS looks good now. Your academy and www.academy names have the same two IP addresses (one A and one AAAA)
But, I cannot get a response from your www domain. And, your root name still uses a self-signed cert and not a valid Let's Encrypt cert that you got.
Do you configure nginx yourself or is that part of CloudPanel?
Getting the www domain to respond same as academy is a key step. Note this has nothing to do with Let's Encrypt. These are requests for your "home page".
curl -I http://www.academy.emgrupo.pro
curl: (52) Empty reply from server
curl -I http://academy.emgrupo.pro
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Thu, 13 Jul 2023 14:40:46 GMT
Location: https://academy.emgrupo.pro/
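
Added example, not part of any post in this thread: a small audit of the Failed Authorization limit quoted above (5 failures per hostname, per account, per hour), which also shows which machine sent each failing request so a forgotten server stands out. The event records, account name, hostnames and machine names are constructed, and the limit is modeled as a simple sliding window, which is an assumption about how the server counts.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LIMIT = 5                    # failed validations allowed (figure quoted in the thread)
WINDOW = timedelta(hours=1)  # per hostname, per account, per hour

def t(hhmm):
    """Constructed helper: a UTC time on an arbitrary sample day."""
    h, m = map(int, hhmm.split(":"))
    return datetime(2023, 7, 13, h, m)

# Constructed sample data: (time, ACME account, hostname, machine that sent the order).
EVENTS = [
    (t("14:00"), "acct-1", "academy.example.com", "new-server"),
    (t("14:05"), "acct-1", "academy.example.com", "old-vm"),
    (t("14:10"), "acct-1", "academy.example.com", "new-server"),
    (t("14:20"), "acct-1", "academy.example.com", "old-vm"),
    (t("14:30"), "acct-1", "academy.example.com", "new-server"),
    (t("14:50"), "acct-1", "www.academy.example.com", "new-server"),
]

def audit(events, now, limit=LIMIT, window=WINDOW):
    """Summarise failed validations per (account, hostname) in the window ending at `now`."""
    recent = defaultdict(list)
    for ts, account, host, source in events:
        if now - window < ts <= now:
            recent[(account, host)].append((ts, source))
    report = {}
    for key, fails in recent.items():
        fails.sort()
        limited = len(fails) >= limit
        report[key] = {
            "failures": len(fails),
            "limited": limited,
            # Assumption: sliding window, so a retry fits once the oldest of the
            # last `limit` failures is a full window old.
            "retry_after": fails[-limit][0] + window if limited else None,
            "sources": Counter(src for _, src in fails),
        }
    return report

if __name__ == "__main__":
    for (account, host), row in audit(EVENTS, now=t("14:55")).items():
        print(account, host, row["failures"], "limited" if row["limited"] else "ok",
              row["retry_after"], dict(row["sources"]))
```
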