Client error: `POST https://acme-v02.api.letsencrypt.org/acme/new-order`

Hi guys, I'm new around here. Thank you for accepting me on the forum.

I'm facing a challenge and I've already searched the forum, but I found little useful information for my case.

I just created a brand new server and registered a subdomain which is linked to your new IP address.

Despite having configured all the DNS correctly, I am in no way able to issue an SSL certificate for this subdomain.

I have a new email address with an SSL certificate, and I currently only own three domains with SSL, so I haven't reached the letsencrypt limit yet.

DNS "A" - pointed, IPV6 too.
Http working fine on port 80.
I already checked the firewall.

Error

An error has occurred, error message: An error occurred while requesting an order, error message: Client error: `POST https://acme-v02.api.letsencrypt.org/acme/new-order` resulted in a `429 Too Many Requests` response: { "type": "urn:ietf:params:acme:error:rateLimited", "detail": "Error creating new order :: too many failed authoriza (truncated...)

Help!

Hello @denverfix, welcome to the Let's Encrypt community. :slightly_smiling_face:

See Rate Limits - Let's Encrypt and Failed Validation Limit - Let's Encrypt

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Thank you for assisting us in helping YOU!

4 Likes

Also, such testing is best done on the LE staging environment.

3 Likes

Sorry guys, I'll try to detail as much as possible!

The subdomain I want to issue the SSL is:

https://academy.emgrupo.pro/

And I'm using CloudPanel in its latest version to manage the website and issue the SSL.

And I host my server at Hetzner.

On my main domain, I can issue SSL normally, emgrupo.pro

But in the subdomain I can't.

An important detail...

...In the main domain I'm using a different server and IP address than the subdomain, does it have something to do with that?

Sorry for my English, I'm not 100% fluent and sometimes I resort to the translator.

Thanks to everyone who can help!

1 Like

You are probably hitting the Failed Authorization limit, linked to by @Bruce5051 above. That happens once you have 5 failures per hostname, per account, per hour.

Some typical causes of this are:

  • DNS misconfiguration. You should ensure the public internet can access this.
  • Client or networking misconfiguration. This can usually be worked out first without using an ACME client, and then by using the staging environment.
  • Another (likely decommissioned) machine is still running in your cloud and trying to renew certificates with your account. Because DNS no longer points to that machine, those requests are guaranteed to fail.
  • A broken client.

Some things that may work:

  • Ensure no other machines are configured in your organization for this domain.
  • Try to access the domain/subdomain from an external network – e.g. at home, or another cloud service. You can use letsdebug to help iron out some of these issues
5 Likes
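The failed-validation limit described in the reply above (5 failures per hostname, per account, per hour) has a consequence that trips people up: once the budget is spent, the next order for that hostname gets a 429 before any validation happens, so fixing DNS does not help until the oldest failure ages out. The sliding-window model below is an added example and not Let's Encrypt's (Boulder's) code; the numbers come from the post, while the bookkeeping, the account/hostname keys and the retry timeline are constructed for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Numbers from the post above: 5 failed authorizations per hostname, per
# account, per hour. The sliding-window bookkeeping below is an illustrative
# model, not Boulder's implementation.
FAILED_AUTHZ_LIMIT = 5
WINDOW = timedelta(hours=1)


class FailedAuthzLimiter:
    """Tracks failed validations per (account, hostname) in a sliding window."""

    def __init__(self):
        self._failures = {}

    def _bucket(self, account, hostname, now):
        bucket = self._failures.setdefault((account, hostname.lower()), deque())
        # Drop failures that have aged out of the window.
        while bucket and now - bucket[0] >= WINDOW:
            bucket.popleft()
        return bucket

    def allowed(self, account, hostname, now):
        return len(self._bucket(account, hostname, now)) < FAILED_AUTHZ_LIMIT

    def record_failure(self, account, hostname, now):
        self._bucket(account, hostname, now).append(now)

    def retry_after(self, account, hostname, now):
        bucket = self._bucket(account, hostname, now)
        if len(bucket) < FAILED_AUTHZ_LIMIT:
            return timedelta(0)
        return bucket[0] + WINDOW - now


def simulate(attempts):
    """Replay (time, account, hostname, validation_would_succeed) tuples.

    Returns one outcome string per attempt. A 429 is returned before any
    validation happens, so a now-correct DNS setup still gets rejected until
    the oldest failure ages out of the window.
    """
    limiter = FailedAuthzLimiter()
    outcomes = []
    for when, account, hostname, would_succeed in attempts:
        if not limiter.allowed(account, hostname, when):
            wait = limiter.retry_after(account, hostname, when)
            outcomes.append(f"429 rateLimited, retry after {int(wait.total_seconds() // 60)} min")
        elif would_succeed:
            outcomes.append("issued")
        else:
            limiter.record_failure(account, hostname, when)
            outcomes.append("validation failed")
    return outcomes


# Constructed scenario (not from the thread's logs): a control panel retries
# a broken www hostname every 5 minutes, the operator fixes DNS at +30 min,
# and the same account keeps issuing for the bare hostname in the meantime.
T0 = datetime(2023, 7, 13, 12, 0, 0)
ACCOUNT = "acct-constructed"
SCENARIO = [
    (T0 + timedelta(minutes=5 * i), ACCOUNT, "www.academy.example", False)
    for i in range(5)
] + [
    (T0 + timedelta(minutes=30), ACCOUNT, "www.academy.example", True),
    (T0 + timedelta(minutes=31), ACCOUNT, "academy.example", True),
    (T0 + WINDOW + timedelta(minutes=1), ACCOUNT, "www.academy.example", True),
]

if __name__ == "__main__":
    for attempt, outcome in zip(SCENARIO, simulate(SCENARIO)):
        print(attempt[0].strftime("%H:%M"), attempt[2], "->", outcome)
```

The sixth attempt in the scenario is rejected even though validation would now succeed, which is exactly the situation in the thread: a panel or cron job that retried in a loop has already consumed the hourly budget. The bare hostname is a different key and is unaffected. Since the limit is per environment, the same loop run against the staging endpoint would have burned staging's budget instead of production's, which is why the reply above recommends testing there.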

If you put the website https://academy.emgrupo.pro/ into https://letsdebug.net/, you will see that the website has no HTTP problem.

And I don't have a DNS problem either, just put my domain into DNS Checker - DNS Check Propagation Tool.

It is propagated in several regions of the world, which means it is working well!

Also, I didn't exceed letsencrypt's limit, it's weird to say the least.

I cannot identify any error on my side.

I can not verify that, because I don't know where that domain name is supposed to point to.

You received a ratelimit error, so you did exceed a ratelimit.

5 Likes

You got a cert for that subdomain yesterday

But, your server is not using it but instead using a self-signed cert. Use a site like this SSL Checker to view the cert being used (this site only uses IPv4 so can't check if same cert on your IPv6 address but I can confirm they are both the self-signed cert)

I know this doesn't explain your 429 too many failed authorizations. But, it proves you could get a cert for the subdomain.

I don't know CloudPanel but maybe you could find a log that shows when it makes requests. Let's Encrypt won't say "too many" without there being too many :slight_smile:

4 Likes

So that we might see the previous error(s), can you show that entire log file?

2 Likes

I find it funny how I manage to issue the SSL only for academy.emgrupo.pro, without the www.

I just can't send with www, see the links with www and without www.

With www

www.academy.emgrupo.pro/

no www

academy.emgrupo.pro

See my DNS record, is there really something wrong?

https://uploaddeimagens.com.br/imagens/1T6eV90

Thanks everyone for trying to help!

Why does www.academy.emgrupo.pro have a CNAME to emgrupo.pro, not academy.emgrupo.pro?

3 Likes

More importantly, how do you have both an A record and a CNAME? No other record types (except DNSSEC) are permitted to share the same name as a CNAME. That name is also too deep to work with Cloudflare Universal SSL and will need to either remain set to DNS Only or add Advanced Certificate Management to cover that deep of a subdomain.

3 Likes

It's an A on academy and a CNAME on www.academy, so that's not a problem.

3 Likes

It appears that the DNS Hero Android app shows the resolved A record of the canonical name. I'll have to keep that in mind when operating away from the console.

3 Likes
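The rule raised a few posts up (no record type other than DNSSEC signatures and NSEC data may share an owner name with a CNAME, RFC 1034 section 3.6.2) and the follow-up that the screenshot was actually an A on academy and a CNAME on www.academy are both easy to check mechanically before touching the ACME client. The script below is an added example, not from the thread or from any DNS tool mentioned in it; the zone records, names and addresses are constructed placeholders, with one deliberately broken name included to show what a real conflict looks like.

```python
from collections import defaultdict

# Constructed zone records as (owner name, type, data). Names and addresses
# are placeholders loosely modelled on the layout discussed above.
ZONE = [
    ("academy.example.", "A", "203.0.113.10"),
    ("academy.example.", "AAAA", "2001:db8::10"),
    ("www.academy.example.", "CNAME", "academy.example."),
    # Deliberately broken: an A record sharing an owner name with a CNAME,
    # which RFC 1034 section 3.6.2 forbids (DNSSEC record types excepted).
    ("broken.example.", "CNAME", "academy.example."),
    ("broken.example.", "A", "203.0.113.99"),
    ("broken.example.", "RRSIG", "..."),
]

# Record types that may legitimately coexist with a CNAME at the same name.
CNAME_COMPATIBLE = {"CNAME", "RRSIG", "NSEC", "NSEC3"}


def _canon(name):
    """Normalise an owner name: lower-case, single trailing dot."""
    return name.lower().rstrip(".") + "."


def cname_conflicts(records):
    """Return {owner name: sorted other types} for every name that carries a
    CNAME alongside any non-DNSSEC record type."""
    types_by_name = defaultdict(set)
    for name, rtype, _ in records:
        types_by_name[_canon(name)].add(rtype.upper())
    conflicts = {}
    for name, types in types_by_name.items():
        if "CNAME" in types:
            others = sorted(types - CNAME_COMPATIBLE)
            if others:
                conflicts[name] = others
    return conflicts


def resolve_addresses(records, name, depth=0):
    """Follow CNAMEs to the final A/AAAA set, the way a resolver (and the DNS
    Hero app mentioned above) ends up showing the canonical name's addresses."""
    if depth > 8:
        raise ValueError("CNAME chain too long")
    name = _canon(name)
    cnames = [data for n, t, data in records if _canon(n) == name and t.upper() == "CNAME"]
    if cnames:
        return resolve_addresses(records, cnames[0], depth + 1)
    return {data for n, t, data in records if _canon(n) == name and t.upper() in ("A", "AAAA")}


def same_endpoint(records, name_a, name_b):
    """True when both names end at an identical, non-empty A/AAAA set, which is
    what an HTTP-01 validation for the www name needs if it is to hit the same
    web server as the bare name."""
    addrs_a = resolve_addresses(records, name_a)
    return bool(addrs_a) and addrs_a == resolve_addresses(records, name_b)


if __name__ == "__main__":
    print("CNAME conflicts:", cname_conflicts(ZONE))
    print("www.academy ->", sorted(resolve_addresses(ZONE, "www.academy.example")))
    print("same endpoint:", same_endpoint(ZONE, "academy.example", "www.academy.example"))
```

Run against a zone exported from the provider's panel, this flags only owner names that genuinely violate the CNAME rule; the academy/www.academy pair in the constructed zone passes, matching the later clarification in the thread, while `broken.example.` is reported with the offending `A` type. The resolver helper also shows why a GUI that displays the resolved A record for a CNAME'd name can be misread as a conflict.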

I've already made several attempts, using different approaches, to issue SSL for the www, however, I still haven't been successful.

I can't do it without www, I can't do it with www, I've never been through that.

It makes no sense,

You have gotten two certs for academy.emgrupo.pro in the past two days.

It looks like you are in middle of changing your DNS or server config. I see you have added AAAA records for IPv6

Let us know when you have a stable setup you want us to look at

4 Likes

I can issue the certificate for academy.emgrupo.pro, without the www.

With www.academy.emgrupo.pro, I cannot resolve the ssl.

I am changing the DNS and performing tests, but still, I can not solve the problem.

What do you have in mind, what settings do you think I should do in DNS.

Bear in mind that academy.emgrupo.pro is one IP address and emgrupo.pro is a different IP address.

:smiley:

Your DNS looks good now. Your academy and www.academy names have the same two IP addresses (one A and one AAAA)

But, I cannot get a response from your www domain. And, your root name still uses a self-signed cert and not a valid Let's Encrypt cert that you got.

Do you configure nginx yourself or is that part of CloudPanel?

Getting the www domain to respond the same as academy is a key step. Note this has nothing to do with Let's Encrypt. These are requests for your "home page":

curl -I  http://www.academy.emgrupo.pro
curl: (52) Empty reply from server

curl -I  http://academy.emgrupo.pro
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Thu, 13 Jul 2023 14:40:46 GMT
Location: https://academy.emgrupo.pro/
4 Likes

I don't configure Nginx, it's part of CloudPanel.

I will try to use another panel.

Maybe it's problem in cloudpanel itself.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.