Could not get nonce, let's try again. has been blocked due to ridiculously excessive traffic

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

visualyont.tk

I ran this command:
acme.sh --issue -d visualyont.tk -w /var/www/acme-challenge

It produced this output:
Could not get nonce, let's try again.
[Mon Nov 16 02:35:45 PM UTC 2020] GET
[Mon Nov 16 02:35:45 PM UTC 2020] url='https://acme-v02.api.letsencrypt.org/directory'
[Mon Nov 16 02:35:45 PM UTC 2020] timeout=
[Mon Nov 16 02:35:45 PM UTC 2020] _CURL='curl -L --silent --dump-header /home/acme/.acme.sh/http.header -g '
[Mon Nov 16 02:35:45 PM UTC 2020] ret='0'
[Mon Nov 16 02:35:45 PM UTC 2020] Could not get nonce, let's try again.
[Mon Nov 16 02:35:48 PM UTC 2020] GET
[Mon Nov 16 02:35:48 PM UTC 2020] url='https://acme-v02.api.letsencrypt.org/directory'
[Mon Nov 16 02:35:48 PM UTC 2020] timeout=
[Mon Nov 16 02:35:48 PM UTC 2020] _CURL='curl -L --silent --dump-header /home/acme/.acme.sh/http.header -g '
[Mon Nov 16 02:35:48 PM UTC 2020] ret='0'
[Mon Nov 16 02:35:48 PM UTC 2020] Could not get nonce, let's try again.
[Mon Nov 16 02:35:51 PM UTC 2020] GET
[Mon Nov 16 02:35:51 PM UTC 2020] url='https://acme-v02.api.letsencrypt.org/directory'
[Mon Nov 16 02:35:51 PM UTC 2020] timeout=
[Mon Nov 16 02:35:51 PM UTC 2020] _CURL='curl -L --silent --dump-header /home/acme/.acme.sh/http.header -g '
[Mon Nov 16 02:35:52 PM UTC 2020] ret='0'
[Mon Nov 16 02:35:52 PM UTC 2020] Could not get nonce, let's try again.
[Mon Nov 16 02:35:55 PM UTC 2020] Giving up sending to CA server after 20 retries.
[Mon Nov 16 02:35:55 PM UTC 2020] Register account Error: {"type": "urn:ietf:params:acme:error:rateLimited", "detail": "Your IP, 45.77.190.231, has been blocked due to ridiculously excessive traffic. Once corrected, request a review by emailing unblock-request@letsencrypt.org"}
[Mon Nov 16 02:35:55 PM UTC 2020] _on_issue_err
[Mon Nov 16 02:35:55 PM UTC 2020] Please check log file for more details: /home/acme/.acme.sh/acme.sh.log

My web server is (include version):

The operating system my web server runs on is (include version):
Ubuntu 20
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

1 Like

It's been a while since I've seen that!

1 Like

Holy $#!+!
:astonished:

@jsha

Is that the actual wording coming from Boulder!?

2 Likes

Yep! This is the message you get when we've manually blocked an IP address for - you guessed it - ridiculously excessive traffic. :slight_smile: @kyon12345 can you send mail to that address with info about your setup and steps you've taken to fix the excessive traffic? That's the process to get unblocked.

4 Likes

Also worth noting: It's possible, with cloud providers, that you've inherited an IP address that someone else was using previously and got blocked. If you've only had this IP address for a short while, that is also useful to convey in your email.

3 Likes

It looks like they're trying to get a nonce from the directory endpoint. That won't work to my knowledge. They need to hit the newNonce endpoint. Or maybe it's just a linear process restarting over and over again and failing at different points.

1 Like

Looks to be a memoryless script.

1 Like

It's a holdover from ACMEv1, but you can still get a nonce by sending a HEAD request to any resource, including the directory.

Edit: on second review, I don't think that's what's happening anyway, it's probably first trying to find the newNonce URL in the first place by downloading the directory!

2 Likes

I agree. I'm just out of edits again and couldn't update my initial response. :pensive: My last response about memoryless script is most likely accurate.

1 Like

Are you sure about the directory having a nonce? If so, I need to update my client.

1 Like

You should still get the first nonce from sending a HEAD to newNonce. That's what RFC8555 says you should do.

It's just that Boulder sends nonces from the directory as well, e.g.:

$ curl -I https://acme-v02.api.letsencrypt.org/directory
HTTP/2 200
server: nginx
date: Mon, 16 Nov 2020 20:24:51 GMT
content-type: application/json
content-length: 658
cache-control: public, max-age=0, no-cache
replay-nonce: 01048w9X1dW7lUVvYwG1rcO5oIsYoU1E6L9cuUtIE_E6d-Y
x-frame-options: DENY
strict-transport-security: max-age=604800

4 Likes
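As an added example (not acme.sh's code and not from the thread): a minimal Python nonce fetcher that follows the RFC 8555 flow the reply above describes, discovering newNonce from the directory and taking the Replay-Nonce from a HEAD, and that stops as soon as the CA answers with the rateLimited problem document instead of retrying blindly the way the log above shows. The injected transport function, the ca.example URLs and all responses are constructed stand-ins.

```python
import json
RATE_LIMITED = "urn:ietf:params:acme:error:rateLimited"
class AcmeError(Exception):
    """Carries the ACME problem-document type when the CA refuses a request."""
    def __init__(self, problem):
        super().__init__(problem.get("detail", ""))
        self.problem_type = problem.get("type", "")

def _raise_if_problem(status, headers, body):
    # ACME errors arrive as application/problem+json (RFC 8555 section 6.7).
    if status >= 400:
        ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
        if ctype.startswith("application/problem+json"):
            raise AcmeError(json.loads(body))
        raise RuntimeError(f"HTTP {status} without a problem document")

def find_new_nonce_url(directory_json):
    # RFC 8555 section 7.1.1: the directory maps resource names to their URLs.
    directory = json.loads(directory_json)
    if "newNonce" not in directory:
        raise ValueError("directory has no newNonce resource")
    return directory["newNonce"]

def get_nonce(transport, directory_url, max_retries=3):
    # transport(method, url) -> (status, headers, body): a hypothetical injected HTTP layer.
    status, headers, body = transport("GET", directory_url)
    _raise_if_problem(status, headers, body)
    new_nonce_url = find_new_nonce_url(body)
    for _ in range(max_retries):
        status, headers, body = transport("HEAD", new_nonce_url)  # RFC 8555 section 7.2
        _raise_if_problem(status, headers, body)  # a rateLimited problem aborts here
        nonce = {k.lower(): v for k, v in headers.items()}.get("replay-nonce")
        if nonce:
            return nonce
    raise RuntimeError(f"no Replay-Nonce after {max_retries} attempts")

# Constructed sample responses (not real CA traffic) so the block runs offline.
SAMPLE_DIRECTORY = json.dumps({"newNonce": "https://ca.example/acme/new-nonce"})

def sample_transport(method, url):
    if url.endswith("/directory"):
        return 200, {"Content-Type": "application/json"}, SAMPLE_DIRECTORY
    if method == "HEAD" and url.endswith("/new-nonce"):
        return 200, {"Replay-Nonce": "constructed-nonce-123"}, ""
    return 404, {}, ""

def blocked_transport(method, url):
    # Models a CA refusing every request with the rateLimited problem seen in the thread.
    problem = {"type": RATE_LIMITED, "detail": "blocked due to excessive traffic"}
    return 429, {"Content-Type": "application/problem+json"}, json.dumps(problem)
```

Against a blocked CA the function makes exactly one request and surfaces the problem type, which is the point at which a client should stop and the operator should read the detail text.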

Ah. Good to know. Thanks for that. :blush:

1 Like

Thanks for replying, I will send the mail.

4 Likes