[Docker-Traefik] SSL certificates generation error (rateLimited)

Rathorian · February 19, 2018, 2:47pm

My domain is: rathorian.fr

Hello,

I use Docker (version 17.12.0-ce) and Traefik (1.5-alpine).
I am trying to generate a new certificate with Traefik but it is impossible because I have a rateLimited error on my domain.

Here is my traefik.toml file:

traefik.toml

defaultEntryPoints = ["https","http"]

[api]
entryPoint = "traefik"
dashboard = true

[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
minVersion = "VersionTLS12"
cipherSuites = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"]
[entryPoints.traefik]
address = ":8080"
[entryPoints.traefik.auth.basic]
users = ["Admin:$2y$10$lSc7dsfUIGhgtgeq76768M4/JgqojrgUIGYIFszezgerfqQa"]

[acme]
email = "contact@rathorian.fr"
storage = "/etc/traefik/acme/acme.json"
entryPoint = "https"
onHostRule = false
acmeLogging = true
onDemand = false
[acme.httpChallenge]
entryPoint = "http"

[[acme.domains]]
main = "mail.rathorian.fr"
sans = ["spam.rathorian.fr", "postfixadmin.rathorian.fr", "webmail.rathorian.fr"]

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "rathorian.fr"
watch = true
exposedbydefault = false

Here is the return of the Traefik logs:

docker logs -f traefik

Sorry, I was forced to use a pasteBin because as a new user, I could post up to 20 links.

https://paste.mondedie.fr/?e467e22766c6201f#dxXxZ5rtMWo0brCfVIsmHPHOABxo4fXsvIw1g1RVZNE=

However, since yesterday morning, impossible to create a new certificate.

The documentation says:

The Certificates per Registered Domain limit is 30,000 per week.
The Duplicate Certificate limit is 30,000 per week.
The Failed Validations limit is 60 per hour.
The Accounts per IP Address is 50 accounts per 3 hour per IP.

I have not reached the 30,000 per week because it is impossible.
For the 60 validations per hour or the accounts per 3 hour since yesterday morning, the time is largely exceeded.

I do not understand this blockage.
Would you have an idea please?

Thank you

mnordhoff · February 19, 2018, 3:52pm

Those are the rate limits for the staging environment. The production API’s rate limits are much lower:

In particular, the Certificates per Registered Domain limit is 20 per week.

Rathorian · February 19, 2018, 4:06pm

So seeing this: https://crt.sh/?Identity=%rathorian.fr

I could not create a certificate before February 22?
I’m disgusted, how am I going to do until the setting aside

jple · February 21, 2018, 6:47am

Hi Rathorian!

Check out the full text of this doc for a few tips on how to use the rate limit:

You may find a few helpful pieces of information there. But from the looks of your crt.sh, you will be able to issue more certificates tomorrow.

Also if it’s beneficial, the staging environment (like you mentioned) does not have the same rate limits: https://letsencrypt.org/docs/staging-environment/

Thanks for using Let’s Encrypt!

system · March 23, 2018, 6:47am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.