--dry-run stopped working, though no error

My domain is: australianassetaggregation.com.au

I ran this command:
/home/ubuntu/letsencrypt/letsencrypt-auto certonly --dry-run --manual
--manual-public-ip-logging-ok
--manual-auth-hook /home/ubuntu/.bin/authenticator.sh
--manual-cleanup-hook /home/ubuntu/.bin/cleanup.sh
--agree-tos
--domain australianassetaggregation.com.au
--rsa-key-size 2048

It produced this output:
The dry run was successful

My web server is (include version): apache

The operating system my web server runs on is (include version): ubuntu 16

My hosting provider, if applicable, is: AWS ubuntu

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.36.0

After several tries on one domain, --dry-run stopped doing anything, without any error. Switching to a new domain, things go back to normal, but it stops again after a few runs.
Wondering if the --dry-run flag has a hidden limit, as I checked the rate limits, which say the staging env provides a very generous limit for testing.

Hi @hoandang

The staging system has a limit.

I don't know the exact value, but it's not unlimited. Looks like you have hit that limit.


Hmm, I doubt that I have hit the limit, as I've run it only a few times. Would you mind giving me instructions on how I can check my limit on a particular domain under the staging env?

I've found the limits here: https://letsencrypt.org/docs/staging-environment/ Are those the limits we are talking about?

The Certificates per Registered Domain limit is 30,000 per week.
The Duplicate Certificate limit is 30,000 per week.
The Failed Validations limit is 60 per hour.
The Accounts per IP Address limit is 50 accounts per 3 hour period per IP.
For ACME v2, the New Orders limit is 1,500 new orders per 3 hour period per account.

What does your log say:

/var/log/letsencrypt/letsencrypt.log

Hi @hoandang,

Were you able to figure out your problem? I see in the staging environment logs that there was successful certificate issuance for this domain in the past 3d.

It looked like, prior to the successful attempts, there were some HTTP-01 challenge failure errors related to your server returning an HTML document instead of the expected HTTP-01 challenge response.


Hmm, I couldn't run --dry-run so I tried prod anyway and it worked. But it's scary that I couldn't test it properly beforehand. Don't know if my command is somehow wrong, as right after one success of --dry-run, I can't rerun the same command again. It keeps showing the dry run was successful although I expect my authenticator.sh script to be triggered.

/home/ubuntu/letsencrypt/letsencrypt-auto certonly --manual --manual-public-ip-logging-ok --manual-auth-hook /home/ubuntu/.bin/authenticator.sh --agree-tos --keep-until-expiring --domain $DOMAIN --rsa-key-size 2048 >> /tmp/letsencrypt.log 2>&1


Your hook won’t be triggered if your ACME account already has a valid authorization for the name. (Valid authorizations are currently cached for 30 days.)

This is a somewhat recent change in Certbot – it used to execute the hook even when there was no need to.

(The Let’s Encrypt production and staging environments have separate accounts and separate challenges and authorizations.)

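An added example, not code from this thread or from Certbot: one POSIX sh script that serves as both the auth hook and the cleanup hook, records every invocation so a cached-authorization run (hook never called, dry run still "successful") can be told apart from a real one, and a check that the body served for a token is the bare validation string rather than the HTML page mentioned earlier in the thread. Assumed: WEBROOT is Apache's document root for the domain, HOOK_LOG is a log path you choose, and the file is wired as --manual-auth-hook "/path/hook.sh auth" --manual-cleanup-hook "/path/hook.sh cleanup".

```shell
#!/bin/sh
# Added example, not from the thread. Assumed wiring (one file, two roles):
#   --manual-auth-hook "/path/hook.sh auth" --manual-cleanup-hook "/path/hook.sh cleanup"
# Certbot exports CERTBOT_DOMAIN, CERTBOT_TOKEN and CERTBOT_VALIDATION to manual hooks.
WEBROOT="${WEBROOT:-/var/www/html}"            # assumed Apache document root
HOOK_LOG="${HOOK_LOG:-/var/log/acme-hook.log}" # assumed invocation log

# Auth hook: publish the key authorization under the well-known path.
place_challenge() {
    dir="$WEBROOT/.well-known/acme-challenge"
    mkdir -p "$dir"
    # printf, not echo: the body must be the exact string, no trailing newline
    printf '%s' "$CERTBOT_VALIDATION" > "$dir/$CERTBOT_TOKEN"
    # Record the call so a later run can show whether the hook fired at all
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$CERTBOT_DOMAIN" "$CERTBOT_TOKEN" >> "$HOOK_LOG"
}

# Cleanup hook: remove only this token's file, leave the directory for Apache.
remove_challenge() {
    rm -f "$WEBROOT/.well-known/acme-challenge/$CERTBOT_TOKEN"
}

# Compare the body served for a token with the expected validation string.
# Fetch it with: curl -s "http://$CERTBOT_DOMAIN/.well-known/acme-challenge/$token"
# An HTML page (catch-all vhost, redirect target, error page) fails this check.
challenge_body_ok() {
    [ "$1" = "$2" ]
}

# Number of recorded hook runs for a domain. Unchanged after a "successful"
# dry run means certbot reused a cached authorization and never called the hook.
hook_runs_for() {
    [ -f "$HOOK_LOG" ] || { echo 0; return 0; }
    grep -c -F " $1 " "$HOOK_LOG" || true
}

case "${1:-}" in
    auth)    place_challenge ;;
    cleanup) remove_challenge ;;
esac
```

Run `hook_runs_for australianassetaggregation.com.au` before and after a dry run: an unchanged count confirms the authorization was reused rather than the hook failing silently.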

The certbot team is also working on fixing this "gotcha" so it will be easier to test reliably with --dry-run without encountering authorization re-use. Interested people can follow that work here: Prevent authorization re-use for --dry-run/--staging/--deactivate-authorizations (#5116) by alexzorin · Pull Request #7266 · certbot/certbot · GitHub

