Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

oss.umiuni.com

I ran this command:
certbot renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/oss.umiuni.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Attempting to renew cert (oss.umiuni.com) from /etc/letsencrypt/renewal/oss.umiuni.com.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/oss.umiuni.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/oss.umiuni.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

My web server is (include version):
nginx version: nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version):
|Distributor ID:|Ubuntu|
|---|---|
|Description:|Ubuntu 16.04.6 LTS|
|Release:|16.04|
|Codename:|xenial|

My hosting provider, if applicable, is:
Godaddy, Ubuntu server

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

The error that you’ve written about is you hitting the limit for failed renewal attempts. You get 5 attempts per hour.

Luckily, you can use --dry-run to do a “test run” of your renewal without hitting this limit.

Could you please provide the output of:

certbot renew --dry-run

Hi @superchaoran

Checking your domain, there is something where I don't see how it may work.

You have a lot of older Letsencrypt certificates, first from 2018-01-14 13:09:09 ( https://check-your-website.server-daten.de/?q=oss.umiuni.com#ct-logs ).

The last three:

| Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|
| Encryption Everywhere DV TLS CA - G1 | 2019-06-05 | 2020-06-05 | oss.umiuni.com (1 entries) | | |
| Let's Encrypt Authority X3 | 2019-04-18 | 2019-07-17 | api.umiuni.cn, api.umiuni.com, google-analytics.umiuni.cn, oss.umiuni.com, test.umiuni.com, umiuni.com, www.umiuni.com, wx.umiuni.cn (8 entries) | | |
| Let's Encrypt Authority X3 | 2019-02-17 | 2019-05-17 | api.umiuni.cn, api.umiuni.com, google-analytics.umiuni.cn, oss.umiuni.com, test.umiuni.com, umiuni.com, www.umiuni.com, wx.umiuni.cn (8 entries) | | |

One from Encryption Everywhere, two expired Letsencrypt certificates with a lot of domain names.

But your Server says:

Server: Tengine

not nginx. So using --nginx may not work.

And oss.umiuni.com/.well-known/acme-challenge/random-filename sends XML:

<Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message><RequestId>5D301DCE94A4524A362CD06F</RequestId><HostId>umiuni-vir.oss-us-east-1.aliyuncs.com</HostId><Key>.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de</Key></Error>

So using --webroot may not work.

Next problem: Your oss subdomain has another ip address, in NL:

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| oss.umiuni.com | C | oss.umiuni.com.w.cdngslb.com | yes | 1 | 0 |
| | A | 213.244.178.158 Amsterdam/North Holland/Netherlands (NL) - Level 3 Communications, Inc. No Hostname found | yes | | |
| www.oss.umiuni.com | | Name Error | yes | 1 | 0 |

Your main domain is US-hosted:

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| umiuni.com | A | 47.90.247.97 Washington D.C./District of Columbia/United States (US) - Alibaba.com LLC No Hostname found | yes | 2 | 0 |
| | AAAA | | yes | | |
| www.umiuni.com | C | umiuni.com | yes | 1 | 0 |
| | A | 47.90.247.97 Washington D.C./District of Columbia/United States (US) - Alibaba.com LLC No Hostname found | yes | | |

So the renew of the certificate with 8 domain names can't work.

What's this "Tengine"? Where do you run your Certbot?
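
An added example, not part of the thread and not Certbot code: a pre-flight check that turns the observations in the reply above (CNAME to a CDN, A record on another host, non-nginx Server header, object-storage XML on the challenge path) into a go/no-go list before a real renewal uses up a failed-validation attempt. The function name, its parameters and the choice of 47.90.247.97 as the machine running certbot are assumptions; the XML body is shortened from the one quoted in the thread.

```python
import ipaddress
import re

def preflight(domain, dns_answers, local_ips, server_header, probe_body):
    """List reasons an HTTP-01 renewal run on this machine is likely to fail.

    dns_answers   -- (record_type, value) pairs returned for `domain`
    local_ips     -- addresses of the machine where certbot runs
    server_header -- Server header of a GET for a random name under
                     http://<domain>/.well-known/acme-challenge/
    probe_body    -- body of that same response
    """
    problems = []
    cnames = [v for t, v in dns_answers if t == "CNAME"]
    addrs = {ipaddress.ip_address(v) for t, v in dns_answers if t in ("A", "AAAA")}
    local = {ipaddress.ip_address(ip) for ip in local_ips}
    if cnames:
        problems.append(f"{domain} is a CNAME to {cnames[0]}")
    if addrs and not (addrs & local):
        shown = ", ".join(sorted(str(a) for a in addrs))
        problems.append(f"{domain} resolves to {shown}, not to this host")
    if "nginx" not in server_header.lower():
        problems.append(f"Server header is {server_header!r}, not nginx")
    # Object stores answer unknown keys with an <Error> document; match it with
    # a regex rather than feeding an untrusted response to an XML parser.
    code = re.search(r"<Code>([^<]+)</Code>", probe_body)
    host = re.search(r"<HostId>([^<]+)</HostId>", probe_body)
    if probe_body.lstrip().startswith("<Error>") and code and host:
        problems.append(f"challenge path answered by {host.group(1)} ({code.group(1)})")
    return problems

# Values quoted in the thread; LOCAL_IPS is an assumption (the thread never
# says where certbot runs).
OSS_DNS = [("CNAME", "oss.umiuni.com.w.cdngslb.com"), ("A", "213.244.178.158")]
LOCAL_IPS = ["47.90.247.97"]
OSS_BODY = ("<Error><Code>NoSuchKey</Code><Message>The specified key does not "
            "exist.</Message><HostId>umiuni-vir.oss-us-east-1.aliyuncs.com"
            "</HostId></Error>")

if __name__ == "__main__":
    for reason in preflight("oss.umiuni.com", OSS_DNS, LOCAL_IPS, "Tengine", OSS_BODY):
        print("do not renew yet:", reason)
```

An empty list means none of these four conditions applies; it does not replace `certbot renew --dry-run`, which exercises the full validation against the staging environment.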
