Error creating new order :: too many failed authorizations recently

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
certbot renew -q
It produced this output:

Attempting to renew cert (sypa-hd.dd-dns.de) from /etc/letsencrypt/renewal/sypa-hd.dd-dns.de.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/sypa-hd.dd-dns.de/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

My web server is (include version):

apache

The operating system my web server runs on is (include version):

NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
$ certbot --version
certbot 1.7.0

2 Likes

I'm sorry to be blunt, but what isn't clear about the error presented by the server when you look it up in the link about the rate limits also presented by the server?

2 Likes

Try using a dry-run; it will show you what any underlying errors are (unrelated to rate limits):

certbot renew --dry-run
3 Likes

There is a Failed Validation limit of 5 failures per account, per hostname, per hour. This limit is higher on our staging environment, so you can use that environment to debug connectivity problems. Exceeding the Failed Validations limit is reported with the error message too many failed authorizations recently.

You won't have to wait long, but appending --dry-run to your certbot command as @_az has suggested will use the staging servers, which have much higher rate limits.


After doing an analysis of sypa-hd.dd-dns.de, it appears that port 80 (http) does not respond, which will make http-01 challenges impossible. It also appears that port 443 (https) is serving the valid certificate cited below, yet there is no redirect from http to https.


Complete Certificate History


https://crt.sh/?Identity=sypa-hd.dd-dns.de&deduplicate=Y

2 Likes

Hi, thanks for this help. We close port 80 for security reasons. Let me re-open it and check again.

2 Likes

Closing port 80 doesn't actually improve security. See also: https://letsencrypt.org/docs/allow-port-80/

4 Likes

Using -q ("quiet") suppresses important messages. Like when things error out.
When troubleshooting, you want the exact opposite of that.

3 Likes
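
The advice in the replies above (rehearse against staging with --dry-run, and do not hide errors with -q) combined into one cron wrapper, as an added example that is not part of any post in this thread. The function name guarded_renew, the CERTBOT override variable and the return codes are assumptions made for this sketch; only the certbot commands and the rateLimited error string come from the thread.

```shell
#!/bin/sh
# Added example: a guarded replacement for a bare "certbot renew -q" cron job.
# CERTBOT can be overridden (assumption of this sketch, used for testing).
CERTBOT=${CERTBOT:-certbot}

# guarded_renew: rehearse on staging first, touch production only if that works.
# Return codes (chosen for this example):
#   0  renewal run succeeded
#   1  production renewal failed for a reason other than rate limiting
#   2  staging rehearsal failed; production was NOT attempted
#   3  production reported urn:ietf:params:acme:error:rateLimited
guarded_renew() {
    # Step 1: --dry-run talks to the staging servers, which have much higher
    # rate limits, so a closed port 80 or broken vhost is caught here without
    # spending any of the 5 failed validations per account, hostname and hour.
    if ! dry=$("$CERTBOT" renew --dry-run 2>&1); then
        printf '%s\n' "$dry" >&2
        echo "guarded_renew: dry-run failed, skipping production renewal" >&2
        return 2
    fi

    # Step 2: the real renewal, deliberately without -q so that the full
    # error text is available if something still goes wrong.
    if out=$("$CERTBOT" renew 2>&1); then
        return 0
    fi
    printf '%s\n' "$out" >&2

    # Step 3: tell "back off and wait" apart from "fix the configuration".
    case $out in
        *urn:ietf:params:acme:error:rateLimited*)
            echo "guarded_renew: rate limited, do not retry until the window passes" >&2
            return 3 ;;
    esac
    return 1
}
```

A cron entry would source this file and call guarded_renew, letting cron mail whatever is written to stderr.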
