Error creating new order :: too many failed authorizations recently


#1

I am migrating a website from one service provider to another (from Linode to Google Cloud). I require wildcard support, and, if I still understand correctly, Certbot and certbot-auto still do not provide support for DNS challenges (is this still true?)

So, I use acme.sh located at https://github.com/Neilpang/acme.sh

I just tried to create a new certificate, and I got the below error. So I have 2 questions:

  1. I have valid certificates on the old server, but I’ll be deleting that server. Is it ok to just create new certificates on this new server, or could this be the issue?

  2. As I type this, there is a huge RED Error at the top of the website saying “Service Disruption” - Could this be the issue? Could my new IP address for my google cloud instance have already issued certificates related to the same IP Address range?

I only tried to do this once, so it seems strange that this would happen unless it's related to activity on the old server.

My domain is:
gastonia.com

I ran this command:
sudo ./.acme.sh/acme.sh --issue --nginx -d gastonia.com -d '*.gastonia.com' --dns dns_cf

It produced this output:
[Mon Jul 30 22:34:09 UTC 2018] Multi domain='DNS:gastonia.com,DNS:*.gastonia.com'
[Mon Jul 30 22:34:09 UTC 2018] Getting domain auth token for each domain
[Mon Jul 30 22:34:10 UTC 2018] Create new order error. Le_OrderFinalize not found. {"type":"urn:ietf:params:acme:error:rateLimited","detail":"Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/","status": 429}
[Mon Jul 30 22:34:10 UTC 2018] Please add '--debug' or '--log' to check more details.
[Mon Jul 30 22:34:10 UTC 2018] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh

My web server is (include version):
nginx

The operating system my web server runs on is (include version):
Ubuntu 18.04 LTS

My hosting provider, if applicable, is:
Google Cloud Platform

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no, command line only / ssh


#2

certbot-auto doesn’t include the DNS plugins – yet – but you can just “apt install certbot python3-certbot-dns-cloudflare”. :slightly_smiling_face:

It’s okay.

Probably not. As it says, it’s been fixed – barring unusual caching – and your DNS resolver is apparently able to resolve letsencrypt.org.

That issue is specifically that you’ve tried to validate it 5 times in the last hour and it’s failed every time.

Do you have logs of what went wrong before?

You can wait until you’re no longer rate limited, or use “--staging” to test against Let’s Encrypt’s staging environment (which issues test certificates that don’t work, but has high rate limits).

I’m not sure what acme.sh does if you pass both --nginx and --dns dns_cf like that.


#3

I’m not sure what acme.sh does if you pass both --nginx and --dns dns_cf like that.

I was worried about that too. What I was wanting was for the script to write to my nginx files for me as well as copy my files automatically to /etc/letsencrypt/…/…

Please please elaborate more about this. This has to be the hardest info to find on the net - how to use the official certbot software and verify via DNS.

Can you provide an up to date link to instructions on how to do that (or if it’s short enough even write them here?) I would much rather use the official.

In the meantime, checking the logs now for more details.


#4

I don’t think acme.sh can automatically configure Nginx to use a certificate.

If you’re using DNS validation, you don’t need to pass --nginx to --issue.

You need to run --install-cert and configure Nginx manually.

Don’t have acme.sh put files in /etc/letsencrypt/; that’s specifically for Certbot, and having other programs modifying it will cause problems.

FWIW, there isn’t really an official client anymore. Certbot and acme.sh are both good.

As for instructions, there isn’t anything special.

  1. (Optional) Enable the PPA:
    $ sudo add-apt-repository ppa:certbot/certbot
    $ sudo apt-get update
  2. Install Certbot:
    $ sudo apt-get install certbot python3-certbot-dns-cloudflare
  3. Use it:
    https://certbot-dns-cloudflare.readthedocs.io/en/latest/

You can combine authenticator and installer plugins like “certbot -a dns-cloudflare -i nginx”: https://certbot.eff.org/docs/using.html#combining-plugins
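The following script is an added example for this thread; it is not the original poster's command line and not code from Certbot or acme.sh. It puts the advice of posts #2 and #4 into one runnable form: a Cloudflare credentials file created with owner-only permissions (the secret the DNS-01 hook needs), a Certbot invocation that uses dns-cloudflare as authenticator and nginx as installer, run against the staging environment first so that a broken DNS hook consumes staging's generous limits rather than the production "5 failed authorizations per hour" limit, and the acme.sh alternative (`--issue` with only `--dns dns_cf`, then `--install-cert` into a directory nginx reads). The domain `example.com`, the credentials path, the nginx certificate directory and the `CERTBOT`/`ACME_SH` overrides are assumptions for illustration; substitute your own.

```shell
#!/bin/sh
# Added example, not the thread's or either client's own code. Wildcard issuance
# over DNS-01 on Cloudflare DNS, staging first, then production.
set -eu

DOMAIN="${DOMAIN:-example.com}"                           # assumption
CREDS="${CREDS:-/root/.secrets/certbot/cloudflare.ini}"   # assumption
NGINX_SSL_DIR="${NGINX_SSL_DIR:-/etc/nginx/ssl}"          # assumption
CERTBOT="${CERTBOT:-certbot}"        # set to "echo" to print instead of run
ACME_SH="${ACME_SH:-${HOME:-/root}/.acme.sh/acme.sh}"

# Write the file the certbot-dns-cloudflare plugin reads. The key name
# dns_cloudflare_api_token is the plugin's documented one. The file is created
# under umask 077 and then chmod 600: it holds a token that can edit your DNS
# zone, and Certbot warns when it is readable by other local users.
write_cf_credentials() {
    mkdir -p "$(dirname "$1")"
    ( umask 077; printf 'dns_cloudflare_api_token = %s\n' "$2" > "$1" )
    chmod 600 "$1"
}

# Succeed only if the credentials file is owner read/write and nothing else.
creds_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ]
}

# Certbot with dns-cloudflare as authenticator and nginx as installer (post #4's
# "-a dns-cloudflare -i nginx"). $1 is "staging" or "prod". Apex and wildcard
# share one certificate; the propagation delay gives Cloudflare time to publish
# the _acme-challenge TXT record before Let's Encrypt queries it.
run_certbot() {
    env_name="$1"
    creds_mode_ok "$CREDS" || { echo "refusing: $CREDS is not mode 600" >&2; return 1; }
    set -- run -a dns-cloudflare -i nginx \
        --dns-cloudflare-credentials "$CREDS" \
        --dns-cloudflare-propagation-seconds 60 \
        -d "$DOMAIN" -d "*.$DOMAIN"
    if [ "$env_name" = staging ]; then set -- "$@" --staging; fi
    "$CERTBOT" "$@"
}

# acme.sh path. --nginx is acme.sh's HTTP-01 mode (it edits the nginx config
# temporarily to serve the challenge) and is not needed for DNS validation, so
# only the dns_cf hook is passed. dns_cf reads CF_Token (or CF_Key/CF_Email)
# from the environment; export one of them before calling. $1 as above.
run_acme_sh_issue() {
    env_name="$1"
    set -- --issue --dns dns_cf -d "$DOMAIN" -d "*.$DOMAIN"
    if [ "$env_name" = staging ]; then set -- "$@" --staging; fi
    "$ACME_SH" "$@"
}

# acme.sh does not configure nginx; --install-cert copies the files to a path
# nginx is configured to read and reruns --reloadcmd on every renewal.
run_acme_sh_install() {
    mkdir -p "$NGINX_SSL_DIR"
    "$ACME_SH" --install-cert -d "$DOMAIN" \
        --key-file "$NGINX_SSL_DIR/$DOMAIN.key" \
        --fullchain-file "$NGINX_SSL_DIR/$DOMAIN.fullchain.pem" \
        --reloadcmd "systemctl reload nginx"
}

# Certbot flow, run only when RUN=1 so the functions can also be sourced.
if [ "${RUN:-0}" = 1 ]; then
    [ -f "$CREDS" ] || write_cf_credentials "$CREDS" "${CF_TOKEN:?export CF_TOKEN first}"
    run_certbot staging   # proves the DNS hook works without touching production limits
    run_certbot prod
fi
```

Run it as `CF_TOKEN=... DOMAIN=yourdomain.example RUN=1 sh issue.sh` for the Certbot path; for acme.sh, export `CF_Token` and call `run_acme_sh_issue staging`, then `run_acme_sh_issue prod` and `run_acme_sh_install`, and point the nginx `ssl_certificate`/`ssl_certificate_key` directives at the installed files. Staging certificates are not browser-trusted, which is the point: they cost nothing against the production failed-validation counter while you debug the DNS hook.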


#5

The tricky thing overall is that it depends on how people install Certbot, and it depends on who their DNS provider is. A thing that people like quite a lot about acme.sh is that not only does it support more DNS providers, but it supports all of them in every installation scenario.

However, Certbot is steadily getting better on this point. :slight_smile:


#6

Could you elaborate a bit more about this please? I followed the instructions from @mnordhoff and it worked like a charm on Ubuntu 18.04. I went back to some client sites on Ubuntu 17.10 and it tells me the install python3-certbot-dns-cloudflare package can’t be found.

Would access to that package be OS Version dependent?


#7

The dns-cloudflare plugin was first packaged by Ubuntu in 18.04.

It’s available in the Certbot PPA for 14.04, 16.04 and 18.04, but not 17.10, probably because 17.10 is EOL.

You should upgrade.

