Hi, im currently writing a tool to manage certificates and generate our certificates, unfortunateley i seem to be hitting an issue here:
[...]
File "/home/deploy/ZenZeug/venv/local/lib/python2.7/site-packages/acme/client.py", line 210, in request_domain_challenges
typ=messages.IDENTIFIER_FQDN, value=domain), new_authzr_uri)
File "/home/deploy/ZenZeug/venv/local/lib/python2.7/site-packages/acme/client.py", line 190, in request_challenges
new_authz)
File "/home/deploy/ZenZeug/venv/local/lib/python2.7/site-packages/acme/client.py", line 649, in post
return self._check_response(response, content_type=content_type)
File "/home/deploy/ZenZeug/venv/local/lib/python2.7/site-packages/acme/client.py", line 565, in _check_response
Error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new authz :: Too many currently pending authorizations.
I understand the error and the reason, but Im wondering if there is a better way to handle a situation like this where i already requested the authorization and for some reason they are lost or something and i need to re request them.
Also, this is “pneding authorizaitons” specific to the domain im trying to authorize or its a “account” limit
First of all, thanks for the reply. Well I started developing against staging environment, but this issue is using production now.
I hit the issue while bulk issuing some certificates, normally i would do 1 or 2 at a time and it would be fine. In this case i issued like 10 at the same time.
Shouldnt, the.request_domain_challanges` function work by just retrieving the authorizations that were previously generated? I believe this is where the issue resides.
To be honest, the docs for the ACME library are not that complete, maybe Im missing something here.
I'm not familiar with the Certbot ACME module. Maybe @jsha would know? Alternatively I would recommend you follow up with an issue on the Certbot repo.
If I remember correctly, boulder (the CA server) currently doesn't have an endpoint that returns a list of authorizations for an account/registration (as specified in the earlier ACME drafts), so that's probably why it doesn't work like that. You'll have to manage that state on the client side.
(Things have been moved around quite a bit in the latest ACME drafts, so this might eventually change and be something the ACME module could handle behind the scenes, but that's not a short-term change I'd guess).
I understand, but wouldt this be something that needs to be added. In a situation like the one im currently on, i cant really do anything to fix it, as I cant invalidate previous authorizations and i cant retrieve the old ones.
Maybe a way of canceling pending authorizations at least, would be the way to go.
PS: Does the rate limit expire after 3h? (As i have read somewhere else on this community) Im still getting the error, today.
My recommendation would be to switch to a new account key, as these limits are per account.
The rate limit expires once the pending authorizations expire. I’m not 100% certain what the current lifetime for pending authorizations is, but I think it might be 7 days. That’s at least the current value in the sample configuration.
I imagine the authorizations will be added to the API once the final ACME standard (which is still a work in progress) is implemented, but I’m guessing they won’t be added to the current implementation.
Thanks, i think i will do that for now. Do you know any refs for the current limits for this scenario ? I guess its the nr of authrz with status pending.