Getting Error finalizing order :: too many certificates already issued after limits were raised

SamirNassar-idealo · January 28, 2019, 8:55am

My domain is: idealo.com (https://crt.sh/?q=%eu.idealo.com)

I ran this command:

Ansible ACME module

It produced this output:

2019-01-28 08:24:07,102 p=5063 u=root | TASK [idealo.notaryclient : Let the challenge be validated and retrieve the cert and intermediate certificate]
2019-01-28 08:24:12,616 p=5063 u=root | fatal: [localhost]: FAILED! => {“changed”: false, “msg”: “Error new cert: CODE: 429 RESULT: {‘detail’: ‘Error finalizing order :: too many certificates already issued for: idealo.com: see https://letsencrypt.org/docs/rate-limits/’, ‘status’: 429, ‘type’: ‘urn:ietf:params:acme:error:rateLimited’}”, “other”: {}}

My web server is (include version):

Diverse

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Ansible 2.7

mnordhoff · January 28, 2019, 2:20pm

For what it’s worth, at the moment, your domain is below even the default rate limits:

Rate Limit	Current Status	Domain
50 Certificates per Registered Domain per week	OK (42 / 50 this week.)	idealo.com

Summary generated at https://tools.letsdebug.net/cert-search?m=domain&q=idealo.com&d=168 .

rg305 · January 29, 2019, 12:40am

It may be possible that your doing force renewals (even thou certs haven’t expired).

schoen · January 29, 2019, 5:34am

@mnordhoff, I think you forgot to look at subdomains:

https://crt.sh/?Identity=%idealo.com&iCAID=16418

@SamirNassar-idealo, have you confirmed with Let’s Encrypt staff that your rate limit was increased? Is it possible that your rate limit increase applies only to one specific ACME account, which might not be used by this particular client instance? Sometimes Let’s Encrypt rate limit increases are tied to accounts, not just domains.

_az · January 29, 2019, 5:42am

:\ cert-search should show all the certificates for the Registered Domain within the 7 day window, subdomain or not. If it isn't, I need to know about it, but I can't see an obvious omission (yet).

FWIW sahsanu's perl script agrees that the current count is 35. So either there have been new certificates created not yet logged, OP's rate limit result is stale (i.e the window is lapsing, which I find to be likely since in the last couple of posts it's gone down from 42->35) or OP's rate limit got accidentally lowered to 35.

rg305 · January 29, 2019, 5:50am

THIS:

AND THIS:

ARE NOT SIMILAR.

I can't see exactly why though.

_az · January 29, 2019, 5:53am

For one, the %domain pattern can result in false matches. e.g. it matches crt.sh | 1148815275 because of:

DNS:aidealo.com

The better pattern would be domain.com || %.domain.com but crt.sh's web interface doesn't permit that query.

cert-search also uses %domain but it then also parses the certificate DER to confirm that each certificate actually features that Registered Domain, according to PSL rules.

rg305 · January 29, 2019, 5:56am

Can you separate the query in two and then "merge" the results?

SamirNassar-idealo · February 1, 2019, 8:12am

Thank you @schoen : we were told the limits were raised, but apparently the limits are not raised. Getting further confirmation has been difficult.

schoen · February 1, 2019, 5:06pm

@lestaff could anyone with access to it tell @SamirNassar-idealo the current status of this request?

jple · February 1, 2019, 5:33pm

Hi @SamirNassar-idealo we did indeed raise your limits for the ACME account ID you requested (plus a little more per the confirmation e-mail!). I sent you an e-mail back - do you think perhaps we have the wrong ACME account ID? Here’s more information on how to find that: https://letsencrypt.org/docs/account-id/

Also suggested to make the limit a lot higher than you originally thought you would need for the ACME account ID that you previously gave. Happy to do that as well.

Best,
JP

SamirNassar-idealo · February 4, 2019, 8:47am

Hello @jple, between your response and the weekend I started thinking that there is something wrong on our end. It appears that I had the account-ID from a previous start and not the consolidated account-ID. I will verify this on our side and send you an update today.

Higher limits are always nice, but I don’t believe we need them at this stage and I want to solve the problem first before LE staff have to be involved.

I will also be filing a Ticket internally to make sure we track the account number in our logs, this would have been a good idea to have from the get-go.

SamirNassar-idealo · February 11, 2019, 11:00am

Hello @jple and @lestaff we are still hitting the API limits of 50 new certificates per week. We thought we would have the limit raised by Friday and it has not happened.

SamirNassar-idealo · February 11, 2019, 11:03am

To be clear to others, we communicated the new account ID to LE already but are not seeing the effects.

system · March 13, 2019, 11:03am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.