Getting Error finalizing order :: too many certificates already issued after limits were raised


#1

My domain is: idealo.com (https://crt.sh/?q=%eu.idealo.com)

I ran this command:

Ansible ACME module

It produced this output:

2019-01-28 08:24:07,102 p=5063 u=root | TASK [idealo.notaryclient : Let the challenge be validated and retrieve the cert and intermediate certificate]
2019-01-28 08:24:12,616 p=5063 u=root | fatal: [localhost]: FAILED! => {"changed": false, "msg": "Error new cert: CODE: 429 RESULT: {'detail': 'Error finalizing order :: too many certificates already issued for: idealo.com: see https://letsencrypt.org/docs/rate-limits/', 'status': 429, 'type': 'urn:ietf:params:acme:error:rateLimited'}", "other": {}}

My web server is (include version):

Diverse

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Ansible 2.7


#2

For what it’s worth, at the moment, your domain is below even the default rate limits:

Rate Limit                                      Current Status            Domain
50 Certificates per Registered Domain per week  OK (42 / 50 this week.)   idealo.com

Summary generated at https://tools.letsdebug.net/cert-search?m=domain&q=idealo.com&d=168 .


#3

It may be possible that you're doing force renewals (even though certs haven't expired).


#4

@mnordhoff, I think you forgot to look at subdomains:

https://crt.sh/?Identity=%idealo.com&iCAID=16418

@SamirNassar-idealo, have you confirmed with Let’s Encrypt staff that your rate limit was increased? Is it possible that your rate limit increase applies only to one specific ACME account, which might not be used by this particular client instance? Sometimes Let’s Encrypt rate limit increases are tied to accounts, not just domains.


#5

:\ cert-search should show all the certificates for the Registered Domain within the 7 day window, subdomain or not. If it isn’t, I need to know about it, but I can’t see an obvious omission (yet).

FWIW sahsanu's perl script agrees that the current count is 35. So either there have been new certificates created not yet logged, OP's rate limit result is stale (i.e. the window is lapsing, which I find to be likely since in the last couple of posts it's gone down from 42->35) or OP's rate limit got accidentally lowered to 35.


#6

THIS:

AND THIS:

ARE NOT SIMILAR.

I can’t see exactly why though.


#7

For one, the %domain pattern can result in false matches. e.g. it matches https://crt.sh/?id=1148815275 because of:

DNS:aidealo.com

The better pattern would be domain.com || %.domain.com but crt.sh’s web interface doesn’t permit that query.

cert-search also uses %domain but it then also parses the certificate DER to confirm that each certificate actually features that Registered Domain, according to PSL rules.
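To illustrate the matching problem described in this post, here is an added example (not code from the thread, crt.sh or cert-search) that counts certificates in a 7-day window using the exact-domain-or-subdomain rule instead of a bare substring pattern. The certificate entries are constructed sample data; the registered-domain check is a simplified stand-in for the PSL-based parsing cert-search performs.

```python
from datetime import datetime, timedelta

# Constructed sample log entries (not real crt.sh data): issuance time and SAN names.
SAMPLE_CERTS = [
    {"id": 1, "not_before": "2019-01-22T09:00:00", "sans": ["idealo.com", "www.idealo.com"]},
    {"id": 2, "not_before": "2019-01-25T12:30:00", "sans": ["api.eu.idealo.com"]},
    {"id": 3, "not_before": "2019-01-27T18:00:00", "sans": ["aidealo.com"]},          # false match for %idealo.com
    {"id": 4, "not_before": "2019-01-10T08:00:00", "sans": ["shop.idealo.com"]},      # outside the 7-day window
    {"id": 5, "not_before": "2019-01-28T07:00:00", "sans": ["idealo.com.example"]},   # different registered domain
]


def naive_match(name: str, registered_domain: str) -> bool:
    """The '%domain' substring pattern: matches aidealo.com and idealo.com.example too."""
    return registered_domain.lower() in name.lower()


def strict_match(name: str, registered_domain: str) -> bool:
    """The 'domain.com || %.domain.com' rule: exact name or a subdomain of it.
    Assumes registered_domain is already the PSL registered domain (e.g. idealo.com)."""
    name = name.lower().rstrip(".")
    registered_domain = registered_domain.lower().rstrip(".")
    return name == registered_domain or name.endswith("." + registered_domain)


def certs_in_window(certs, registered_domain, now, matcher=strict_match, window_days=7):
    """Return ids of certificates issued within the window whose SANs match the domain."""
    cutoff = now - timedelta(days=window_days)
    matched = []
    for cert in certs:
        issued = datetime.fromisoformat(cert["not_before"])
        if issued < cutoff or issued > now:
            continue
        if any(matcher(n, registered_domain) for n in cert["sans"]):
            matched.append(cert["id"])
    return matched


def remaining_quota(certs, registered_domain, now, limit=50):
    """Certificates still issuable this week under the per-registered-domain limit."""
    return limit - len(certs_in_window(certs, registered_domain, now))


if __name__ == "__main__":
    now = datetime(2019, 1, 28, 8, 24, 7)
    print("naive :", certs_in_window(SAMPLE_CERTS, "idealo.com", now, matcher=naive_match))
    print("strict:", certs_in_window(SAMPLE_CERTS, "idealo.com", now))
    print("left  :", remaining_quota(SAMPLE_CERTS, "idealo.com", now))
```

Run against the sample data, the substring pattern over-counts by two certificates that belong to other registered domains, which is exactly the discrepancy this post attributes to the `%domain` query.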


#8

Can you separate the query in two and then “merge” the results?


#9

Thank you @schoen : we were told the limits were raised, but apparently the limits are not raised. Getting further confirmation has been difficult.


#10

@lestaff could anyone with access to it tell @SamirNassar-idealo the current status of this request?


#11

Hi @SamirNassar-idealo we did indeed raise your limits for the ACME account ID you requested (plus a little more per the confirmation e-mail!). I sent you an e-mail back - do you think perhaps we have the wrong ACME account ID? Here’s more information on how to find that: https://letsencrypt.org/docs/account-id/

I also suggested making the limit a lot higher than you originally thought you would need for the ACME account ID that you previously gave. Happy to do that as well.

Best,
JP


#12

Hello @jple, between your response and the weekend I started thinking that there is something wrong on our end. It appears that I had the account-ID from a previous start and not the consolidated account-ID. I will verify this on our side and send you an update today.

Higher limits are always nice, but I don’t believe we need them at this stage and I want to solve the problem first before LE staff have to be involved.

I will also be filing a Ticket internally to make sure we track the account number in our logs; this would have been a good idea to have from the get-go.


#13

Hello @jple and @lestaff we are still hitting the API limits of 50 new certificates per week. We thought we would have the limit raised by Friday and it has not happened.


#14

To be clear to others, we communicated the new account ID to LE already but are not seeing the effects.