Getting Rate Limits but no obvious reason

Help
1

We use an automated process that hooks into Docker and generates a certificate when new containers come up. Now whenever we bring up a new container we get “too many registrations for this IP”.

Looking at https://crt.sh/?q=%.skysquirrel.xyz, I can see we’ve gotten 0 certificates in the past week.

My domain is: grafana.skysquirrel.xyz

I ran this command:

simp_le \
        -f account_key.json -f key.pem -f fullchain.pem \
        -d grafana.skysquirrel.xyz \
        --email "${LETSENCRYPT_EMAIL}" \
        --server https://acme-v01.api.letsencrypt.org/directory \
        --default_root /usr/share/nginx/html/

It produced this output:

ACME server returned an error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new registration :: too many registrations for this IP

My web server is (include version): nginx

The operating system my web server runs on is (include version): Linux

My hosting provider, if applicable, is: self

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

2

Hi @mikew,

The rate limit error you're seeing is about registrations - you're being rate limited before you can get as far as creating a certificate.

I don't have enough information to check the server logs to identify your client. Can you share the external source IP that you're running simpl_le from?

Based on the rate limit error and the defined rate limits for the prod environment I would suspect that your container/simp_le usage is creating more than 10 new accounts/registrations in an hour.

3

Hi @mikew,

Are you randomly generating a new account_key.json each time? Or do you have a separate simp_le command that performs a registration with the ACME server?

4

Currently it's 142.176.28.61, but it's a dynamic IP.

Hm, that I'm actually not sure of. It looks like it's creating a new account_key.json each time.

Also, since I've posted this, the certificate was generated by our cron job. The cron job runs the same thing as when a new container comes up. So I'm not sure why it worked then but not before.

5

Thanks for sharing @mikew,

I was able to see in the server-side logs that your client at that IP has sent 30 successful new-registration requests in the past 24 hours. It looks like the result of a cron task because for the most part every successful request happens at exactly 20 minutes after the hour.

I suspect the rate limit period flipped over, or perhaps its a different source IP. I bet you will start seeing the error again unless the run-away registration problem that is causing all of the new-reg requests is fixed.

That would likely match up with all of these new-reg requests. We definitely recommend using one ACME account across all of your issuances.

6

Ah, so even though no certs are being created / renewed, that still counts towards this rate limit?

Will gladly fix this, is anyone here familiar with simp_le or should I take this to Github now?

7

Yup! There are many rate limits. Not all of them are specific to certificate issuance. # of account registrations, # of pending authorizations, # of failed authorization attempts and # of API requests per second all have some form of rate limit that would be separate from the # of certificates issued.

8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.