Got myself into rate-limit by google page blacklist — is there a way out?


#1

Hi dear Help-Forum,

i’m using Let’s Encrypt on a dedicated root-server for generating certificates for HTTP, Jabber, E-Mail and a few other services, for my domains ghostdub.de and kanojo.de, as well as a few subdomains. Until last renew-time, i renewed manually because my set of cron-scripts was still not fully developed yet.

Also, about 2 months ago, i had a problem with one of my wordpress sites getting owned (… typical wordpress thing -.-) despite regular updates — and it started distributing malware, which luckily got placed on Google’s StopBadWare-list. Now, i resolved the issue quickly, reinstalled wordpress, hardened the installation quite a bit more this time, and just hoped that google would whitelist me again. This also happened for my main sites, but not my (now-offline because i haven’t had time to migrate yet) secondary ones.

Forward a bit, i tried my cron scripts for the first time to renew … getting a quite unexpected error about „one of your domains is reported unsafe by 3rd party API“ (haven’t gotten the verbatim quote anymore). Now, that caused my script to go havoc (i only very quickly wrote them because i was very tired at the time … baaad idea, way beyond ballmer-peak!) because it thought that in my domain-list i’d added a new domain … throwing away the old certs and re-requesting a new one with the supposedly-changed list of SANs. After seeing this in my emails in the morning, i’ve promptly requested a whitelisting at Google webmaster-tools, and got whitelisted a few hours later with these domains …

Now … as you can imagine this placed me on the „urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new authz :: Too many currently pending authorizations.“-Ratelimit. Now i’m in a bad situation — not only an old certificate, but worse: NO certificate at all (because of my bad scripting).

While i realize this is 100% my fault, i’m still desperate enough to ask whether it’s somehow possible to request or trick around the rate limit to issue my certificate again. Again, i still think this request is morally … questionable at best, i’m desperate enough with crying users because of red SSL-locks :’(.

Thanks for your great service, and sorry to be one of the „spamming“ Users!
Best
-NebuK
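
The failure mode described in the post above (a failed renewal that discarded the existing certificate and then kept re-requesting until the rate limit hit) is avoided by replacing the certificate only after a successful issuance and by not retrying on a rate-limit error. A sketch of that logic, added here as an example and not the poster's script; `request_cert` is a hypothetical stand-in for the ACME client, and the certificate contents are constructed placeholders:

```python
import os
import re
import tempfile

# Matches ACME problem types in the form quoted in the post above.
ACME_ERROR = re.compile(r"urn:acme:error:(\w+)")

def classify_failure(message):
    """Map a CA error message to what the cron job should do next."""
    match = ACME_ERROR.search(message)
    kind = match.group(1) if match else "unknown"
    # A rate limit does not clear by retrying sooner; anything else needs a human.
    return ("backoff" if kind == "rateLimited" else "alert", kind)

def renew(cert_path, request_cert):
    """Replace cert_path only after request_cert() has returned a new certificate.

    request_cert is a hypothetical callable standing in for the ACME client;
    it returns (True, pem_text) or (False, error_message).
    """
    ok, payload = request_cert()
    if not ok:
        # Failure path: the existing certificate is left untouched.
        action, kind = classify_failure(payload)
        return {"replaced": False, "action": action, "error": kind}
    # Write beside the target, then swap atomically so services never see
    # a missing or half-written file.
    directory = os.path.dirname(os.path.abspath(cert_path))
    fd, tmp = tempfile.mkstemp(dir=directory, suffix=".new")
    with os.fdopen(fd, "w") as handle:
        handle.write(payload)
    os.replace(tmp, cert_path)
    return {"replaced": True, "action": "reload", "error": None}

def demo():
    # Constructed sample: an old certificate on disk and the error from the post.
    path = os.path.join(tempfile.mkdtemp(), "fullchain.pem")
    with open(path, "w") as handle:
        handle.write("OLD-CERT (constructed placeholder)")
    error = ("urn:acme:error:rateLimited :: There were too many requests of a "
             "given type :: Error creating new authz :: Too many currently "
             "pending authorizations.")
    failed = renew(path, lambda: (False, error))
    with open(path) as handle:
        kept = handle.read()
    succeeded = renew(path, lambda: (True, "NEW-CERT (constructed placeholder)"))
    with open(path) as handle:
        new = handle.read()
    return failed, kept, succeeded, new
```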


#2

The specific rate limit you ran into is per-account, so the most straightforward way to bypass it is to create a new account. You could do this by registering a new account using the certbot register command and then telling certbot to use this account via --account when you run the other command to get the certificate.

If you’re willing to start from scratch, deleting (or moving) /etc/letsencrypt should also force a new account creation.


#3

Hi pfg,

thanks for the tip, it proved extremely helpful! It worked!

One thing i had to do was to temporarily move the /etc/letsencrypt/accounts// directory aside so certbot would allow me to create another account even though one existed — then i could move my existing account dir back, and can now switch between both using the --account flag as you suggested.

Now, one question remains for me: What’s better style going forward from here, i.e. after another week when i’ll be allowed to re-request my cert from my original account, should i do so? Or should i keep using both accounts? What’s more letsencrypt~y?

Best, and thank you so much!
-NebuK!


#4

Glad it worked!

I suppose sticking to one account key might be a bit tidier, and since the new account key definitely doesn’t have any rate limiting going on at the moment, I’d probably stick with that. Not really all that important, though. :smile:

