Had issues renewing using acme.sh, now too many failed authorizations

Hello,
Summary:

  1. As I had issues typing ./acme.sh --renew-all, I typed it several times; now I get "too many failed authorizations recently". How long should I wait before trying again?
  2. How to debug the initial issue?

My domain is: slint.fr

I first ran this command:
/acme.sh --renew-all

Which gave this output:
[Mon Dec 4 11:07:10 CET 2023] Renew: 'slint.fr'
[Mon Dec 4 11:07:11 CET 2023] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Mon Dec 4 11:07:11 CET 2023] Checking if there is an error in the apache config file before starting.
[Mon Dec 4 11:07:11 CET 2023] OK
[Mon Dec 4 11:07:11 CET 2023] JFYI, Config file /etc/httpd/httpd.conf is backuped to /root/.acme.sh/httpd.conf
[Mon Dec 4 11:07:11 CET 2023] In case there is an error that can not be restored automatically, you may try restore it yourself.
[Mon Dec 4 11:07:12 CET 2023] The backup file will be deleted on success, just forget it.
[Mon Dec 4 11:07:12 CET 2023] Single domain='slint.fr'
[Mon Dec 4 11:07:12 CET 2023] Getting domain auth token for each domain
[Mon Dec 4 11:07:14 CET 2023] Getting webroot for domain='slint.fr'
[Mon Dec 4 11:07:15 CET 2023] Verifying: slint.fr
[Mon Dec 4 11:07:15 CET 2023] Pending, The CA is processing your order, please just wait. (1/30)
[Mon Dec 4 11:07:18 CET 2023] Pending, The CA is processing your order, please just wait. (2/30)
[Mon Dec 4 11:07:21 CET 2023] Pending, The CA is processing your order, please just wait. (3/30)
[Mon Dec 4 11:07:23 CET 2023] Pending, The CA is processing your order, please just wait. (4/30)
[Mon Dec 4 11:07:26 CET 2023] Pending, The CA is processing your order, please just wait. (5/30)
[Mon Dec 4 11:07:29 CET 2023] Pending, The CA is processing your order, please just wait. (6/30)
[Mon Dec 4 11:07:31 CET 2023] Pending, The CA is processing your order, please just wait. (7/30)
[Mon Dec 4 11:07:34 CET 2023] Pending, The CA is processing your order, please just wait. (8/30)
[Mon Dec 4 11:07:37 CET 2023] slint.fr:Verify error:172.105.89.79: Fetching https://slint.fr/.well-known/acme-challenge/eAFtR6hXjVDh7LdCvbf6O7fg5cATjG4LLcflxq0tA9Y: Timeout during connect (likely firewall problem)
[Mon Dec 4 11:07:37 CET 2023] Please check log file for more details: /root/.acme.sh/acme.sh.log
[Mon Dec 4 11:07:38 CET 2023] Error renew slint.fr

After several attempts I ran this command again:
/acme.sh --renew-all

which produced this output:
[Mon Dec 4 11:41:56 CET 2023] Renew: 'slint.fr'
[Mon Dec 4 11:41:56 CET 2023] Renew to Le_API=https://acme-v02.api.letsencrypt.org/directory
[Mon Dec 4 11:41:57 CET 2023] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Mon Dec 4 11:41:57 CET 2023] Checking if there is an error in the apache config file before starting.
Syntax OK
[Mon Dec 4 11:41:58 CET 2023] OK
[Mon Dec 4 11:41:58 CET 2023] JFYI, Config file /etc/httpd/httpd.conf is backuped to /root/.acme.sh/httpd.conf
[Mon Dec 4 11:41:58 CET 2023] In case there is an error that can not be restored automatically, you may try restore it yourself.
[Mon Dec 4 11:41:58 CET 2023] The backup file will be deleted on success, just forget it.
[Mon Dec 4 11:41:58 CET 2023] Single domain='slint.fr'
[Mon Dec 4 11:41:58 CET 2023] Getting domain auth token for each domain
[Mon Dec 4 11:42:00 CET 2023] Create new order error. Le_OrderFinalize not found. {
"type": "urn:ietf:params:acme:error:rateLimited",
"detail": "Error creating new order :: too many failed authorizations recently: see Failed Validation Limit - Let's Encrypt",
"status": 429
}
Syntax OK
[Mon Dec 4 11:42:00 CET 2023] Please check log file for more details: /root/.acme.sh/acme.sh.log
[Mon Dec 4 11:42:00 CET 2023] Error renew slint.fr.

My web server is (include version):
httpd-2.4.57

The operating system my web server runs on is (include version):
slackware 15.0

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): acme.sh v3.0.7

I'm curious. There's a link in the error message:

What wasn't clear exactly in the linked documentation to answer your question? :slight_smile:

It looks like you have an HTTP to HTTPS redirect in place, which is fine. But Let's Encrypt could not connect to your HTTPS port 443 from their validation server.

From my point of view I can reach your HTTPS server. Did you perhaps change anything in the meantime? Or perhaps you might have some geoblocking firewall, only allowing requests from certain locations?

Thanks Osiris for your fast answer and for the heads-up about how long I should wait (so, one hour).

I confirm that port 443 is open and I have no geoblocking firewall so, still puzzled.

I realize that I have two folders .acme.sh: one under /home/didier and the other under /root. Can this cause an issue and then how to fix it, please? This is not new but I don't remember from which I typed the command last time it succeeded.

I don't see how that would affect your port 443 being accessible or not. A timeout is usually caused by a firewall or sometimes, in home hosted servers, an incorrectly configured NAT router. We've seen multiple occasions of geoblocking even when one did not know about it beforehand.

I do not think there is any geoblocking, but just in case, how can I check?

More generally, what information should I provide to help debugging?

PS I didn't find how to quote your previous answers in mine, sorry.

Hm, never mind geoblocking, it's your IPv6: Let's Debug

This is the strange behaviour that the LE validation server will fall back to IPv4 for the first connection attempt, but if it needs to make a second connection (due to the HTTP to HTTPS redirection), it will NOT fall back to IPv4. And if your IPv6 is not working, you'll end up with a timeout on the https:// protocol.

Make sure your IPv6 connectivity is working properly and try again.
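
A way to run the check suggested above, as an added example that is not part of the original thread: it connects to every published A and AAAA address on ports 80 and 443 with the address family pinned, so a dead IPv6 path cannot be hidden by fallback to IPv4. The function names and the `example.com` default are assumptions made for this example.

```python
import socket

FAMILIES = {socket.AF_INET: "IPv4 (A)", socket.AF_INET6: "IPv6 (AAAA)"}

def resolve(host, port):
    """Return {family: sorted addresses} for the A and AAAA records of host."""
    found = {}
    for family in FAMILIES:
        try:
            infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
        except socket.gaierror:
            continue  # no record of this type is published
        found[family] = sorted({info[4][0] for info in infos})
    return found

def tcp_connect(family, addr, port, timeout):
    """Try one TCP connection pinned to a single address family."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((addr, port))
        return True, "connected"
    except OSError as exc:  # timeout, refused, no route, no local IPv6 stack
        return False, exc.__class__.__name__

def check(host, ports=(80, 443), timeout=5.0, resolver=resolve):
    """Probe every published address on every port, with no family fallback."""
    results = []
    for port in ports:
        for family, addrs in resolver(host, port).items():
            for addr in addrs:
                ok, why = tcp_connect(family, addr, port, timeout)
                results.append((FAMILIES[family], addr, port, ok, why))
    return results

def broken_published_families(results):
    """Families that have a DNS record but at least one failed connection."""
    return sorted({fam for fam, _addr, _port, ok, _why in results if not ok})

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder
    res = check(host)
    for fam, addr, port, ok, why in res:
        print(f"{fam:12} {addr:40} port {port:<4} {'OK' if ok else 'FAIL'} ({why})")
    for fam in broken_published_families(res):
        print(f"{fam} is published in DNS but unreachable: repair it or drop the record")
```

Run it from a machine outside the server's own network, since a local connection does not cross the provider's firewall or routing.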

Thanks. I have posted a support ticket @ Linode and will let you know the outcome.