Had issues renewing using acme.sh, now too many failed authorizations

Hello,
Summary:

  1. As I had issues typing ./acme.sh --renew-all, I typed it several times; now I get "too many failed authorizations recently". How long should I wait before trying again?
  2. How to debug the initial issue?

My domain is: slint.fr

I first ran this command:
/acme.sh --renew-all

Which gave this output:
[Mon Dec 4 11:07:10 CET 2023] Renew: 'slint.fr'
[Mon Dec 4 11:07:11 CET 2023] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Mon Dec 4 11:07:11 CET 2023] Checking if there is an error in the apache config file before starting.
[Mon Dec 4 11:07:11 CET 2023] OK
[Mon Dec 4 11:07:11 CET 2023] JFYI, Config file /etc/httpd/httpd.conf is backuped to /root/.acme.sh/httpd.conf
[Mon Dec 4 11:07:11 CET 2023] In case there is an error that can not be restored automatically, you may try restore it yourself.
[Mon Dec 4 11:07:12 CET 2023] The backup file will be deleted on success, just forget it.
[Mon Dec 4 11:07:12 CET 2023] Single domain='slint.fr'
[Mon Dec 4 11:07:12 CET 2023] Getting domain auth token for each domain
[Mon Dec 4 11:07:14 CET 2023] Getting webroot for domain='slint.fr'
[Mon Dec 4 11:07:15 CET 2023] Verifying: slint.fr
[Mon Dec 4 11:07:15 CET 2023] Pending, The CA is processing your order, please just wait. (1/30)
[Mon Dec 4 11:07:18 CET 2023] Pending, The CA is processing your order, please just wait. (2/30)
[Mon Dec 4 11:07:21 CET 2023] Pending, The CA is processing your order, please just wait. (3/30)
[Mon Dec 4 11:07:23 CET 2023] Pending, The CA is processing your order, please just wait. (4/30)
[Mon Dec 4 11:07:26 CET 2023] Pending, The CA is processing your order, please just wait. (5/30)
[Mon Dec 4 11:07:29 CET 2023] Pending, The CA is processing your order, please just wait. (6/30)
[Mon Dec 4 11:07:31 CET 2023] Pending, The CA is processing your order, please just wait. (7/30)
[Mon Dec 4 11:07:34 CET 2023] Pending, The CA is processing your order, please just wait. (8/30)
[Mon Dec 4 11:07:37 CET 2023] slint.fr:Verify error:172.105.89.79: Fetching https://slint.fr/.well-known/acme-challenge/eAFtR6hXjVDh7LdCvbf6O7fg5cATjG4LLcflxq0tA9Y: Timeout during connect (likely firewall problem)
[Mon Dec 4 11:07:37 CET 2023] Please check log file for more details: /root/.acme.sh/acme.sh.log
[Mon Dec 4 11:07:38 CET 2023] Error renew slint.fr

After several attempts I ran this command again:
/acme.sh --renew-all

which produced this output:
[Mon Dec 4 11:41:56 CET 2023] Renew: 'slint.fr'
[Mon Dec 4 11:41:56 CET 2023] Renew to Le_API=https://acme-v02.api.letsencrypt.org/directory
[Mon Dec 4 11:41:57 CET 2023] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Mon Dec 4 11:41:57 CET 2023] Checking if there is an error in the apache config file before starting.
Syntax OK
[Mon Dec 4 11:41:58 CET 2023] OK
[Mon Dec 4 11:41:58 CET 2023] JFYI, Config file /etc/httpd/httpd.conf is backuped to /root/.acme.sh/httpd.conf
[Mon Dec 4 11:41:58 CET 2023] In case there is an error that can not be restored automatically, you may try restore it yourself.
[Mon Dec 4 11:41:58 CET 2023] The backup file will be deleted on success, just forget it.
[Mon Dec 4 11:41:58 CET 2023] Single domain='slint.fr'
[Mon Dec 4 11:41:58 CET 2023] Getting domain auth token for each domain
[Mon Dec 4 11:42:00 CET 2023] Create new order error. Le_OrderFinalize not found. {
"type": "urn:ietf:params:acme:error:rateLimited",
"detail": "Error creating new order :: too many failed authorizations recently: see Failed Validation Limit - Let's Encrypt",
"status": 429
}
Syntax OK
[Mon Dec 4 11:42:00 CET 2023] Please check log file for more details: /root/.acme.sh/acme.sh.log
[Mon Dec 4 11:42:00 CET 2023] Error renew slint.fr.

My web server is (include version):
httpd-2.4.57

The operating system my web server runs on is (include version):
slackware 15.0

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): acme.sh v3.0.7

I'm curious. There's a link in the error message:

What wasn't clear exactly in the linked documentation to answer your question?

It looks like you have an HTTP to HTTPS redirect in place, which is fine. But Let's Encrypt could not connect to your HTTPS port 443 from their validation server.

From my point of view I can reach your HTTPS server. Did you perhaps change anything in the meantime? Or perhaps you might have some geoblocking firewall, only allowing requests from certain locations?

1 Like

Thanks Osiris for your fast answer and for the heads-up about how long I should wait (so, one hour).

I confirm that the port 443 is open and I have no geoblocking firewall, so I am still puzzled.

I realize that I have two folders .acme.sh: one under /home/didier and the other under /root. Can this cause an issue and then how to fix it, please? This is not new but I don't remember from which I typed the command last time it succeeded.

1 Like

I don't see how that would affect your port 443 being accessible or not. A timeout is usually caused by a firewall or sometimes, in home hosted servers, an incorrectly configured NAT router. We've seen multiple occasions of geoblocking even when one did not know about it beforehand.

I do not think there is any geoblocking, but just in case, how can I check?

More generally, what information should I provide to help debugging?

PS I didn't find how to quote your previous answers in mine, sorry.

Hm, never mind geoblocking, it's your IPv6: Let's Debug

This is the strange behaviour that the LE validation server will fall back to IPv4 for the first connection attempt, but if it needs to make a second connection (due to the HTTP to HTTPS redirection), it will NOT fall back to IPv4. And if your IPv6 is not working, you'll end up with a timeout on the https:// protocol.

Make sure your IPv6 connectivity is working properly and try again.

4 Likes
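
The dual-stack failure described in the reply above, as an added example (not part of the original thread and not Let's Encrypt's code): a Python check that tests ports 80 and 443 separately over IPv4 and IPv6, then applies the fallback behaviour as that reply describes it. The function names and status strings are assumptions made for this example.

```python
import socket

def resolve(host, port, family):
    """Addresses of one family (AF_INET or AF_INET6) published for host."""
    try:
        infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def tcp_connect(addr, port, family, timeout=5.0):
    """True if a TCP handshake to addr:port completes within timeout."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((addr, port))
        return True
    except OSError:
        return False

def probe(host, ports=(80, 443), resolver=resolve, connector=tcp_connect):
    """Map (family name, port) -> 'ok', 'unreachable' or 'no record'."""
    result = {}
    for name, family in (("IPv4", socket.AF_INET), ("IPv6", socket.AF_INET6)):
        for port in ports:
            addrs = resolver(host, port, family)
            if not addrs:
                result[(name, port)] = "no record"
            elif all(connector(a, port, family) for a in addrs):
                result[(name, port)] = "ok"
            else:
                result[(name, port)] = "unreachable"
    return result

def validation_outcome(result):
    """Model of the behaviour described in the reply: the first fetch (port 80)
    may fall back from IPv6 to IPv4, the redirected fetch (port 443) may not."""
    has_v6 = result[("IPv6", 80)] != "no record"
    if result[("IPv6", 80)] != "ok" and result[("IPv4", 80)] != "ok":
        return "fail: port 80 unreachable"
    family = "IPv6" if has_v6 else "IPv4"
    if result[(family, 443)] != "ok":
        return f"fail: redirect to https times out over {family}"
    return "pass"

if __name__ == "__main__":
    import sys
    r = probe(sys.argv[1])  # e.g. python3 check.py your.domain
    for key in sorted(r):
        print(key, r[key])
    print(validation_outcome(r))
```

A host that publishes an AAAA record but shows `unreachable` on the IPv6 rows while the IPv4 rows are `ok` matches the timeout in the renewal log.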

Thanks. I have posted a support ticket @ Linode and will let you know the outcome.

1 Like
