Hit a rate limit on my only IP

Hi All,

I have hit a rate limit on my only IP with the following error message:

`too many registrations for this IP`

Have read the rate limits document, the relevant section:

> You can create a maximum of 10 **Accounts per IP Address** per 3 hours. You can create a maximum of 500 **Accounts per IP Range** within an IPv6 /48 per 3 hours. Hitting either account rate limit is very rare, and we recommend that large integrators prefer a design [using one account for many customers](https://letsencrypt.org/docs/integration-guide/). Exceeding these limits is reported with the error message `too many registrations for this IP` or `too many registrations for this IP range`.

The three hour period has elapsed but still getting same problem. How long do we have to wait before we can get certificates issued?

Is there a way to get this restriction lifted?

Many thanks

No, just by waiting.

Also, why are you hitting the rate limit in the first place? Hitting this rate limit is rather rare.

2 Likes

Thanks for the reply

> Also, why are you hitting the rate limit in the first place? Hitting this rate limit is rather rare.

I think the docker container was trying to restart too many times.

> No, just by waiting.

How long do I have to wait?

Is there any other workaround to get the live server up and running?

That's not a very good reason. Well, it's a terrible reason to be honest. The files created and used by your ACME client should be stored on a persistent volume.

3 hours as the error message says. Maybe your Docker is still malfunctioning if you still get the error.

2 Likes

> The files created and used by your ACME client should be stored on a persistent volume.

The problem was that the Docker volumes were deleted as well (stupid, I know) so had to restart from scratch, then got too many requests errors.

In any case that was yesterday, more than 12 hours ago and I'm getting pretty much the same errors as I did then. Here is part of the logs (from a fresh reinstall just now):

```
Sleep for 3600s
2022/01/04 11:33:16 Received event start for container 01d329b75e26
2022/01/04 11:33:21 Debounce minTimer fired
2022/01/04 11:33:21 Generated '/app/letsencrypt_service_data' from 4 containers
2022/01/04 11:33:21 Running '/app/signal_le_service'
[Tue Jan  4 11:34:22 UTC 2022] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Tue Jan  4 11:34:22 UTC 2022] Can not init api for: https://acme-v02.api.letsencrypt.org/directory.
[Tue Jan  4 11:34:22 UTC 2022] Create account key ok.
[Tue Jan  4 11:34:22 UTC 2022] Registering account: https://acme-v02.api.letsencrypt.org/directory
[Tue Jan  4 11:34:22 UTC 2022] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 3
[Tue Jan  4 11:34:23 UTC 2022] Registered
[Tue Jan  4 11:34:23 UTC 2022] Can not find account id url.
[Tue Jan  4 11:34:23 UTC 2022]
[Tue Jan  4 11:34:23 UTC 2022] The account url is empty, please run '--update-account' first to update the account info first,
[Tue Jan  4 11:34:23 UTC 2022] Then try again.
Reloading nginx docker-gen (using separate container 1b8243cae5a0ee741200e871c0081c267a29f4fdd01bf7d828b4b3b4d048a090)...
Reloading nginx (using separate container a0c5af92c82fbda1ff3fe1e28b77fedc3d8520cccb7a9c94df03bab482f7371d)...
Creating/renewal git.example.net certificates... (git.example.net)
[Tue Jan  4 11:34:23 UTC 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Tue Jan  4 11:34:23 UTC 2022] Registering account: https://acme-v02.api.letsencrypt.org/directory
[Tue Jan  4 11:34:24 UTC 2022] Registered
[Tue Jan  4 11:34:24 UTC 2022] ACCOUNT_THUMBPRINT='ZHNmeaf4kBgS3VfLISntC_JhjfjMSAFrkYL9SVTLN6E'
[Tue Jan  4 11:34:24 UTC 2022] Creating domain key
[Tue Jan  4 11:34:25 UTC 2022] The domain key is here: /etc/acme.sh/letsencrypt@sapienplay.com/git.example.net/git.example.net.key
[Tue Jan  4 11:34:25 UTC 2022] Single domain='git.example.net'
[Tue Jan  4 11:34:25 UTC 2022] Getting domain auth token for each domain
[Tue Jan  4 11:34:26 UTC 2022] Getting webroot for domain='git.example.net'
[Tue Jan  4 11:34:26 UTC 2022] Verifying: git.example.net
[Tue Jan  4 11:34:29 UTC 2022] Pending
[Tue Jan  4 11:34:32 UTC 2022] Pending
[Tue Jan  4 11:35:34 UTC 2022] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Tue Jan  4 11:35:34 UTC 2022] git.example.net:Verify error:
[Tue Jan  4 11:35:34 UTC 2022] Please check log file for more details: /dev/null
Sleep for 3600s
```

What else could be going wrong?

This is my live server and I'm getting rather desperate.

I am also trying some very basic website deployments which I know from experience that they just work without hassles and I think that the static IP address we're using has been blocked for longer than the 3 hours. 3 hours has elapsed a long time ago...

Can someone, please, check if that's the case? And give us a time period that we need to wait before coming back online?

And if at all possible, help us lift the ban, that would be highly appreciated.

Thanks

Hard to say with such a log. What ACME client are you using anyway? I'm seeing CURL errors, I'm seeing something about a log file being "written" to /dev/null... Doesn't look very good to me.

If the error message says 3 hours, it's 3 hours. The code isn't that ingenious.

It's not possible to manually lift rate limits, as stated earlier. Also, it seems the ban was lifted anyway:

That your ACME client has other difficulties is probably not related to your earlier rate limit, but something else. Seems to me your ACME client is terrible at best.

3 Likes

You need to fix the problem not increase the amount of mistakes it is allowed to make.

There must be something in the process that keeps creating new accounts (and certs).

4 Likes
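Added example, not part of any post in this thread and not code from acme.sh or acme-companion: a Python check that counts `Registering account` lines in a log of the format shown above and compares the peak inside any 3-hour window with the limit of 10 quoted at the top of the thread. The sliding-window reading of the limit, the function names and the sample lines are assumptions constructed here; the sample models the two registration attempts per container start visible in the log above.

```python
import re
from collections import deque
from datetime import datetime, timedelta

ACCOUNT_LIMIT = 10            # accounts per IP, as quoted in the thread
WINDOW = timedelta(hours=3)   # assumption: treated as a sliding window
CA = "https://acme-v02.api.letsencrypt.org/directory"
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
# Matches "[Tue Jan  4 11:34:22 UTC 2022] Registering account: <url>"
LINE_RE = re.compile(
    r"^\[\w{3} (\w{3})\s+(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) UTC (\d{4})\] "
    r"Registering account: ")

def registration_times(lines):
    """Timestamps of every account registration attempt in the log."""
    times = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group(1) in MONTHS:
            mon, day, hh, mm, ss, year = m.groups()
            times.append(datetime(int(year), MONTHS.index(mon) + 1, int(day),
                                  int(hh), int(mm), int(ss)))
    return sorted(times)

def peak_in_window(times, window=WINDOW):
    """Largest number of attempts that fall inside any one window."""
    recent, peak = deque(), 0
    for t in times:
        recent.append(t)
        while t - recent[0] >= window:   # drop attempts older than the window
            recent.popleft()
        peak = max(peak, len(recent))
    return peak

def would_hit_limit(lines):
    return peak_in_window(registration_times(lines)) > ACCOUNT_LIMIT

def constructed_restart_loop(restarts, gap_minutes):
    """Constructed sample: two attempts per container start, 1 s apart."""
    first = datetime(2022, 1, 4, 11, 34, 22)
    lines = ["[Tue Jan  4 11:34:23 UTC 2022] Registered"]  # non-matching line
    for i in range(restarts):
        for sec in (0, 1):
            t = first + timedelta(minutes=i * gap_minutes, seconds=sec)
            lines.append(f"[Tue Jan  4 {t:%H:%M:%S} UTC 2022] Registering account: {CA}")
    return lines

if __name__ == "__main__":
    print(would_hit_limit(constructed_restart_loop(6, 10)))
```

With two attempts per start, six restarts inside the window already exceed the limit, which is why a client that loses its account key on every restart runs into it so quickly.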

Have noticed that our domain registrar doesn't support CAA records.

Can anyone confirm that a CAA record is a must have to get things working properly?

It is not required

2 Likes

CAA is not required, but your DNS server needs to successfully return that there aren't any records rather than returning an error.

4 Likes

Thanks for the confirmation.

Even though things are partially back up, we're still getting errors in the logs:

It's possible that the helper framework we're using is responsible for the generated errors

nginx-proxy / acme-companion

```
Creating/renewal www.example.com certificates... (www.example.com)
[Tue Jan  4 21:05:09 UTC 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Tue Jan  4 21:05:09 UTC 2022] Creating domain key
[Tue Jan  4 21:05:10 UTC 2022] The domain key is here: /etc/acme.sh/letsencrypt@example.com/www.example.com/www.example.com.key
[Tue Jan  4 21:05:10 UTC 2022] Single domain='www.example.com'
[Tue Jan  4 21:05:10 UTC 2022] Getting domain auth token for each domain
[Tue Jan  4 21:05:11 UTC 2022] Getting webroot for domain='www.example.com'
[Tue Jan  4 21:05:12 UTC 2022] Verifying: www.example.com
[Tue Jan  4 21:05:14 UTC 2022] Pending
[Tue Jan  4 21:05:17 UTC 2022] Pending
[Tue Jan  4 21:05:19 UTC 2022] Pending
[Tue Jan  4 21:05:22 UTC 2022] Pending
[Tue Jan  4 21:05:24 UTC 2022] Pending
[Tue Jan  4 21:05:27 UTC 2022] Pending
[Tue Jan  4 21:05:29 UTC 2022] Pending
[Tue Jan  4 21:05:32 UTC 2022] Pending
[Tue Jan  4 21:05:34 UTC 2022] Pending
[Tue Jan  4 21:05:37 UTC 2022] Pending
[Tue Jan  4 21:06:39 UTC 2022] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Tue Jan  4 21:06:39 UTC 2022] www.example.com:Verify error:
```

Any further input is welcomed.

Thanks

35 SSL connect error. The SSL handshaking failed.

It's not clear if you are actually trying to get a cert for "www.example.com" OR you simply replaced your real domain with that "example".

1 Like

Must have redacted. Connections to www.example.com would succeed :slight_smile:

3 Likes

Of course it's redacted... :slightly_smiling_face:

Now things seem to be stabilising. But the funny thing is, every time we add a new domain the same routine plays out, namely a few errors for a while then the certs are generated.

Is this normal that there is a delay in generating the certs with errors as shown above?

1 Like
