Hitting the rate limit because of a bug, but which one?


#1

I’m getting the error
2018-10-09 14:03:53,540:INFO:main:1211: Generating new account key

ACME server returned an error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new registration :: too many registrations for this IP: see https://letsencrypt.org/docs/rate-limits/

The reason for the issue is that a bug in the software prevented the renewal from completing successfully. Because of this, after SSL expiry the /.well-known requests were being redirected incorrectly.
This was probably compounded by CloudFlare being set to strict, not allowing the server to be reachable anymore on port 443. What I would like to know is if the error above is the “you’re blocked for 1 hour rate limit”, or the “you’re blocked for a week rate limit”. In which case, obviously, we have a more serious problem.

Also, how can I test it so we don’t “try our way into a rate limit issue” again?

My domain is:
bitesdaretoshare.com

I ran this command:
dokku letsencrypt

It produced this output:
2018-10-09 14:03:53,540:INFO:main:1211: Generating new account key

ACME server returned an error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new registration :: too many registrations for this IP: see https://letsencrypt.org/docs/rate-limits/

My web server is (include version): nginx 1.10.3

The operating system my web server runs on is (include version):
ubuntu

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

Cheers,
Marc


#2

Hi @mschipperheyn

I’m not familiar with this dokku ACME client. It seems like it is creating a new account every time it issues a certificate, which is why it’s hitting the registration rate limit.

Is there a way you can configure the client to create an account once, and then re-use it for subsequent issuances? We strongly recommend using one account for all of your certificates.

This is none of the above; it is specifically the “Accounts per IP Address” rate limit (that is applied over a 3-hour period), not the “Failed Validation” rate limit or the “Certificates per Registered Domain” rate limit.
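
As an added example (not part of the original thread, and not dokku's or Let's Encrypt's code): a Python check that scans a client log in the format quoted in the question, counts how many times a new account key was generated inside the 3-hour window mentioned above, and names the rate limit from the error detail. The sample log, its timestamps and the function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log in the format quoted in the question (timestamps are made up).
SAMPLE_LOG = """\
2018-10-09 09:00:00,001:INFO:main:1211: Generating new account key
2018-10-09 11:30:01,120:INFO:main:1211: Generating new account key
2018-10-09 12:30:10,003:INFO:main:1211: Generating new account key
2018-10-09 14:03:53,540:INFO:main:1211: Generating new account key
ACME server returned an error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new registration :: too many registrations for this IP: see https://letsencrypt.org/docs/rate-limits/
"""

KEYGEN = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+:\w+:.*Generating new account key")
ACME_ERR = re.compile(r"ACME server returned an error: (\S+) :: (.*)")

def classify(detail):
    """Map the error detail text to the rate limit named in the reply above."""
    if "too many registrations for this IP" in detail:
        return "Accounts per IP Address"
    # Other limits are not mapped: the thread does not show their detail text.
    return "unclassified rate limit"

def analyse(log, window=timedelta(hours=3)):
    """Return (most account keys generated within any one window, rate limit hit or None)."""
    times, limit = [], None
    for line in log.splitlines():
        m = KEYGEN.match(line)
        if m:
            times.append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
            continue
        e = ACME_ERR.search(line)
        if e and e.group(1).endswith("rateLimited"):
            limit = classify(e.group(2))
    times.sort()
    worst = 0
    for i, start in enumerate(times):
        # Count key generations from this one up to `window` later.
        worst = max(worst, sum(1 for t in times[i:] if t - start <= window))
    return worst, limit

if __name__ == "__main__":
    count, limit = analyse(SAMPLE_LOG)
    print(f"account keys generated in busiest 3h window: {count}; limit hit: {limit}")
```

A client that reuses a single account generates its account key once, so any count above 1 in the log points to the account-per-run behaviour described in the reply.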

