How long before I can try again

Hi all.

My domain is: alistairscloud.org

I have Nextcloud on a raspberry pi and have been trying for 2 days to get Letsencrypt to give me a certificate.
I now find that after so many attempts using the Nextcloud Letsencrypt app, I'm now locked out and cannot try again.

[ letsencrypt ] (Mon Jan 9 19:05:25 GMT 2023)
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Requesting a certificate for alistairscloud.org
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/
Please see the logfiles in /var/log/letsencrypt for more details.

I then found Letsdebug.org:


All OK!
No issues were found with alistairscloud.org. If you are having problems 
with creating an SSL certificate, please visit the Let's Encrypt Community forums
and post a question there.

I can login to a root shell on my machine and on my desktop via the browser

Does this mean I actually fixed it, but ran out of tries that one too early?
How long before I can try again?

Cheers!
Alistair (You may have guessed).

1 Like

Hello @Alistair, welcome to the Let's Encrypt community. :slightly_smiling_face:

From here: Rate Limits - Let's Encrypt
"You can create a maximum of 300 New Orders per account per 3 hours. A new order is created each time you request a certificate from the Boulder CA, meaning that one new order is produced in each certificate request. Exceeding the New Orders limit is reported with the error message too many new orders recently."
and
"There is a Failed Validation limit of 5 failures per account, per hostname, per hour. This limit is higher on our staging environment, so you can use that environment to debug connectivity problems. Exceeding the Failed Validations limit is reported with the error message too many failed authorizations recently."

Testing and debugging are best done using the Staging Environment, and to assist with debugging, a great place to start is Let's Debug.

1 Like

Hi

As reported Lets Debug gives the all clear.
I don't understand

I just want to know how long I have to wait to try again.
Thanks.

1 Like

I think that wait is an hour.
But if you don't fix the problem, you will continue to exceed that limit and wait [over and over].
What you are essentially doing is TESTING.
You should do that on the testing/staging environment.

It seems you have not provided the correct web root path.
OR
Apache has failed you.

3 Likes

Also here is a list of issued certificates crt.sh | alistairscloud.org, the latest being 2022-10-17.
What has happened since 2022-10-17?

Let's Debug is a third party debugging tool to check a few things. It's meant as a tool, not as an ultimate answer to everything.

As the rate limit you're seeing is connected to your account, Let's Debug will never get the same error message, as it's using its own account.

It says so in the line you've quoted by Bruce.

Also, please use the staging environment if you're not doing so already (which seems to be the case if you're still seeing this specific error). First fix the actual problem which is preventing you from getting a certificate (which is not the "too many failed authorizations recently", but the error you were getting before that one) and only when you fixed that issue, continue on the production environment.

5 Likes

That was the day Nextcloud automatically upgraded, and everything stopped working.
I could SSH from my desktop, but that was all.
The cloud was lost, so I took the plunge yesterday, wiped the SD card and started again with the latest version.
All was going well, until I tried to connect it to the outside world.

I don't think I can use the staging environment as it's a raspberry pi with no browser.
Unless it can be done via the command line.
Let's Debug says "OK", but that's on my desktop.

1 Like

No, it is not yet fixed:
[condensed output - for clarity]

curl -Ii http://alistairscloud.org/.well-known/acme-challenge/Test_File-1234
HTTP/1.1 302 Found
Location: https://alistairscloud.org/.well-known/acme-challenge/Test_File-1234
curl -Iik https://alistairscloud.org/.well-known/acme-challenge/Test_File-1234
HTTP/2 302
location: https://alistairscloud.org/index.php/login

All HTTP challenge requests are redirected to HTTPS and those are sent to the login page.
That's a fail.

2 Likes
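The redirect check from the post above, written as a pre-flight script; this is an added example, not part of any post in the thread. The function names and the `preflight-` file name are assumptions, the first sample is constructed from the condensed curl output in the thread, and the second sample is constructed with a placeholder host.

```shell
#!/bin/sh
# Added example: classify the header chain printed by `curl -sIL` for an
# HTTP-01 pre-flight, so a failing setup is found before it costs a
# failed validation against the production rate limit.
CHALLENGE_PREFIX="/.well-known/acme-challenge/"

# Reads response headers (one block per hop) on stdin and prints:
#   ok               every redirect kept the challenge path, final status 200
#   left-path URL    a redirect pointed away from the challenge path
#   status-NNN       the final response was not 200
classify_chain() {
    awk -v prefix="$CHALLENGE_PREFIX" '
        { sub(/\r$/, "") }                      # curl keeps the CR of CRLF
        /^HTTP\// { status = $2; next }         # HTTP/1.1 302 Found, HTTP/2 302
        tolower($1) == "location:" {
            if (index($2, prefix) == 0) { print "left-path " $2; bad = 1; exit }
        }
        END {
            if (bad) exit
            if (status + 0 == 200) print "ok"; else print "status-" status
        }'
}

# Constructed sample: the two hops shown in the thread.
sample_failing() {
    printf '%s\n' 'HTTP/1.1 302 Found' \
        'Location: https://alistairscloud.org/.well-known/acme-challenge/Test_File-1234' '' \
        'HTTP/2 302' 'location: https://alistairscloud.org/index.php/login' ''
}

# Constructed sample: redirect to HTTPS that keeps the path, then 200.
sample_passing() {
    printf '%s\n' 'HTTP/1.1 301 Moved Permanently' \
        'Location: https://example.org/.well-known/acme-challenge/Test_File-1234' '' \
        'HTTP/2 200' 'content-type: text/plain' ''
}

# Live check (needs network and write access to the webroot); not run here.
# Usage: preflight alistairscloud.org /var/www/nextcloud
# If it prints "ok", rehearse against staging from the command line:
#   certbot certonly --webroot -w /var/www/nextcloud -d alistairscloud.org --dry-run
preflight() {
    dir="$2/.well-known/acme-challenge"; name="preflight-$$"
    mkdir -p "$dir" && echo test > "$dir/$name" || return 1
    curl -sILk --max-time 10 "http://$1$CHALLENGE_PREFIX$name" | classify_chain
    rm -f "$dir/$name"
}

printf 'thread sample: %s\n' "$(sample_failing | classify_chain)"
printf 'fixed sample:  %s\n' "$(sample_passing | classify_chain)"
```

The classifier flags the redirect itself rather than the final status, because following the chain to the login page ends in a 200 that would otherwise look like success.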

Can you restore the wiped SD card from its backup?
So that its configurations can be used as a working reference.

First thing I tried, but the fault was an upgrade failure, which wiped files in the root.
One of which was the config file to the USB, so no backups were made.
The new version couldn't see the USB, so no joy.

Are you saying I should use only http?

HTTP is much simpler, you already heard the request... why redirect it back to yourself [if to make the reply secure, the contents of those challenges (and replies) can be made public without concern]?

So, yes, dealing with the challenge request in HTTP is preferred.

That said, and reading that you were using --webroot and Apache ...
I would start by looking at this output:
sudo apachectl -t -D DUMP_VHOSTS

3 Likes

*:80                   localhost (/etc/apache2/sites-enabled/000-default.conf:1)
*:4443                 localhost (/etc/apache2/sites-enabled/ncp.conf:2)
*:443                  localhost (/etc/apache2/sites-enabled/nextcloud.conf:4)

oooh!

Is 4443 correct?
Certainly if I want to go to the nextcloud admin page, it's https://192.168.1.80:4443

I don't know... is it doing something for you?

I can say that using "localhost" is not a well-defined system.
What shows?:
grep -i root /etc/apache2/sites-enabled/000-default.conf

2 Likes

DocumentRoot /var/www/nextcloud

What was the complete command used when you last tried to get a cert?

2 Likes

Thank you.
I think it's worked...

Running letsencrypt
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Requesting a certificate for alistairscloud.org
Performing the following challenges:
http-01 challenge for alistairscloud.org
Using the webroot path /var/www/nextcloud for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/alistairscloud.org/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/alistairscloud.org/privkey.pem
   Your certificate will expire on 2023-04-09. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Installing template 'nextcloud.conf.sh'...
INFO: Letsencrypt domain is alistairscloud.org
INFO: Metrics enabled: no
Apache self check:
Syntax OK
System config value trusted_domains => 11 set to string alistairscloud.org
System config value trusted_domains => 3 set to string alistairscloud.org
System config value overwrite.cli.url set to string https://alistairscloud.org/
System config value trusted_proxies => 11 set to string 127.0.0.1
System config value trusted_proxies => 12 set to string ::1
System config value trusted_proxies => 13 set to string alistairscloud.org
System config value trusted_proxies => 14 set to string 192.168.1.80
Setup notify_push (attempt 1/3)
✓ redis is configured
✓ push server is receiving redis messages
✓ push server can load mount info from database
✓ push server can connect to the Nextcloud server
✓ push server is a trusted proxy
✓ push server is running the same version as the app
  configuration saved
Setup notify_push (attempt 2/3)
✓ redis is configured
✓ push server is receiving redis messages
✓ push server can load mount info from database
✓ push server can connect to the Nextcloud server
✓ push server is a trusted proxy
✓ push server is running the same version as the app
  configuration saved
Setup notify_push (attempt 3/3)
✓ redis is configured
✓ push server is receiving redis messages
✓ push server can load mount info from database
✓ push server can connect to the Nextcloud server
✓ push server is a trusted proxy
✓ push server is running the same version as the app
  configuration saved

1 Like

SSL Labs agrees:
https://www.ssllabs.com/ssltest/analyze.html?d=alistairscloud.org

2 Likes