How to check which rate limit was hit

Hello all,

I’ve built a tool to help people on GoDaddy shared hosting to get an SSL certificate for free, just by filling a few things on my website. Here is the tool: https://punchsalad.com/ssl-certificate-generator/

This tool is built on top of https://github.com/afosto/yaac Acme client, which works great. Once I went live with the tool I started to have issues where people are not able to get verification files for http-01 although their details (domains & email) are correct. I’m also able to reproduce the issue from time to time.

It seems the issue happens when a new client is created in the code, that’s where it fails.
Then after 30-60 mins, it works again. Without any issue. Also, it seems to happen more often when there are many users using the tool in a short period of time (within 30 mins or so).

I’m not able to debug this as I’m not sure which rate limit I’m hitting. I think it’s either “too many failed authorizations recently” or “too many registrations for this IP”. For the second I’m not sure I’m hitting that limit of 10 accounts per 3 hours. But also I have no way of validating this.

I tried to use Let’s Debug (Useful tool by the way!), but I’m kinda stuck.

I would appreciate any tips or help on how to solve this issue?

My website is with HostPapa web hosting and the shared IP address is: 69.90.163.80
Server is on Apache Version 2.4.43

Thanks!

Robert

Hi @tipswithpunch,

This information ought to be returned by your Let’s Encrypt client (in this case yaac). Have you inspected the error object that’s returned, or are you just calling yaac as a standalone tool and getting an overall success or failure back from it?

Wow, you are quick to reply @schoen!

From what I understand it’s just overall success or failure. Actually my code returns a status 500 if this happens. So it might be that yaac just doesn’t know what to do with it.

I was wondering if there is some way I can check manually what’s blocking the request?

The information about what’s blocking it is communicated in the ACME protocol between yaac and the CA, but I don’t think it’s available via any other web site or API. You can try to diagnose some rate limit issues with certificate transparency logs (which publicly show certificates that have been issued by CAs), but this won’t cover all of the cases. So I’m afraid you’re going to need to dig inside of yaac or at least parse text output from yaac or something (or use a different client which shows you the associated error information more explicitly). If yaac is just crashing when the error is received and not displaying or logging the error message anywhere, I think you’ll have to modify the yaac code or switch to a different ACME client in order to get access to this information.
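
The error information described in the reply above travels as a JSON problem document in the ACME HTTP response. The following is an added example, not part of the original thread and not yaac's own code, showing how a wrapper could classify that response and log it instead of returning a bare 500. It assumes the caller can obtain the status, headers and body of the failing response; the function name, labels and sample bodies are hypothetical and constructed.

```python
import json

RATE_LIMITED = "urn:ietf:params:acme:error:rateLimited"  # RFC 8555 error type

# Detail phrases quoted in the thread; the short labels are this example's own.
KNOWN_LIMITS = {
    "too many registrations for this ip": "registrations-per-ip",
    "too many failed authorizations recently": "failed-authorizations",
}

# Constructed sample bodies (not captured from a real CA response).
SAMPLE_REGISTRATIONS = json.dumps({
    "type": RATE_LIMITED, "status": 429,
    "detail": "too many registrations for this IP"})
SAMPLE_FAILED_AUTHZ = json.dumps({
    "type": RATE_LIMITED, "status": 429,
    "detail": "too many failed authorizations recently"})


def classify_acme_error(status, headers, body):
    """Summarize an ACME error response for logging instead of a bare 500."""
    result = {"status": status, "kind": "non-acme-error", "limit": None,
              "detail": None, "retry_after": None}
    try:
        problem = json.loads(body)
    except (TypeError, ValueError):
        return result  # not JSON: proxy error page, timeout, empty body
    if not isinstance(problem, dict):
        return result
    detail = str(problem.get("detail", ""))
    result["detail"] = detail
    # Header names are case-insensitive; Retry-After is optional.
    lowered_headers = {k.lower(): v for k, v in headers.items()}
    result["retry_after"] = lowered_headers.get("retry-after")
    if problem.get("type") != RATE_LIMITED:
        result["kind"] = "other-acme-error"
        return result
    result["kind"] = "rate-limited"
    result["limit"] = next(
        (label for phrase, label in KNOWN_LIMITS.items()
         if phrase in detail.lower()), "unrecognized")
    return result


if __name__ == "__main__":
    for body in (SAMPLE_REGISTRATIONS, SAMPLE_FAILED_AUTHZ, "<html>500</html>"):
        print(classify_acme_error(429, {"Retry-After": "3600"}, body))
```

Logging the returned dictionary together with a timestamp for each failed request shows which limit is being hit and how often, which is the information the 500 response was hiding.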

Okidoki, thanks for the tips & help Seth. I’ll try to dig deeper into yaac and maybe reach out to the yaac creator as well.

Have a great day!
Robert
