Welcome to the Let’s Encrypt Community
You pose a great question.
You can have a maximum of 300 Pending Authorizations on your account. Hitting this rate limit is rare, and happens most often when developing ACME clients. It usually means that your client is creating authorizations and not fulfilling them. Please utilize our staging environment if you’re developing an ACME client. Exceeding the Pending Authorizations limit is reported with the error message `too many currently pending authorizations`.
I feel like there are three steps to the process you are requesting, given that you know your account URL (or JWK), which you must if you’re asking the question that you are:
- Query for unfulfilled (not yet valid / no cert link) orders. (i.e. sift all orders for an account)
- Query for pending authorizations for each unfulfilled order. (i.e. sift authorizations for pending)
- Authorize a challenge for each pending authorization to get it to change state.
The first step I am searching for. The second step follows easily from the first. The third step is straightforwardly documented below. Accomplishing the first step might avoid the bold part below.
If you happen to know the combinations of domain names you were trying to certify, but never completed, you could submit “new” orders for them, which would result in “hooking into” your pending orders. You could then let them fail (or succeed), which would clear the pending authorizations.
Clearing Pending Authorizations
If you have a large number of pending authorization objects and are getting a Pending Authorizations rate limiting error, you can trigger a validation attempt for those authorization objects by submitting a JWS-signed POST to one of its challenges, as described in the ACME spec. The pending authorization objects are represented by URLs of the form https://acme-v02.api.letsencrypt.org/acme/authz/XYZ, and should show up in your client logs. Note that it doesn’t matter whether validation succeeds or fails. Either will take the authorization out of ‘pending’ state. If you do not have logs containing the relevant authorization URLs, you need to wait for the rate limit to expire. As described above, there is a sliding window, so this may take less than a week depending on your pattern of issuance.
Note that having a large number of pending authorizations is generally the result of a buggy client. If you’re hitting this rate limit frequently you should double-check your client code.
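An added example, not part of the original post or of Let's Encrypt's documentation: it pulls authorization URLs of the form quoted above out of client logs, then picks one challenge URL per authorization that is still pending. The function names, log lines, IDs and challenge URL paths are constructed; fetching each authorization object and sending the JWS-signed POST are left to your ACME client.

```python
import re

# URL form quoted in the post; the trailing ID is treated as opaque.
AUTHZ_RE = re.compile(
    r"https://acme-v02\.api\.letsencrypt\.org/acme/authz/[A-Za-z0-9_-]+")

def authz_urls_from_log(text):
    """Return the unique authorization URLs in a log, in first-seen order."""
    return list(dict.fromkeys(AUTHZ_RE.findall(text)))

def challenges_to_trigger(authz_by_url):
    """Map each still-pending authorization URL to one challenge URL.

    authz_by_url: {authz URL: authorization object as returned by the server
    (RFC 8555 section 7.1.4)}. A JWS-signed POST to the chosen challenge URL
    starts validation; success or failure both end the 'pending' state.
    """
    plan = {}
    for url, authz in authz_by_url.items():
        if authz.get("status") != "pending":
            continue  # already valid/invalid/expired: not counted as pending
        open_challs = [c["url"] for c in authz.get("challenges", [])
                       if c.get("status") == "pending"]
        if open_challs:
            plan[url] = open_challs[0]  # one challenge per authz is enough
    return plan

# Constructed sample data (IDs and challenge paths are placeholders).
BASE = "https://acme-v02.api.letsencrypt.org/acme/"
SAMPLE_LOG = f"""\
2024-01-01 10:00:01 new authz {BASE}authz/EXAMPLE-aaa
2024-01-01 10:00:02 new authz {BASE}authz/EXAMPLE-bbb.
2024-01-01 10:05:00 retrying {BASE}authz/EXAMPLE-aaa
"""
SAMPLE_AUTHZ = {
    BASE + "authz/EXAMPLE-aaa": {"status": "pending", "challenges": [
        {"type": "http-01", "status": "pending",
         "url": BASE + "challenge/EXAMPLE-aaa/1"},
        {"type": "dns-01", "status": "pending",
         "url": BASE + "challenge/EXAMPLE-aaa/2"}]},
    BASE + "authz/EXAMPLE-bbb": {"status": "valid", "challenges": [
        {"type": "http-01", "status": "valid",
         "url": BASE + "challenge/EXAMPLE-bbb/1"}]},
}

if __name__ == "__main__":
    print(authz_urls_from_log(SAMPLE_LOG))
    print(challenges_to_trigger(SAMPLE_AUTHZ))
```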