How to Protect Against Invalid Third-Party Domain Requests in Certbot?

In Certbot, it's possible for a third party to send multiple requests to any given domain, and by sending more than five requests, they can limit the domain requests for that domain. This can interfere with the certificate requests of legitimate developers. Are there any effective measures against this?

My domain is: (dummy)

I ran this command:
johndoe@ubuntu:~$ sudo certbot certonly --manual --server -d -m --agree-tos

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see Failed Validation Limit - Let's Encrypt
Ask for help or search for solutions at See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):

The operating system my web server runs on is (include version):
Ubuntu 22.04

Where did you get this information from?

Did you read the information on the linked page? Note the “per account” bit in the first sentence.

Switch to the staging environment by employing --dry-run flag, while issues persist.


The "Failed Authorizations" ratelimit is applied to the combination of a Hostname AND Account per hour. Including the Account in the limit protects the legitimate usage, as the illegitimate actor's actions will only affect their rate-limit, not yours.

You can also use CAA records to lock your domain to only allow specific CAs (like LetsEncrypt) and accounts (like yours) to process requests for a domain. See Enabling ACME CAA Account and Method Binding for some information and links to the RFCs


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.