I hit the rate limits on every domain I use due to me not checking the backing store of certs for my webserver :(


#1

Hi! I’ve messed up a “little” when trying a new webserver.

I was getting Traefik working this past week with a load of containers.

I assumed (to my mistake) it had stored all the certs into acme.json…

I restarted Traefik for the 5th time to test stuff, and suddenly all my domains stopped having a valid cert.

In the end, Traefik doesn’t say anything about acme.json not having the ideal permissions, and instead just stores everything in memory… so once I restarted Traefik 5 times, any new certs got denied (understandably, and that’s not LE’s fault at all)

Turns out that file was chmodded 655, when it should be 600. Once I fixed that the self-signed certs (that Traefik defaults to if it can’t renew) started being stored. Up until that point, the file was empty.

What I’m hoping is, can the domains listed above have the rate limits reset? I would appreciate this a lot…
I’ve fixed the underlying issue so it shouldn’t happen again.

I will submit an issue to the Traefik developers and see if they can make Traefik abort instead of store-in-memory if the file isn’t the write mask.

Sorry if this causes any trouble…

Thanks.

My domains are:

I ran this command:

[automatic renewal using Traefik]

It produced this output:

time="2019-02-17T17:10:24Z" level=error msg="Unable to obtain ACME certificate for domains \"www.apertron.com,apertron.com,xorkle.com,zack-piper.com\" detected thanks to rule \"Host:www.apertron.com,apertron.com,xorkle.com,zack-piper.com\" : unable to generate a certificate for the domains [www.apertron.com apertron.com xorkle.com zack-piper.com]: acme: Error -> One or more domains had a problem:\n[apertron.com] acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/finalize/51680121/319508345 :: urn:ietf:params:acme:error:rateLimited :: Error finalizing order :: too many certificates already issued for exact set of domains: apertron.com,www.apertron.com,xorkle.com,zack-piper.com: see https://letsencrypt.org/docs/rate-limits/, url: \n[www.apertron.com] acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/finalize/51680121/319508345 :: urn:ietf:params:acme:error:rateLimited :: Error finalizing order :: too many certificates already issued for exact set of domains: apertron.com,www.apertron.com,xorkle.com,zack-piper.com: see https://letsencrypt.org/docs/rate-limits/, url: \n[xorkle.com] acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/finalize/51680121/319508345 :: urn:ietf:params:acme:error:rateLimited :: Error finalizing order :: too many certificates already issued for exact set of domains: apertron.com,www.apertron.com,xorkle.com,zack-piper.com: see https://letsencrypt.org/docs/rate-limits/, url: \n[zack-piper.com] acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/finalize/51680121/319508345 :: urn:ietf:params:acme:error:rateLimited :: Error finalizing order :: too many certificates already issued for exact set of domains: apertron.com,www.apertron.com,xorkle.com,zack-piper.com: see https://letsencrypt.org/docs/rate-limits/, url: \n"

My web server is (include version):

Traefik 1.7.9

The operating system my web server runs on is (include version):

Arch Linux

I can login to a root shell on my machine (yes or no, or I don’t know):

Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

No
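The failure in post #1 is a persistence problem that only shows up as a rate-limit error much later: with the wrong mode on acme.json, Traefik kept certificates in memory and re-requested them on every restart. The following pre-flight check is an added example (not Traefik's own code) that a practitioner can run before restarting Traefik 1.x; it assumes the Traefik 1.x store layout (a top-level "Certificates" list whose entries carry "Domain": {"Main", "SANs"}) and uses a constructed sample store with placeholder PEM fields.

```python
"""Pre-flight check for a Traefik 1.x acme.json store before a restart.

Added example, not Traefik's code. Assumes the Traefik 1.x store layout
(top-level "Certificates" list, entries with "Domain": {"Main", "SANs"});
the sample store below is constructed and its PEM fields are placeholders.
"""
import json
import os
import stat
import tempfile


def check_store(path):
    """Return a list of problems with the ACME store at `path`.

    As the thread describes, Traefik 1.7 does not use an acme.json whose mode
    is not 0600 and keeps certificates only in memory, so every restart
    re-requests them and burns through the issuance limits.
    """
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["store does not exist (Traefik will start with an empty store)"]
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o600:
        problems.append("mode is %04o, expected 0600" % mode)
    if st.st_size == 0:
        problems.append("store is empty: no certificates have been persisted")
        return problems
    with open(path) as f:
        try:
            data = json.load(f)
        except ValueError:
            problems.append("store is not valid JSON")
            return problems
    if not data.get("Certificates"):
        problems.append("store contains no certificates")
    return problems


def stored_name_sets(path):
    """Return the exact set of names of every certificate persisted in the store."""
    with open(path) as f:
        data = json.load(f)
    sets = []
    for entry in data.get("Certificates") or []:
        dom = entry.get("Domain", {})
        names = {dom.get("Main")} | set(dom.get("SANs") or [])
        sets.append(frozenset(n for n in names if n))
    return sets


# Constructed sample store in the Traefik 1.x layout (placeholder PEM fields).
SAMPLE_STORE = {
    "Account": {"Email": "admin@example.com"},
    "Certificates": [
        {
            "Domain": {"Main": "example.com", "SANs": ["www.example.com"]},
            "Certificate": "PLACEHOLDER",
            "Key": "PLACEHOLDER",
        }
    ],
    "HTTPChallenges": {},
}


def demo():
    """Write the sample store with the thread's wrong mode, then the right one."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "acme.json")
    results = {}
    results["missing"] = check_store(path)
    with open(path, "w") as f:
        json.dump(SAMPLE_STORE, f)
    os.chmod(path, 0o655)  # the mode the thread's poster had
    results["mode_0655"] = check_store(path)
    os.chmod(path, 0o600)  # the mode Traefik requires
    results["mode_0600"] = check_store(path)
    results["name_sets"] = stored_name_sets(path)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it against the real store path (for example `check_store("/etc/traefik/acme.json")`) before each restart; an empty problem list means certificates are actually on disk and a restart will not trigger fresh issuances.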


#2

The rate limits can’t be reset.

You can work around the duplicate certificate rate limit by using different sets of names – for example, adding a useless subdomain, or splitting a "a.example.com, b.example.com" certificate into two “a.example.com” and “b.example.com” certificates.

I don’t know how flexible Traefik is, but adding useless (sub)domains should be possible.

You might want to add www.xorkle.com and www.zack-piper.com anyway.


#3

Why not? Are these not artificial rate limits?

I’ve observed other people having them reset.


#4

Artificial, software rate limits, but the software doesn’t have a “limit reset” interface/option.

I would very much like to see proof of this. When rate limits apply, one just has to wait for the set amount of time for the rate limit to be lifted, depending on the specific rate limit. See the documentation provided above.


#5

Oh, I guess I was wrong about the other people having it reset then, sorry.

Are there plans for a reset function to be implemented?


#6

No, there are not. Rate limits are there for a reason: limiting the stress on the systems of Let’s Encrypt (mainly the HSMs). If you’ve hit the rate limits, you’ve exhausted a lot of resources of Let’s Encrypt. You’ll just have to wait your time until you get “fresh” resources, just like anybody else.


#7

I appreciate the hostility. Really helps everyone.

This is not a rate limit at all seemingly.

I just got a new cert for all of them by simply adding www. to the beginning, as an additional domain, thereby obtaining a cert for the “ratelimited” domain also.

So… please tell me how the above doesn’t increase the amount of resources used? As opposed to just renewing the standalone cert.

Not only that but a week seems like a long time… but also useless given it can be evaded trivially.

just like anybody else

I don’t believe I was being entitled, I was simply asking for help and what options I have.

Your wording seems very patronizing, and seems like I’m a malicious user somehow.

I wasn’t intending to cause any issue, clearly I have, given your response.

Either way, it seems the rate limit isn’t limiting much…


#8

Just stating some facts, nothing personal.

It does. This new cert counts to the total of 20 certificates per domain per week. It’s just that the limit of 5 identical certificates per domain per week is a lower limit.


#9

The whole point of the “exact set of names limit” is to stop runaway systems.
The whole point of allowing any new set of names is to ensure that once a change has been made (presumably by a human), the counter is then virtually “reset”.

The evasion you conducted was exactly what was recommended to you to do:

We are trying to do our best to get you to where you want to be.
NOT:

I don’t know why you took it that way.

In fact, it was you who said some unfounded statements.
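Posts #8 and #9 describe two limits that interact: a low limit keyed on the exact set of names (which a runaway renewal loop hits first) and a higher per-registered-domain total that every certificate, including one with a widened name set, still counts toward. The model below is an added example, not Let's Encrypt's or Traefik's code; it uses the figures quoted in the thread (5 identical certificates and 20 per registered domain per week) as adjustable parameters rather than authoritative values, and approximates the registered domain as the last two labels, whereas the CA uses the Public Suffix List.

```python
"""Sliding-window model of the two rate limits discussed in the thread.

Added example, not Let's Encrypt's or Traefik's code. Thresholds are the
thread's figures (assumptions, not authoritative), and registered_domain()
is a two-label approximation of the Public Suffix List lookup the CA uses.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(days=7)
DUPLICATE_LIMIT = 5    # identical name sets per window (figure from the thread)
PER_DOMAIN_LIMIT = 20  # certificates per registered domain per window (thread's figure)


def registered_domain(name):
    """Approximation: last two labels ('www.a.example.com' -> 'example.com')."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def can_issue(history, names, now):
    """Decide whether a certificate for exactly `names` may be issued at `now`.

    `history` is a list of (timestamp, frozenset_of_names) for past issuances.
    Returns (allowed, reason).
    """
    wanted = frozenset(n.lower() for n in names)
    recent = [(t, s) for t, s in history if now - t < WINDOW]
    duplicates = sum(1 for _, s in recent if s == wanted)
    if duplicates >= DUPLICATE_LIMIT:
        return False, "too many certificates already issued for exact set of domains"
    for rd in {registered_domain(n) for n in wanted}:
        # A certificate counts once per registered domain it covers.
        count = sum(1 for _, s in recent if any(registered_domain(n) == rd for n in s))
        if count >= PER_DOMAIN_LIMIT:
            return False, "too many certificates already issued for %s" % rd
    return True, "ok"


def simulate_runaway_restarts():
    """Replay the thread: a renewal loop that never persists its certificates.

    Constructed scenario with example.com / example.net names.
    """
    names = frozenset({"example.com", "www.example.com", "example.net"})
    t0 = datetime(2019, 2, 17, 12, 0, 0)
    history = []
    outcomes = []
    # Six restarts ten minutes apart, each requesting the identical name set.
    for i in range(6):
        now = t0 + timedelta(minutes=10 * i)
        ok, _ = can_issue(history, names, now)
        outcomes.append(ok)
        if ok:
            history.append((now, names))
    # A widened set is a new "exact set" and is allowed, as #2 suggested...
    now = t0 + timedelta(hours=1)
    widened = names | {"www.example.net"}
    ok_widened, _ = can_issue(history, widened, now)
    if ok_widened:
        history.append((now, widened))
    # ...but it still counts toward example.com's per-domain total (#8).
    example_com_total = sum(
        1 for _, s in history if any(registered_domain(n) == "example.com" for n in s)
    )
    # Just past the window, the oldest identical issuance has aged out.
    later = t0 + WINDOW + timedelta(minutes=1)
    ok_after_window, _ = can_issue(history, names, later)
    return {
        "outcomes": outcomes,
        "widened_allowed": ok_widened,
        "example_com_total": example_com_total,
        "allowed_after_window": ok_after_window,
    }


if __name__ == "__main__":
    print(simulate_runaway_restarts())
```

The replay shows the shape of the thread: the sixth identical request is refused, a request with one extra name goes through immediately, and the per-domain counter keeps rising with it, which is why the widened certificate is not free of cost even though the duplicate limit no longer applies.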


#10

Understood, sorry.

Also understood, thanks for clarifying.

I misused “evasion”, my bad

Sorry, personal stuff was happening at the same time.

Thank you for the help all (genuinely), the issue is resolved.


#11

People in the future might read your question, so I thought I’d just lay out the reasons for the rate limits as plain as it gets, so nobody can get confused :wink: Sorry if it sounded rude.


#12

All’s well that ends well :slight_smile:


#13

No no it’s fine, my fault. :slight_smile:

