IP Blocked for 7 Days

We run into this issue occasionally and it can be a larger issue due to the time between retries. Are we able to get our IP unblocked so we are able to renew. We are working to stop this issue happening in the future.

My domain is: denovans.3cx.com.au

My web server is (include version): nginx

The operating system my web server runs on is (include version): Debian 9

My hosting provider, if applicable, is: Lightsail

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): 3cx control panel

Hi @jaredmicroed, welcome to the LE community forum :slight_smile:

LetsDebug shows:

You would have to ask for a rate limit increase.
EDIT: After rereading this... That FQDN should be allowed to renew. Please show the full error message recieved.
But if the rate is being hit because of faulty client or using the production system for testing, I don't think the request would be granted.
[Note: I have nothing to do with any such decision - feel free to ask for it]

If you don't mind me asking:

  • What is causing the problem?
  • What is being done to correct/overcome the problem?

[there may be other (future) readers that could benefit from any insight on this issue]

Here is something that might get you through this tight spot right away:
[and may be useful in spreading the load and reducing the chance of hitting rate limits]
[and seeing as the domain isn't using CAA records to force the use of LE only]

  • Try using another ACME enabled free cert CA service.
    Like: BuyPass or ZeroSSL
    To that end, which ACME client are you using?

Here is something to consider in order to keep from getting into this situation in the future:
[provided you aren't able to get a domain or account rate limit exception]

  • Try using shared wildcard certs wherever it makes sense.
    Like: Combining systems that are under the same administrative control onto the same wildcard.

Thank you for your reply it has been super helpful so far!

The problem is these domains are not ours and are issued through the 3cx pbx company so we may need to speak to them about perhaps using a different ssl provider as there are literally thousands of sudomains on 3cx.com.au.

So generally we have a restart of the server setup, at the wrong time which we are changing, that happens when the certificate tries to renew which causes another attempt which usually leads to a 7 day block.

We are going to retry the renewal once the 35 minutes expires and hopefully we will be okay.

1 Like

Which ACME client are you using?
And how is it configured to renew?

Note: Renewals should not be affected at all by this rate limit.
So I can only think that the renewal is somehow starting from scratch and asking for a whole new account and cert (BAD practice).
Which implies that NONE of the certs are being renewed - they are all been reissued as new.

I'm going to have to research as it's done as part of a tool that comes packaged with the pbx software. I'll see if I can find something in the logs that show the command and response.

1 Like

Someone needs to find the actual "renewal" code being applied and verify its' correctness.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.