Is it possible to reset rate limiting?

My domain is: dev.nebula.care

I ran this command:

I run the docker image certbot/route-53 and I had to renew my certs; the automation broke again because something changed in the docker image. While trying to fix it I was rate limited. I issue new certs every time they expire because it's a disposable docker image that runs and generates the certs.

I stupidly didn’t change the domain I was testing against and became rate limited. Is it possible to get the rate-limiting reset for my domain so I can re-generate new certs?

Nope.

Your only option is to evade the rate limit, for example, by using a unique set of domains on a certificate.

You can get the next time at which you can issue new certificates here.

awesome, not.

Is it possible to renew my existing ones if I change the code to copy them from s3 to the docker file?

What command would I run to renew them if I copy them back down to the docker file?

I'm not sure what you mean. Do you have your previous private keys and certificates in S3?

Yes, they are stored in S3. My Jenkins jobs utilize S3 as key storage with an encrypted bucket. Before I deploy my web proxy into Kubernetes it creates a Kubernetes secret with the cert…

    stage('Docker: Cert Generation') {
      steps {
        withCredentials([usernamePassword(credentialsId: 'aws.creds', passwordVariable: 'AWS_SECRET_KEY', usernameVariable: 'AWS_ACCESS_KEY')]) {
            sh """#!/usr/bin/env bash
                echo "FROM certbot/dns-route53" > Dockerfile
                # the ENV lines bake the AWS keys into the image layers
                echo "\nENV AWS_ACCESS_KEY_ID $AWS_ACCESS_KEY" >> Dockerfile
                echo "\nENV AWS_SECRET_ACCESS_KEY $AWS_SECRET_KEY" >> Dockerfile
                echo "\nENV AWS_DEFAULT_REGION $EC2_REGION" >> Dockerfile
                echo "\nRUN pip install awscli && certbot certonly -n --agree-tos --email $DOCKER_EMAIL --dns-route53 -d $DOMAIN && aws s3 cp /etc/letsencrypt/live/$DOMAIN/ s3://s3bucket/$TARGET_ENV/$DOMAIN --recursive" >> Dockerfile
                cat Dockerfile
                docker build .
                #docker rm -v `docker ps --filter status=exited -q 2>/dev/null` 2>/dev/null
                #docker rmi `docker images --filter dangling=true -q 2>/dev/null` 2>/dev/null
            """
        }
      }
    }

If I download the certs back to

/etc/letsencrypt/live/$DOMAIN/

what command would I run to renew them instead of generating new ones for certs that exist?

I have changed it to this to download the certs into the same folder it generates them but I’m trying to find the command to renew instead of generate if they exist.

    stage('Docker: Cert Generation') {
      steps {
        withCredentials([usernamePassword(credentialsId: 'aws.creds', passwordVariable: 'AWS_SECRET_KEY', usernameVariable: 'AWS_ACCESS_KEY')]) {
            sh """#!/usr/bin/env bash
                echo "FROM certbot/dns-route53" > Dockerfile
                echo "\nENV AWS_ACCESS_KEY_ID $AWS_ACCESS_KEY" >> Dockerfile
                echo "\nENV AWS_SECRET_ACCESS_KEY $AWS_SECRET_KEY" >> Dockerfile
                echo "\nENV AWS_DEFAULT_REGION $EC2_REGION" >> Dockerfile
                # awscli has to be installed before the first "aws s3 cp" runs
                echo "\nRUN pip install awscli && mkdir -p /etc/letsencrypt/live/$DOMAIN/ && aws s3 cp s3://s3bucket/$TARGET_ENV/$DOMAIN /etc/letsencrypt/live/$DOMAIN/ --recursive && certbot certonly -n --agree-tos --email $DOCKER_EMAIL --dns-route53 -d $DOMAIN && aws s3 cp /etc/letsencrypt/live/$DOMAIN/ s3://s3bucket/$TARGET_ENV/$DOMAIN --recursive" >> Dockerfile
                cat Dockerfile
                docker build .
                #docker rm -v `docker ps --filter status=exited -q 2>/dev/null` 2>/dev/null
                #docker rmi `docker images --filter dangling=true -q 2>/dev/null` 2>/dev/null
            """
        }
      }
    }

I am somewhat skeptical about this approach to certificate management, but if you want Certbot to “remember” previous certificates, you need to store the entire /etc/letsencrypt/ directory (preserving symlinks), as it needs more than just the live directory to track its state.

You might do that, and then adjust the certbot command to do an “issue, renew, or do nothing” workflow.

And you’d have to re-persist the state directory after Certbot runs, of course.
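The restore / "issue, renew, or do nothing" / re-persist loop described above, as an added example that is neither the poster's pipeline nor Certbot's own code. It uses a tarball so the live/ to archive/ symlinks survive the round trip, and `--keep-until-expiring` so a re-run with an unexpired cert does not touch the rate limit; `STATE_URI`, `LE_DIR`, the example domain and the function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example: restore the whole Certbot state directory, let certbot issue,
# renew, or do nothing, then persist the state again. Not the poster's pipeline
# nor Certbot's own code; STATE_URI, LE_DIR and the function names are assumed.
set -eu

LE_DIR="${LE_DIR:-/etc/letsencrypt}"      # full state: accounts/, archive/, live/, renewal/
STATE_URI="${STATE_URI:-s3://s3bucket/prod/letsencrypt.tar.gz}"   # assumed bucket key
DOMAIN="${DOMAIN:-dev.example.test}"        # placeholder domain
DOCKER_EMAIL="${DOCKER_EMAIL:-ops@example.test}"

# --keep-until-expiring turns certonly into "issue, renew, or do nothing": a
# matching cert that is not yet due is kept, so a re-run costs no rate limit.
# A third argument of "yes" adds --dry-run for testing pipeline changes.
certbot_args() {   # certbot_args <domain> <email> [yes]
  local args="certonly -n --agree-tos --email $2 --dns-route53 -d $1 --keep-until-expiring"
  if [ "${3:-no}" = "yes" ]; then args="$args --dry-run"; fi
  printf '%s\n' "$args"
}

# tar keeps the live/ -> ../../archive/ symlinks that certbot relies on; a
# recursive object-store copy of live/ alone flattens them into plain files.
persist_state() {   # persist_state <state-dir> <tarball>
  tar -C "$(dirname "$1")" -czf "$2" "$(basename "$1")"
}

restore_state() {   # restore_state <tarball> <parent-dir>
  [ -s "$1" ] || return 0      # first run: nothing to restore, certbot will issue
  tar -C "$2" -xzf "$1"
}

# Number of symlinks in live/<domain> after a restore; 0 means state was flattened.
live_symlinks() {   # live_symlinks <state-dir> <domain>
  find "$1/live/$2" -maxdepth 1 -type l | wc -l | tr -d ' '
}

main() {
  local tarball; tarball="$(mktemp)"
  aws s3 cp "$STATE_URI" "$tarball" || true        # missing on the very first run
  restore_state "$tarball" "$(dirname "$LE_DIR")"
  # shellcheck disable=SC2046  (intentional word splitting of the argument list)
  certbot $(certbot_args "$DOMAIN" "$DOCKER_EMAIL" "${DRY_RUN:-no}")
  persist_state "$LE_DIR" "$tarball"                # re-persist after certbot ran
  aws s3 cp "$tarball" "$STATE_URI"
}

if [ "${RUN_MAIN:-no}" = "yes" ]; then main; fi
```

Run with `RUN_MAIN=yes` inside the certbot/dns-route53 container (after `pip install awscli`); set `DRY_RUN=yes` while testing changes to the pipeline.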

Ahh alright, well I’m not sure I’m going to be able to do that today. If the automation wouldn’t keep breaking because your docker image keeps changing it wouldn’t be an issue. The pattern of just creating new certs automatically when they expire has worked so far, but I’m stupid and forgot to add --dry-run or change the domain when trying to fix it this time. Last time pip install failed for awscli; this time, it changed from having the certs in /etc/letsencrypt/live to /etc/letsencrypt/live/domain and I ran it too many times before I caught it.

Thanks for your help. Not sure what I’m going to do for the domain right now; maybe I’ll just generate the cert somewhere else for now until my limit is up.

Thanks.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.