Assume I’m sending new-authz that ends up with “Error creating new authz :: too many currently pending authorizations: see https://letsencrypt.org/docs/rate-limits/” XX times.
Does that count as a new authorization and is it counted as a new request in the rate limit engine? Or is it simply returning an error but doesn’t increase the authorization limit counter?
Pending authzs aren't related to orders - they can build up over a significantly longer period. Waiting 3 hours won't help, since they stay pending for much longer.
If your ACME client logs the authz URLs, you can try using Let's Debug Toolkit to clear them out.
Even though that authz is pending, it is expired, so it doesn’t actually count. It can’t be “failed” precisely because it is already expired.
~100k authzs on a single ACME account is quite a lot … I imagine that 300 authzs could have easily gotten lost in the mix somehow (network timeouts when talking to the ACME service or whatever). What type of service are you running?
Hosting, so a ton of domains and subdomains (not using wildcards yet). Software here synchronizes authorization statuses that are pending. I guess we need to adjust it to stop synchronizing for old ones regardless of their status, since it seems the ACME server doesn’t change the status, like in this case.
Uf. Found “lost” authorizations and invalidated these.
The clear-authz tool was useful (would be nice if it could find authorizations based on /acme/challenge/IDENTIFIER URLs, too, because here somehow /acme/authz/ URLs were not logged while /acme/challenge/ were).
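An added example, not code from any poster in this thread: a client-side triage of stored authorization objects that separates pending authzs that are still unexpired from pending ones that have already expired and can be dropped from status synchronization. The function names, bucket names and `acme.example` URLs are hypothetical; only the `status` and `expires` fields of the authorization object are assumed.

```python
from datetime import datetime, timezone

# Constructed sample: authz URL -> authorization object as fetched from the
# ACME server. Only "status" and "expires" are used; the URLs are placeholders.
SAMPLE_AUTHZS = {
    "https://acme.example/acme/authz/aaa": {"status": "pending", "expires": "2018-03-10T12:00:00Z"},
    "https://acme.example/acme/authz/bbb": {"status": "pending", "expires": "2018-02-01T12:00:00Z"},
    "https://acme.example/acme/authz/ccc": {"status": "valid", "expires": "2018-04-01T12:00:00Z"},
    "https://acme.example/acme/authz/ddd": {"status": "pending"},
}


def parse_expires(value):
    """Parse an RFC 3339 UTC timestamp such as 2018-03-10T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(authzs, now):
    """Sort authorizations into three buckets (hypothetical names):

    live_pending - pending and not yet expired; complete or deactivate these
    stop_syncing - pending but expired; the status will not change, stop polling
    settled      - any status other than pending
    """
    buckets = {"live_pending": [], "stop_syncing": [], "settled": []}
    for url, authz in sorted(authzs.items()):
        if authz.get("status") != "pending":
            buckets["settled"].append(url)
            continue
        expires = authz.get("expires")
        # No expiry recorded locally: treat it conservatively as still live.
        if expires is None or parse_expires(expires) > now:
            buckets["live_pending"].append(url)
        else:
            buckets["stop_syncing"].append(url)
    return buckets


if __name__ == "__main__":
    now = datetime(2018, 3, 1, tzinfo=timezone.utc)  # constructed "current time"
    for bucket, urls in triage(SAMPLE_AUTHZS, now).items():
        print(bucket, len(urls))
```

The `live_pending` URLs are the ones worth handing to a cleanup tool; the `stop_syncing` ones only need to be dropped from the local synchronization queue.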