Is a new-authz that ends with a rate limit error counted against the rate limit?

Hi.

Assume I’m sending new-authz that ends up with “Error creating new authz :: too many currently pending authorizations: see https://letsencrypt.org/docs/rate-limits/” XX times.

Does that count as a new authorization, and is it counted as a new request in the rate limit engine? Or is it simply returning an error without increasing the authorization limit counter?

Hi @arek

No, it's not. But why do you create so many - 300 - new orders in 3 hours?

Normally, that should not happen. Looks like your client is very buggy.

Pending authzs aren't related to orders - they can build up over a significantly longer period. Waiting 3 hours won't help, since they stay pending for much longer.

If your ACME client logs the authz URLs, you can try using the Let's Debug Toolkit to clear them out.

Checked ~100 000 /acme/authz from a few days before the problem and only 1 was pending. Checking earlier days.

Q:
https://acme-v01.api.letsencrypt.org/acme/authz/MimT6mE9nTTUk8K9gm78kDqkW2v71O40SRDcrA3tbr4

past expiration date, yet “pending”, why? And clear-authz cannot fail it.

Even though that authz is pending, it is expired, so it doesn’t actually count. It can’t be “failed” precisely because it is already expired.

~100k authzs on a single ACME account is quite a lot … I imagine that 300 authzs could have easily gotten lost in the mix somehow (network timeouts when talking to the ACME service or whatever). What type of service are you running?

(For what it’s worth I had the exact same question about pending expired authzs …).

Hosting, so a ton of domains and subdomains (not using wildcards yet). Software here synchronizes authorization statuses that are pending. I guess we need to adjust it to stop synchronizing for old ones regardless of their status, since it seems the ACME server doesn’t change the status, as in this case.

Yeah, I had to make the same fix. I think it’s probably a side effect of

because other expired authzs are not available …
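The client-side fix discussed above, sketched as an added example (not code from any poster's client): it treats a "pending" authz whose `expires` time has passed as stale, following the thread's observation that such authzs no longer count and cannot be failed. The `acme.example` URLs, the sample objects and the `triage` helper name are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# RFC 3339 timestamp as found in an authz "expires" field; fraction is optional.
_RFC3339 = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.\d+)?(Z|[+-]\d{2}:\d{2})$"
)

def parse_expires(value):
    """Parse an RFC 3339 timestamp into an aware datetime (fraction dropped)."""
    m = _RFC3339.match(value)
    if not m:
        raise ValueError(f"not an RFC 3339 timestamp: {value!r}")
    base, tz = m.groups()
    return datetime.fromisoformat(base + ("+00:00" if tz == "Z" else tz))

def triage(authzs, now):
    """Split {authz_url: authz_json} into (live, stale, final) URL lists.

    live  : status "pending" and not yet expired -> keep syncing / deactivate
    stale : status "pending" but already expired -> stop syncing, nothing to fail
    final : any other status (valid, invalid, deactivated, ...)
    """
    live, stale, final = [], [], []
    for url, authz in authzs.items():
        if authz.get("status") != "pending":
            final.append(url)
        elif "expires" in authz and parse_expires(authz["expires"]) <= now:
            stale.append(url)
        else:
            # No "expires" field: stay conservative and treat it as live.
            live.append(url)
    return live, stale, final

# Constructed sample data, shaped like ACME authorization objects.
BASE = "https://acme.example/acme/authz/"
SAMPLE = {
    BASE + "aaa": {"status": "pending", "expires": "2018-06-01T00:00:00Z"},
    BASE + "bbb": {"status": "pending", "expires": "2018-07-10T12:00:00.123456789Z"},
    BASE + "ccc": {"status": "valid", "expires": "2018-08-01T00:00:00Z"},
    BASE + "ddd": {"status": "pending"},
}
NOW = datetime(2018, 6, 20, tzinfo=timezone.utc)

if __name__ == "__main__":
    live, stale, final = triage(SAMPLE, NOW)
    print("still pending:", live)
    print("expired, skip:", stale)
    print("final status: ", final)
```
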

Uf. Found “lost” authorizations and invalidated these.

The clear-authz tool was useful (it would be nice if it could find authorizations based on /acme/challenge/IDENTIFIER URLs, too, because here somehow /acme/authz/ URLs were not logged while /acme/challenge/ were).

The order-url (location-header of an order-response) should be logged.

Looks like

https://acme-staging-v02.api.letsencrypt.org/acme/order/yourAccountId/newOrderId

There you can find the /acme/authz/ URLs.
