Hello, I need help. Can I get direct customer support? I need urgent help.
I am trying to renew Let's Encrypt but it is failing at first, and now it is refusing to let me try.
I was using letsencrypt renew
It is causing this error:
Attempting to renew cert from /etc/letsencrypt/renewal/updates-0.chat.ondr.co.conf produced an unexpected error: Failed authorization procedure. updates-41.chat.ondr.co (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout,
I did it without webroot and by disabling Nginx.
Now I updated to certbot and tried with webroot, but it causes a new error:
Attempting to renew cert from /etc/letsencrypt/renewal/chat.ondr.co.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new authz :: Too many invalid authorizations recently.. Skipping.
It is a production system of a startup with thousands of active users and I need urgent help. Please…
Please fill out the new Help topic template questions:
Please fill out the fields below so we can help you better.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Have you seen the rate limit documentation? The pending authorization rate limit is explained there. It is applied across a 7-day window, and a process for deactivating pending authorizations is listed. This limit is also applied per account, so switching to a new account would resolve this as a hacky workaround. You should investigate why your ACME client is leaking pending authorizations, as this is typically the result of a bug. Are you using the latest version of whichever client you're running?
Do you want to expand and replace this existing certificate with the new
certificate?
-------------------------------------------------------------------------------
(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for chat.ondr.co
http-01 challenge for updates-0.chat.ondr.co
http-01 challenge for updates-1.chat.ondr.co
http-01 challenge for updates-2.chat.ondr.co
http-01 challenge for updates-3.chat.ondr.co
http-01 challenge for updates-4.chat.ondr.co
http-01 challenge for updates-5.chat.ondr.co
http-01 challenge for updates-6.chat.ondr.co
http-01 challenge for updates-7.chat.ondr.co
http-01 challenge for updates-8.chat.ondr.co
http-01 challenge for updates-9.chat.ondr.co
http-01 challenge for updates-10.chat.ondr.co
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Challenge failed for domain updates-1.chat.ondr.co
Challenge failed for domain updates-2.chat.ondr.co
Challenge failed for domain updates-6.chat.ondr.co
Cleaning up challenges
At least for this authorization the problem was the CAA response. Who is your DNS provider? They shouldn't return a SERVFAIL for CAA record types. If you search the forum you should be able to find other instances where this has been a problem for users.
Let's Encrypt doesn't mandate that you have a CAA record, but we do require that your authoritative DNS server(s) support being asked about CAA records.
What is weird is that it is happening randomly on each run.
Sometimes those that failed now succeed, and those that succeeded now fail.
Also there are A record errors and some where the IP is not returned; I am digging through the logs.
I would recommend opening a support ticket with Cloudflare to address this issue - my understanding is that they should support CAA and this behaviour may be the result of a bug. It won't be resolvable from the Let's Encrypt side.
That definitely makes me feel like Cloudflare's DNS is acting up. Let's Encrypt chooses an authoritative DNS server at random for each authorization, so it's possible only a subset of Cloudflare's DNS servers are faulty and returning SERVFAIL for CAA record types.
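Added example, not from this thread and not Let's Encrypt's or Cloudflare's tooling: a POSIX shell script that checks what the two replies above describe. It looks up the zone's NS set, queries each authoritative server directly (not the local resolver) for CAA, and does so at every label Let's Encrypt would walk up from the hostname to the zone apex, reporting the rcode each server returns. The hostnames in the usage comment are taken from the thread; the zone apex argument and the sample dig header used to show the parsing are assumptions/constructed.

```shell
# Added example: probe every authoritative nameserver for CAA at each label
# Let's Encrypt checks, and flag servers that answer SERVFAIL (or not at all).

# Constructed sample of a dig header line, used to demonstrate parsing.
SAMPLE_SERVFAIL_HEADER=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242'

# rcode_of: extract the rcode (NOERROR, NXDOMAIN, SERVFAIL, ...) from dig output.
# Prints nothing if dig produced no header, e.g. on a timeout.
rcode_of() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# classify_caa_rcode: a CAA lookup may legitimately return no records, but it
# must return a clean rcode. NOERROR or NXDOMAIN is fine; SERVFAIL is the
# failure mode discussed in the thread; no rcode at all means no answer.
classify_caa_rcode() {
    case "$1" in
        NOERROR|NXDOMAIN) echo "ok" ;;
        SERVFAIL)         echo "broken (SERVFAIL on CAA)" ;;
        "")               echo "no answer (timeout?)" ;;
        *)                echo "unexpected rcode $1" ;;
    esac
}

# caa_tree_names: print the hostname and each parent label down to the apex,
# since CAA is evaluated at every level, not only at the hostname itself.
caa_tree_names() {
    n="$1"; apex="$2"
    while :; do
        printf '%s\n' "$n"
        [ "$n" = "$apex" ] && break
        case "$n" in *.*) n="${n#*.}" ;; *) break ;; esac
    done
}

# check_caa HOSTNAME ZONE_APEX: query every authoritative server of the zone
# for CAA at every label of HOSTNAME, one line of output per (name, server).
check_caa() {
    name="$1"; apex="$2"
    servers=$(dig +short NS "$apex")
    for qname in $(caa_tree_names "$name" "$apex"); do
        for ns in $servers; do
            out=$(dig +norecurse +time=5 +tries=1 @"$ns" "$qname" CAA 2>/dev/null)
            rc=$(rcode_of "$out")
            printf '%-28s %-30s %-9s %s\n' "$qname" "$ns" "${rc:-NONE}" \
                "$(classify_caa_rcode "$rc")"
        done
    done
}

# Usage (needs network and dig); the zone apex is assumed to be ondr.co:
#   check_caa updates-1.chat.ondr.co ondr.co
```

Run it repeatedly: because the CA picks an authoritative server at random per authorization, a fault on only one or two servers shows up as intermittent failures exactly like the ones reported in this thread, and the per-server output makes the faulty ones visible rather than averaging them away as a recursive resolver does.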
Ah, that is going to be hard. But all those domains resolve properly in my local nslookups and … nslookups from Digital Ocean servers.
Also, am I hitting the weekly limit even if the cert fails?