Let's Encrypt refusing to connect to my domain on renew, and now it is saying limit reached

Hello, I need help. Can I get direct customer support? I need urgent help.
I am trying to renew Let's Encrypt but it is failing at first, and now it is refusing to let me try.
I was using letsencrypt renew
It is causing this error:

Attempting to renew cert from /etc/letsencrypt/renewal/updates-0.chat.ondr.co.conf produced an unexpected error: Failed authorization procedure. updates-41.chat.ondr.co (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout,

I did it without webroot and by disabling Nginx.

Now I updated to certbot and tried with webroot, but it causes a new error:

Attempting to renew cert from /etc/letsencrypt/renewal/chat.ondr.co.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new authz :: Too many invalid authorizations recently.. Skipping.

It is a production system of a startup with thousands of active users and I need urgent help. Please…

Hi @v3ss0n,

Please fill out the new Help topic template questions:

Please fill out the fields below so we can help you better.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

Have you seen the rate limit documentation? The pending authorization rate limit is explained there. It is applied across a 7 day window and a process for deactivating pending authorizations is listed. This limit is also applied per-account so switching to a new account would resolve this as a hacky workaround. You should investigate why your ACME client is leaking pending authorizations as this is typically the result of a bug. Are you using the latest version of whichever client you’re running?

The rate limit has now expired, so I am using staging. Progress so far.

  • My domain is: chat.ondr.co
  • My web server is Nginx
  • The OS is Ubuntu 16.04
  • Hosted on: Digital Ocean
  • Root: yes
  • CP: no
  • certbot 0.14.2

Here is what I found out.

  • the main domain chat.ondr.co is fine
  • the other domains, which are a wildcard record in DNS, are randomly failing
sudo certbot --staging certonly --webroot --webroot-path /var/www/html/ -d chat.ondr.co -d updates-0.chat.ondr.co -d updates-1.chat.ondr.co -d updates-2.chat.ondr.co -d updates-3.chat.ondr.co -d updates-4.chat.ondr.co -d updates-5.chat.ondr.co -d updates-6.chat.ondr.co -d updates-7.chat.ondr.co -d updates-8.chat.ondr.co -d updates-9.chat.ondr.co -d updates-10.chat.ondr.co --allow-subset-of-names

Do you want to expand and replace this existing certificate with the new
certificate?
-------------------------------------------------------------------------------
(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for chat.ondr.co
http-01 challenge for updates-0.chat.ondr.co
http-01 challenge for updates-1.chat.ondr.co
http-01 challenge for updates-2.chat.ondr.co
http-01 challenge for updates-3.chat.ondr.co
http-01 challenge for updates-4.chat.ondr.co
http-01 challenge for updates-5.chat.ondr.co
http-01 challenge for updates-6.chat.ondr.co
http-01 challenge for updates-7.chat.ondr.co
http-01 challenge for updates-8.chat.ondr.co
http-01 challenge for updates-9.chat.ondr.co
http-01 challenge for updates-10.chat.ondr.co
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Challenge failed for domain updates-1.chat.ondr.co
Challenge failed for domain updates-2.chat.ondr.co
Challenge failed for domain updates-6.chat.ondr.co
Cleaning up challenges

Do you have a detailed log from a failing domain?

      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:acme:error:connection",
        "detail": "DNS problem: SERVFAIL looking up CAA for updates-1.chat.ondr.co",
        "status": 400
      },
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/yHzixedSnuoazxRy1YkrUh9O-9J3Wn7ppfmyUax0_ew/44892565",
      "token": "LkbLI5cjuvlyPgqIU1yH4pR_ajp0J6WOc1swL2ZyWdQ",
      "keyAuthorization": "LkbLI5cjuvlyPgqIU1yH4pR_ajp0J6WOc1swL2ZyWdQ.M_RdIJiDHD-qnX3vtPye1X7i1M2UdwhU7QppCeQnk4Y",
      "validationRecord": [
        {
          "url": "http://updates-1.chat.ondr.co/.well-known/acme-challenge/LkbLI5cjuvlyPgqIU1yH4pR_ajp0J6WOc1swL2ZyWdQ",
          "hostname": "updates-1.chat.ondr.co",
          "port": "80",
          "addressesResolved": [
            "188.166.216.59"
          ],
          "addressUsed": "188.166.216.59",

At least for this authorization the problem was the CAA response. Who is your DNS provider? They shouldn’t return a SERVFAIL for CAA record types. If you search the forum you should be able to find other instances where this has been a problem for users.

Let’s Encrypt doesn’t mandate that you have a CAA record, but we do require that your authoritative DNS server(s) support being asked about CAA records.

The DNS provider is Cloudflare, which I do not have control over.

What is weird is that it is happening randomly on each run.
Sometimes those that failed have now succeeded again, and those that succeeded are now failing.
Also there are A record errors and some with no IP returned; I am digging through the logs.

I would recommend opening a support ticket with Cloudflare to address this issue - my understanding is that they should support CAA and this behaviour may be the result of a bug. It won’t be resolvable from the Let’s Encrypt side.

That definitely makes me feel like Cloudflare’s DNS is acting up. Let’s Encrypt chooses an authoritative DNS server at random for each authorization, so it’s possible only a subset of Cloudflare’s DNS servers are faulty and returning SERVFAIL for CAA record types.

Ah, that is going to be hard. But all those domains resolve properly in my local nslookups and … nslookups from Digital Ocean servers.
Also, am I hitting the weekly limit even if the cert fails?

They only hit the failed validations limit, which only lasts an hour. You can still switch accounts to bypass it, but waiting is probably fine.

The weekly limit is not being hit yet if it fails, right?

Oops! Good catch. I thought it was the pending authorizations rate limit. My mistake! Please listen to @mnordhoff in regards to the rate limit error 🙂

So should I try now without staging?? … I am scared…

Both the “Certificates per Registered Domain” and “Duplicate Certificate” limits only count successful issuances, not failures.

Are you querying all of the authoritative domain servers explicitly for the CAA record type? That’s the issue, not generic domain resolution.

I only did nslookup chat.ondr.co, nslookup updates-1.chat.ondr.co, etc.

I still recommend:

This is not testing the CAA resolution or using all of the authoritative DNS servers.

https://www.cloudflarestatus.com/ shows there seem to be problems with SSL provisioning, but I am not sure it is due to that.
I will file a support ticket.

By the way… The DNS provider isn’t Cloudflare, or at least not Cloudflare’s hosted DNS service.

It’s DigitalOcean, which uses Cloudflare DNS Firewall.

Trying myself, I think the DNS service is having trouble right now. Some queries work, some queries return SERVFAIL, regardless of record type.

I’d guess it’s a problem with DigitalOcean, or maybe Cloudflare’s DNS Firewall, but who knows.

Edit:

DigitalOcean status doesn’t show any problems right now, but they did have a similar-sounding DNS outage a week ago.


Try:

# Set DOMAIN, then ask each authoritative nameserver for CAA (type 257)
# Note: the assignment must be on its own line (or followed by ';'),
# otherwise the shell treats "for" as a command name and fails to parse.
DOMAIN=sometestdomain.com
for server in $(dig +short ns "$DOMAIN"); do
  dig "$DOMAIN" TYPE257 @"$server"
done

Make sure to change DOMAIN to a domain you are seeing fail.
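As an added example (not code from anyone in this thread), the loop above generalised into a small script. It covers the two points made earlier: Let's Encrypt picks one authoritative server at random per authorization, so every server must be asked, and the thing to ask for is the CAA record type, not ordinary A resolution. It also handles the case the one-liner does not: a hostname such as updates-1.chat.ondr.co has no NS records of its own, so `dig +short ns` on it prints nothing; the script walks up the labels to find the enclosing zone first. It assumes `dig` is installed; the hostnames and the sample dig header lines are constructed for illustration and the function names are my own.

```shell
#!/usr/bin/env bash
# Added example: query every authoritative nameserver for the CAA record of a
# host and flag any server that answers SERVFAIL (or does not answer at all).
# Assumes `dig` (bind9-dnsutils / bind-utils) is installed.

# Extract the rcode from full (non +short) dig output, e.g. the header line
# ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12345".
# Prints NOERROR, NXDOMAIN, SERVFAIL, ... or NORESPONSE when there is no
# header at all (timeout, server unreachable).
dig_status() {
  local status
  status=$(printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  printf '%s\n' "${status:-NORESPONSE}"
}

# Strip the leftmost label: updates-1.chat.ondr.co -> chat.ondr.co.
# Prints nothing once only a single label is left.
parent_label() {
  case "$1" in
    *.*) printf '%s\n' "${1#*.}" ;;
    *)   printf '\n' ;;
  esac
}

# Walk up from a hostname until a name with NS records is found and print it
# (updates-1.chat.ondr.co -> chat.ondr.co -> ondr.co). Needs network.
find_zone() {
  local name="$1"
  while [ -n "$name" ]; do
    if [ -n "$(dig +short NS "$name")" ]; then
      printf '%s\n' "$name"
      return 0
    fi
    name=$(parent_label "$name")
  done
  return 1
}

# Ask each authoritative server of the enclosing zone for CAA (TYPE257) of $1.
# NOERROR (possibly with an empty answer) and NXDOMAIN are fine for issuance;
# anything else from any single server can explain "random" validation
# failures, because the CA chooses one of these servers per authorization.
check_caa() {
  local host="$1" zone server out status rc=0
  zone=$(find_zone "$host") || { echo "no NS records found above $host" >&2; return 2; }
  for server in $(dig +short NS "$zone"); do
    out=$(dig +time=3 +tries=1 "$host" TYPE257 "@$server") || true
    status=$(dig_status "$out")
    printf '%-32s %-28s %s\n' "$host" "$server" "$status"
    [ "$status" = "NOERROR" ] || [ "$status" = "NXDOMAIN" ] || rc=1
  done
  return $rc
}

# Constructed dig header lines, used to exercise dig_status offline.
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12345'
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346'

# Usage (needs network), e.g. for one of the failing names from the thread:
#   check_caa updates-1.chat.ondr.co
```

Run `check_caa` for each name that failed validation; a non-zero exit means at least one authoritative server answered something other than NOERROR or NXDOMAIN for the CAA query, which is the condition the CA trips over.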