Let's Encrypt refusing to connect to my domain on renew, and now it is saying limit reached

Oops! Good catch. I thought it was the pending authorizations rate limit. My mistake! Please listen to @mnordhoff in regards to the rate limit error :slight_smile:

So should I try now without staging?? … I am scared…

Both the "Certificates per Registered Domain" and "Duplicate Certificate" limits only count successful issuances, not failures.

Are you querying all of the authoritative domain servers explicitly for the CAA record type? That's the issue, not generic domain resolution.

I only did nslookup chat.ondr.co, nslookup updates-1.chat.ondr.co, etc.

I still recommend:

This is not testing the CAA resolution or using all of the authoritative DNS servers.

https://www.cloudflarestatus.com/ seems to show problems with SSL Provisioning, but I'm not sure whether it's due to that.
I will file a support ticket.

By the way… The DNS provider isn’t Cloudflare, or at least not Cloudflare’s hosted DNS service.

It’s DigitalOcean, which uses Cloudflare DNS Firewall.

Trying myself, I think the DNS service is having trouble right now. Some queries work, some queries return SERVFAIL, regardless of record type.

I’d guess it’s a problem with DigitalOcean, or maybe Cloudflare’s DNS Firewall, but who knows.

Edit:

DigitalOcean status doesn’t show any problems right now, but they did have a similar-sounding DNS outage a week ago.


Try:
DOMAIN=sometestdomain.com
for server in $(dig +short ns $DOMAIN); do dig $DOMAIN type257 @$server; done

Make sure to change DOMAIN to a domain you are seeing fail.
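The loop above asks every authoritative server for the CAA record, which is what the CA does before issuing. The script below is an added example, not code from this thread, that does the same check with two refinements a practitioner usually wants: it walks up from the hostname to the zone apex before listing nameservers (dig +short ns chat.ondr.co prints nothing when the NS set lives at ondr.co, so the loop as written silently does zero queries for a hostname), and it classifies each server's reply (TIMEOUT, SERVFAIL, NODATA, CAA present) so an intermittently failing provider stands out instead of being buried in raw dig output. It needs dig installed; the hostnames in the comments are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): check CAA resolution the way a CA
# does, at every authoritative nameserver of the zone, and classify each
# reply so a flaky provider (some SERVFAIL, some timeouts) is obvious.
# Requires dig. Hostnames mentioned in comments are placeholders.

set -u

# Classify one captured dig output. Prints exactly one of:
#   TIMEOUT   no reply at all ("connection timed out; no servers could be reached")
#   SERVFAIL  the server answered but failed to resolve
#   NODATA    NOERROR with an empty ANSWER section: no CAA at this label;
#             a CA then goes on to check the parent name
#   CAA       NOERROR with one or more records in the answer
#   OTHER     anything else (NXDOMAIN, REFUSED, ...)
classify_dig_output() {
  local out="$1"
  if printf '%s\n' "$out" | grep -q 'connection timed out'; then
    echo TIMEOUT
  elif printf '%s\n' "$out" | grep -q 'status: SERVFAIL'; then
    echo SERVFAIL
  elif printf '%s\n' "$out" | grep -q 'status: NOERROR'; then
    if printf '%s\n' "$out" | grep -q 'ANSWER: 0,'; then
      echo NODATA
    else
      echo CAA
    fi
  else
    echo OTHER
  fi
}

# Walk up from a hostname until a label returns NS records; that label is
# the zone whose authoritative servers must be asked. (For a hostname such
# as chat.ondr.co, "dig +short ns" returns nothing; the NS set is at ondr.co.)
find_zone() {
  local name="$1"
  while [ -n "$name" ]; do
    if [ -n "$(dig +short ns "$name" 2>/dev/null)" ]; then
      echo "$name"
      return 0
    fi
    case "$name" in
      *.*) name="${name#*.}" ;;
      *)   name="" ;;
    esac
  done
  return 1
}

# Query CAA (type 257) for $1 at every authoritative server of its zone
# and print one line per server: <server> <verdict>.
check_caa_everywhere() {
  local host="$1" zone server out
  zone="$(find_zone "$host")" || { echo "no NS records found above $host" >&2; return 1; }
  for server in $(dig +short ns "$zone"); do
    # One try with a short timeout so a dead server shows up as TIMEOUT
    # instead of stalling the whole loop.
    out="$(dig +tries=1 +time=5 "$host" type257 "@$server" 2>&1)"
    printf '%s %s\n' "$server" "$(classify_dig_output "$out")"
  done
}

# Usage: ./check_caa.sh chat.ondr.co   (placeholder hostname)
if [ -n "${1:-}" ]; then
  check_caa_everywhere "$1"
fi
```

A healthy zone prints the same verdict (NODATA or CAA) for every server. A mix of SERVFAIL and TIMEOUT lines next to good ones is exactly the intermittent failure the CA sees, and the server names tell you which provider to open the ticket with.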

ondr@ondr:/etc/nginx/sites-enabled⟫ dig chat.ondr.co type257 @chat.ondr.co

; <<>> DiG 9.10.3-P4-Ubuntu <<>> chat.ondr.co type257 @chat.ondr.co
;; global options: +cmd
;; connection timed out; no servers could be reached

I would highlight @mnordhoff's response for you:

Your DNS provider isn't Cloudflare, it's Digital Ocean, and you should inquire with their support as to why these queries are failing.

Ahh … so it seems the domain was transferred to Digital Ocean and I never knew about that.

; <<>> DiG 9.10.3-P4-Ubuntu <<>> chat.ondr.co type257
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27682
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;chat.ondr.co.                  IN      CAA

;; AUTHORITY SECTION:
ondr.co.                1796    IN      SOA     ns1.digitalocean.com. hostmaster.ondr.co. 1497507243 10800 3600 604800 1800

;; Query time: 3174 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Jun 20 15:58:36 UTC 2017
;; MSG SIZE  rcvd: 108

I had submitted a ticket to DO.
With --staging, the only one that failed is:
Challenge failed for domain updates-1.chat.ondr.co

But without staging, many are failing … I tried twice, so only 3 tries left for this week?
Thanks a lot for your patience @mnordhoff and @cpu

@v3ss0n, when you don't successfully receive a certificate, the limit is 5 attempts per hour, not per week.

Thanks a lot, the last attempt luckily got 5 domains working: chat.ondr.co, updates-0.chat.ondr.co to updates-4.chat.ondr.co, and now our service is back online.

I hope the next renewal does not have a problem like this. It was a nightmare …

I thought that Certbot was set up to try and renew certificates well in advance of when they expire.

@schoen Do you know any reason why this wouldn't have happened in this case? I can't recall how Certbot sets up cron (or does it use a systemd timer?)

I had to remove auto renewal; if a problem like this occurs it will block renewal once the limit is reached.

certbot-auto doesn't automatically set up a job. The Certbot Ubuntu packages, for example, automatically set up a cron job or systemd timer that runs every 12 hours (randomly delayed up to 1 hour). I assume most other packages do something similar.

That's not an issue. The failed validation rate limit is 5 per account per hostname per hour. A typical cron job runs 1 or 2 times per day. And unless the client is managing several duplicate certificates, it would only try to validate each hostname once.

Also, even if it fails, you would typically have almost a month to fix the problem.


So there is another renewal in systemd? I found one in crontab and disabled it; it was from letsencrypt.
Now I updated with certbot; it is the Ubuntu certbot package.

Digital Ocean confirmed they are aware of and working on the DNS issues.
