Lets encrypt refusing to connect to my domain on renew , and now it is saying limit reached

ondr@ondr:/etc/nginx/sites-enabled⟫ dig chat.ondr.co type257 @chat.ondr.co

; <<>> DiG 9.10.3-P4-Ubuntu <<>> chat.ondr.co type257 @chat.ondr.co
;; global options: +cmd
;; connection timed out; no servers could be reached

I would highlight @mnordhoff's response for you:

Your DNS provider isn't Cloudflare, it's Digital Ocean, and you should inquire with their support as to why these queries are failing.

Ahh … so it seems domain was transferred to Digital Ocean and i was never known about that.

; <<>> DiG 9.10.3-P4-Ubuntu <<>> chat.ondr.co type257
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27682
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 512
;chat.ondr.co.                  IN      CAA

ondr.co.                1796    IN      SOA     ns1.digitalocean.com. hostmaster.ondr.co. 1497507243 10800 3600 604800 1800

;; Query time: 3174 msec
;; WHEN: Tue Jun 20 15:58:36 UTC 2017
;; MSG SIZE  rcvd: 108

I had submitted to DO ,
with --staging , only one failed is
Challenge failed for domain updates-1.chat.ondr.co

But without staging , many are failing … i tried twice so only 3 tries left for this week ?
thanks a lot for patience @mnordhoff and @cpu

@v3ss0n, when you don’t successfully receive a certificate, the limit is 5 attempts per hour, not per week.

Thanks a lot , the last attempt luckily got 5 domains working : chat.ondr.co , updates-0.chat.ondr.co to updates-4chat…ondr.co and now our service is back online.

I hope next renewal do not have problem like this. it was nightmare …

I thought that Certbot was set up to try and renew certificates well in advance of when they expire.

@schoen Do you know any reason why this wouldn’t have happened in this case? I can’t recall how Certbot sets up cron (or does it use a systemd timer?)

i had to remove auto renewal , if problem like this occours it will block out of renewal when limit reached.

certbot-auto doesn’t automatically set up a job. The Certbot Ubuntu packages, for example, automatically set up a cron job or systemd timer that runs every 12 hours (randomly delayed up to 1 hour). I assume most other packages do something similar.

That’s not an issue. The failed validation rate limit is 5 per account per hostname per hour. A typical cron job runs 1 or 2 times per day. And unless the client is managing several duplicate certificates, it would only try to validate each hostname once.

Also, even if it fails, you would typically have almost a month to fix the problem.


so there is another renewal in systemd? i found one in corontab and disabled, it was from letsencrypt.
Now i updated with certbot , it is ubuntu certbot package

Digital ocean confirmed they are aware and working on with DNS issues.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.