Multiple accounts to temporarily get around new authz limit?

Hi friends.

I'm using certbot certonly --webroot. I have thousands of domains to secure. It equates to roughly 100 SSL SAN certs to generate. While getting my process working, I used CTRL + C to cancel the certbot command a couple times. This left hanging requests, so now I get this error:

"Error creating new authz :: Too many currently pending authorizations"

A little research shows this might last as long as a week? It's already been several days. To get around this issue, I'm considering using a new LE account. I'm considering doing something like this guy:

mv /etc/letsencrypt/accounts /etc/letsencrypt/accounts.off

and then provide a new account... Is there any issue with this? Keep in mind that certbot is NOT managing the certs after creating them - I have automated node.js scripts which take the certs when certbot is done, moves them into new directory structure, and manages and renews them there. This is because I need to use my own private key, which forced me to provide my own CSR, which causes certbot to NOT manage certs itself - it just outputs certs into the current working directory so my node scripts move the from there.

Anyhow, so that's my setup, and I'm just wondering if I'm safe to switch between two accounts to temporarily get around this new authz 300 limit??

Hi @lancedolan,

I would definitely encourage you to use the staging server while you get your process worked out! It will help you avoid this problem.

The pending authorizations expire 7 days after being created. Another option is to clear pending authorizations (I'm not sure how to do this with Certbot off hand).

I think you're ok in this circumstance but I would encourage you to try and solidify your process against the staging server to avoid needing to rotate accounts with frequency in the future.

Good luck!

1 Like

Anybody know how to do this with certbot? This is definitely the cleanest solution! Thank you cpu for pointing this out! :slight_smile:

I've been using only the staging server for the portion of development where that was an option. I have a fairly complex system going (certs aren't installed on the same server they're generated) and so there's a piece of the architecture that must be done with production certs or production customers will be hitting fake certs.

I expect everything to work fine on my next try.

@schoen, @bmw, @erica - do any of you folks happen to know if its possible to deactivate or POST an update to a pending authorization given its URL using Certbot?

I believe it’s not possible to do this in any version of Certbot. I don’t see a command-line feature for it, and even acme/acme/client.py doesn’t seem to provide a feature for this, which then makes it very unlikely that Certbot can do it.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.