New certs failed with "A rate limit prevents DCV"

I've been using Let's Encrypt certs on this server for years. This morning when the certs were renewed, one of the domains failed to install the new cert with this message:

Analyzing “tinyislekauai.com”’s DCV results …
 9:15:05 AM Trying 1 wildcard domain (*.tinyislekauai.com) to maximize coverage …
 9:15:06 AM WARN AutoSSL failed to create a new certificate order because the server’s Let’s Encrypt account (https://acme-v02.api.letsencrypt.org/acme/acct/81296988) has reached a rate limit. (urn:ietf:params:acme:error:rateLimited (The request exceeds a rate limit) (Rate limit for '/directory' reached)) You may contact Let’s Encrypt to request a change to this rate limit.
 ERROR “Let’s Encrypt™” general error (tinyislekauai.com): A rate limit prevents DCV.
 ERROR “Let’s Encrypt™” general error (*.tinyislekauai.com): A rate limit prevents DCV.
 Retrying DCV without the failed wildcard domain …
 WARN AutoSSL failed to create a new certificate order because the server’s Let’s Encrypt account (https://acme-v02.api.letsencrypt.org/acme/acct/81296988) has reached a rate limit. (urn:ietf:params:acme:error:rateLimited (The request exceeds a rate limit) (Rate limit for '/directory' reached)) You may contact Let’s Encrypt to request a change to this rate limit.
 ERROR “Let’s Encrypt™” general error (www.tinyislekauai.com): A rate limit prevents DCV.
 ERROR “Let’s Encrypt™” general error (mail.tinyislekauai.com): A rate limit prevents DCV.
 ERROR “Let’s Encrypt™” general error (webmail.tinyislekauai.com): A rate limit prevents DCV.
 ERROR “Let’s Encrypt™” general error (cpanel.tinyislekauai.com): A rate limit prevents DCV.
 ERROR “Let’s Encrypt™” general error (autodiscover.tinyislekauai.com): A rate limit prevents DCV.
 ERROR “Let’s Encrypt™” general error (webdisk.tinyislekauai.com): A rate limit prevents DCV.
 ERROR “Let’s Encrypt™” general error (cpcontacts.tinyislekauai.com): A rate limit prevents DCV.
 ERROR “Let’s Encrypt™” general error (cpcalendars.tinyislekauai.com): A rate limit prevents DCV.
 ERROR Impediment: TOTAL_DCV_FAILURE: Every domain failed DCV.

Of course, I tried renewing manually (that's where this error message came from) so I'm not sure what to do next.

Any thoughts? Do I need to increase the rate limit (even though I have been getting all the certs renewed on this server for years)?

My domain is: tinyislekauai.com

My web server is (include version): CENTOS 7.9 kvm cPanel [v98.0.8]

The operating system my web server runs on is (include version): Apache/2.4.46

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): cPanel 98.0.8

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.8.1

This means your server is hammering the ACME endpoint with 40 requests per second. Please don't do that. See Rate Limits - Let's Encrypt for more info.

1 Like

You may be hitting a temporary rate limit that we've put in place because of how cPanel is mishandling an expired certificate chain. Please bear with us and keep an eye on this forum and our status page, and also apply updates from cPanel once available.

4 Likes

Also suffering from this; went in and disabled the 600+ cPanel webdisk, autodiscover, etc. entries that I do not have DNS entries for.

1 Like

We’ve now relaxed this temporary rate limit. It’s still in place, but is much more forgiving and should allow you to obtain certificates. Thanks for your patience!

4 Likes

Thank you, it worked, I got the certs renewed.

1 Like

I have this problem too.
On more than 5 different servers my different domains are disabled.
What is the solution to this problem?

I had this problem and managed to get round it by using the cPanel by Sectigo provider. Now it's fixed I want to go back to using Let's Encrypt, but trying to change provider I get this message:

API failure: Net::ACME2::x::HTTP::Protocol: The response to the HTTP “HEAD” request from “https://acme-v02.api.letsencrypt.org/acme/new-nonce” indicated an error (429, Too Many Requests): “”

Any idea how to reactivate Let's Encrypt?

I have the same problem!

Me also, same issue.

The same issue exists on all my servers and the updates cPanel released have been applied. I can't get a new SSL certificate for any site.

Probably best to complain at cPanel/AutoSSL.

Our company hosts about 56,000 domains that use Let's Encrypt SSL certs. We've never had an issue. As of yesterday all cert renewals are failing and we cannot generate new certs. We just get the "429, Too Many Requests" error. We've not changed anything on our end. Our request rates have not changed. We do not use cPanel. We make the request with a Perl script only when a new domain is added to one of our servers. We've shut off our cert renewal daemon for the time being. Edit: The odd cert may be succeeding, but we are predominantly being rejected.

1 Like

The problem isn't with cPanel/AutoSSL, it's with Let's Encrypt servers. Most of the requests we make give error 429, Too Many Requests. However, we rarely get new certificates. So some requests can succeed (the rate is very low).

Up until now, we've used the same private key with Let's Encrypt on all of our servers. We tried using a new private key to register with Let's Encrypt and the first request we sent failed with "429, Too Many Requests". Are we being limited by IP then? We are not sending a whole lot of requests from any of these servers.

All of our servers with different keys and IP addresses have the same issue. I think it's all about the intensity of Let's Encrypt. But they need to come up with a solution to this.

The main issue is with cPanel/AutoSSL, which prompted Let's Encrypt to take measures. Please read this post from above again:

You can't blame Let's Encrypt for taking measures against one misbehaving ACME client, so at least the API remains available for others.

Please refer to cPanel so you can fix your ACME client so Let's Encrypt doesn't need to take actions against it.

2 Likes

I've written this many times. We have already implemented all the solutions cPanel has published. Can you try setting up a new server and choosing AutoSSL Let's Encrypt over WHM right now? You will encounter error 429 Many Requests.

Why are our requests limited by server owners who do not implement cPanel's solution?

So you are somehow targeting and limiting use of the Net::ACME2 Perl client? Unlike cPanel, we keep track of when our domains need renewal in a table, so that we do not have to check every cert on our servers, so we are not affected by the same bug affecting cPanel and our request rate has not increased. Now we are being punished for a bug in cPanel....
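
Added example, not part of the thread and not cPanel's, Net::ACME2's or Let's Encrypt's code: one way an ACME client can decide how long to wait after the rate-limit responses quoted above, covering both the `urn:ietf:params:acme:error:rateLimited` problem type from the AutoSSL log and the bare 429 with an empty body on `new-nonce`. The function names, the 60-second base and the 6-hour cap are assumptions chosen for illustration.

```python
import json
import random
from datetime import timezone
from email.utils import parsedate_to_datetime

RATE_LIMITED = "urn:ietf:params:acme:error:rateLimited"  # error type seen in the log above

def is_rate_limited(status, body):
    """True for HTTP 429, or for a problem document whose type is rateLimited."""
    if status == 429:
        return True  # the new-nonce HEAD failure above had an empty body, so status must suffice
    try:
        doc = json.loads(body or "")
    except ValueError:
        return False
    return isinstance(doc, dict) and doc.get("type") == RATE_LIMITED

def retry_after_seconds(headers, now):
    """Parse Retry-After (delta-seconds or HTTP-date); None if absent or invalid."""
    value = next((v for k, v in headers.items() if k.lower() == "retry-after"), None)
    if value is None:
        return None
    value = value.strip()
    if value.isascii() and value.isdigit():
        return float(value)
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return max(0.0, (when - now).total_seconds())

def next_delay(status, headers, body, attempt, now,
               base=60.0, cap=6 * 3600.0, rng=random.random):
    """Seconds to wait before the next ACME request; 0.0 if not rate limited."""
    if not is_rate_limited(status, body):
        return 0.0
    backoff = min(cap, base * 2 ** attempt)       # capped exponential backoff
    backoff = backoff / 2 + rng() * backoff / 2   # jitter so many servers do not retry in lockstep
    hinted = retry_after_seconds(headers, now)
    # Never retry sooner than the server asked, even if local backoff is shorter.
    return backoff if hinted is None else max(hinted, backoff)
```

A renewal daemon would sleep for the returned delay and increment `attempt` on each consecutive rate-limited response, resetting it after a success.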