Once again : Error creating new authz :: too many currently pending authorizations

My certificate for chat.ondr.co is expiring soon again.
This time i tried to renew , but unfortunately , the certbot installed auto-renew script seems to making it reached the limit again.
certbot auto-installed crontab
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew
Issued On Tuesday, June 20, 2017 at 10:09:00 PM
Expires On Monday, September 18, 2017 at 10:09:00 PM

i have disabled the script for two days but Rate limit is still there. What should i do? I would lose client if i can’t renew in time. Please help.

Hi @v3ss0n,

On clearing pending authorizations, please see

In terms of the underlying problem, do you have a log in /var/log/letsencrypt showing what happened before this error appeared? There would have been several times where the renewal was attempted before the rate limit was reached, and it would have failed for a different reason (which might turn out to be a Certbot bug of some kind, which we might be able to diagnose using these log files).

Thank you , should i attach? it will be very long ago. may be since jun 20 , coz cert was not renew since then.

I’d like to see a log file from a failed renewal that failed for a reason other than this rate limit. A log from a successful renewal won’t show what the problem was. :slight_smile:

It’s actually a little strange to think that renewal attempts are happening now at all, because normally certbot renew won’t even try to renew until 30 days prior to the cert’s expiry. That would be on August 19. Since it’s not August 19, I’m not sure why certbot renew has been doing anything at all.

If you run certbot certificates, do you see any duplicative certificates that cover this domain name and that you didn’t intend to have? That wouldn’t explain the too many currently pending authorizations error itself but it could explain why certbot renew was trying to renew your certificate recently.

Found the following certs:
Certificate Name: chat.ondr.co
Domains: chat.ondr.co updates-0.chat.ondr.co updates-1.chat.ondr.co updates-2.chat.ondr.co updates-3.chat.ondr.co updates-4.chat.ondr.co
Expiry Date: 2017-09-18 15:39:00+00:00 (VALID: 39 days)
Certificate Path: /etc/letsencrypt/live/chat.ondr.co/fullchain.pem
Private Key Path: /etc/letsencrypt/live/chat.ondr.co/privkey.pem

thats all.

That’s weird! Can you post the contents of /etc/letsencrypt/renewal/chat.ondr.co.conf?

I’m still interested in log files if you can find one that shows a failed renewal for a different reason than too many currently pending authorizations, but I’m confused about why certbot renew is trying to renew at all, so I’m no longer sure exactly when those failures would have happened.

only fail renew was back in jun 20 (which i reported , and it was due to digital ocean DNS problems , which later resolved)
After that , all files are 6.1KB only which is not seems to be siginficant , only debug messages showing.
There are two files each days.
here is the config

version = 0.14.2
archive_dir = /etc/letsencrypt/archive/chat.ondr.co
cert = /etc/letsencrypt/live/chat.ondr.co/cert.pem
privkey = /etc/letsencrypt/live/chat.ondr.co/privkey.pem
chain = /etc/letsencrypt/live/chat.ondr.co/chain.pem
fullchain = /etc/letsencrypt/live/chat.ondr.co/fullchain.pem

# Options used in the renewal process
account = 7f8dc8661c26652feec6818b3365da12
allow_subset_of_names = True
authenticator = webroot
installer = None
webroot_path = /var/www/html,
updates-1.chat.ondr.co = /var/www/html
chat.ondr.co = /var/www/html
updates-0.chat.ondr.co = /var/www/html
updates-4.chat.ondr.co = /var/www/html
updates-3.chat.ondr.co = /var/www/html
updates-2.chat.ondr.co = /var/www/html

@cpu, could you determine how recent the relevant authzs actually are?

gives me this

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/chat.ondr.co.conf
Cert not yet due for renewal

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/chat.ondr.co/fullchain.pem (skipped)
No renewals were attempted.

error occours when i do this

sudo certbot certonly --webroot --webroot-path /var/www/html/  -d chat.ondr.co -d  updates-0.chat.ondr.co -d  updates-1.chat.ondr.co -d  updates-2.chat.ondr.co -d  updates-3.chat.ondr.co -d  updates-4.chat.ondr.co --allow-subset-of-names

I think we might have seen an issue about --allow-subset-of-names and pending authorizations, before but I don’t remember if that’s the exact context where it arises.

Is the webroot /var/www/html the same for all of these sites? Don’t these sites have different content, so shouldn’t they have distinct webroots?

For example, if you create a file /var/www/html/hello.txt, is that really going to appear on all of http://chat.ondr.co/hello.txt, http://updates-0.chat.ondr.co/hello.txt, and http://updates-1.chat.ondr.co/hello.txt simultaneously?

Also. how did you choose to use --allow-subset-of-names? This is a relatively esoteric and sometimes risky option. (I’m not positive that it’s the reason for this problem, though.)

–allow-subset-of-names was necessary , back in the time where DO’s DNS problems are hitting. causing 6 out of 10 requests to fail.
all webroots are same because : i am using the subdomains to increase number of concurrent connections for long standing connections (Event source /SSE)

OK, thanks for those answers. So, you can try to use the tool that I linked to to clear pending authorizations, or find a log file from a time when it failed for a different reason, or wait perhaps another week or so to try again.

this file ? https://github.com/ahaw021/LE_FIND_PENDING_AUTHZ/blob/master/LE_FIND_PENDING_AUTHZ.py

Which are the relevant authzs? I haven't been keeping up with this thread.

Some that cover chat.ondr.co. @v3sson supposedly has no particular reason to have pending authorizations but apparently has them anyway, so I’m wondering when and why this happened.

Hmm. I'll see what I can get out of the DB. I don't see an immediate explanation from the logs.

I stand corrected, there is an immediate explanation.

There are a number of pending authorizations for this account, just none for specifically chat.ondr.co. Recall that the pending authorization limit is applied per-account, not per-domain.

As one quick example, there are a large number of pending authorizations for domains of the form “updates-0.chat.ondr.co” where updates-0 goes from 0 to ~50. There are also some other domains of the form 5.chat.ondr.co with differing numeric prefixes.

I recommend you finalize the outstanding pending authorizations and switch to the staging environment for further testing.

Hope that helps!

@cpu how can i do that? It is expiring in 10 days and not allowing me to renew till now.
I will need to run from chat.ondr.co and from 0-50 .

The script doesn’t work , it is complaining missing log file (altough it exists)

Traceback (most recent call last): =
File “LE_FIND_PENDING_AUTHZ.py”, line 98, in
if(FirstFilePass(files)): =
File “LE_FIND_PENDING_AUTHZ.py”, line 36, in FirstFilePass =
fileTimeStamp = dt.date.fromtimestamp(os.path.getmtime(file))
File “/usr/lib/python2.7/genericpath.py”, line 62, in getmtime
OSError: [Errno 2] No such file or directory: ‘letsencrypt.log.226’

Hi @v3ss0n,

Copy the python script directly in /var/log/letsencrypt/ and execute it from there.

Remember to define the following variables with the right data:

PATH = r"/var/log/letsencrypt"
KEY_FOLDER = r"/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/xxxxxxxxxxxxxxxxxxxxxxxxx"