Order failed due to failed dns challenge

So over the weekend one of our customers signed up for a cert for wakaasianfusion.co.uk and www.wakaasianfusion.co.uk. They shouldn't have signed up for the www. version, as we do that automatically; it was a bug on our side. Our system will clear the DNS if there is a match, so essentially the DNS TXT record was there for one challenge and not the other. So this set the order to invalid, as the DNS entry was missing. If I request validation on the DNS challenge, it will come back saying "Unable to update challenge :: authorization must be pending". So if I go to create a new order now, we are getting too many certificates already issued. Do we really have to wait a week to create a new order so that we can get a cert for wakaasianfusion.co.uk?

My domain is: wakaasianfusion.co.uk

Client: GitHub - unixcharles/acme-client: A Ruby client for the letsencrypt's ACME protocol.

I ran this command:

order = client.new_order(identifiers: ["www.wakaasianfusion.co.uk", "wakaasianfusion.co.uk"])

It produced this output:

Acme::Client::Error::RateLimited (Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: wakaasianfusion.co.uk,www.wakaasianfusion.co.uk: see Rate Limits - Let's Encrypt)

Please use one of the 5 certificates you've generated on November 20th. For testing purposes, please use the staging environment.

2 Likes

Is there a way to look up certificates by domain? I only have the order URL and the status is invalid.

You can find a list of issued certificates on certificate transparency log aggregators like "crt.sh": crt.sh | wakaasianfusion.co.uk

2 Likes

Thanks for sending that page, I didn't know about it.
I think what might have happened is they tried to get a Let's Encrypt cert using another client, then they tried to use our system, which then failed due to the 5 limit, and now they have a ZeroSSL cert instead. Which explains a lot, as I just have two order_urls on our system, both of which are invalid. It would be interesting to know which account created those previous orders, but I am assuming Let's Encrypt just stores the domain name to check against.

1 Like
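A pre-flight check for the failure described in the first post, as an added example that is not code from this thread or from acme-client: it canonicalizes the identifier set and confirms every DNS-01 TXT value is published before validation is requested. The helper names, the apex-plus-www rule, the in-memory zone Hash and the sample tokens and thumbprint are assumptions constructed for illustration.

```ruby
require 'digest'

# Assumed platform rule: every site gets apex + www, so a customer-entered
# "www." name collapses into the same pair instead of a second entry.
def canonical_identifiers(requested)
  apexes = requested.map { |n| n.strip.downcase.chomp('.').sub(/\Awww\./, '') }.uniq
  apexes.flat_map { |apex| [apex, "www.#{apex}"] }
end

# DNS-01 TXT value per RFC 8555 section 8.4:
# base64url(SHA-256(token + "." + account key thumbprint)), no padding.
def dns01_txt(token, thumbprint)
  [Digest::SHA256.digest("#{token}.#{thumbprint}")].pack('m0').tr('+/', '-_').delete('=')
end

# One TXT record per identifier in the order.
def challenge_records(tokens_by_domain, thumbprint)
  tokens_by_domain.map do |domain, token|
    { name: "_acme-challenge.#{domain}", value: dns01_txt(token, thumbprint) }
  end
end

# Add values without clearing anything already on the record name.
def publish(zone, records)
  records.each do |r|
    values = (zone[r[:name]] ||= [])
    values << r[:value] unless values.include?(r[:value])
  end
  zone
end

# Records still absent from the zone. Request validation only when this is
# empty: a failed challenge leaves the authorization and order invalid.
def missing_records(zone, records)
  records.reject { |r| zone.fetch(r[:name], []).include?(r[:value]) }
end

# Remove only this order's exact values, once every authorization is valid.
def cleanup(zone, records)
  records.each { |r| zone[r[:name]]&.delete(r[:value]) }
  zone.delete_if { |_, values| values.empty? }
end

# Constructed sample input (not real tokens or a real account thumbprint).
SAMPLE_THUMBPRINT = 'constructed-account-key-thumbprint'
SAMPLE_TOKENS = { 'example.co.uk' => 'constructed-token-apex',
                  'www.example.co.uk' => 'constructed-token-www' }.freeze
```

With the real client, the record name and value come from each authorization's DNS challenge object rather than from `dns01_txt`; the gate on `missing_records` stays the same.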
