Pending authorization - Ratelimit

pragnesh-gohighlevel · December 19, 2023, 5:12am

We are hitting rate-limit of pending authorization with below message. The other problem here is they are not getting successful or fail too soon.

Error creating new order :: too many currently pending authorizations

Because of many of the domain staying in the pending state we are hitting rate-limit here.

Below two things will help here.

How we can find out root cause why they are stuck in pending state?
Is there any way to remove them manually from pending state?

We tried following steps from below document but we were getting error which is asking googleaccessId.

orangepizza · December 19, 2023, 5:34am

LE doesn't ask googleaccessID: what client you are using?

pragnesh-gohighlevel · December 19, 2023, 5:48am

We are using Lua Resty Auto SSL https://github.com/auto-ssl/lua-resty-auto-ssl.

orangepizza · December 19, 2023, 6:08am

looks like that client isn't able to handle that ratelimit, and breaks if you ask too many certs by it

aarongable · December 19, 2023, 6:52am

You can read more about the pending authorizations rate limit here: Rate Limits - Let's Encrypt

You hit the Pending Authorizations limit when you have many authorizations still pending at the time you try to create new ones. You probably have many authorizations pending because you're creating many New Orders, and then not fulfilling the challenges for those orders. This might be because you've written your client to place many orders in parallel, or it might because your client is failing somewhere along the way and leaving old orders behind.

You can fix this in two ways:

make sure your client actually attempts to fulfill every authorization/challenge it creates, and doesn't leave them hanging around.
make your client delete old pending authorizations by deactivating them. Not all clients have the ability to do this built in, but it is supported by some.

Osiris · December 19, 2023, 8:51am

It does and is different from the too many new orders recently rate limit.

orangepizza · December 19, 2023, 9:03am

I was thinking about googleaccessID but screw the wording (it doesn't appear in RFC8555 so have no idea where it got from)

Osiris · December 19, 2023, 9:38am

Ah, indeed, no clue how googleaccessID fits in this all.

system · January 18, 2024, 9:39am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.