Questions: Automatic Pausing of Zombie Clients

Let's Encrypt staff recently posted Automatic Pausing of Zombie Clients

I have a question, I am sure others do as well:

Would it be possible to have a sample error shared? i.e. What will this look like? Does this have its own error code?

This is something I'd like to ensure gets caught ASAP, so I will want to be on the lookout for it.

6 Likes

Details about this, including a sample error message, have been previously shared here:

10 Likes

Specifically the error log comes from boulder/wfe2/wfe.go at d64132eebcad22f8f68f1b4f541b7a5f85609159 · letsencrypt/boulder · GitHub

6 Likes

Since my question is directly part of OP's quoted text block above from the recent email, I'm wondering if the "automated" certificate renewal is now going away? I have my servers automated to renew their certs every 3 months via the LE64.exe client in batch files running under Windows. I can't afford to be required to touch the server every time...or am I not understanding something basic?

1 Like

@mushu If your renewals are successful, you're not a "zombie client", so you're not affected. This measure is only for these failing clients that are NOT actually issuing certificates, but are only flooding the ACME server with requests that will fail.

Obviously Let's Encrypt wouldn't mess up automated issuance/renewals, as that wouldn't work with 5+ million issued certs daily.

5 Likes

Thank you for the clarification, it's appreciated.

5 Likes

This was already enabled on production though and this announcement is just for staging right? I'm sure I've seen production status reports to that effect a while ago.

1 Like

Not sure if I'm understanding you correctly, @webprofusion, but the linked API announcement says this:

2 Likes

Yeah I was clarifying that this announcement was specifically about Staging because it's already happening in Production (no idea if it's fully enabled or just past a certain threshold). Users with lots of failures already get paused in Production: urn:ietf:params:acme:error:rateLimited :: Your account is temporarily prevented from requesting certificates..

3 Likes
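For anyone wanting to catch this in monitoring, here is a sketch of telling a paused account apart from an ordinary rate limit in ACME problem documents. It is an added example, not code from any poster or from Let's Encrypt. It assumes the client exposes the JSON error body, and that the detail wording quoted above stays stable. The function names and sample responses are made up for illustration.

```python
import json

RATE_LIMITED = "urn:ietf:params:acme:error:rateLimited"
# Phrase taken from the error text quoted in this thread; matching on it is an
# assumption, since the server may reword the detail string.
PAUSE_PHRASE = "temporarily prevented from requesting certificates"


def classify_problem(body):
    """Classify an ACME problem document (the JSON error body of a response)."""
    try:
        problem = json.loads(body)
    except (ValueError, TypeError):
        return "unparseable"  # e.g. an HTML error page from a proxy
    if not isinstance(problem, dict):
        return "unparseable"
    if problem.get("type") != RATE_LIMITED:
        return "other"
    detail = str(problem.get("detail", "")).lower()
    # Pauses share the rateLimited type, so only the detail text separates them.
    return "paused" if PAUSE_PHRASE in detail else "rate_limited"


def paused_accounts(responses):
    """Return sorted account labels whose most recent error is a pause."""
    latest = {}
    for account, body in responses:
        latest[account] = classify_problem(body)
    return sorted(a for a, state in latest.items() if state == "paused")


# Constructed sample responses (account label, error body); not real logs.
SAMPLE = [
    ("acct-a", json.dumps({"type": RATE_LIMITED, "detail":
        "Your account is temporarily prevented from requesting certificates"})),
    ("acct-b", json.dumps({"type": RATE_LIMITED,
        "detail": "too many failed authorizations recently"})),
    ("acct-c", json.dumps({"type": "urn:ietf:params:acme:error:dns",
        "detail": "DNS problem: NXDOMAIN looking up A for example.test"})),
    ("acct-d", "<html>502 Bad Gateway</html>"),
]

if __name__ == "__main__":
    for account, body in SAMPLE:
        print(account, classify_problem(body))
    print("paused:", paused_accounts(SAMPLE))
```

Alert on "paused" separately from "rate_limited": an ordinary rate limit clears on its own schedule, while a paused account keeps failing until someone acts on it.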

Hmm... wasn't aware of this. :thinking: Also didn't find anything about it on the rate limits page.

3 Likes

What’s new is automatic pausing. All previous pausing was done in a single manual batch.

10 Likes

Ah, so it's essentially the same scenario to Subscribers/Clients - you're just doing this automatically. Great! No changes likely needed to clients that handle this already!

7 Likes

I'll go clarify that in the original post.

5 Likes

We'll be sure to update this prior to the production deploy. Or else.

7 Likes

...somebody gonna sleep with the fishes?

:sleeping: :fish: :tropical_fish: :blowfish:

5 Likes

Straight to the end of the naughty list. By the time Santa gets there, the coal will have long run out.

5 Likes

That would be when Krampus comes to town.

:pouch: :rock:

3 Likes

No coal for me: Rate Limits - Let's Encrypt

7 Likes

Another has escaped by making good! :imp:

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.