Rate Limit Duration due to Validation Failure

Thank you for such a wonderful service, first and foremost.

But we mucked up. Someone added a redirection inside default.asp to the IIS server and, not being aware, I watched the renewal process fail several times. I worked out what the issue was, but when I next attempted the renewal I received the response with:
error code 429, urn:acme:error:rateLimited, Error creating new authz:: too many invalid authorisations recently

Now I know why it failed (default was redirecting to a folder where it couldn’t validate from) so I’ll work a process around that at some point, but my question today is:
how long until the rate limiting restriction is lifted?

The documentation (https://letsencrypt.org/docs/rate-limits/) says that the validation rate limiting is hit for Failed Validation at 5 failures per account/per hostname/per hour. Obviously I hit the 5th failure - am I right in interpreting from the bottom of the rate limits doc that regardless of the trigger for the rate limiting, the restriction applies for 1 week?
“You’ll need to wait until the rate limit expires after a week.”

Nope, that part in the overrides section is referring specifically to an example about issuing too many certs in a week. Each rate limit is a sliding window for that specific limit’s timeframe, so 5 failures per hour means you can start trying again 1 hour after the first failure, and so on from there.

Also, bear in mind for any issues in the future that using the --dry-run flag with certbot will use staging, which has separate and higher rate limits so you can make sure everything works before burning up that limit.

2 Likes
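
The sliding-window behaviour described in the reply above, as an added example that is not part of the original thread and not Let's Encrypt's own code. It assumes the client knows the timestamps of its failed validations (for example from its renewal log) and that a failure at time t counts until t plus one hour; the function names and sample timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta

# Values from the rate-limits page cited in the thread: 5 failed validations
# per account, per hostname, per hour.
LIMIT = 5
WINDOW = timedelta(hours=1)


def next_allowed_attempt(failures, now, limit=LIMIT, window=WINDOW):
    """Return the earliest time a new validation attempt fits under the limit.

    Assumption: a failure at time t counts against the limit while
    now < t + window (a sliding window, not a fixed lockout period).
    """
    recent = sorted(t for t in failures if t <= now < t + window)
    if len(recent) < limit:
        return now  # still under the limit, an attempt can be made right away
    # Enough of the oldest failures must age out so that fewer than
    # `limit` remain inside the window.
    return recent[len(recent) - limit] + window


def slot_release_times(failures, now, window=WINDOW):
    """Times at which each failure still inside the window stops counting."""
    return [t + window for t in sorted(failures) if t <= now < t + window]


# Constructed sample data: five failed renewals for one account and hostname.
SAMPLE_FAILURES = [
    datetime(2024, 1, 1, 10, 0),
    datetime(2024, 1, 1, 10, 5),
    datetime(2024, 1, 1, 10, 10),
    datetime(2024, 1, 1, 10, 20),
    datetime(2024, 1, 1, 10, 30),
]

if __name__ == "__main__":
    now = datetime(2024, 1, 1, 10, 35)
    print("retry at:", next_allowed_attempt(SAMPLE_FAILURES, now))
    for release in slot_release_times(SAMPLE_FAILURES, now):
        print("one failure expires at:", release)
```

A renewal script can call `next_allowed_attempt` before retrying and sleep until the returned time instead of adding more failures to the window.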

Brilliant, good to know.

Thanks Jared.

2 Likes
