Rate Limit Duration due to Validation Failure

Thank you for such a wonderful service, first and foremost.

But we mucked up. Someone added a redirection inside default.asp to the IIS server and, not being aware, I watched the renewal process fail several times. I worked out what the issue was, but when I next attempted the renewal I received the response with:
error code 429, urn:acme:error:rateLimited, Error creating new authz:: too many invalid authorisations recently

Now I know why it failed (default was redirecting to a folder where it couldn’t validate from) so I’ll work a process around that at some point, but my question today is:
how long until the rate limiting restriction is lifted?

The documentation (https://letsencrypt.org/docs/rate-limits/) says that the validation rate limiting is hit for Failed Validation at 5 failures per account/per hostname/per hour. Obviously I hit the 5th failure - am I right in interpreting from the bottom of the rate limits doc that regardless of the trigger for the rate limiting, the restriction applies for 1 week?
“You’ll need to wait until the rate limit expires after a week.”

Nope, that part in the overrides section is referring specifically to an example about issuing too many certs in a week. Each rate limit is a sliding window for that specific limit’s timeframe, so 5 failures per hour means you can start trying again 1 hour after the first failure, and so on from there.

Also, bear in mind for any issues in the future that using the --dry-run flag with certbot will use staging, which has separate and higher rate limits so you can make sure everything works before burning up that limit.
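
The sliding window described in the reply above, worked through as an added example (not part of the original thread and not Let's Encrypt's server code). It assumes the 5-per-hour figure quoted from the rate-limits doc and that a failure stops counting exactly one window after it happened; the timestamps are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

LIMIT = 5                     # failed validations per window (figure quoted in the thread)
WINDOW = timedelta(hours=1)   # length of the sliding window for this limit


def next_allowed_attempt(failures, now, limit=LIMIT, window=WINDOW):
    """Return the earliest time (>= now) at which fewer than `limit`
    failures remain inside the trailing `window`."""
    # Only failures younger than the window still count against the limit.
    active = sorted(f for f in failures if f <= now and now - f < window)
    if len(active) < limit:
        return now  # already under the limit
    # Enough of the oldest active failures must age out that only
    # limit - 1 remain; that happens when the failure at index
    # len(active) - limit leaves the window.
    return active[len(active) - limit] + window


def _t(hh, mm):
    # Constructed sample timestamps, all on one arbitrary day (UTC).
    return datetime(2018, 1, 1, hh, mm, tzinfo=timezone.utc)


# Constructed example: five failed renewals inside one hour.
SAMPLE_FAILURES = [_t(10, 0), _t(10, 5), _t(10, 12), _t(10, 20), _t(10, 31)]

if __name__ == "__main__":
    now = _t(10, 40)
    retry = next_allowed_attempt(SAMPLE_FAILURES, now)
    # One hour after the first failure, as the reply says.
    print("blocked until", retry.isoformat(), "wait", retry - now)
    # Two minutes later only four failures are inside the window.
    later = _t(11, 2)
    print("at", later.isoformat(), "->", next_allowed_attempt(SAMPLE_FAILURES, later).isoformat())
```

A fresh failure after the retry time fills the window again, so the next wait is measured from the second-oldest failure rather than a full hour from now.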


Brilliant, good to know.

Thanks Jared.

