Rate limit incorrect

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mail.fink.org

I ran this command: ask for cert in Kerio mail client

It produced this output:
[02/Jun/2022 10:58:13] CertificateManFacade.cpp: Operation failed, internal error: Failed to issue Let's Encrypt certificate: Response code of 429 contacting https://acme-v02.api.letsencrypt.org/acme/new-order with response of:
[02/Jun/2022 10:58:13] {
[02/Jun/2022 10:58:13] "type": "urn:ietf:params:acme:error:rateLimited",
[02/Jun/2022 10:58:13] "detail": "Error creating new order :: too many failed authorizations recently: see Rate Limits - Let's Encrypt",
[02/Jun/2022 10:58:13] "status": 429
[02/Jun/2022 10:58:13] }.

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: myself

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): kerio

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): n/a

The problem comes from the fact that port 80 was closed down on my firewall.
However this is now fixed and above error message does not appear anymore.

Now I only see
[06/Jun/2022 11:18:01] CertificateManFacade.cpp: Operation failed, internal error: Failed to issue Let's Encrypt certificate: Failure / timeout verifying challenge passed.

This means I'm now blocked by the rate limit. So I tried one day later. Same. 3 days later. Same.

I tried to get a new cert maybe less than 10 times in total.
The webpage says it's blocking for 24h, but that has long passed.

What's wrong here??

This is not a rate limit error as far as I can tell.

Please consider using the staging environment for testing/debugging, both to not increase load on the production system and to make sure rate limits aren't an issue.


I can't modify Kerio for this. It's a production mailserver and I have used LetsEncrypt before on other installs without a problem.

Your Kerio is redirecting port 80 to port 444, which is not allowed according to the CA/Browser Forum Baseline Requirements. Let's Encrypt is only allowed to use specific ports, which are port 80 (HTTP) and port 443 (HTTPS) for the http-01 challenge.


One of the side effects of the 60 day renewal intervals:
Someone changed something weeks ago and now this is breaking.

curl -Ii http://mail.fink.org/.well-known/acme-challenge/Test_File-1234
HTTP/1.1 301
Connection: close
Location: https://mail.fink.org:444/.well-known/acme-challenge/Test_File-1234

As @Osiris pointed out:

That redirection could NOT have been there during the last renewal.
So, apparently, someone can, and has, modified the production system (since the last renewal).
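The two replies above make the same point: the http-01 challenge is fetched on port 80 and may only be redirected to port 80 or 443, so a redirect to port 444 fails validation and each failed attempt counts toward the "too many failed authorizations" limit. The following pre-flight check, added here as an example and not part of the thread or of Kerio, reproduces the `curl -Ii` test without following the redirect and flags a `Location` header that points at a disallowed port. The domain, the test token and the sample 301 response are taken from the thread; the `probe()` helper and its timeout value are this example's own additions.

```python
import urllib.error
import urllib.request
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Ports a Let's Encrypt http-01 redirect may land on (from the thread: 80 and 443).
ALLOWED_REDIRECT_PORTS = {80, 443}


def redirect_port(location: str) -> Optional[int]:
    """Effective TCP port of a Location URL: the explicit :port if present,
    otherwise the scheme default. None if the scheme is unknown."""
    parts = urlsplit(location)
    if parts.port is not None:
        return parts.port
    return {"http": 80, "https": 443}.get(parts.scheme)


def classify_response(status: int, headers: dict) -> Tuple[bool, str]:
    """Decide whether one response to GET/HEAD
    http://<domain>/.well-known/acme-challenge/<token> would let an
    http-01 validation proceed. Returns (ok, reason)."""
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if status in (301, 302, 303, 307, 308):
        location = hdrs.get("location")
        if location is None:
            return False, "redirect without a Location header"
        port = redirect_port(location)
        if port is None:
            return False, f"redirect to URL with unknown scheme: {location}"
        if port not in ALLOWED_REDIRECT_PORTS:
            return False, (f"redirect to port {port} ({location}); "
                           "http-01 only follows redirects to ports 80 and 443")
        return True, f"redirect to {location} uses an allowed port"
    if status == 200:
        return True, "challenge path served directly on port 80"
    if status == 404:
        # A made-up test token is expected to 404; what matters is that the
        # request reached the web server on port 80 without a bad redirect.
        return True, "404 for a test token: path reachable, no redirect in the way"
    return False, f"unexpected status {status}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so we can inspect the 3xx itself."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(domain: str, token: str = "Test_File-1234", timeout: float = 10.0) -> Tuple[bool, str]:
    """Live check (needs network): HEAD the challenge path on port 80 and classify it.
    The 10 s timeout is this example's assumption, not a Let's Encrypt value."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify_response(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as err:
        # Non-2xx (including the un-followed 3xx) arrives here with its headers.
        return classify_response(err.code, dict(err.headers))
    except (urllib.error.URLError, OSError) as err:
        return False, f"port 80 unreachable: {err}"


# Constructed from the curl output quoted in the thread.
SAMPLE_STATUS = 301
SAMPLE_HEADERS = {
    "Connection": "close",
    "Location": "https://mail.fink.org:444/.well-known/acme-challenge/Test_File-1234",
}

if __name__ == "__main__":
    ok, reason = classify_response(SAMPLE_STATUS, SAMPLE_HEADERS)
    print("sample from thread:", "OK" if ok else "FAIL", "-", reason)
    # To check a live host: print(probe("mail.fink.org"))
```

Run it against the sample and it reports the redirect to port 444 as a failure; once the redirect target is changed to the plain `https://` URL (port 443) the same response classifies as acceptable, which is the state a renewal needs before any further attempts are spent against the failed-authorization limit.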

