We have received the following on one of our servers today:
"2024/02/29 09:05:34 [INFO] ["domain names"] acme: Obtaining SAN certificate
2024/02/29 09:05:34 Could not obtain certificates:
acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many new orders recently: see Rate Limits - Let's Encrypt
Failed to issue new certificate"
After checking on the website, it only gives about 300 new orders per 3 hours.
We have a lot more than 500 domains on this specific server, not to mention our other servers that might at a later stage run into the same issue.
Putting in a request per ID is not going to be helpful as you will need to do this almost over 500 times for them to push the limit up and only by 1 week.
Is there no other way to increase the per-hour limit on a single IP/server?
Keep in mind that we are a hosting provider, so it will fluctuate daily.
Also, cPanel is replacing Sectigo with Let's Encrypt within a few months if I am not mistaken.
This will then force most of the cPanel providers to most likely run into this current issue.
"Sectigo AutoSSL provider: We automatically switch Sectigo AutoSSL users to Let’s Encrypt. The Sectigo provider remains accessible in the Manage AutoSSL interface (WHM » SSL-TLS » Manage AutoSSL). You can choose to go back to using Sectigo AutoSSL in this interface, but Sectigo will eventually cease functioning in cPanel."
If you are a large hosting provider or organization working on a Let’s Encrypt integration, we have a rate limiting form that can be used to request a higher rate limit.
If you have 500 domains on your server, why is 300 per hour not enough? It should theoretically be enough to manage 216000 certificates if the renewals are spread out evenly across any given 90-day period, unless you are trying to create them all at once.
Hmm, I'm not too familiar with cPanel, but I hope this isn't the case. Your server's ACME registration ID should be in WHM -> SSL/TLS -> Manage AutoSSL and is labeled as the "Provider Account ID." Is that not what you're seeing?
Why are you afraid of that? I think it is just a runaway script, and I am not even asking for your server's IP address. Even disclosing your own public IP would not trigger any attack.
By the way, if you open an issue in the help section there is a questionnaire. Could you answer those questions, please?
If your server is connected to the internet, you can expect attacks on your server anyway, with or without disclosing the hostname and/or IP address. Security by obscurity is NOT security at all.
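The point made earlier in the thread about spreading orders out can be made concrete with a small planner. This is an added example, not code from any poster, cPanel or an ACME client; the function names are hypothetical, the hostnames are constructed, and the limit of 300 new orders per 3 hours is the figure quoted in the thread.

```python
import hashlib
from collections import Counter, deque
from datetime import datetime, timedelta

LIMIT = 300                   # new orders per window, the figure quoted in the thread
WINDOW = timedelta(hours=3)   # window length quoted in the thread
PERIOD = timedelta(days=90)   # renewal period used in the reply

def plan_burst(domains, start, limit=LIMIT, window=WINDOW):
    """Earliest send time for each order so no sliding window exceeds `limit`."""
    recent = deque()          # send times still inside the current window
    now, plan = start, []
    for name in domains:
        while recent and recent[0] <= now - window:
            recent.popleft()                 # these orders have aged out
        if len(recent) >= limit:
            now = recent.popleft() + window  # wait for the oldest to age out
        recent.append(now)
        plan.append((now, name))
    return plan

def renewal_slot(domain, period=PERIOD, window=WINDOW):
    """Stable slot index derived from the name, so renewals do not bunch up."""
    slots = period // window  # 720 three-hour slots in 90 days
    digest = hashlib.sha256(domain.encode()).digest()
    return int.from_bytes(digest[:8], "big") % slots

def capacity(limit=LIMIT, period=PERIOD, window=WINDOW):
    """Orders that fit in one period when every window is filled exactly."""
    return (period // window) * limit

def peak_load(domains):
    """Largest number of renewals that land in any single slot."""
    return max(Counter(renewal_slot(d) for d in domains).values())

if __name__ == "__main__":
    # Constructed sample: 500 hypothetical hostnames, not real customer domains.
    sample = [f"site{i:03d}.example" for i in range(500)]
    start = datetime(2024, 2, 29, 9, 0)
    batches = Counter(t for t, _ in plan_burst(sample, start))
    for when, count in sorted(batches.items()):
        print(when.isoformat(), count, "orders")
    print("capacity per 90 days:", capacity())
    print("peak renewals in one 3h slot:", peak_load(sample))
```

With 500 names the initial burst needs two windows (300 orders, then 200 three hours later), while hashing each name into one of the 720 slots keeps later renewals far below the per-window limit.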