Rate Limit on a Hosting provider

Hi,

We have received the following on one of our servers today:

"2024/02/29 09:05:34 [INFO] ["domain names"] acme: Obtaining SAN certificate
2024/02/29 09:05:34 Could not obtain certificates:
acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many new orders recently: see Rate Limits - Let's Encrypt
Failed to issue new certificate"

After checking on the website it only gives about 300 new orders per 3 hours.
We have a lot more than 500 domains on this specific server, not to mention our other servers that might in the later stage run into the same issue.

Putting in a request per ID is not going to be helpful as you will need to do this almost over 500 times for them to push the limit up and only by 1 week.

Is there no other way to increase the per-hour limit on a single IP/server?
Keep in mind that we are a hosting provider, so it will fluctuate daily.

Also, cPanel is replacing Sectigo with Let's Encrypt within a few months if I am not mistaken.
This will then force most of the cPanel providers to most likely run into this current issue.

" Sectigo AutoSSL provider We automatically switch Sectigo AutoSSL users to Let’s Encrypt. The Sectigo provider remains accessible in the Manage AutoSSL interface (WHM » SSL-TLS » Manage AutoSSL). You can choose to go back to using Sectigo AutoSSL in this interface, but Sectigo will eventually cease functioning in cPanel."

If you are a large hosting provider or organization working on a Let’s Encrypt integration, we have a rate limiting form that can be used to request a higher rate limit.


I did go through it but it asks for an ID that is linked to each and every domain.
Each domain has a unique ID on that server.

How do I request an increase on the entire server?

If you have 500 domains on your server, why is 300 per hour not enough? It should theoretically be enough to manage 216000 certificates if the renewals are spread out evenly across any given 90 day period, unless you are trying to create them all at once.


Hmm, I'm not too familiar with cPanel, but I hope this isn't the case. Your server's ACME registration ID should be in WHM -> SSL/TLS -> Manage AutoSSL and is labeled as the "Provider Account ID." Is that not what you're seeing?


This specific server is running DirectAdmin, apologies for not clearing that up.
We have multiple other servers running either DirectAdmin or cPanel.

@Justin88 , welcome to the community!

That kind of rate-limit is per ID (ACME account).

So there may be just one or a handful of runaway ID(s) that create(s) that many orders?


Hi,

You might be right about the runaway IDs as I see one of our domains on that server has over 52 IDs, which should not be the case.


I have checked on my end and cannot see what it is duplicating.
Are there any settings that I can amend to not create duplicates?

So I dug deeper into the duplication and am not sure why I am getting the same ID logs on all my domains with this:

[14/Mar/2024:09:01:51 +0200] "GET /.well-known/acme-challenge/letsencrypt_1710399001 HTTP/1.1" 200 287 "-" "curl/7.61.1"
[14/Mar/2024:09:01:51 +0200] "GET /.well-known/acme-challenge/letsencrypt_1710399001 HTTP/1.1" 200 287 "-" "curl/7.61.1"
[14/Mar/2024:09:01:51 +0200] "GET /.well-known/acme-challenge/letsencrypt_1710399001 HTTP/1.1" 200 276 "-" "curl/7.61.1"

There are basically thousands being generated in the logs per minute.
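As an added example (not code from the thread or from DirectAdmin/cPanel), the script below answers the kind of question that follows from log lines like these: it parses web-server access logs in Common Log Format, keeps only /.well-known/acme-challenge/ fetches, counts them per client IP, and flags any challenge token fetched more often per minute than the handful of validation requests a normal ACME authorization produces. It assumes the client IP is the first field of each line (the excerpt above omits it) and uses constructed sample lines with documentation IP addresses.

```python
import re
from collections import Counter

# Common Log Format with a quoted referer and user-agent (assumption: the
# server logs the client IP as the first field, which the thread's excerpt omits).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

def parse_challenge_requests(lines):
    """Yield (client_ip, minute_bucket, token, user_agent) for every
    HTTP-01 challenge fetch; all other requests are ignored."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith(CHALLENGE_PREFIX):
            continue
        token = m.group("path")[len(CHALLENGE_PREFIX):]
        minute = m.group("ts")[:17]  # "14/Mar/2024:09:01:51 +0200" -> "14/Mar/2024:09:01"
        yield m.group("ip"), minute, token, m.group("ua")

def summarize(lines, per_minute_threshold=10):
    """Return (fetches per client IP, runaway (token, minute) buckets).
    A legitimate validation fetches a token only a few times, so a bucket
    at or above the threshold points at a looping client, not the CA."""
    by_ip = Counter()
    by_token_minute = Counter()
    for ip, minute, token, _ua in parse_challenge_requests(lines):
        by_ip[ip] += 1
        by_token_minute[(token, minute)] += 1
    runaway = {k: v for k, v in by_token_minute.items() if v >= per_minute_threshold}
    return by_ip, runaway

# Constructed sample: twelve fetches of one token from a single curl client
# within one minute, one fetch from a CA-style validator, one unrelated request.
CHALLENGE = CHALLENGE_PREFIX + "letsencrypt_1710399001"
SAMPLE_LOG = [
    f'192.0.2.10 - - [14/Mar/2024:09:01:51 +0200] "GET {CHALLENGE} HTTP/1.1" 200 287 "-" "curl/7.61.1"'
] * 12 + [
    f'198.51.100.7 - - [14/Mar/2024:09:01:52 +0200] "GET {CHALLENGE} HTTP/1.1" 200 287 "-" '
    '"Mozilla/5.0 (compatible; Let\'s Encrypt validation server; +https://www.letsencrypt.org)"',
    '192.0.2.10 - - [14/Mar/2024:09:03:05 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.61.1"',
]

if __name__ == "__main__":
    ips, flagged = summarize(SAMPLE_LOG)
    for ip, n in ips.most_common():
        print(f"{ip}: {n} challenge fetches")
    for (token, minute), n in flagged.items():
        print(f"runaway: {token} fetched {n} times in minute {minute}")
```

Run it against the real access log (`summarize(open(path))`) to see which client IP is hammering the challenge path; the user-agent column separates the CA's validators from a local script stuck in a loop.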

What is the source IP of these web requests?


This I cannot say in public as this will most likely cause an attack on my server.

Why are you afraid of that? I think it is just a runaway script, and I am not even asking for your server's IP address. Even disclosing your own public IP would not trigger any attack.

By the way, if you open an issue in the help section there is a questionnaire. Could you answer those questions, please?


If your server is connected to the internet, you can expect attacks on your server anyway, with or without disclosing the hostname and/or IP address. Security by obscurity is NOT security at all.


Did you read that question correctly?
It asked for the SOURCE IP, not your IP.

