Rate limit on staging server?

lziegenhals · February 20, 2016, 6:54pm

I’ve been working on a hook script using nsupdate for use with letsencrypt.sh and dns-01 authorization. I’m using the staging server rather than the production server. At least, I think I am; this is all new to me, but I’ve set “CA=https://acme-staging.api.letsencrypt.org/directory” in config.sh

The problem is that after several unsuccessful runs where the server was unable to authenticate due to problems on my end, I’ve run into a rate limit:

` + ERROR: An error occurred while sending post-request to https://acme-staging.api.letsencrypt.org/acme/new-authz (Status 429)

Details:
{“type”:“urn:acme:error:rateLimited”,“detail”:“Error creating new authz :: Too many currently pending authorizations.”,“status”:429}
`

Am I doing something wrong? All the docs and FAQs I’ve read say to use the staging server during client development to avoid the rate limit problem, which I thought I was doing, so this was a surprise to me. Is there any way to clear the pending authorizations?

Thanks,
Lee

weppos · February 20, 2016, 7:12pm

This error is new to me (in the sense that it’s the first time I read about it in the forum). However, I’d guess a possible response based on the source code of boulder.

The rate limit check is defined at:

github.com

letsencrypt/boulder/blob/c8c82fb9539f9c8737bdc87c010a64f61b093cdf/ra/registration-authority.go#L279-L297


func (ra *RegistrationAuthorityImpl) checkPendingAuthorizationLimit(regID int64) error {
	limit := ra.rlPolicies.PendingAuthorizationsPerAccount
	if limit.Enabled() {
		count, err := ra.SA.CountPendingAuthorizations(regID)
		if err != nil {
			return err
		}
		// Most rate limits have a key for overrides, but there is no meaningful key
		// here.
		noKey := ""
		if count >= limit.GetThreshold(noKey, regID) {
			ra.pendAuthByRegIDStats.Inc("Exceeded", 1)
			ra.log.Info(fmt.Sprintf("Rate limit exceeded, PendingAuthorizationsByRegID, regID: %d", regID))
			return core.RateLimitedError("Too many currently pending authorizations.")
		}
		ra.pendAuthByRegIDStats.Inc("Pass", 1)
	}
	return nil
}

and this is the implementation of the CountPendingAuthorizations method:

github.com

letsencrypt/boulder/blob/ee26b8b6dea39d199ed7806fd25e2a702d9245b1/sa/storage-authority.go#L816-L828


// CountPendingAuthorizations returns the number of pending, unexpired
// authorizations for the give registration.
func (ssa *SQLStorageAuthority) CountPendingAuthorizations(regID int64) (count int, err error) {
	err = ssa.dbMap.SelectOne(&count,
		`SELECT count(1) FROM pendingAuthorizations
		 WHERE registrationID = :regID AND
				expires > :now`,
		map[string]interface{}{
			"regID": regID,
			"now":   ssa.clk.Now(),
		})
	return
}

It seems that you generated number of authorization requests larger than the allowed limit. The authorization is used to validate the ownership of a specific domain.

You may fix the issue by validating one of the pending authorizations or waiting for the rate-limit window to expire. I have no idea what is the window as this is a configuration that can be loaded via YAML and it doesn’t seem to be in boulder. It may probably be environment specific.

jsha · February 21, 2016, 7:29am

You’re doing the right thing to use staging for your client development. The rate limit will clear up in a few hours. If you want maximum flexibility or are doing a large volume of testing, you may want to check out the Boulder repository and run a local instance of Boulder.