Rate limit: Pending Authorizations problem (sorry!)

Hi all, I hope someone can help in some way.

I recently moved from a VPS (WHM/cPanel) with approx 100 accounts. The new VPS is the same setup, so all cPanel accounts were migrated. I have a situation where any attempt to create a new domain or subdomain and run auto SSL results in:

WARN AutoSSL failed to create a new certificate order because the server’s Let’s Encrypt account (https://acme-v02.api.letsencrypt.org/acme/acct/1273947476) has reached a rate limit. (429 urn:ietf:params:acme:error:rateLimited (The request exceeds a rate limit) (Error creating new order :: too many currently pending authorizations: 308

It's been this way for a couple of weeks and I really need to be able to apply SSL to new accounts! It doesn't appear that simply waiting is working.

I shouldn't be close to any rate limits on the new VPS, but wonder if requests are still running on the old one which is doubling things up (or more).

Is there any way anyone can pull up some information which would guide me in the right direction? The host isn't being too helpful.

A very many thanks in advance,
Phil


My web server is (include version):
Linux 5.14.0-284.25.1.el9_2.x86_64

The operating system my web server runs on is (include version):
AlmaLinux v9.3.0 STANDARD kvm

My hosting provider, if applicable, is:
GoDaddy

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
cPanel & WHM v118.0.4

Pending authorizations are rate-limited per account. See Rate Limits - Let's Encrypt

You can go through your client's logs to find the pending authorization URLs. Several clients support revoking pending authorizations. There were some tools to do this, but most have been deprecated due to a lack of maintenance.

3 Likes

Thanks @jvanasco,

Sorry if this is a really dumb question, but when you say 'client' what are you referring to specifically?

Thanks!

1 Like

He meant your ACME Client (cPanel AutoSSL in your case)

4 Likes

Thanks @MikeMcQ. I suspected that, but can't find any logs specific to this in cPanel. WHM has AutoSSL logs but it only gives the info in my original post.

As it seems to give the account number, is there some way a Let's Encrypt engineer could check and give some info on this?

1 Like

I don't know. You will have to wait to see if any of them respond.

I don't know what info they could give you that would be helpful. I doubt the LE Servers are mis-counting your pending auths. So, you need to identify what's going wrong with your ACME Client.

I would try asking your cPanel support or hosting service to see what logs or issues they can identify. Something has gone wrong if you haven't been able to request certs for weeks.

When you say there are "100 accounts" do you mean 100 ACME Accounts? Because the pending auth limit is per that account. I'm guessing they are all under one ACME Account so the failures are building. Have you tried making a new ACME Account? Do you have a rate limit exemption or ECDSA allow-list for your account that would make that impractical?

Did you ever get any new certs issued on the system you migrated to?

From the Let's Encrypt Rate Limit page

You can have a maximum of 300 Pending Authorizations on your account. Hitting this rate limit is rare, and happens most often when developing ACME clients. It usually means that your client is creating authorizations and not fulfilling them. Please utilize our staging environment if you’re developing an ACME client. Exceeding the Pending Authorizations limit is reported with the error message too many currently pending authorizations.

4 Likes

Hi :wave:

Can't look at logs to determine what's gone wrong, but I suspect that yes, you left the old VPS's client in a bad state and as a result there are a bunch of unfulfilled authorizations hanging around. You have three options:

  1. Wait. The pending authorizations will expire after 7 days. As long as your setup isn't continuously trying to create (and then never fulfill) new ones, the issue will go away soon. But if some system you can't stop is still creating but not fulfilling authorizations, then...
  2. Deactivate the authorizations. Unfortunately I don't think cPanel AutoSSL supports the ACME deactivate-registration API, and getting your account key out of cPanel and into some other ACME client is probably hard-to-impossible. If you can do this, awesome, but more likely...
  3. Follow these instructions to "Recreate your registration". This will give your new VPS a new ACME account that doesn't have those 308 old pending authorizations still hanging around.

If the problem persists even after you create a new account, that means that something is messed up with your new VPS. It is creating orders for new certificates, but then not even attempting to fulfill the challenges to prove control over those domains. You'll need to figure out what's wrong with your setup or configuration to resolve the issue.

5 Likes
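Added example, not part of any post in this thread and not cPanel or Let's Encrypt code: a sketch of the log review suggested above, which pulls candidate authorization URLs out of an ACME client log and compares them with the count in the `rateLimited` error. The log format, the sample lines and the authorization URL shape are assumptions; the payload is the one RFC 8555 section 7.5.2 defines for deactivating an authorization and still has to be sent as a JWS signed with the account key by an ACME client.

```python
import json
import re

# Limit quoted in the thread from the Let's Encrypt rate-limit page.
PENDING_AUTHZ_LIMIT = 300

# Assumed URL shape: authorization URLs carry an "/acme/authz" path segment.
AUTHZ_URL = re.compile(
    r"https://acme-v02\.api\.letsencrypt\.org/acme/authz[-\w]*/[\w/-]+"
)
RATE_LIMITED = re.compile(
    r"urn:ietf:params:acme:error:rateLimited.*?"
    r"too many currently pending authorizations: (\d+)"
)

# Constructed sample log lines; a real client's log format will differ.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z new-order authz=https://acme-v02.api.letsencrypt.org/acme/authz-v3/1111111111
2024-03-01T10:00:02Z new-order authz=https://acme-v02.api.letsencrypt.org/acme/authz-v3/2222222222
2024-03-01T10:05:00Z retry authz=https://acme-v02.api.letsencrypt.org/acme/authz-v3/1111111111
2024-03-02T09:00:00Z 429 urn:ietf:params:acme:error:rateLimited (Error creating new order :: too many currently pending authorizations: 308
"""

def pending_authz_urls(log_text):
    """Unique authorization URLs in first-seen order (candidates, not confirmed pending)."""
    return list(dict.fromkeys(AUTHZ_URL.findall(log_text)))

def reported_pending(log_text):
    """Highest pending-authorization count the server reported, or None."""
    counts = [int(n) for n in RATE_LIMITED.findall(log_text)]
    return max(counts) if counts else None

def deactivation_body():
    """JWS payload for deactivating one authorization (RFC 8555 section 7.5.2)."""
    return json.dumps({"status": "deactivated"})

def summarize(log_text):
    """Compare what this host's log shows with what the server reports."""
    urls = pending_authz_urls(log_text)
    reported = reported_pending(log_text)
    known = reported is not None
    return {
        "authz_urls": urls,
        "reported_pending": reported,
        "over_limit_by": max(0, reported - PENDING_AUTHZ_LIMIT) if known else None,
        # Authorizations the server counts that never appear in this log,
        # e.g. ones created by another host sharing the same ACME account.
        "not_in_this_log": max(0, reported - len(urls)) if known else None,
    }

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

A large `not_in_this_log` value on the new server is consistent with the suspicion raised in the thread that another machine using the same ACME account is still creating authorizations.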
