Hi,
Last week I believe I tried twice to renew my cert; the 2nd attempt got an error when trying to install it.
Today my cert expired and I attempted to renew again, but got a "rate limit error" - which looked like for a week time period.
Checked the URL listed and I'm allowed 50 attempts per week. I do a manual certonly type request, so it seems unlikely that my site actually did 50 requests in the last week.
Is there any way to check what IP addresses are making the requests? I have only 3 public IP addresses and only 2 of those could make a legitimate request. Is it possible to specify what IP addresses are allowed to make a certificate request? E.g., define a TXT record in DNS that specifies who is allowed to make a request -- something akin to an SPF record?
Hi @ramoncuriel, and welcome to the LE community forum.
I like the idea of such an added level of control.
But speaking directly about your situation:
Have you checked to see how many certs have been issued for that domain recently?
[you can use: https://crt.sh/]
The rate limits you're probably hitting only trigger when someone successfully gets a certificate, e.g. someone has control over your server. What you describe sounds like you're hitting the 5 duplicate certificates limit.
Other limits are per-account, which also implies access to your server. So usually it's quite difficult for an attacker to do something that would rate-limit you.
Hmmm. Didn't know about crt.sh, so that is good information. IIRC, I issued only 2 requests on Aug 9th, but I see 4 certs issued that day, 4 on the 10th and 2 on the 11th.
Ack. Looking at logs now and looks like auto renewal is running. Guess I need to turn that off...
Thanks!
Ramon
As @rg305 has alluded, you are seeing pairs of precertificates and leaf certificates. You can see these labels on crt.sh at the top of each certificate's page.
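An added example, not part of the thread or of any Let's Encrypt tooling: counting real issuances from a crt.sh-style listing by collapsing each precertificate/leaf pair, then checking the result against the 5-per-week duplicate limit mentioned above. Assumptions: the rows are constructed sample data using crt.sh JSON field names (`issuer_name`, `serial_number`, `name_value`, `not_before`), the domain and dates are placeholders, and `not_before` stands in for the issuance time.

```python
from collections import Counter
from datetime import datetime, timedelta

def make_pair(serial, not_before):
    """Constructed rows: a precertificate and its leaf share issuer and serial."""
    row = {"issuer_name": "CN=Constructed CA", "serial_number": serial,
           "name_value": "example.org\nwww.example.org", "not_before": not_before}
    return [dict(row, id=f"{serial}-pre"), dict(row, id=f"{serial}-leaf")]

# Constructed sample mirroring the 4 + 4 + 2 rows the poster saw on crt.sh.
SAMPLE = (make_pair("0a01", "2021-08-09T08:00:00")
          + make_pair("0a02", "2021-08-09T09:30:00")
          + make_pair("0a03", "2021-08-10T08:00:00")
          + make_pair("0a04", "2021-08-10T21:15:00")
          + make_pair("0a05", "2021-08-11T07:45:00"))

def unique_issuances(rows):
    """Collapse precertificate/leaf pairs into one (name set, time) per certificate."""
    seen = {}
    for r in rows:
        key = (r["issuer_name"], r["serial_number"])
        names = frozenset(n.strip().lower() for n in r["name_value"].splitlines())
        seen.setdefault(key, (names, datetime.fromisoformat(r["not_before"])))
    return list(seen.values())

def issuances_per_day(rows):
    """Certificates actually issued per calendar day, after de-duplication."""
    return Counter(ts.date().isoformat() for _, ts in unique_issuances(rows))

def name_sets_at_limit(rows, now, limit=5, window=timedelta(days=7)):
    """Identical name sets that reached `limit` certificates inside the window."""
    counts = Counter(names for names, ts in unique_issuances(rows)
                     if now - window <= ts <= now)
    return {names: n for names, n in counts.items() if n >= limit}

if __name__ == "__main__":
    now = datetime(2021, 8, 12)  # constructed "today" for the sample
    print(len(SAMPLE), "rows ->", len(unique_issuances(SAMPLE)), "certificates")
    print(dict(issuances_per_day(SAMPLE)))
    for names, n in name_sets_at_limit(SAMPLE, now).items():
        print(sorted(names), "issued", n, "times in the last 7 days")
```

On this sample the ten listed rows reduce to five certificates for one name set, which is exactly the duplicate limit and points at an automated renewal job rather than an outside requester.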