Rate limit with acme-v01 vs acme-v02

Greetings. We have an account for the domains specified below. We have been using acme-v01 for a few years now. We are interested in using acme-v02 since we have been using a very old dehydrated version. The recent version uses acme-v02. I believe we might need to create a new account so that we can benefit from the previously granted rate limit exception? Or, can we use our existing account id for both acme-v01 and acme-v02? I encountered a rate limit exception when using the new client after a number of invocations in our testing.

We would like to use both endpoints while we validate the new one and while we migrate.

Thank you,

Chuck Scott.

My domains are:

frgcloud.com
frganalytics.com
frg.tech

I ran this command:

using dehydrated (or any other ACME-compliant client)

It produced this output:
urn:ietf:params:acme:error:rateLimited
429 error ONLY WHEN USING acme-v02

My web server is (include version): N/A using dns-01

The operating system my web server runs on is (include version): whatever AWS lambda uses :slight_smile:

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): NO

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): dehydrated v0.6.5

As far as Let’s Encrypt is concerned, you can use the same account with v1 and v2.

I don’t know how to configure it in Dehydrated, though. Some ACME clients will automatically use the same account. Some might force you to make manual, undocumented changes to their configuration files.


With dehydrated, all you need to do is copy the private key of the existing Let’s Encrypt account (PEM format) to the right directory.

# Get the CA directory hash (strip the trailing padding =)
$ echo "https://acme-v02.api.letsencrypt.org/directory" | base64
aHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2RpcmVjdG9yeQo=

# Create the CA account directory
$ mkdir -p accounts/aHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2RpcmVjdG9yeQo

# Copy the account key to the CA account directory
$ cp key.pem accounts/aHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2RpcmVjdG9yeQo/account_key.pem

# Run Dehydrated as normal; it will locate the account and create the registration_info.json file
$ ./dehydrated -f config -c
# INFO: Using main config file config
Fetching missing account information from CA...
<snip>

$ ls accounts/aHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2RpcmVjdG9yeQo
account_key.pem  registration_info.json

Be aware that there are rate limits in v2 that did not exist in v1.

For users of the ACME v2 API you can create a maximum of 300 New Orders per account per 3 hours.

Does your rate limit exemption cover this limit too?

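The directory-naming step above, as an added example that is not from the original post or from the dehydrated project: a small POSIX shell helper that derives the account directory name for any CA URL and copies an existing account key into place, refusing to overwrite a key that is already there. It assumes dehydrated's own naming rule is base64 of the CA URL plus the trailing newline from `echo`, with `=` padding stripped and `+/` mapped to `-_`.

```shell
#!/bin/sh
# Derive dehydrated's account directory name for a CA directory URL.
# Assumption: mirrors dehydrated's urlbase64 helper applied to `echo "$CA"`,
# so the newline is part of the encoded input (hence the trailing "Qo").
dehydrated_ca_dir() {
  printf '%s\n' "$1" | base64 | tr -d '\n\r' | sed -e 's/=*$//' -e 'y:+/:-_:'
}

# Reuse an existing account key (PEM) for a second CA endpoint.
#   $1 = dehydrated base directory (contains accounts/)
#   $2 = path to the existing account_key.pem
#   $3 = CA directory URL of the endpoint to add
# Prints the directory it populated. Never overwrites an existing key, so two
# endpoints cannot silently end up registered with different keys.
migrate_account_key() {
  base="$1"; key="$2"; ca="$3"
  dir="$base/accounts/$(dehydrated_ca_dir "$ca")"
  if [ -e "$dir/account_key.pem" ]; then
    echo "refusing to overwrite $dir/account_key.pem" >&2
    return 1
  fi
  mkdir -p "$dir" || return 1
  cp "$key" "$dir/account_key.pem" || return 1
  chmod 600 "$dir/account_key.pem"   # account key is a credential; keep it private
  printf '%s\n' "$dir"
}
```

After the copy, run dehydrated as usual and it fetches registration_info.json for the new endpoint from the CA.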

Ok thanks I will review this setup.

Regarding rate limits, what I want to know is this:

We were given a rate limit exception that we have been using for a few years now with respect to the v1 endpoint. When we switch, will these same rate limits be allowed for the same account id?

Yes, the rate limit exemptions you had in ACME v1 come across to ACME v2.

However, ACME v2 introduced a new rate limit (newOrdersPerAccount) which didn’t exist in ACME v1.

So it’s possible that you might need to apply for another exemption to get that specific limit raised for your account ID, on top of your existing exemption.


fwiw when we added this rate limit we also gave all existing folks with a pending authorization rate limit override a new orders rate limit override based on a rough approximation of what they may need for ACME v2.

