Rate limited for duplicate certs for my load balancers - what to do?

jcjones · April 1, 2022, 5:44pm

Hi! Every time I provision new load balancers, if I provision more than 5, I get a rate limit error. I've tried keeping instances around longer, but sometimes things happen and I need more. (Also, every single time I try to get certs issued when I'm under load, the Let's Encrypt API is slow for me!) Right now every time I have this problem, I just leave the extra load balancers offline until a week later when their automatic renewal task fixes their cert, and then I add them into the mix at our CDN.

I wonder if I should get an override, or bite the bullet and add a key distribution mechanism?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
acme-v02.api.letsencrypt.org

I ran this command:

/certbot-auto certonly  -d acme-v02.api.letsencrypt.org \
  -d acme-v02-1.api.letsencrypt.org \
  -d acme-v02-2.api.letsencrypt.org \
  -d acme-v02-3.api.letsencrypt.org \
  -d acme-v02-4.api.letsencrypt.org \
  -d acme-v02-5.api.letsencrypt.org \
  -d incident.letsencrypt.org

It produced this output:

There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: acme-v02.api.letsencrypt.org acme-v02-1.api.letsencrypt.org acme-v02-2.api.letsencrypt.org acme-v02-3.api.letsencrypt.org acme-v02-4.api.letsencrypt.org acme-v02-5.api.letsencrypt.org incident.letsencrypt.org : see https://letsencrypt.org/docs/rate-limits/

My web server is (include version):
nginx 1.21.6

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:
n/a

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
1.25.0

Rip · April 1, 2022, 5:48pm

Is he serious? Is this a test? Lemme see... What is his domain name?

Just curious

Phil · April 1, 2022, 5:48pm

ZeroSSL doesn't have rate limits on their production service. Have you given that a shot?

griffin · April 1, 2022, 5:48pm

You probably just need to revoke all of your existing certificates to alleviate the load.

Nummer378 · April 1, 2022, 5:53pm

Just add dummy domain names to your certs!?!?!

jcjones · April 1, 2022, 5:54pm

Ah, when I spin down a load balancer, make sure to revoke the certs?

I think I have a way to do that real easy with a database query, can give this a try later

UPDATE certificateStatus SET status="revoked";

griffin · April 1, 2022, 5:56pm

True. Be careful though. You want that command to be as broad as possible. "Inclusive", if you will.

griffin · April 1, 2022, 6:03pm

Also, be certain of the protocol for your requests. You might need to bring your own sugar. If you see a 406 response, be cautious. If you get a 418 or, heaven forbid, a 2319, unplug your server as fast as possible and wait for things to cool down.

Osiris · April 1, 2022, 6:09pm

Please don't open threads with a log file almost a month old already.

Rip · April 1, 2022, 6:15pm

April Fools!
clown-creepy-150x150

griffin · April 1, 2022, 6:19pm

On an odd (and not joking note), I just got several minutes of non-response from https://acme-v02.api.letsencrypt.org and https://acme-v02.api.letsencrypt.org/directory. It appears to be resolved now. Was this deliberate or?

Bruce5051 · April 1, 2022, 6:22pm

Why sure they are serious about April fools.

mcpherrinm · April 1, 2022, 6:58pm

We did some traffic shifts today to reboot some hosts for updates, which shouldn't have been externally visible, but may have lead to what you saw. Do you have timestamps for when you saw this?

rg305 · April 1, 2022, 7:00pm

@mcpherrinm
Welcome to the party!

griffin · April 1, 2022, 7:17pm

About 20 minutes into the creation of this topic. I visited both the base domain and /directory with my web browser and got "no data" responses for both.

mcpherrinm · April 1, 2022, 7:46pm

That aligns with when the maintenance occurred. Thanks for the report, and I'll see if I can figure out where something went wrong.

petercooperjr · April 1, 2022, 10:12pm

Now you've got me curious which ACME client (and architecture for distributing certs) you actually use at your scale.

griffin · April 1, 2022, 10:20pm

I prefer certbot-home myself when I'm not on the road. It has better support for HTCPCP.

system · May 1, 2022, 10:20pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Need help for rate limit Help	4	331	March 22, 2024
[SOLVED] Error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for: domain.tld Help	3	8025	September 15, 2016
Client error: `POST https://acme-v02.api.letsencrypt.org/acme/new-order Help	19	6084	August 12, 2023
Assistance with rate limit reset Help	11	2037	February 5, 2022
How to avoid rate limit Help	11	396	June 8, 2024

Rate limited for duplicate certs for my load balancers - what to do?

Related Topics