Rate limited for duplicate certs for my load balancers - what to do?

Hi! Every time I provision new load balancers, if I provision more than 5, I get a rate limit error. I've tried keeping instances around longer, but sometimes things happen and I need more. (Also, every single time I try to get certs issued when I'm under load, the Let's Encrypt API is slow for me!) Right now every time I have this problem, I just leave the extra load balancers offline until a week later when their automatic renewal task fixes their cert, and then I add them into the mix at our CDN.

I wonder if I should get an override, or bite the bullet and add a key distribution mechanism?


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
acme-v02.api.letsencrypt.org

I ran this command:

/certbot-auto certonly  -d acme-v02.api.letsencrypt.org \
  -d acme-v02-1.api.letsencrypt.org \
  -d acme-v02-2.api.letsencrypt.org \
  -d acme-v02-3.api.letsencrypt.org \
  -d acme-v02-4.api.letsencrypt.org \
  -d acme-v02-5.api.letsencrypt.org \
  -d incident.letsencrypt.org

It produced this output:

There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: acme-v02.api.letsencrypt.org acme-v02-1.api.letsencrypt.org acme-v02-2.api.letsencrypt.org acme-v02-3.api.letsencrypt.org acme-v02-4.api.letsencrypt.org acme-v02-5.api.letsencrypt.org incident.letsencrypt.org : see https://letsencrypt.org/docs/rate-limits/ 

My web server is (include version):
nginx 1.21.6

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:
n/a

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
1.25.0

11 Likes

Is he serious? Is this a test? Lemme see... What is his domain name?

Just curious :face_with_monocle:

6 Likes

ZeroSSL doesn't have rate limits on their production service. Have you given that a shot?

9 Likes

You probably just need to revoke all of your existing certificates to alleviate the load.

8 Likes

Just add dummy domain names to your certs!?!?!

6 Likes

Ah, when I spin down a load balancer, make sure to revoke the certs?

I think I have a way to do that real easy with a database query, can give this a try later

UPDATE certificateStatus SET status="revoked";
8 Likes

True. Be careful though. You want that command to be as broad as possible. "Inclusive", if you will.

5 Likes

Also, be certain of the protocol for your requests. You might need to bring your own sugar. If you see a 406 response, be cautious. If you get a 418 or, heaven forbid, a 2319, unplug your server as fast as possible and wait for things to cool down.

5 Likes

Please don't open threads with a log file almost a month old already. :wink:

8 Likes

April Fools!
clown-creepy-150x150

5 Likes

On an odd (and not joking note), I just got several minutes of non-response from https://acme-v02.api.letsencrypt.org and https://acme-v02.api.letsencrypt.org/directory. It appears to be resolved now. Was this deliberate or?

3 Likes

Why sure they are serious about April fools. :smile:

5 Likes

We did some traffic shifts today to reboot some hosts for updates, which shouldn't have been externally visible, but may have lead to what you saw. Do you have timestamps for when you saw this?

6 Likes

@mcpherrinm
Welcome to the party!

6 Likes

About 20 minutes into the creation of this topic. I visited both the base domain and /directory with my web browser and got "no data" responses for both.

3 Likes

That aligns with when the maintenance occurred. Thanks for the report, and I'll see if I can figure out where something went wrong.

6 Likes

Now you've got me curious which ACME client (and architecture for distributing certs) you actually use at your scale.

5 Likes

I prefer certbot-home myself when I'm not on the road. It has better support for HTCPCP.

5 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.