Hello,

We are getting rate-limited while requesting certificates from the staging environment. The error we get:

Action required to unpause your account

You have been directed to this page because your ACME account (ID: 174142594) is temporarily restricted from requesting new certificates for certain identifiers including, but not limited to, the following:

• <domain>

These identifiers were paused after consistently failing validation attempts without any successes over an extended period.

This happens for a few domains, and looking at the rate-limits, I am not sure how this could happen.

We run a script every 10 minutes to check whether DNS resolves correctly, and when it does, we request the certificate using the http challenge, first against staging, and if it succeeds, also against live. The rate limits for staging are very large and I don't see how we could hit a rate limit here.

We can manually unpause of course, but it's not ideal.
I would like to figure out which rate limit we are hitting, as it doesnt mention it in the error.

Is there a way to figure this out?

Thanks!

This is caused by having many (hundreds or thousands) of failed renewals for one or more orders.

[It is not quite related to rate limits, instead it's consecutive failures for the "same" certificate order. Usually it's because you have attempted a renewal thousands of time that's just never going to work, such as a customer domain that no longer points to your server.]

So, you need to get a handle on how many failures you are having, and for which certificate orders. Which ACME client are you using?

webprofusion has covered the key points. The description of this "zombie client" pause was announced in the API section: Automatic Pausing of Zombie Clients