Rate limits are extremely worsening the situation

While I was playing with updates for nginxproxy/acme-companion and checking options to solve problems, my certificates were lost and now my host is blocked. I don't have the old certificates and can't fetch new ones because of rate limits. And the API returns me absolutely unrealistic deadlines.

[Sat Oct  2 20:18:38 UTC 2021] Getting domain auth token for each domain
[Sat Oct  2 20:18:39 UTC 2021] Create new order error. Le_OrderFinalize not found. {
  "type": "urn:ietf:params:acme:error:rateLimited",
  "detail": "Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: my_domain_was_here.dot: see https://letsencrypt.org/docs/rate-limits/",
  "status": 429
}

Maybe it is not a good idea to have such poor limits during this difficult time?

1 Like
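The error above is an ACME "problem document" (RFC 7807 JSON) whose `detail` string names the limit that was hit: the duplicate-certificate limit of 5 per exact set of names per 168-hour window. The following is an added example, not code from the thread or from acme.sh / acme-companion. It parses such a response, classifies the limit, and, given the timestamps of the recent issuances (constructed sample values here), computes the earliest moment at which another order for the same name set could succeed; the assumed `plan()` helper then states the only useful action while the window is still full, which is to restore one of the already-issued certificates rather than keep retrying.

```python
"""Classify a Let's Encrypt rateLimited problem document and compute the retry horizon.

Added example for this thread; not the project's code. The sample error body is
reconstructed from the log in the post above, and the issuance timestamps are constructed.
"""
import json
import re
from datetime import datetime, timedelta, timezone

RATE_LIMITED = "urn:ietf:params:acme:error:rateLimited"

# Matches the duplicate-certificate wording used by Boulder (Let's Encrypt's CA software):
# "too many certificates (5) already issued for this exact set of domains in the last
#  168 hours: a.example,b.example: see https://..."
DUPLICATE_RE = re.compile(
    r"too many certificates \((\d+)\) already issued for this exact set of domains "
    r"in the last (\d+) hours: ([^:]+):"
)

# Constructed: the problem document from the post, as the ACME server returned it.
SAMPLE_PROBLEM = json.dumps({
    "type": RATE_LIMITED,
    "detail": ("Error creating new order :: too many certificates (5) already issued "
               "for this exact set of domains in the last 168 hours: my_domain_was_here.dot: "
               "see https://letsencrypt.org/docs/rate-limits/"),
    "status": 429,
})


def parse_problem(body: str) -> dict:
    """Return a dict describing the error; 'kind' is 'duplicate' for the limit hit above."""
    problem = json.loads(body)
    info = {"status": problem.get("status"), "type": problem.get("type"),
            "rate_limited": problem.get("type") == RATE_LIMITED, "kind": None}
    if not info["rate_limited"]:
        return info
    m = DUPLICATE_RE.search(problem.get("detail", ""))
    if m:
        info["kind"] = "duplicate"
        info["limit"] = int(m.group(1))          # certificates allowed per window
        info["window_hours"] = int(m.group(2))   # rolling window length
        info["domains"] = [d.strip() for d in m.group(3).split(",")]
    else:
        info["kind"] = "other"                   # e.g. per-registered-domain or order limits
    return info


def earliest_retry(issued_at: list, limit: int, window_hours: int):
    """Earliest time at which fewer than `limit` issuances fall inside the rolling window.

    issued_at: UTC datetimes of recent issuances for the same exact name set (from your
    own backups or CT logs). Returns None when the rule is not currently binding.
    """
    recent = sorted(issued_at)
    if len(recent) < limit:
        return None
    # The window is rolling: the order succeeds once the oldest of the last `limit`
    # issuances has aged out, leaving limit-1 inside the window.
    return recent[-limit] + timedelta(hours=window_hours)


def plan(body: str, issued_at: list, now: datetime) -> str:
    """Hypothetical helper: turn the error plus local issuance history into an action."""
    info = parse_problem(body)
    if not info["rate_limited"]:
        return "not-rate-limited"
    if info["kind"] != "duplicate":
        return "rate-limited: consult https://letsencrypt.org/docs/rate-limits/"
    retry = earliest_retry(issued_at, info["limit"], info["window_hours"])
    if retry is None or retry <= now:
        return "retry-now"
    # While the window is full, the CA will not issue again for this exact set of names;
    # the already-issued certificates are the only way to serve TLS until then.
    return f"restore-existing-certificate; next issuance possible after {retry.isoformat()}"


# Constructed issuance history: five certificates for the same name set in the last week.
ISSUED = [datetime(2021, 10, 1, 10, 0, tzinfo=timezone.utc),
          datetime(2021, 10, 1, 12, 0, tzinfo=timezone.utc),
          datetime(2021, 10, 1, 14, 0, tzinfo=timezone.utc),
          datetime(2021, 10, 1, 16, 0, tzinfo=timezone.utc),
          datetime(2021, 10, 2, 18, 0, tzinfo=timezone.utc)]
NOW = datetime(2021, 10, 2, 20, 18, 38, tzinfo=timezone.utc)  # timestamp of the log line

if __name__ == "__main__":
    print(parse_problem(SAMPLE_PROBLEM))
    print(plan(SAMPLE_PROBLEM, ISSUED, NOW))
```

The same classification is worth wiring into whatever wraps your ACME client: on a `rateLimited` response, stop the retry loop, fall back to the last good certificate from backup, and only then schedule the next attempt. Retrying in a loop only extends the window, and a limit of this shape is keyed to the exact set of names, so a bug that deletes the certificate after each issuance will exhaust it within minutes.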

That's just the regular rate limit. You've created 5 certificates recently, please use one of those.

Also, since when does "playing with updates" result in losing your certificates? You can't blame Let's Encrypt for your own mistakes.

5 Likes

Hi @QuAzI,

Sorry you're running into trouble. One common workaround for the "duplicate certificate limit" (the one you're hitting) is to add some arbitrary subdomain to your requests so they are no longer an exact duplicate.

Also, keep a copy of your certificates around between attempts so you can better deal with rate limit situations.

You may want to try out our staging environment. Staging Environment - Let's Encrypt

5 Likes

Please use an existing certificate from the backups you took before deleting them. In the future the staging environment should be used for debugging systems.

Using the production API costs Let's Encrypt: the resources to issue the certificate are expended, and they are obligated to provide sufficient capacity for OCSP responses. It's disrespectful to waste it.

1 Like

Why?
It seems that your certificate maintenance procedures are lacking some basic steps.
Also, it would be nice to use the staging system while you test things (and until all tests are passed).

Without production limits it would be way too easy for intentional, or unintentional, overloading to create a DoS on the entire PKI system.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.