Rate Limits hit because of TLS-SNI validation issue

dax · January 24, 2018, 6:28am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: redirect.bibushost.com

I ran this command: certbot renew

It produced this output: Error creating new authz :: too many currently pending authorizations: see https://letsencrypt.org/docs/rate-limits/

My web server is (include version): bibushost.com

The operating system my web server runs on is (include version): CentOS 7.4

My hosting provider, if applicable, is: Nimblu / ourselves

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): ispconfig

My situation is that I used CentOS 7.4 with ispconfig 3.1.11 and certbot for certificate issues/renewals.
Now since the 20th of January I constantly get the rate limit message.
I did replace certbot with version 0.21 from github to ensure a current certbot.

I am affected not only with the webserver of bibushost.com, affected certificates: bibus.at, bibusmetals.hu, redirect.bibushost.com
Also I am affected on my host negotium.ch: pfaendler-uhren.ch, spielgruppe-kreuzlingen.ch, negotium.ch, etc.

I have no clue how I could reasonably clear the pending authorizations. I read https://letsencrypt.org/docs/rate-limits/ but I have not yet figured out how to do this and I suggest you find a better, aka. more intuitive method to do this.

Crashing on rate limits unexpectedly while using your client just because you changed some technical detail because of security issues is very troubling.

I would be very glad, if you could help me.

Best regards,

Patrick Daxboeck

schoen · January 24, 2018, 5:00pm

Hi @dax,

A couple of people have written scripts to clear pending authorizations. Two examples are

github.com

alexzorin/clear-authz/blob/master/clear-authz.go

package main

import (
	"bufio"
	"crypto"
	"fmt"
	"io"
	"io/ioutil"
	"os"
	"regexp"
	"strings"

	"golang.org/x/net/context"

	"golang.org/x/crypto/acme"
	"gopkg.in/square/go-jose.v2"
)

var (
	pattern = regexp.MustCompile(`https://acme-v01\.api\.letsencrypt\.org/acme/authz/[a-zA-Z0-9_-]+`)

This file has been truncated. show original

github.com

ahaw021/LE_FIND_PENDING_AUTHZ/blob/master/LE_FIND_PENDING_AUTHZ.py

import os
import re 
import datetime as dt
import urllib3
import json
import time

from acme import client
from acme import messages
from acme import jose
from acme import challenges

# UPDATE THESE for the Script to work
#PATH - path to Let's Encrypt Logs folder. by default /var/log/letsencrypt
#KEY FOLDER - folder for Let's Encrypt Account Key. Usually /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/<random numbers and letters>

PATH = r""
KEY_FOLDER = r""

#DO NOT TOUCH PARAMETERS BELOW UNLESS YOU ARE CONFIDENT OF THEIR FUNCTIONING

This file has been truncated. show original

I will inquire about adding this functionality to Certbot as well, but that wouldn’t happen in time to be useful to you.

dax · January 25, 2018, 2:13pm

Dear @schoen,

Thank you very much for your effort to provide me with some scripts.

The python script seems to be buggy as it complains about not being able to find the letsencrypt.211 logfile
The go script I was not able to compile.

So as I had it before, I have no solution to clear the pending authorizations.
And that could be a simple x86 linux(elf) binary which does the job.

I would prefer a solution where I don’t need to install programming languages and compilers which I have no other need for and scripts which do work and don’t require me to debug and fix them.

Do you have other scripts which are either written in c or bash scripts which do work in a standard server environment without special languages and depencies needed ?
Or as I would prefer, binaries which I just could execute ?

Have a nice day and best regards,

Patrick Daxboeck

jmorahan · January 25, 2018, 2:56pm

The author of the go script also shared a binary here (I’m linking to the forum post rather than directly to the binary so that you can read his warning )

schoen · January 25, 2018, 5:10pm

I don’t have another script, but if you show me the error from the Python one, I could try to help debug it!

system · February 24, 2018, 5:10pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Rate limits hit, no way around it, no idea when/how rate limits will go away Help	5	3600	August 4, 2018
Regarding rate limiting Help	2	66	March 8, 2025
Remove from rate limit please Help	4	1724	September 6, 2019
Reach Rate Limit Help	27	1515	January 14, 2022
Renewal Rate Limit Help	5	473	August 25, 2023

Rate Limits hit because of TLS-SNI validation issue

Related topics