Rate limits issue

Hi

We have encountered the error
{"type": "urn:ietf:params:acme:error:rateLimited", "detail": "Your IP, 52.76.230.128, has been blocked due to ridiculously excessive traffic. Once this is corrected you may request this be reviewed on our forum https://community.letsencrypt.org "}

Because we are a SaaS platform, many domains are registered via us.
So what can we do about it? Thanks

CC @jsha and @cpu, could you please be so kind and take a look into this issue?

FYI, we are using https://hub.docker.com/r/openresty/openresty/ as the cert generation nginx

Hi @ianchan0817

Your ACME client is misconfigured and was generating an excessive amount of repeat validation attempts for non-existent domains.

Can you investigate why this might be occurring? We would likely be able to lift the block once you have confirmed that your client will not be acting in an abusive manner.

Thanks!

The ACME client we are using is lua-resty-auto-ssl.
It should be that some domains have already expired, but they are still inside the Redis-stored SSL certs. It will retry every day.

This is a problem that will need to be fixed on your end. The API traffic you are generating for these expired, invalid domains is causing complications for the day-to-day operation of our service. We won't be able to unblock your client until you've resolved this problem.

Perhaps the developers of lua-resty-auto-ssl can provide some guidance on things you can try.

I believe the block is not applied in the staging environment, you should be able to iterate on your approach there.

In addition, please add an email address to your ACME account so we can contact you directly about such misconfigurations in the future. Thanks!

@cpu yes, thank you for the reply. We had a hotfix build for it to extend the retry interval and we have already manually removed the invalid domains. We will have better domain management on our side. So the issue has been solved.

Please help to lift the block.

@jsha yes, adding back the email contact is also on our roadmap. We will do it in the next build. Thanks for reminding us.

In addition to setting your email address, please add:

  • Logging and/or metrics about the number of requests you are sending, so you can notice if your traffic becomes excessive again.
  • A meaningful User-Agent string. Right now your User-Agent just says “curl” and a version number.

I’ve filed a ticket with our Ops team to unblock your IP address.
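Added example, not part of the thread and not lua-resty-auto-ssl code: a sketch of the two fixes discussed above, backing off and eventually dropping domains that keep failing validation, and counting outgoing requests so excessive traffic is noticed. The class, its parameters and the domain name are hypothetical.

```python
from collections import deque

DAY = 86400  # seconds


class RenewalGate:
    """Gate ACME attempts per domain and count requests in a sliding window."""

    def __init__(self, base_delay=DAY, max_failures=5, window=3600, alert_at=100):
        self.base_delay = base_delay      # wait after the first failure
        self.max_failures = max_failures  # stop retrying after this many in a row
        self.window = window              # metrics window, in seconds
        self.alert_at = alert_at          # requests per window considered excessive
        self.failures = {}                # domain -> (consecutive failures, next allowed time)
        self.dropped = set()              # domains removed from the renewal set
        self.sent = deque()               # timestamps of requests sent

    def may_attempt(self, domain, now):
        if domain in self.dropped:
            return False
        return now >= self.failures.get(domain, (0, 0))[1]

    def record(self, domain, ok, now):
        self.sent.append(now)
        if ok:
            self.failures.pop(domain, None)
            return
        count = self.failures.get(domain, (0, 0))[0] + 1
        if count >= self.max_failures:
            # Stop generating traffic for a domain that no longer validates.
            self.failures.pop(domain, None)
            self.dropped.add(domain)
        else:
            # Exponential backoff: base, 2*base, 4*base, ...
            self.failures[domain] = (count, now + self.base_delay * 2 ** (count - 1))

    def requests_in_window(self, now):
        while self.sent and self.sent[0] <= now - self.window:
            self.sent.popleft()
        return len(self.sent)

    def excessive(self, now):
        return self.requests_in_window(now) >= self.alert_at


def run_daily_passes(gate, outcomes, days):
    """Constructed driver: one pass per day; outcomes maps domain -> validation result."""
    sent = 0
    for day in range(days):
        for domain, ok in outcomes.items():
            if gate.may_attempt(domain, day * DAY):
                gate.record(domain, ok, day * DAY)
                sent += 1
    return sent
```

With `max_failures=3`, a domain that never validates costs three requests over 30 daily passes instead of 30.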

Okay, we will also add it to our to-do list for a future build.

May I know how long it takes to become effective? We have many pending domains waiting for new certs to be issued, because every day we have many new domains registered via us, since we are an e-commerce platform, as I said.

And some domains cannot be renewed as well, but we should have 30 days grace period so still okay. But hopefully we can issue new domains asap.

Thank you for your help

@ianchan0817 The block has been removed and you should be able to issue again.
