Ratelimited post after updating certbot

Please fill out the fields below so we can help you better.

My domain is: Many domains (Approx 200)

I ran this command: sudo certbot --nginx

It produced this output:

261: www.xxx1.com

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): ENTER

My web server is (include version): Nginx 1.12.0

The operating system my web server runs on is (include version): Ubuntu 16.04

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No


Hello, I need some help.
After an update of certbot I received the following message in my log.

2017-07-21 00:59:23,957:DEBUG:certbot.main:certbot version: 0.14.2
2017-07-21 00:59:23,958:DEBUG:certbot.main:Arguments: []
2017-07-21 00:59:23,958:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2017-07-21 00:59:23,993:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7facb69279d0> and installer <certbot.cli._Default object at 0x7facb69279d0>
2017-07-21 00:59:23,993:DEBUG:certbot.cli:Default Detector is Namespace(account=<certbot.cli._Default object at 0x7facb691dfd0>, agree_dev_preview=None, allow_subset_of_names=<certbot.cli._Default object at 0x7facb691dd90>, apache=<certbot.cli._Default object at 0x7facb69273d0>, apache_challenge_location=<certbot.cli._Default object at 0x7facb6990650>, apache_ctl=<certbot.cli._Default object at 0x7facb6996150>, apache_dismod=<certbot.cli._Default object at 0x7facb691d850>, apache_enmod=<certbot.cli._Default object at 0x7facb691d510>, apache_handle_modules=<certbot.cli._Default object at 0x7facb6990a50>, apache_handle_sites=<certbot.cli._Default object at 0x7facb6990e10>, apache_init_script=<certbot.cli._Default object at 0x7facb6996510>, apache_le_vhost_ext=<certbot.cli._Default object at 0x7facb6982190>, apache_logs_root=<certbot.cli._Default object at 0x7facb69829d0>, apache_server_root=<certbot.cli._Default object at 0x7facb6982050>, apache_vhost_root=<certbot.cli._Default object at 0x7facb69826d0>, authenticator=<certbot.cli._Default object at 0x7facb69279d0>, break_my_certs=<certbot.cli._Default object at 0x7facb6927c10>, cert_path=<certbot.cli._Default object at 0x7facb692ba10>, certname=<certbot.cli._Default object at 0x7facb6982490>, chain_path=<certbot.cli._Default object at 0x7facb692b410>, checkpoints=<certbot.cli._Default object at 0x7facb6933310>, config_dir=<certbot.cli._Default object at 0x7facb692b210>, config_file=None, configurator=<certbot.cli._Default object at 0x7facb69279d0>, csr=<certbot.cli._Default object at 0x7facb6933110>, debug=<certbot.cli._Default object at 0x7facb6927710>, debug_challenges=<certbot.cli._Default object at 0x7facb6927810>, dialog=None, domains=<certbot.cli._Default object at 0x7facb6982590>, dry_run=<certbot.cli._Default object at 0x7facb6982150>, duplicate=<certbot.cli._Default object at 0x7facb6927110>, eff_email=<certbot.cli._Default object at 0x7facb691d750>, email=<certbot.cli._Default object at 0x7facb691d8d0>, 
expand=<certbot.cli._Default object at 0x7facb691d2d0>, force_interactive=<certbot.cli._Default object at 0x7facb6982710>, fullchain_path=<certbot.cli._Default object at 0x7facb692b610>, func=<function certificates at 0x7facb6cd0410>, hsts=<certbot.cli._Default object at 0x7facb692b150>, http01_port=<certbot.cli._Default object at 0x7facb6927b10>, ifaces=<certbot.cli._Default object at 0x7facb692bdd0>, init=<certbot.cli._Default object at 0x7facb6933410>, installer=<certbot.cli._Default object at 0x7facb69279d0>, key_path=<certbot.cli._Default object at 0x7facb692b810>, logs_dir=<certbot.cli._Default object at 0x7facb6927dd0>, manual=<certbot.cli._Default object at 0x7facb691dd50>, manual_auth_hook=<certbot.cli._Default object at 0x7facb691d3d0>, manual_cleanup_hook=<certbot.cli._Default object at 0x7facb6996e10>, manual_public_ip_logging_ok=<certbot.cli._Default object at 0x7facb6933390>, must_staple=<certbot.cli._Default object at 0x7facb6927e10>, nginx=<certbot.cli._Default object at 0x7facb69271d0>, nginx_ctl=<certbot.cli._Default object at 0x7facb6933510>, nginx_server_root=<certbot.cli._Default object at 0x7facb6996990>, no_bootstrap=<certbot.cli._Default object at 0x7facb6927410>, no_self_upgrade=<certbot.cli._Default object at 0x7facb6927310>, no_verify_ssl=<certbot.cli._Default object at 0x7facb6927910>, noninteractive_mode=<certbot.cli._Default object at 0x7facb6982890>, num=<certbot.cli._Default object at 0x7facb692bed0>, os_packages_only=<certbot.cli._Default object at 0x7facb6927210>, post_hook=<certbot.cli._Default object at 0x7facb692ba50>, pre_hook=<certbot.cli._Default object at 0x7facb692b950>, pref_challs=<certbot.cli._Default object at 0x7facb692b850>, prepare=<certbot.cli._Default object at 0x7facb692bf90>, quiet=<certbot.cli._Default object at 0x7facb6927510>, reason=<certbot.cli._Default object at 0x7facb6933210>, redirect=<certbot.cli._Default object at 0x7facb6927f10>, register_unsafely_without_email=<certbot.cli._Default object at 
0x7facb6982410>, reinstall=<certbot.cli._Default object at 0x7facb691d450>, renew_by_default=<certbot.cli._Default object at 0x7facb691d0d0>, renew_hook=<certbot.cli._Default object at 0x7facb692bb50>, renew_with_new_domains=<certbot.cli._Default object at 0x7facb691dc90>, rsa_key_size=<certbot.cli._Default object at 0x7facb6927d10>, server=<certbot.cli._Default object at 0x7facb6927bd0>, staging=<certbot.cli._Default object at 0x7facb6927610>, standalone=<certbot.cli._Default object at 0x7facb691df90>, standalone_supported_challenges=<certbot.cli._Default object at 0x7facb6933610>, staple=<certbot.cli._Default object at 0x7facb692b550>, strict_permissions=<certbot.cli._Default object at 0x7facb692b750>, text_mode=<certbot.cli._Default object at 0x7facb6982a10>, tls_sni_01_port=<certbot.cli._Default object at 0x7facb6927a10>, tos=<certbot.cli._Default object at 0x7facb691ded0>, uir=<certbot.cli._Default object at 0x7facb692b350>, update_registration=<certbot.cli._Default object at 0x7facb691da50>, user_agent=<certbot.cli._Default object at 0x7facb692bfd0>, validate_hooks=<certbot.cli._Default object at 0x7facb692bc50>, verb='certificates', verbose_count=<certbot.cli._Default object at 0x7facb6982b90>, webroot=<certbot.cli._Default object at 0x7facb691d090>, webroot_map=<certbot.cli._Default object at 0x7facb6933810>, webroot_path=<certbot.cli._Default object at 0x7facb69331d0>, work_dir=<certbot.cli._Default object at 0x7facb6927fd0>)
2017-07-21 00:59:24,064:DEBUG:certbot.log:Root logging level set at 20
2017-07-21 00:59:24,065:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-07-21 00:59:24,069:WARNING:certbot.storage:Attempting to parse the version 0.16.0 renewal configuration file found at /etc/letsencrypt/renewal/XXXXX1.com.br.conf with version 0.14.2 of Certbot. This might not work.
2017-07-21 00:59:24,070:WARNING:certbot.storage:Attempting to parse the version 0.15.0 renewal configuration file found at /etc/letsencrypt/renewal/XXXXX2.com.br.conf with version 0.14.2 of Certbot. This might not work.

2017-07-21 00:59:24,270:WARNING:certbot.storage: (… other messages identical to the above for about 30 of my other domains …)
2017-07-21 00:59:24,810:DEBUG:certbot.ocsp:Querying OCSP for /etc/letsencrypt/live/XXXXX1.com.br/cert.pem
2017-07-21 00:59:24,811:DEBUG:certbot.ocsp:openssl ocsp -no_nonce -issuer /etc/letsencrypt/live/XXXXX1.com.br/chain.pem -cert /etc/letsencrypt/live/XXXXX1.com.br/cert.pem -url http://ocsp.int-x3.letsencrypt.org -CAfile /etc/letsencrypt/live/XXXXX1.com.br/chain.pem -verify_other /etc/letsencrypt/live/XXXXX1.com.br/chain.pem -trust_other -header Host ocsp.int-x3.letsencrypt.org
2017-07-21 00:59:25,058:DEBUG:certbot.ocsp:Querying OCSP for /etc/letsencrypt/live/XXXXX2.com.br/cert.pem
2017-07-21 00:59:25,059:DEBUG:certbot.ocsp:openssl ocsp -no_nonce -issuer /etc/letsencrypt/live/XXXXX2.com.br/chain.pem -cert /etc/letsencrypt/live/XXXXX2.com.br/cert.pem -url http://ocsp.int-x3.letsencrypt.org -CAfile /etc/letsencrypt/live/XXXXX2.com.br/chain.pem -verify_other /etc/letsencrypt/live/XXXXX2.com.br/chain.pem -trust_other -header Host ocsp.int-x3.letsencrypt.org
2017-07-21 00:59:25,159:DEBUG:certbot.ocsp:(… other messages identical to the above for about 30 of my other domains …)
2017-07-21 00:59:31,473:ERROR:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/letsencrypt", line 11, in <module>
    load_entry_point('certbot==0.14.2', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 742, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 553, in certificates
    cert_manager.certificates(config)
  File "/usr/lib/python2.7/dist-packages/certbot/cert_manager.py", line 84, in certificates
    _describe_certs(config, parsed_certs, parse_failures)
  File "/usr/lib/python2.7/dist-packages/certbot/cert_manager.py", line 224, in _describe_certs
    notify(_report_human_readable(config, parsed_certs))
  File "/usr/lib/python2.7/dist-packages/certbot/cert_manager.py", line 185, in _report_human_readable
    if checker.ocsp_revoked(cert.cert, cert.chain):
  File "/usr/lib/python2.7/dist-packages/certbot/ocsp.py", line 64, in ocsp_revoked
    output, err = util.run_script(cmd, log=logger.debug)
  File "/usr/lib/python2.7/dist-packages/certbot/util.py", line 82, in run_script
    stdout, stderr = proc.communicate()
  File "/usr/lib/python2.7/subprocess.py", line 800, in communicate
    return self._communicate(input)
  File "/usr/lib/python2.7/subprocess.py", line 1417, in _communicate
    stdout, stderr = self._communicate_with_poll(input)
  File "/usr/lib/python2.7/subprocess.py", line 1471, in _communicate_with_poll
    ready = poller.poll()

When I tried to update these domains of mine, I received a failure, and now I cannot perform any actions (renew, new certificate). I get the following error:
“Error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new authz :: too many currently pending authorizations”

Hi @mauricio.ecommet,

This is often due to a Let's Encrypt client crashing or otherwise not completing the certificate issuance process. Do you know if this has happened to you?

There is now a third-party tool for clearing pending authorizations

If you use it to clear these authorizations, you should be able to issue new certificates again.

You can find references to the authorizations in the Certbot logs in /var/log/letsencrypt.
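Added example, not part of the thread and not the third-party tool or the script the posters mention: a small triage pass over a Certbot log that reports the three things this thread turns on (renewal configs written by a newer Certbot than the one running, abnormal exits, and `rateLimited` errors) and collects any authorization URLs it sees. The sample log and the names `triage`, `SKEW_RE` and `AUTHZ_RE` are assumptions made for the example.

```python
import re

# Constructed sample. The WARNING and ERROR lines follow the format quoted in
# the first post; the authz and rateLimited lines are made up for illustration
# (placeholder token), and real Certbot debug output around them may differ.
SAMPLE_LOG = """\
2017-07-21 00:59:24,069:WARNING:certbot.storage:Attempting to parse the version 0.16.0 renewal configuration file found at /etc/letsencrypt/renewal/example-one.test.conf with version 0.14.2 of Certbot. This might not work.
2017-07-21 00:59:24,070:WARNING:certbot.storage:Attempting to parse the version 0.15.0 renewal configuration file found at /etc/letsencrypt/renewal/example-two.test.conf with version 0.14.2 of Certbot. This might not work.
2017-07-21 00:59:31,473:ERROR:certbot.log:Exiting abnormally:
2017-07-21 01:10:02,100:DEBUG:acme.client:{"status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/authz/PLACEHOLDER_TOKEN_A"}
2017-07-21 01:10:03,200:DEBUG:acme.client:{"status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/authz/PLACEHOLDER_TOKEN_A"}
2017-07-21 01:12:44,300:DEBUG:acme.client:urn:acme:error:rateLimited :: too many currently pending authorizations
"""

# Renewal config written by one Certbot version, parsed by another.
SKEW_RE = re.compile(
    r"parse the version (\S+) renewal configuration file found at (\S+) "
    r"with version (\S+) of Certbot")
# ACME v1 authorization URLs on the production endpoint named in the thread.
AUTHZ_RE = re.compile(
    r"https://acme-v01\.api\.letsencrypt\.org/acme/authz/[\w-]+")


def version_tuple(version):
    """'0.16.0' -> (0, 16, 0); non-numeric parts such as 'dev0' are ignored."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def triage(log_text):
    """Summarise the events that lead to stuck pending authorizations."""
    report = {"skewed": {}, "crashes": 0, "rate_limited": 0, "authz": []}
    for line in log_text.splitlines():
        m = SKEW_RE.search(line)
        if m:
            written_by, path, running = m.groups()
            # Only flag configs written by a NEWER Certbot than the one running.
            if version_tuple(written_by) > version_tuple(running):
                report["skewed"][path] = (written_by, running)
        report["crashes"] += "Exiting abnormally" in line
        report["rate_limited"] += "urn:acme:error:rateLimited" in line
        for url in AUTHZ_RE.findall(line):
            if url not in report["authz"]:  # keep first-seen order, no dupes
                report["authz"].append(url)
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, "->", value)
```

To use it on a real host, pass the contents of the files under /var/log/letsencrypt to `triage` instead of `SAMPLE_LOG`.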

I’ll try. Thanks @voutasaurus

Where can I get these Let’s Encrypt keys ECDSA P256?

LE_KEY='{"ID":00000,"X":00000000,"Y":0000000000,"D":000000000}'

hi @mauricio.ecommet

I have written a script which automates the gathering of challenges and deactivating them

Write up:

Your LE key information can be found under etc\letsencrypt\accounts\acme-v01.api.letsencrypt.org\directory\

Note: Your number will be different.

Andrei

Thank you for your help.
When trying to run the script I received the following error.

/var/log/letsencrypt# python2 LE_FIND_PENDING_AUTHZ.py
Traceback (most recent call last):
  File "LE_FIND_PENDING_AUTHZ.py", line 97, in <module>
    for files in os.listdir(PATH):
OSError: [Errno 2] No such file or directory: ''

Do you have any idea what it is?

hi @mauricio.ecommet

I updated the script with a few comments to help out

UPDATE THESE for the Script to work
PATH - path to Let's Encrypt Logs folder. usually /var/log/letsencrypt
KEY FOLDER - folder for Let's Encrypt Account Key. Usually /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/random numbers and letters

PATH = r""
KEY_FOLDER = r""

Once you update those parameters, the script should work.

Andrei

hi @mauricio.ecommet

Note also: there is a hacky way of doing this that essentially involves rotating the account key (rate limits are per account).

I would try clearing the pending authz first, though, as the second way tends to introduce some risks.

Andrei
