I looked at our logs and they don’t match up with yours. In your logs I saw what looked like a logged response from a POST to the ACME v1 new-cert endpoint that appeared to indicate a 500 Internal Server Error was returned from the ACME server:
That led me to believe there might have been an issue on our side.
However, looking at our logs for the past 7d I can see that there were ~275 POSTs to new-cert from the ACME account in question that contained a .mil domain. None of those requests received a 500 response. I see the following breakdown across the 7d window:
- HTTP 403 responses - 196 (~71%)
- HTTP 201 responses - 45 (~16%)
- HTTP 429 responses - 34 (~12%)
The vast majority of the 403 responses are errors indicating to the ACME client that there were problems re-checking CAA for the zones in question. Here’s one example status 403 error message that would have been returned to your client:
“Error”:“403 :: caa :: Error creating new cert :: Rechecking CAA: While processing CAA for www.c7f.navy.mil: DNS problem: query timed out looking up CAA for c7f.navy.mil, While processing CAA for www.clwp.navy.mil: DNS problem: query timed out looking up CAA for www.clwp.navy.mil, While processing CAA for www.ttgp.navy.mil: DNS problem: query timed out looking up CAA for www.ttgp.navy.mil, While processing CAA for www.csp.navy.mil: DNS problem: query timed out looking up CAA for www.csp.navy.mil, While processing CAA for www.seaport.navy.mil: DNS problem: query timed out looking up CAA for www.seaport.navy.mil, While processing CAA for www.ccsg15.navy.mil: DNS problem: query timed out looking up CAA for www.ccsg15.navy.mil”
This indicates a problem with your authoritative DNS servers. See our CAA documentation for more information.
The 201 responses were successful certificate issuances. There’s nothing to indicate we failed to deliver the certificate to your client and no indication of 500 errors. I still believe there is a problem with your ACME client/integration. Have you engaged with Akamai’s engineers about this?
The 429 responses are rate limiting errors like the one that prompted opening this thread. They’re caused by re-issuing duplicates of previously issued certificates (e.g. the ones that got a 201 response).
Can you try and find out why your logs contain status responseCode: '500' lines without any HTTP response body or headers? Our systems should never generate a 500 error in response to a new-cert POST that has no response headers or body.
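As an added example (not part of this thread or the ACME server's own code), here is how a client-side log could be triaged the way the breakdown above was produced: tally new-cert response codes, pull the failing zones out of the 403 CAA-recheck error text so the DNS operator knows which zones time out, and flag 500 entries with no headers and no body as integration anomalies. The log-entry shape (dicts with endpoint, responseCode, body, headers) and the sample entries are assumptions constructed for the example.

```python
import re
from collections import Counter

# One "While processing CAA for <name>: DNS problem: <reason> looking up CAA for <zone>"
# clause, in the format of the 403 error message quoted in the post above.
CAA_CLAUSE = re.compile(
    r"While processing CAA for (?P<name>[^\s:]+): DNS problem: "
    r"(?P<reason>.+?) looking up CAA for (?P<zone>[^,\s]+)"
)

def parse_caa_error(body):
    """Return (name, reason, zone) for every CAA failure listed in a 403 error body."""
    return [(m["name"], m["reason"], m["zone"]) for m in CAA_CLAUSE.finditer(body)]

def summarize(entries):
    """Tally new-cert responses; collect failing CAA zones; flag bodiless 500s."""
    status, failing_zones, anomalies = Counter(), Counter(), []
    for e in entries:
        if e.get("endpoint") != "new-cert":
            continue
        code = str(e.get("responseCode", ""))
        status[code] += 1
        if code == "403":
            for _name, _reason, zone in parse_caa_error(e.get("body") or ""):
                failing_zones[zone] += 1
        elif code == "500" and not e.get("body") and not e.get("headers"):
            # The CA never emits a 500 with neither headers nor body, so this
            # entry points at the client/integration rather than the server.
            anomalies.append(e)
    return {"status": dict(status), "failing_zones": dict(failing_zones),
            "anomalies": anomalies}

# Constructed sample log (hypothetical hostnames, not the ones from the thread).
SAMPLE_LOG = [
    {"endpoint": "new-cert", "responseCode": "403", "headers": {"Content-Type": "application/problem+json"},
     "body": "403 :: caa :: Error creating new cert :: Rechecking CAA: "
             "While processing CAA for www.alpha.example.org: DNS problem: query timed out looking up CAA for alpha.example.org, "
             "While processing CAA for www.beta.example.org: DNS problem: query timed out looking up CAA for www.beta.example.org"},
    {"endpoint": "new-cert", "responseCode": "201", "headers": {"Location": "https://acme.example/cert/1"}, "body": "<cert>"},
    {"endpoint": "new-cert", "responseCode": "429", "headers": {"Content-Type": "application/problem+json"},
     "body": "429 :: rateLimited :: Error creating new cert :: duplicate certificate limit (constructed text)"},
    {"endpoint": "new-cert", "responseCode": "500", "headers": {}, "body": ""},
    {"endpoint": "new-cert", "responseCode": "403", "headers": {"Content-Type": "application/problem+json"},
     "body": "403 :: caa :: Error creating new cert :: Rechecking CAA: "
             "While processing CAA for www.alpha.example.org: DNS problem: query timed out looking up CAA for alpha.example.org"},
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```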