My web server is (include version): nginx (1.17.3)
The operating system my web server runs on is (include version): Ubuntu 18.04
My hosting provider, if applicable, is: Linode (with Forge)
I can login to a root shell on my machine (yes or no, or I don't know): yes!
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No.
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): It's not installed. Certs are handled via Forge.
We host 500+ sites and we have been having a lot of renewals fail recently. Forge sent this email:
Certificate will expire
Certificate will not expire
Creating challenge directory...
Installing LetsEncrypt client...
Configuring client...
Restarting Nginx...
Generating Certificate...
# INFO: Using main config file /root/letsencrypt1662756122/config
+ Generating account key...
+ Registering account key with ACME server...
+ Fetching account URL...
+ Done!
# INFO: Using main config file /root/letsencrypt1662756122/config
+ Creating chain cache directory /root/letsencrypt1662756122/chains
Processing ga-cpa.com with alternative names: www.ga-cpa.com
+ Creating new directory /root/letsencrypt1662756122/certs/1662756122631ba51a1c469 ...
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ ERROR: An error occurred while sending head-request to https://acme-v02.api.letsencrypt.org/acme/new-nonce (Status 429)
Details:
HTTP/2 429
server: nginx
date: Fri, 09 Sep 2022 20:42:18 GMT
content-type: application/problem+json
content-length: 90
cache-control: private
retry-after: 20
Failed!
ERROR: An error occurred while sending post-request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/151594134047/ZiHI2A (Status 400)
Details:
HTTP/2 400
server: nginx
date: Fri, 09 Sep 2022 20:42:18 GMT
content-type: application/problem+json
content-length: 112
boulder-requester: 724915757
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;;rel="index"
replay-nonce: 0001iDwqtFLuhaeNe3UvZt5XGCDlqbpA8-oS3ECXLhgeH-I
{ "type": "urn:ietf:params:acme:error:badNonce", "detail": "JWS has no anti-replay nonce", "status": 400 }
I've looked over several forums with renewal problems and most of them seem to be blocked IPs or DNS issues. I ran the DNS checker on this domain and everything was fine.
There was recently a change to better manage load spikes for Let's Encrypt servers. Your ACME client should be retrying after the 429 rather than failing.
See this topic for the announcement for more details:
If this doesn't help you'll need to wait for other volunteers or even LE staff as I only know as much as this announcement says.
Hey everyone! Thanks for chiming in! And yes, we've been having renewal failures for a while, but it's been pretty persistent since mid-August I believe. I don't even know if this will retry though. The only way to get a new cert is to delete and re-install, but we are having problems with lags with that too. As in, the cert generates just fine but the browser doesn't see it. That's just a whole other issue. ^^;
No, it isn't retrying, but it should (at least that's how it looks in that log fragment). The Forge ACME client comms handler should see the retry-after: 20 response header and retry after 20 seconds (or whatever number is stated). This should be transparent to you.
The retry-after can be issued for various http codes such as 503 as well.
That said, your persistent problems don't sound like they are all related to this. What are some of the other errors in the Forge emails?
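The retry behaviour described above, as an added illustration that is not Forge's or any real ACME client's code: a new-nonce fetch that waits out a 429/503 for the seconds given in Retry-After instead of failing, and a POST that recovers from a badNonce problem by using the replay-nonce the error response itself carries (the 400 in the log has one). The `send_head`/`send_post` callables returning `(status, headers, body)` with lowercase header names are an assumed interface; `run_demo` feeds them constructed replies mirroring the log.

```python
import json
import time

RETRYABLE = {429, 503}  # status codes that legitimately carry Retry-After
BAD_NONCE = "urn:ietf:params:acme:error:badNonce"  # problem type seen in the log

def retry_after_seconds(headers, default=5):
    """Parse Retry-After as delay-seconds; fall back if missing or not numeric."""
    try:
        return max(0, int(headers.get("retry-after", default)))
    except ValueError:
        return default

def fetch_nonce(send_head, max_attempts=5, sleep=time.sleep):
    """HEAD new-nonce, honouring Retry-After on 429/503 instead of failing outright."""
    for attempt in range(1, max_attempts + 1):
        status, headers, _ = send_head()
        if status in (200, 204):
            return headers["replay-nonce"]
        if status in RETRYABLE and attempt < max_attempts:
            sleep(retry_after_seconds(headers))  # wait the server-stated delay
            continue
        raise RuntimeError(f"new-nonce failed with status {status}")

def post_signed(send_post, nonce, max_bad_nonce=3):
    """POST with a nonce; on badNonce, retry with the replay-nonce the error carries."""
    for _ in range(max_bad_nonce + 1):
        status, headers, body = send_post(nonce)
        if status < 400:
            return status, body
        problem = json.loads(body) if body else {}
        if problem.get("type") == BAD_NONCE and "replay-nonce" in headers:
            nonce = headers["replay-nonce"]  # ACME error responses include a fresh nonce
            continue
        raise RuntimeError(f"POST failed: {status} {problem.get('detail')}")
    raise RuntimeError("gave up after repeated badNonce")

def run_demo():
    """Constructed replies (not a real server): 429 with retry-after 20, then a nonce; the POST first gets the log's badNonce problem, then succeeds. Sleeps are recorded, not slept."""
    slept = []
    heads = iter([(429, {"retry-after": "20"}, ""), (200, {"replay-nonce": "nonceA"}, "")])
    bad = json.dumps({"type": BAD_NONCE, "detail": "JWS has no anti-replay nonce", "status": 400})
    def post(nonce):
        if nonce == "nonceB":
            return 200, {}, '{"status": "valid"}'
        return 400, {"replay-nonce": "nonceB"}, bad  # stale nonce, server hands out a new one
    nonce = fetch_nonce(lambda: next(heads), sleep=slept.append)
    status, body = post_signed(post, nonce)
    return {"slept": slept, "nonce": nonce, "status": status, "body": json.loads(body)}
```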
They seem to be all the same with different times. I'm wondering if we hit the threshold with what we can do with forge. This is for a different domain: www.parkinsfinancial.com