Renew fails , 429 - assuming it's a CAA issue?

My domain

I ran this command: dehydrated (running by Lua auto):
/..{redacted}../dehydrated --accept-terms --domain --challenge dns-01 (tried both HTTP and DNS) --config {redacted} --hook {redacted}

It produced this output:
err: + ERROR: An error occurred while sending post-request to (Status 429)

My web server is (include version): {redacted}

I believe the issue is that we now have CAA as mandated by AWS/Route53 - but there was no CAA record for this subdomain (the main domain has a different CAA record).

I now added the CAA for with 0 issue "" - but the 429 persists.

Is there a way to reset it, or what is the min delay before it will start working?

1 Like

There should be more info with the 429 - what was that?

Because a 429 indicates Let's Encrypt is throttling activity. Maybe because you made too many failed requests too often. Or have gotten too many certs or some other reason.

I don't know dehydrated very well but is there a more detailed log or error description?

If you made many failed requests recently because of the CAA error you might just have to wait an hour. There is a failed request limit of 5 failures / hour / account / domain

Your new CAA record looks okay and yes the CAA on restricting to just google would have been a reason to deny a cert request by LE


thanks for the update. about an hour after deploying the CAA records it was all fixed.


Two things happened during that hour:

  • CAA was changed
  • One hour of time passed

Perhaps both were required.


It seems you sorted it out, but the issue is ultimately that you failed validation too many times, so you were ratelimited.

The full error message is 429 :: rateLimited :: Error creating new order :: too many failed authorizations recently: see At least when I run the current version of dehydrated, that's printed in a "Details:" section after the "ERROR:" line.

That page states: All issuance requests are subject to a Failed Validation limit of 5 failures per account, per hostname, per hour

Before you got those 429s, you should have previously gotten errors caa :: CAA record for prevents issuance which points to the problem.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.