Renew fails, 429 - assuming it's a CAA issue?

My domain is: app.nevvon.com

I ran this command: dehydrated (running by Lua auto):
/..{redacted}../dehydrated --accept-terms --domain app.nevvon.com --challenge dns-01 (tried both HTTP and DNS) --config {redacted} --hook {redacted}

It produced this output:
err: + ERROR: An error occurred while sending post-request to https://acme-v02.api.letsencrypt.org/acme/new-order (Status 429)

My web server is (include version): {redacted}

I believe the issue is that we now have CAA as mandated by AWS/Route53 - but there was no CAA record for this subdomain (the main domain has a different CAA record).

I now added the CAA for app.nevvon.com with 0 issue "letsencrypt.org" - but the 429 persists.

Is there a way to reset it, or what is the min delay before it will start working?

1 Like

There should be more info with the 429 - what was that?

Because a 429 indicates Let's Encrypt is throttling activity. Maybe because you made too many failed requests too often. Or have gotten too many certs or some other reason.

I don't know dehydrated very well but is there a more detailed log or error description?

If you made many failed requests recently because of the CAA error, you might just have to wait an hour. There is a failed request limit of 5 failures / hour / account / domain.

Your new CAA record looks okay, and yes, the CAA on nevvon.com restricting to just Google would have been a reason to deny a cert request by LE.

3 Likes

Thanks for the update. About an hour after deploying the CAA records it was all fixed.

2 Likes

Two things happened during that hour:

  • CAA was changed
  • One hour of time passed

Perhaps both were required.

3 Likes

It seems you sorted it out, but the issue is ultimately that you failed validation too many times, so you were rate limited.

The full error message is 429 :: rateLimited :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/. At least when I run the current version of dehydrated, that's printed in a "Details:" section after the "ERROR:" line.

That page states: All issuance requests are subject to a Failed Validation limit of 5 failures per account, per hostname, per hour.

Before you got those 429s, you should have previously gotten errors caa :: CAA record for nevvon.com prevents issuance, which points to the problem.

5 Likes
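Added example, not part of any post in this thread and not dehydrated or Let's Encrypt code: a pre-flight CAA check that a renewal job could run before requesting an order, so a CAA mismatch is caught locally instead of using up the 5 failures per hour. It climbs from the hostname to its parents the way CAA lookup does (a subdomain with no CAA of its own inherits the parent's), which is the situation described above. The names under example.com, the record values and the `lookup` callback are constructed assumptions, and CNAME handling is left to whatever resolver backs `lookup`.

```python
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed CAA data as (flags, tag, value); not real DNS answers.
BEFORE = {"example.com": [(0, "issue", "other-ca.example")]}
AFTER = {**BEFORE, "app.example.com": [(0, "issue", "letsencrypt.org")]}


def relevant_caa(fqdn, lookup):
    """Return (owner, rrset) for the closest name that has CAA records."""
    labels = fqdn.rstrip(".").lower().split(".")
    if labels[0] == "*":          # a wildcard is checked at its base name
        labels = labels[1:]
    for i in range(len(labels)):  # app.example.com, example.com, com
        owner = ".".join(labels[i:])
        rrset = lookup(owner)
        if rrset:
            return owner, rrset
    return None, []


def ca_may_issue(fqdn, ca_domain, lookup):
    """Return (allowed, reason) for ca_domain issuing a certificate for fqdn."""
    owner, rrset = relevant_caa(fqdn, lookup)
    if not rrset:
        return True, "no CAA records at any level"
    for flags, tag, _ in rrset:
        # Critical bit set on a tag we do not understand: a CA must refuse.
        if flags & 0x80 and tag.lower() not in KNOWN_TAGS:
            return False, f"critical unknown tag {tag!r} at {owner}"
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    wild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    values = wild if fqdn.startswith("*.") and wild else issue
    if not values:
        return True, f"CAA at {owner} does not restrict this name"
    # Drop parameters after ';'. A bare ';' leaves an empty name: nobody may issue.
    allowed = {v.split(";", 1)[0].strip().lower() for v in values}
    if ca_domain.lower() in allowed:
        return True, f"{ca_domain} is listed at {owner}"
    return False, f"CAA at {owner} allows only {sorted(allowed)}"


if __name__ == "__main__":
    for label, zone in (("before", BEFORE), ("after", AFTER)):
        print(label, ca_may_issue("app.example.com", "letsencrypt.org", zone.get))
```

In a real job, `lookup` would be a function that queries the CAA record set for one name and returns an empty list when there is none.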
