Hi,
I am a system administrator at a web hosting company trying to debug an issue with renewals on one of our larger setups. Our server is running CentOS 6 and certbot-auto is running version 0.27.0. This particular server has well over 1000 domains hosted on it and about 700+ of them are using Let’s Encrypt certificates.
The initial setup of the certificates went without an issue, but now the certificates are about 20 days away from renewal. Each domain is unique and in their own certificate. We only combined the www. subdomain into each certificate.
The renewal ran normally for the first 300 domains, but after 300 successful renewals we got rate limited. I verified that the number of successful renewals is exactly 300. A search for the number 300 in the rate limiting documentation reveals this:
“You can have a maximum of 300 Pending Authorizations on your account. Hitting this rate limit is rare, and happens most often when developing ACME clients. It usually means that your client is creating authorizations and not fulfilling them.”
We are only using “certbot-auto renew” to perform the renewals. We are not doing anything fancy with the API calls to Let’s Encrypt. It’s just whatever API calls certbot-auto makes. No custom clients are being used. Also, the previous 300 domains were successful, so why should they be counted as “Pending Authorizations”?
Here is the output from certbot-auto during the renewal process from when it began to fail. I’ve redacted the domain names from the output because they are of a pornographic nature and I didn’t want to violate any community guidelines here.
Processing /etc/letsencrypt/renewal/www.<site300_redacted>.com.conf
Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for <site300_redacted>.com
http-01 challenge for www.<site300_redacted>.com
Waiting for verification…
Cleaning up challenges
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/www.<site300_redacted>.com/fullchain.pem
Processing /etc/letsencrypt/renewal/www.<site301_redacted>.com.conf
Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Attempting to renew cert (www.<site301_redacted>.com) from /etc/letsencrypt/renewal/www.<site301_redacted>.com.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many new orders recently: see https://letsencrypt.org/docs/rate-limits/. Skipping.
My question is why are the successful renewals getting counted as pending by the rate limiters? I understand I need to wait a week for the block to expire, but I have over 450 domains awaiting renewal. If I get blocked for another week when I try to run ‘certbot-auto renew’ next week, we could be in a situation where we will have certificates expiring. I didn’t see anything related to this in the issue tracker on GitHub. Is this a bug in certbot? Am I doing something wrong that would cause the request to remain pending even though it already succeeded and renewed the cert?
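A small parser for the `certbot-auto renew` output quoted above, added here as an example (it is not part of the original post and not certbot's own code): it classifies each renewal config as renewed, not due, or skipped with a specific ACME error URN, so the rate-limited ones can be listed and retried once the window passes. The sample output and domain names are constructed.

```python
import re

# Constructed sample of `certbot-auto renew` output, modelled on the post
# above (domains are placeholders, not the poster's real sites).
SAMPLE_OUTPUT = """\
Processing /etc/letsencrypt/renewal/www.example300.com.conf
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
http-01 challenge for example300.com
http-01 challenge for www.example300.com
Cleaning up challenges
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/www.example300.com/fullchain.pem
Processing /etc/letsencrypt/renewal/www.example301.com.conf
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Attempting to renew cert (www.example301.com) from /etc/letsencrypt/renewal/www.example301.com.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many new orders recently: see https://letsencrypt.org/docs/rate-limits/. Skipping.
Processing /etc/letsencrypt/renewal/www.example302.com.conf
Cert not yet due for renewal
"""

PROCESSING = re.compile(r"^Processing /etc/letsencrypt/renewal/(.+)\.conf$")
ACME_ERROR = re.compile(r"produced an unexpected error: (urn:ietf:params:acme:error:\w+)")

def parse_renew_output(text):
    """Map each renewal config name to 'renewed', 'not_due', the ACME error
    URN certbot printed (e.g. ...:rateLimited), or 'unknown' if output ended early."""
    results, current = {}, None
    for line in text.splitlines():
        m = PROCESSING.match(line)
        if m:
            current = m.group(1)          # e.g. www.example300.com
            results[current] = "unknown"
        elif current is None:
            continue                       # preamble before the first cert
        elif line.startswith("new certificate deployed"):
            results[current] = "renewed"
        elif line.startswith("Cert not yet due for renewal"):
            results[current] = "not_due"
        else:
            e = ACME_ERROR.search(line)
            if e:
                results[current] = e.group(1)
    return results

def rate_limited(results):
    """Names certbot skipped with rateLimited, i.e. the ones to retry later."""
    return sorted(n for n, s in results.items() if s.endswith(":rateLimited"))
```

Feed it the captured output of a real run (`certbot-auto renew 2>&1 | tee renew.log`) to get the exact list of configs that still need a retry, rather than re-running everything.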