Running into "too many currently pending authorizations" limit

Hi all,

3 months ago I configured certbot on my servers. Everything went OK when creating the certificates, but at that moment I used the standalone option to do the certificate verification.
But I didn’t notice that this does not work properly if Apache is running and is using ports 80 and 443 (obviously) when certbot is trying to renew the certificates.

I noticed this first on a small server where I have a subdomain with SSL. Correcting the setup and using the apache plugin worked to renew the certificate.
My problem now is that on my web server, where I’m hosting some domains, I can’t renew the certificate. I’m getting this issue:

Attempting to renew cert from /etc/letsencrypt/renewal/casutadinlunca.ro.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new authz :: too many currently pending authorizations. Skipping.

I’ve started to read about the rate limits … but now it is too late to avoid this issue. All sites were configured with the standalone option and I think this led to this issue: certbot tried to do verification of the domains but it couldn’t bind on port 443 because of Apache. I’ve changed all files to use the apache plugin like this:

/etc/letsencrypt/renewal/casutadinlunca.ro.conf

renew_before_expiry = 30 days
version = 0.11.1
# Options used in the renewal process
[renewalparams]
authenticator = apache
installer = None
account = XXXX

Instead of authenticator = standalone.

I checked yesterday after I made the change, I tried again today, and I’m receiving the same error.
The certificates will expire tomorrow afternoon.

What can I do?

Kind regards,
Adrian

Hi Adrian,

Someone did write a tool for clearing authzs:

You might have to look in your log files in /var/log/letsencrypt to find the particular authzs that you need to clear. If you can clear them, this rate limit won't prevent you from issuing a new certificate.
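One way to pull the authz URLs out of those logs, as an added example that is not part of the original posts and not the tool mentioned above. It assumes that authz URLs contain `/acme/authz/` and that log records start with a `YYYY-MM-DD HH:MM:SS,mmm:` timestamp; the server name, tokens and sample log lines are constructed.

```python
import re
import sys

# Assumption: authorization URLs contain "/acme/authz/" followed by a token.
AUTHZ_URL = re.compile(r"https://[^\s\"'<>,]+/acme/authz/[A-Za-z0-9_-]+")
# Assumption: each log record starts with "YYYY-MM-DD HH:MM:SS,mmm:".
TIMESTAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}:")


def find_authz_urls(log_lines):
    """Map each distinct authz URL to the timestamp of the record it first appears in."""
    seen = {}
    current_ts = None
    for line in log_lines:
        m = TIMESTAMP.match(line)
        if m:
            # Multi-line records (HTTP headers, JSON bodies) inherit this timestamp.
            current_ts = m.group(1)
        for url in AUTHZ_URL.findall(line):
            seen.setdefault(url, current_ts)
    return seen


# Constructed sample input (not real log output, server name and tokens are made up).
SAMPLE_LOG = """\
2017-05-10 00:00:03,101:DEBUG:acme.client:Received response:
HTTP 201
Location: https://acme-server.example/acme/authz/EXAMPLEtoken_AAA111
{"status": "pending", "identifier": {"type": "dns", "value": "example.org"}}
2017-05-10 00:00:04,250:DEBUG:acme.client:Storing nonce: constructed
2017-05-10 12:00:02,877:DEBUG:acme.client:Received response:
HTTP 201
Location: https://acme-server.example/acme/authz/EXAMPLEtoken_BBB222
2017-05-10 12:00:05,010:DEBUG:acme.client:Sending GET request to https://acme-server.example/acme/authz/EXAMPLEtoken_BBB222
""".splitlines()

if __name__ == "__main__":
    if sys.argv[1:]:
        lines = []
        for path in sys.argv[1:]:
            with open(path, errors="replace") as fh:
                lines.extend(fh)
    else:
        lines = SAMPLE_LOG
    for url, ts in find_authz_urls(lines).items():
        print(ts or "unknown time", url)
```

Pass the log files under /var/log/letsencrypt as arguments; with no arguments the script runs on the constructed sample. The output lists every authz URL seen, so each one still has to be checked for a pending status before clearing it.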

@AdrianB If you do use or fork the acmecancel tool then please share your experiences. Hope you can sort out your problem!

Hi,

Yesterday after I got your answer I was trying to fix the problem … but in the end, when I reran the certbot renew command, it started to renew all certs. I was surprised to see that all certs were updated.

Unfortunately I didn’t have the occasion to use the tool and check for authzs.
My crontab was set to run certbot from 12h to 12h and, because of the wrong configuration as standalone instead of using the apache plugin, certbot fulfilled the rate limit each time. I think it took about 3 days for the ACME protocol to clean up the non-validated requests.

But for sure with the next issue I will try to do the cleanup with that tool.

Kind regards,
Adrian
