Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
An unexpected error occurred:
There were too many requests of a given type :: Error creating new registration :: too many registrations for this IP
Please see the logfiles in /var/log/letsencrypt for more details.
The previous install of the server had a cronjob which ran the following on a weekly basis:
So I’m not entirely sure why I’m getting the rejection, as worst case this server should have 1 cert renewed in the last month or so, and maybe 1 or 2 other certs in the last 90 days where the server has been rebuilt previously.
This server is a non-shared (i.e. private) VPS with a public fixed IP so there’s no other certs getting requested from this IP.
Does your server have an IPv6 address? For IPv6, because it’s common to receive large blocks of IP space, we rate limit by the /48. It’s possible someone else, or many someones, are creating lots of registrations from neighboring IPs. However, the Accounts Per IP rate limit is very high (500 per 3 hours), so try again in a few hours? If you’re willing to share your IP I can take a look at nearby account creation activity.
I’m checking our logs to investigate whether someone from a nearby IP, but strangely I don’t see any rate limit events from either the IPv6 address or the IPv4 address I get from host psfshr.uk. Can you tell me whether you have changed IPs recently, and whether those are the addresses we should expect those requests to have come from?
Ok, I found the new-reg request that @psfshr got rate limited on. It was on a different IPv6 address, one belonging to Digital Ocean. We’ve had at least one other subscriber on Digital Ocean report issues. Earlier today, I tracked the problem to a single misconfigured VPS that was hitting us constantly with new-reg requests and eating up all the rate limit for its neighbors. I’ve contacted the owner and asked them to fix their config, and we’ll be blocking that IP to stop the problem for now. We’re also talking about ways to mitigate the impact of similar issues in the future.
I’ve run in to this now too. I just spun up a brand new Digital Ocean box, pointed a domain at it, ran our ansible provisioner which installs Caddy, and Caddy is failing to start with a message in the logs saying
registration error: acme: Error 429 - urn:acme:error:rateLimited - Error creating new registration :: too many registrations for this IP
Even leaving it alone for 3 hours and then running the provisioner again produces the same error.
Apologies for the trouble. As @sandhawke and others have mentioned disabling IPv6 when you register your account initially is one short term workaround. IPv6 connectivity can be reenabled afterwards.
For folks that land on this issue from a Google search the underlying problem was addressed with https://github.com/letsencrypt/boulder/pull/2782 and two separate limits. It should no longer be required to disable IPv6 to avoid this rate limit if you are on a provider with misconfigured neighbours.