[solved] Rate limit with SAN certificate (90 hostnames)


#1

Hi,
I am trying to issue one SAN certificate for 90 hostnames (all whitelisted) but I am getting the following error:

Error: rateLimited :: There were too many requests of a given type :: Error creating new authz :: Too many currently pending authorizations.

I have created only one certificate so far, and for a domain that is not in that list of 90 hostnames. These hostnames are unique domains - no subdomains.

Is there some limit on number of hostnames?


#2

Maybe it’s because ACME can’t handle more than XX certificates at a time.


#3

Sounds like the CA-wide limit they have in place during the testing stage, @bmw @kelunik @jsha?


#4

The pending authorization rate limit is per-account, not CA-wide. It sounds like you may have accidentally created some number of authorizations that were never fulfilled. Unfortunately we haven’t yet implemented a way to purge old authorizations. However, pending authorizations expire off your account in 7 days, so you should be able to try again soon.


#5

Oh, you have a pending authorisation rate limit too! What’s the limit set at right now? Come public beta Dec 3rd, that limit is going away, right?


#6

The limit is 300 pending authorizations per account. We chose that level with the idea that someone can complete 100 simultaneous authorizations to issue a 100-name cert (currently the max) without coming close to the limit. However, if the client crashes partway through it’s possible to leave authorizations in a pending state. @souki, can you describe more of the steps leading up to your current state?
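
Added example (not part of the original thread and not Let's Encrypt code): a small calculation of when an account drops far enough below the limit to retry, using the figures given above (300 pending authorizations per account, 7-day expiry). The creation timestamps are constructed sample data, and the assumption is that a new authorization is refused once the pending count would exceed the limit.

```python
from datetime import datetime, timedelta

PENDING_LIMIT = 300              # per account, as stated in the thread
PENDING_TTL = timedelta(days=7)  # pending authorizations expire after 7 days


def pending_at(created, when, ttl=PENDING_TTL):
    """Count authorizations (given by creation time) still pending at `when`."""
    return sum(1 for t in created if t <= when < t + ttl)


def earliest_retry(created, now, names_needed,
                   limit=PENDING_LIMIT, ttl=PENDING_TTL):
    """Earliest time >= now at which `names_needed` new authorizations fit.

    Assumption: the CA refuses a new authorization when creating it would
    push the pending count above `limit`.
    """
    if names_needed > limit:
        raise ValueError("request can never fit under the limit")
    # The pending count only drops at expiry instants, so only those
    # instants (plus `now`) need to be checked.
    candidates = [now] + sorted(t + ttl for t in created if t + ttl > now)
    for when in candidates:
        if pending_at(created, when, ttl) + names_needed <= limit:
            return when
    raise RuntimeError("unreachable: everything has expired by the last candidate")


# Constructed sample: three interrupted 90-name runs, none of them completed,
# left 270 authorizations pending on the account.
BATCHES = [datetime(2015, 11, 20, 10, 0),
           datetime(2015, 11, 21, 9, 0),
           datetime(2015, 11, 22, 15, 0)]
SAMPLE_CREATED = [t for t in BATCHES for _ in range(90)]
NOW = datetime(2015, 11, 23, 12, 0)

if __name__ == "__main__":
    print("pending now:", pending_at(SAMPLE_CREATED, NOW))
    for names in (30, 90, 130):
        print(names, "names can be requested from",
              earliest_retry(SAMPLE_CREATED, NOW, names))
```

With this sample a fourth 90-name attempt fails partway through, and the first moment it can succeed is when the oldest interrupted run expires.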


#7

To answer your other question @eva2000: We plan to keep the pending authorization limit, but as with other limits we may adjust it if it seems to be causing trouble for a lot of people.

The rationale is this: It’s easy to create an authorization you never intend to attempt validating, so we want to prevent attackers from filling up our database with bogus authorizations.


#8

I have an idea how it happened:
I executed certonly, and the blue screen asked for an email and confirmation of the TOS. But the confirmation dialog stayed there for a minute - I killed it because I thought it was frozen, but it was actually creating authorizations in the background.


#9

@jsha I see…

I do a lot of LE testing or plan to even more after public beta for integration work with my web stack and I am pretty sure my web stack’s end users will do as well. Currently ~3,000+ new downloads of my stack per month by users http://centminmod.com/letsencrypt-freessl.html.

But I don’t think myself or any of my users will hit 300 pending authorizations per account when using webroot authentication hehe 🙂


#10

I tried to issue the certificate with a new account and everything worked on the first try.

It would be useful to have a way to purge authorizations - maybe hide it behind a donate button?


#11

Hey, I kind of have the same issue. I had to force-quit my Let’s Encrypt client because of some errors which have been fixed now but I still get the

2016/03/29 18:22:17 [domain.tld] Could not obtain certificates
        acme: Error 429 - urn:acme:error:rateLimited - Error creating new authz :: Too many currently pending authorizations.

error when I try to re-run the client to e.g. update the certificates or add new subdomains.

Is there any way to delete the current authorizations? I have also opened an issue at the GitHub repository of the client I used.


#12

I have also hit this issue. I think it was caused by the installation of certbot from Debian jessie-backports and the fact that this package, unlike the letsencrypt package it replaced, has a crontab for renewal that actually works, and lots of renewal requests were made for test sites that had been deleted but without the corresponding files in /etc/letsencrypt having been deleted.

Having a delete option would be appreciated — manually deleting files in /etc/letsencrypt is not a great idea as it is easy to make mistakes.

I guess I now have to wait a week before I can set any other sites up… *sigh*