SSL Cert auto renewal failed

I've set my cert for auto renewal but it didn't work. In fact, I received a 6-day expiry email notification. Upon checking, I found the following error in the Letsencrypt log /var/log/letsencrypt. For now I manually renewed it, so I just wanted to know why auto renewal failed.

Error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Service busy; retry later.

2025-01-01 00:07:51,773:DEBUG:certbot._internal.error_handler:Calling registered functions
2025-01-01 00:07:51,773:INFO:certbot._internal.auth_handler:Cleaning up challenges
2025-01-01 00:07:52,114:ERROR:certbot._internal.renewal:Failed to renew certificate jobfeed.targetrecruit.com with error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Service busy; retry later.
2025-01-01 00:07:52,120:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/certbot/_internal/renewal.py", line 471, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1235, in renew_cert
renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 124, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/usr/lib/python2.7/site-packages/certbot/_internal/renewal.py", line 331, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 374, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 421, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 143, in _poll_authorizations
in authzrs_to_check.items()}
File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 142, in
authzrs_to_check = {index: self.acme.poll(authzr) for index, (authzr, _)
File "/usr/lib/python2.7/site-packages/acme/client.py", line 690, in poll
response = self._post_as_get(authzr.uri)
File "/usr/lib/python2.7/site-packages/acme/client.py", line 794, in _post_as_get
return self._post(*new_args, **kwargs)
File "/usr/lib/python2.7/site-packages/acme/client.py", line 97, in _post
return self.net.post(*args, **kwargs)
File "/usr/lib/python2.7/site-packages/acme/client.py", line 1201, in post
return self._post_once(*args, **kwargs)
File "/usr/lib/python2.7/site-packages/acme/client.py", line 1214, in _post_once
response = self._check_response(response, content_type=content_type)
File "/usr/lib/python2.7/site-packages/acme/client.py", line 1072, in _check_response
raise messages.Error.from_json(jobj)
Error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Service busy; retry later.

2025-01-01 00:07:52,120:DEBUG:certbot.display.util:Notifying user:


2025-01-01 00:07:52,120:ERROR:certbot._internal.renewal:All renewals failed. The following certificates could not be renewed:

Found the following certs:
Certificate Name: jobfeed.targetrecruit.com
Serial Number: 33cb6a2c1b8940dd83425ab42c75251b8f7
Key Type: RSA
Domains: jobfeed.targetrecruit.com
Expiry Date: 2025-04-23 02:29:57+00:00 (VALID: 89 days)


That kind of error (service busy) will happen sometimes and be temporary. Normally Certbot runs at least once a day to renew. And, by default, it starts renewal tries 30 days before expiration. This is more than enough to get past such problems.

Your old cert only had 6 days left so that means 24 days of failures. It is highly unlikely this happened that many times.

Can you check your older Certbot logs to see the earlier error messages?

Have you modified the default renewal frequency or "days before" setting in Certbot?

The date in the log you showed was from Jan 1. Why did Certbot not run between then and now?

2 Likes

No, I didn't modify the renewal frequency. I could see only the Jan 1 log, and the latest before that is Dec 1.

[root@ip-172-27-1-28 ~]# cd /var/log/letsencrypt/
[root@ip-172-27-1-28 letsencrypt]# ll
total 572
-rw-r--r-- 1 root root 1660 Jan 23 04:33 letsencrypt.log
-rw-r--r-- 1 root root 25921 Jan 23 03:28 letsencrypt.log.1
-rw-r--r-- 1 root root 34489 Jul 1 2024 letsencrypt.log.10
-rw-r--r-- 1 root root 3015 Jun 1 2024 letsencrypt.log.11
-rw-r--r-- 1 root root 32313 May 1 2024 letsencrypt.log.12
-rw-r--r-- 1 root root 3015 Apr 1 2024 letsencrypt.log.13
-rw-r--r-- 1 root root 32318 Mar 1 2024 letsencrypt.log.14
-rw-r--r-- 1 root root 3015 Feb 1 2024 letsencrypt.log.15
-rw-r--r-- 1 root root 33579 Jan 1 2024 letsencrypt.log.16
-rw-r--r-- 1 root root 25861 Dec 1 2023 letsencrypt.log.17
-rw-r--r-- 1 root root 3015 Nov 1 2023 letsencrypt.log.18
-rw-r--r-- 1 root root 34130 Oct 1 2023 letsencrypt.log.19
-rw-r--r-- 1 root root 1659 Jan 23 03:28 letsencrypt.log.2
-rw-r--r-- 1 root root 3015 Sep 1 2023 letsencrypt.log.20
-rw-r--r-- 1 root root 3015 Aug 1 2023 letsencrypt.log.21
-rw-r--r-- 1 root root 3011 Jul 18 2023 letsencrypt.log.22
-rw-r--r-- 1 root root 34485 Jul 18 2023 letsencrypt.log.23
-rw-r--r-- 1 root root 7108 Jul 18 2023 letsencrypt.log.24
-rw-r--r-- 1 root root 6612 Jul 18 2023 letsencrypt.log.25
-rw-r--r-- 1 root root 6885 Jul 1 2023 letsencrypt.log.26
-rw-r--r-- 1 root root 3119 Jun 1 2023 letsencrypt.log.27
-rw-r--r-- 1 root root 3119 May 1 2023 letsencrypt.log.28
-rw-r--r-- 1 root root 3119 Apr 25 2023 letsencrypt.log.29
-rw-r--r-- 1 root root 1659 Jan 23 03:04 letsencrypt.log.3
-rw-r--r-- 1 root root 40542 Apr 25 2023 letsencrypt.log.30
-rw-r--r-- 1 root root 14202 Apr 25 2023 letsencrypt.log.31
-rw-r--r-- 1 root root 18455 Apr 25 2023 letsencrypt.log.32
-rw-r--r-- 1 root root 17785 Apr 25 2023 letsencrypt.log.33
-rw-r--r-- 1 root root 21203 Apr 25 2023 letsencrypt.log.34
-rw-r--r-- 1 root root 0 Apr 25 2023 letsencrypt.log.35
-rw-r--r-- 1 root root 22086 Jan 1 00:07 letsencrypt.log.4
-rw-r--r-- 1 root root 3017 Dec 1 00:00 letsencrypt.log.5
-rw-r--r-- 1 root root 34490 Nov 1 00:04 letsencrypt.log.6
-rw-r--r-- 1 root root 3017 Oct 1 00:00 letsencrypt.log.7
-rw-r--r-- 1 root root 40407 Sep 1 00:02 letsencrypt.log.8
-rw-r--r-- 1 root root 3017 Aug 1 00:00 letsencrypt.log.9

1 Like

Your automated renewal is only running once each month. It should be running at least once a day. A single problem with your monthly renewal means your certificate could expire before your next try. And, that is what happened to you.

Usually a proper renewal is set up during Certbot install. But, I think on your system someone set it up manually as a cronjob. And, chose just once per month.

Please review this section for recommended options: User Guide — Certbot 3.2.0.dev0 documentation

2 Likes

Yep, you're correct. I tuned the cronjob to run every day from now on. Thank you for your help!

1 Like

You should also choose a time different from midnight for the cronjob to run. Some totally random time throughout the day would be ideal, since everyone's coming down on the CA at midnight, which makes it more likely to trigger the rate limit.

2 Likes

Yes, it is. The Certbot docs give a good example of randomization for twice/day:
https://eff-certbot.readthedocs.io/en/latest/using.html#setting-up-automated-renewal

2 Likes
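
As an added example (not from the thread or the Certbot project), a small shell check for the two problems diagnosed above: a renewal job that does not run every day, and one pinned to exactly midnight with no random delay. The crontab lines are constructed samples, since the poster's actual cron entry is not shown in the thread; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit certbot renewal entries in crontab text read on stdin.
# Prints "<verdict> <original line>" for each job that runs "certbot ... renew".
audit_renew_cron() {
    while IFS= read -r line; do
        case $line in
            ''|'#'*) continue ;;          # skip blank lines and comments
            *certbot*renew*) ;;           # a renewal job: inspect it
            *) continue ;;
        esac
        set -f                            # keep "*" fields from globbing
        set -- $line                      # split into schedule fields
        set +f
        [ $# -ge 6 ] || { printf 'unparsed %s\n' "$line"; continue; }
        min=$1 hour=$2 dom=$3 mon=$4 dow=$5
        verdict=
        # Any restriction on day-of-month, month or weekday means the job
        # does not run every day, so one failed run can eat the whole
        # renewal window (what happened in this thread).
        if [ "$dom" != '*' ] || [ "$mon" != '*' ] || [ "$dow" != '*' ]; then
            verdict="not-daily"
        fi
        # Treat a "sleep" in the command as a randomized delay (assumption).
        case $line in
            *sleep*) jitter=yes ;;
            *) jitter=no ;;
        esac
        # Exactly 00:00 with no delay: hits the CA when everyone else does.
        if [ "$min" = 0 ] && [ "$hour" = 0 ] && [ "$jitter" = no ]; then
            verdict="${verdict:+$verdict,}midnight-no-jitter"
        fi
        printf '%s %s\n' "${verdict:-ok}" "$line"
    done
}

# Constructed sample lines in /etc/crontab format (user field included).
sample_crontab() {
    cat <<'EOF'
# monthly at midnight, the pattern the log timestamps in this thread suggest
0 0 1 * * root certbot renew -q
0 0 * * * root certbot renew -q
17 3 * * * root certbot renew -q
0 0,12 * * * root python3 -c 'import random, time; time.sleep(random.random() * 3600)' && certbot renew -q
EOF
}

sample_crontab | audit_renew_cron
```

To check a real host, feed it the actual schedule instead of the sample, for example `cat /etc/crontab /etc/cron.d/* | audit_renew_cron`; systemd timers are not covered.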
