Strange rate limit hit

Hello,

When we tried to renew our certificate with certbot as we usually do, we apparently hit the rate limit and we’re locked out.

This is very strange, since there are only 8 or so certificates being renewed. We issued the command manually and we see no reason why this should be happening.

Could you guys help in any way or do I need to go and buy a commercial cert to work with in the meantime?

My domain is: myinventa.com

I ran this command: certbot renew

It produced this output:


Processing /etc/letsencrypt/renewal/myinventa.com.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Attempting to renew cert (myinventa.com) from /etc/letsencrypt/renewal/myinventa.com.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new authz :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/myinventa.com/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/myinventa.com/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

The operating system my web server runs on is (include version): ubuntu 16

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.22.2

Hi @rflor_inventa

Read your error message:

You have created 5 identical failed requests per hour. So, one hour later, this limit is gone.

And there is a check of your domain - https://check-your-website.server-daten.de/?q=myinventa.com#ct-logs

There you see:

| CRT-Id | Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|---|
| 1176884058 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-02-05 11:24:27 | 2019-05-06 11:24:27 | broker.myinventa.com, ema.myinventa.com, id.myinventa.com, myinventa.com, pricing.myinventa.com, staging.myinventa.com (6 entries) | | |
| 1008913045 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2018-12-07 11:29:42 | 2019-03-07 11:29:42 | broker.myinventa.com, ema.myinventa.com, id.myinventa.com, myinventa.com, pricing.myinventa.com, staging.myinventa.com (6 entries) | | |
| 835755320 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2018-10-08 10:07:41 | 2019-01-06 10:07:41 | broker.myinventa.com, ema.myinventa.com, id.myinventa.com, myinventa.com, pricing.myinventa.com, staging.myinventa.com (6 entries) | | |
| 744495470 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2018-08-09 10:13:12 | 2018-11-07 10:13:12 | broker.myinventa.com, ema.myinventa.com, id.myinventa.com, myinventa.com, pricing.myinventa.com, staging.myinventa.com (6 entries) | | |

No current certificate.

So the question: Why did these orders fail?

Your Certbot looks too old. Perhaps you have used tls-sni-01 validation, which is no longer supported.

So first step: Update your certbot. Then try it again (one time).

But looking at your URL checks, that can't work.

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://myinventa.com/<br>139.162.255.13 | 301 | https://myinventa.com/ | 0.060 | A |
| http://www.myinventa.com/<br>139.162.255.13 | 200 | | 0.057 | H |
| https://myinventa.com/<br>139.162.255.13<br>Certificate error: RemoteCertificateChainErrors | 302 | Sign in - Google Accounts | 0.477 | N |
| https://www.myinventa.com/<br>139.162.255.13<br>Not Found<br>Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors | 404 | | 0.980 | N |
| Sign in - Google Accounts | 200 | | 0.426 | B |
| Sign in - Google Accounts<br>139.162.255.13<br>Visible Content: Moved Permanently The document has moved here . Apache/2.4.18 (Ubuntu) Server at myinventa.com Port 80 | 301 | https://myinventa.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.060 | A |
| Sign in - Google Accounts<br>139.162.255.13<br>Not Found<br>Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server. Apache/2.4.18 (Ubuntu) Server at www.myinventa.com Port 80 | 404 | | 0.060 | A |
| https://myinventa.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de<br>Certificate error: RemoteCertificateChainErrors<br>Visible Content: Found The document has moved here . Apache/2.4.18 (Ubuntu) Server at myinventa.com Port 443 | 302 | Sign in - Google Accounts | 0.277 | N |
| Sign in - Google Accounts | 200 | | | |

There is a redirect of /.well-known/acme-challenge to Google. Exclude that directory, so /.well-known/acme-challenge isn't redirected.

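The redirect problem described in the reply above, as an added example that is not part of the original thread: a Python check that walks a recorded redirect chain for an http-01 challenge URL and reports why validation would likely fail. The hop data is constructed from the reply's check table, `signin.example` is a placeholder for the sign-in URL the page shows only by title, and the limits used (start on HTTP port 80, at most 10 redirects, only ports 80 and 443) are Let's Encrypt's documented http-01 behaviour.

```python
from urllib.parse import urlsplit

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
TOKEN = "check-your-website-dot-server-daten-dot-de"  # test token used on the page

# Constructed hops (url, status, Location) modelled on the check table above.
# signin.example is a placeholder: the page shows only the sign-in page title.
BROKEN_CHAIN = [
    (f"http://myinventa.com{CHALLENGE_PREFIX}{TOKEN}", 301,
     f"https://myinventa.com{CHALLENGE_PREFIX}{TOKEN}"),
    (f"https://myinventa.com{CHALLENGE_PREFIX}{TOKEN}", 302,
     "https://signin.example/login"),
    ("https://signin.example/login", 200, None),
]
# Same chain once the challenge directory is excluded from the sign-in redirect.
FIXED_CHAIN = BROKEN_CHAIN[:1] + [(BROKEN_CHAIN[1][0], 200, None)]
# The www host answers the challenge URL with 404 on port 80.
WWW_CHAIN = [(f"http://www.myinventa.com{CHALLENGE_PREFIX}{TOKEN}", 404, None)]


def diagnose(chain, max_redirects=10):
    """List reasons an http-01 validation following this chain would likely fail."""
    problems = []
    if urlsplit(chain[0][0]).scheme != "http":
        problems.append("validation starts over plain http on port 80")
    redirects = 0
    for url, status, location in chain:
        parts = urlsplit(url)
        port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
        if port not in (80, 443):
            problems.append(f"{url}: only http/https on ports 80 and 443 are followed")
        if 300 <= status < 400 and location:
            redirects += 1
            # A redirect to HTTPS on the same path is fine; one to a login page is not.
            if not urlsplit(location).path.startswith(CHALLENGE_PREFIX):
                problems.append(f"{url}: {status} redirect leaves the challenge path -> {location}")
    if redirects > max_redirects:
        problems.append(f"{redirects} redirects, more than {max_redirects}")
    final_url, final_status, _ = chain[-1]
    if final_status != 200:
        problems.append(f"{final_url}: final status {final_status}, token file not served")
    return problems


if __name__ == "__main__":
    for name, chain in [("broken", BROKEN_CHAIN), ("fixed", FIXED_CHAIN), ("www", WWW_CHAIN)]:
        print(name, diagnose(chain) or "ok")
```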