There were too many requests of a given type :: Error creating new order :: too many currently pending authorizations

I am a bit out of my depth here, but I am running into an issue when updating an existing certificate with another domain.

My domain is:
I am not sure

What happened

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You are updating certificate sixth to include new domain(s):
+ domain1.com

You are also removing previously included domain(s):
(None)

Did you intend to make this change?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate cert/(C)ancel: u
Renewing an existing certificate
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many currently pending authorizations: see https://letsencrypt.org/docs/rate-limits/

I have an existing certificate and I want to add a new domain to this certificate, this worked for the past 3 years. If I am creating a new certificate with just one domain in them it works fine. I have read that one can have a max of 300 so I would assume that I am having less than 77 open authorizations which is weird though because I do not run them in parallel, I am only adding more domains to one certificate or manually renew older ones one by one.

The operating system my web server runs on is (include version):
ubuntu 16.04.4 LTS

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.31.0

Is there a way to clean out pending requests ? I found https://tools.letsdebug.net/clear-authz but

it did not seem to have found any pending authorizations.

1 Like

Do you have any other large certificates being managed by Certbot? Or just this one?

1 Like

We have six in total at the moment, we are filling them up to 90ish domains until starting a new one

1 Like

The only thing I can think of is that some of your other five certificates have pending authorizations against them, which pushes you over the 300.

Are any of them within 30 days of expiry?

1 Like

Yes I think all of them are valid for another 27 days.

1 Like

Then it might be the case then that Certbot tried to automatically renew some of the others (since they're under 30 days), but ran into trouble and left a lot of the authorizations in a pending state.

I can't explain why clear-authz wouldn't be able to locate them, though. AFAICT the tool still works ...

You could try see whether you can complete (or at least fail) the renewal of some of the other certificates, and see whether that unblocks you.

As a last resort, you could also just give up and unregister+reregister your Let's Encrypt account, that will leave your pending authzs behind.

Big certificates are a big pain in the butt, I avoid them for reasons like this ... :frowning: .

3 Likes

Okay, I looked through the logs and I saw that there has indeed been an attempt to renew them, I was not aware that LE would actually do this.

Ok I will try this and report back if I manage to fix it, thank you so far :slight_smile:

2 Likes

I think you were right, I have renewed the older certificates and there have been some domains which had errors. I removed them and now making the new requests works fine.

Thank you very much and I will look into splitting them into smaller certificates but I remember that I could only request a small amount of certificates at once and which is why I started combining them in one large one

3 Likes