Too many failed authorizations recently

My domain is: api.eigenschaften.art

I ran this command:

Caddy was part of a docker-compose:

```yaml
caddy:
    image: abiosoft/caddy:0.11.0-no-stats
    container_name: caddy
    networks:
      - network
    depends_on:
      - graphql
      - json
    restart: always
    ports:
      - '80:80'
      - '443:443'
    environment:
      # use staging url for dev
      CA_URL: https://acme-staging-v02.api.letsencrypt.org/directory
    volumes:
      - ./caddy/Caddyfile:/etc/Caddyfile
      - caddy_certs:/root/.caddy
```

with this Caddyfile:

```
api.eigenschaften.art {
  proxy /graphql localhost:5000
  proxy /graphiql localhost:5000
  proxy /artendb localhost:4000
  proxy /evab localhost:4000
  proxy /alt localhost:4000
}
```

It produced this output:

```
Activating privacy features... 
2020/02/01 10:55:39 [INFO][api.eigenschaften.art] acme: Obtaining bundled SAN certificate
2020/02/01 10:55:40 [api.eigenschaften.art] failed to obtain certificate: acme: Error 429 - urn:ietf:params:acme:error:rateLimited - Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/
```

What completely baffles me is: This output happened THE FIRST TIME I RAN docker-compose up --force-recreate after changing the url in the Caddyfile.

My web server is (include version):

Here the complete docker-compose.yml:

```yaml
version: '3.7'
services:
  db:
    # specify container name to make it easier to run commands.
    # for example, you could run docker exec -i postgres psql -U postgres postgres < schema.sql to run an SQL file against the Postgres database
    container_name: db
    restart: always
    image: db
    build:
      context: ./db
    env_file:
      - ./.env
    networks:
      - network
    expose:
      - '5432'
    ports:
      # make the Postgres database accessible from outside the Docker container on port 5432
      - '5432:5432'
    volumes:
      - db_data:/var/lib/postgresql/data
      - sik_data:/sik_data
  graphql:
    container_name: graphql
    restart: unless-stopped
    build:
      context: ./graphql
    networks:
      - network
    expose:
      - '5000'
    ports:
      - '5000:5000'
    depends_on:
      - db
    env_file:
      - ./.env
    command:
      [
        '--connection',
        '${DATABASE_URL}',
        '--schema',
        'ae',
        '--append-plugins',
        'postgraphile-plugin-connection-filter,@graphile-contrib/pg-order-by-related',
        '--jwt-token-identifier',
        'auth.jwt_token',
        '--default-role',
        'anon',
        '--jwt-secret',
        '${JWT_SECRET}',
        '--cors',
        '--disable-query-log',
        '--enable-query-batching',
        '--retry-on-init-fail',
      ]
  json:
    container_name: json
    restart: always
    build:
      context: ./json
    networks:
      - network
    expose:
      - '4000'
    ports:
      - '4000:4000'
    depends_on:
      - db
    env_file:
      - ./.env
  caddy:
    image: abiosoft/caddy:0.11.0-no-stats
    container_name: caddy
    networks:
      - network
    depends_on:
      - graphql
      - json
    restart: always
    ports:
      - '80:80'
      - '443:443'
    environment:
      # use staging url for dev
      CA_URL: https://acme-staging-v02.api.letsencrypt.org/directory
    volumes:
      - ./caddy/Caddyfile:/etc/Caddyfile
      - caddy_certs:/root/.caddy
volumes:
  db_data:
  sik_data:
  caddy_certs:
networks:
  network:
```

The operating system my web server runs on is (include version): Ubuntu Docker 5:19.03.1~3 on 18.04

My hosting provider, if applicable, is: digitalocean.com

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): don't know - using caddy

Hi @barbalex

that's account specific. There may be the same error earlier.

  • Use the test system
  • wait, then try it again. Then fix the real problem: Why are there so much failed validations?

That's the problem you have to fix.

PS: Checking your domain - what's that? https://check-your-website.server-daten.de/?q=api.eigenschaften.art

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| api.eigenschaften.art | | Name Error | yes | 1 | 0 |
| www.api.eigenschaften.art | | Name Error | yes | 1 | 0 |

The domain name isn't defined, that's impossible if you want to use http validation.

Please start with some basics:

Then read

PPS: An A- or AAAA record is required. Your domain name -> the ip address where you run your docker.

Well, to be honest, I am completely blown by this authorization limit. This first happened on the production domain on artdaten.ch after everything had repeatedly worked fine in dev mode.

So now that the production site is down, I decided to create new domains to try this with.

I just created the domain eigenschaften.art, added the dns for api.eigenschaften.art and now that the domain eigenschaften.art had been verified by zeit.co I decided to try to run the docker file in dev mode on my local machine. Then this happened. Maybe the dns setting is not yet active?

Now if you're telling me the limit is per account, what account would that be? Would that be an account with letsencrypt.com? Does that mean that ALL MY PROJECTS are now blocked from renewing their certificates? :grimacing:

Why are there so much failed validations?

Yeah, I would like to know that too. This is my first project that uses docker so I guess I am just blundering it all. But honestly it seems that whatever I do I will not be able to learn because the whole process is blocked by the rate limits.

I am doubly baffled as I tried to use the staging url in dev mode as shown above in the docker-compose.yml: https://acme-staging-v02.api.letsencrypt.org/directory.

So I would be VERY grateful for help but honestly don't know where to begin asking for it as you seem to imply that here is not the right place?

You have to read the basics. The link is shared in your error message.

Same. Missing A-record - http validation can't work, that's expected. Trying that again and again is wrong.

haven't solved the issue yet but thanks for helping!!!

For others finding this thread: It seems that there is a bug in some versions of letsencrypt that causes an error when staging: Problem with renew certificates - The request message was malformed :: Method not allowed.

I ran into this too. So good luck trying not to overrun rate limits…

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.
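
The check the replies point to (an A or AAAA record must exist and point at the Docker host before HTTP validation is attempted), as an added example that is not part of the original thread. The function names, the stub resolver and the address 203.0.113.10 are assumptions for illustration; the log line is the one quoted in the question.

```python
import re
import socket

ACME_ERROR = re.compile(r"urn:ietf:params:acme:error:(\w+)")

def resolve(host, resolver=socket.getaddrinfo):
    """Return sorted A/AAAA addresses for host; [] when the name does not resolve."""
    try:
        infos = resolver(host, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def preflight(host, server_ips, resolver=socket.getaddrinfo):
    """Return reasons not to start the ACME client; an empty list means go ahead."""
    addrs = resolve(host, resolver)
    if not addrs:
        return [f"{host}: no A/AAAA record, HTTP validation cannot succeed"]
    if not set(addrs) & set(server_ips):
        return [f"{host}: resolves to {addrs}, not to this server"]
    return []

def acme_error_type(log_line):
    """Extract the ACME error type (e.g. 'rateLimited') from a client log line."""
    match = ACME_ERROR.search(log_line)
    return match.group(1) if match else None

# Log line quoted in the question above (shortened after "new order").
SAMPLE_LOG = ("2020/02/01 10:55:40 [api.eigenschaften.art] failed to obtain certificate: "
              "acme: Error 429 - urn:ietf:params:acme:error:rateLimited - Error creating new order")

def missing_record(host, port, proto=0):
    """Constructed resolver that simulates the 'Name Error' shown in the reply."""
    raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")

if __name__ == "__main__":
    # 203.0.113.10 is a documentation address standing in for the Docker host's IP.
    print(preflight("api.eigenschaften.art", {"203.0.113.10"}, missing_record))
    # A 'rateLimited' result means: stop retrying, fix DNS first, then wait.
    print(acme_error_type(SAMPLE_LOG))
```

Run `preflight` with the default resolver before `docker-compose up`, and only start the Caddy container when it returns an empty list.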