Too many failed authorizations

I'm trying to generate a new certificate but I can't:

My domain is: domain pinbikets.ddns.net

I ran this command: I'm using webadmin for Let's Encrypt. I have an apache2 with a reverse proxy to Tomcat.

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for pinbikets.ddns.net
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see Failed Validation Limit - Let's Encrypt
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
last version

The operating system my web server runs on is (include version):
ubuntu 22

My hosting provider, if applicable, is:
my server

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot version: 1.21.0

See Rate Limits - Let's Encrypt and Failed Validation Limit - Let's Encrypt and Duplicate Certificate Limit - Let's Encrypt

3 Likes

Here is a list of issued certificates crt.sh | pinbikets.ddns.net; however this is the certificate presently being served https://decoder.link/sslchecker/pinbikets.ddns.net/443 which is a self-signed certificate.

3 Likes

@danielgugo We need to know the reason for all your failures prior to you being temporarily blocked for having "too many".

Can you find and upload a log file from the most recent failure before this one? It should be in /var/log/letsencrypt folder and probably a series of them.

Also, STOP requesting certs from the production system. You are only allowed 5 identical certs per week and you already got 4. After the next you will have to wait a week to get another. See the other Rate Limits @Bruce5051 linked.

You should use the Let's Encrypt Staging system when testing. It is far more flexible about failures and limits.

4 Likes

Hi @danielgugo, and welcome to the LE community forum :slight_smile:

Webmin?

Then, if you also plan on using Apache for HTTPS, you may be able to use the un-named ACME client with Apache and directly obtain a cert [ignoring the "webadmin" panel].

4 Likes

letsencrypt.log.txt (304.7 KB)

Yes, sorry, I'm using Webmin.
How can I use the un-named ACME client with Apache?

1 Like

I called it "un-named" because you have yet to give us the name of your ACME client:

[your response to that line is EMPTY]

Which is the ACME client you use?

3 Likes

Certbot

This is the boiled down version of that log file:

"detail": "81.56.56.63: Invalid response from http://pinbikets.ddns.net/.well-known/acme-challenge/I7gb5dSIH0KErA70_jnJDjPrc9YZtKau3A42YVkAQUc: 404",
"detail": "81.56.56.63: Invalid response from http://pinbikets.ddns.net/.well-known/acme-challenge/PcnR5ooA2Ju_w7Az-tQFvnOZtkyCL5dZ7fIfIu68BeU: 404",
"detail": "81.56.56.63: Invalid response from http://pinbikets.ddns.net/.well-known/acme-challenge/2eriEE3ed_RLSJExFnx7CU1jg6O6MsEhPzoFzkFMHM0: 404",
"detail": "81.56.56.63: Invalid response from http://pinbikets.ddns.net/.well-known/acme-challenge/1wtvbE98zPiK2_MhuiCvzrncvmztfIL9E7tNAZwzJKg: 404",
"detail": "81.56.56.63: Invalid response from http://pinbikets.ddns.net/.well-known/acme-challenge/4OCbwYKWp7y1GLMcH0A5CftTWf3mJvnwrTmerpns4Ns: 404",
"detail": "81.56.56.63: Invalid response from http://pinbikets.ddns.net/.well-known/acme-challenge/YgK4we67p1QOobTzLwg1dLh6zfTJPPzRQzdxbsfKEVg: 404",
"detail": "81.56.56.63: Invalid response from http://pinbikets.ddns.net/.well-known/acme-challenge/ZLpsPb1UKqa41I9NXwEqCL2QVC7HbXPdQeG-lYMOPeg: 404",
"detail": "Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/",
"detail": "Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/",
"detail": "81.56.56.63: Invalid response from http://pinbikets.ddns.net/.well-known/acme-challenge/FvOsSHmLP7LesW0J1psgWd-am6Nm94SkE8xOtaXl76M: 404",
"detail": "81.56.56.63: Invalid response from http://pinbikets.ddns.net/.well-known/acme-challenge/0kC27ZFbzsGgq_cS_2Y3GuzBYxgp3IJBUK2kHfxTMBw: 404",
"detail": "81.56.56.63: Invalid response from http://pinbikets.ddns.net/.well-known/acme-challenge/WhgVFg0W6oPFWk8ndmxYjaQLq8PcDDk3fMSEA3hInJk: 404",
"detail": "81.56.56.63: Invalid response from http://pinbikets.ddns.net/.well-known/acme-challenge/Tw5ZEckPYJJb7dhViVkHukObO0KLIV1EyRjmp9_fyA8: 404",
"detail": "81.56.56.63: Invalid response from http://pinbikets.ddns.net/.well-known/acme-challenge/bDlL9yew2nQDXJDNbQPB-iqBI2wscHDp_amzRvy4cmU: 404",

We can see that all requests for the ACME challenge file return "404".
Let's have a look at:
certbot certificates
sudo apachectl -t -D DUMP_VHOSTS

3 Likes
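The boiling-down step from the post above, as an added example that is not part of the original thread or of Certbot: a small Python summarizer for the `"detail"` lines in `letsencrypt.log`. It counts failed HTTP-01 validations per hostname and status, and reports how many failures were logged after the first rate-limit rejection. The sample log, its IP address, hostname and tokens are constructed; the function name `summarize` is hypothetical.

```python
import re
from collections import Counter

# "detail" line logged for a failed HTTP-01 validation (format as quoted in the thread).
INVALID = re.compile(
    r'"detail":\s*"(?P<ip>[0-9a-fA-F.:]+): Invalid response from '
    r'http://(?P<host>[^/]+)/\.well-known/acme-challenge/(?P<token>[\w-]+): '
    r'(?P<status>\d{3})"'
)
# "detail" line logged when the CA refuses a new order because of earlier failures.
RATE_LIMIT = re.compile(
    r'"detail":\s*"Error creating new order :: too many failed authorizations'
)

# Constructed sample input (documentation IP, example hostname, placeholder tokens).
SAMPLE_LOG = """\
  "detail": "203.0.113.10: Invalid response from http://www.example.org/.well-known/acme-challenge/TOKEN-AAA: 404",
  "detail": "203.0.113.10: Invalid response from http://www.example.org/.well-known/acme-challenge/TOKEN-BBB: 404",
  "detail": "203.0.113.10: Invalid response from http://www.example.org/.well-known/acme-challenge/TOKEN-CCC: 404",
  "detail": "Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/",
  "detail": "203.0.113.10: Invalid response from http://www.example.org/.well-known/acme-challenge/TOKEN-DDD: 404",
"""


def summarize(log_text):
    """Condense a Certbot debug log to its validation failures and rate-limit hits."""
    failures = Counter()        # (hostname, HTTP status) -> number of failed validations
    tokens = set()              # distinct challenge tokens that were requested
    limit_hits = 0              # orders rejected by the failed-validation limit
    failures_after_limit = 0    # validations that still failed after a rejection
    for line in log_text.splitlines():
        match = INVALID.search(line)
        if match:
            failures[(match["host"], int(match["status"]))] += 1
            tokens.add(match["token"])
            if limit_hits:
                failures_after_limit += 1
        elif RATE_LIMIT.search(line):
            limit_hits += 1
    return {
        "failures": dict(failures),
        "distinct_tokens": len(tokens),
        "limit_hits": limit_hits,
        "failures_after_limit": failures_after_limit,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A non-zero `failures_after_limit` means the same broken configuration was retried against the production endpoint once the block lifted, which is the pattern the staging advice earlier in the thread is meant to prevent.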

$ certbot --version
certbot 1.21.0

$ sudo certbot certificates
[sudo] password for pinbike:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


No certificates found.


$ sudo apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443 pinbikets.ddns.net (/etc/apache2/sites-enabled/tomcat-prod-le-ssl.conf:2)
*:80 pinbikets.ddns.net (/etc/apache2/sites-enabled/tomcat-prod.conf:1)

Please show this file:
[I'd like to see where it gets its cert]

2 Likes