Too many new orders recently, random

Hi everyone.
I have certbot installed on an Ubuntu machine.
For a few weeks now I've been having problems with both renewals and new certificates. I run a renewal cron every day, and after 128 renewals (today's example) I start receiving:

rateLimited :: There were too many requests of a given type :: Error creating new order :: too many new orders recently: see Rate Limits - Let's Encrypt

Reading the documentation, the limit is 300, but on new certificates, not on renewals. Can you confirm?

So every day I accumulate new domains to renew without success.

Also, during the day, I create about 10 new certificates:

certbot certonly --non-interactive --agree-tos --webroot -w $domain_path -d www.$domain -d $domain

Randomly, out of 10 attempts following creation, after 1 or sometimes 3 are successfully generated, I get:

There were too many requests of a given type :: Error creating new order :: too many new orders recently: see Rate Limits - Let's Encrypt

Checking the logs carefully, in the last 24H I find 780 requests for new-order. An example of the filtered log:

2023-06-20 02:51:06,317:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 483
2023-06-20 02:51:29,143:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 493
2023-06-20 02:52:16,746:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 477
2023-06-20 02:53:51,041:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 429 190
2023-06-20 02:54:12,825:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 479

Thank you, have a nice day.

Renewals and new certificates are both New Orders, so your limit is 300 in 3 hrs. You would need to apply for a rate limit increase if you think you are exceeding that (new certs + renewals).

If you don't need to do all your renewals in one go, make sure they are happening randomly and not all at the same time.

Ensure your certbot is a recent version and also try to make sure your cron job for renewals runs regularly (like every 30 mins) if you have many certs to maintain. Only the certs that need to renew will do so.

2 Likes

Hi, thanks for the reply.

The logs were referring to new certificates. If the problem was the limit, they should all fail, not 2 yes and 1 no and another yes; that's what weirds me out.

As for the renewal, I do it once a day, but I don't understand why, for example today, it stopped at 128, there weren't 272 new certificates before.

Furthermore, checking the logs, in the last 24H I find 780 new requests (649 failed and 132 success), much less than the limit of 300 in 3 hrs, because they are distributed throughout the day; in fact, the cron that generates the new certificates is executed every 3 hours and 40 minutes.

My certbot version is 1.21.0, the latest for Ubuntu 22.04.1 LTS.

Do you think it is necessary to update it manually?

2 Likes

Certbot should be installed through snap (see the certbot website for instructions) as distros tend to only have old versions.

I believe 649 failed requests is still 649 failed orders, whether the certs were new or not.

If you have lots of domains that were previously hosted on your server but are now hosted elsewhere, etc., you need to remove those certificate renewals because they are counting towards your rate limit even when they fail.

I've no idea what certbot's max renewals per batch is, but it won't be infinite, and 128 sounds like a good number for that.

2 Likes

If I remember correctly, certbot renew will attempt to renew every certificate that's due for renewal (including already-expired), every time that it's run.

5 Likes
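
Added example (not part of any post in this thread, and not certbot's own code): a script that counts new-order requests per HTTP status in a certbot debug log of the format quoted above and reports the busiest 3-hour window, for comparison with the 300-per-3-hours figure given in the replies. The function names are hypothetical; the sample input is the five log lines quoted in the first post.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta
# Matches the urllib3 DEBUG lines for new-order requests quoted in the thread.
LINE_RE = re.compile(
    r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+:DEBUG:urllib3\.connectionpool:'
    r'\S+ "POST /acme/new-order HTTP/1\.1" (\d{3}) \d+')

def parse_new_orders(lines):
    """Return sorted (timestamp, http_status) pairs, one per new-order request."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, int(m.group(2))))
    return sorted(events)

def peak_in_window(events, window=timedelta(hours=3), statuses=None):
    """Most requests in any sliding window; statuses=None counts every status."""
    recent, peak = deque(), 0
    for ts, status in events:
        if statuses is not None and status not in statuses:
            continue
        recent.append(ts)
        while ts - recent[0] >= window:  # drop requests older than the window
            recent.popleft()
        peak = max(peak, len(recent))
    return peak

def summarize(lines):
    events = parse_new_orders(lines)
    return {
        "by_status": dict(Counter(s for _, s in events)),
        "peak_3h_all": peak_in_window(events),
        "peak_3h_created": peak_in_window(events, statuses={201}),
        "first_429": next((ts for ts, s in events if s == 429), None),
    }

# Sample input: the five log lines quoted in the first post of the thread.
SAMPLE = """
2023-06-20 02:51:06,317:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 483
2023-06-20 02:51:29,143:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 493
2023-06-20 02:52:16,746:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 477
2023-06-20 02:53:51,041:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 429 190
2023-06-20 02:54:12,825:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 479
""".splitlines()
if __name__ == "__main__":
    print(summarize(SAMPLE))
```

To check a real host, pass the lines of the certbot log files covering the period in question to `summarize` instead of `SAMPLE`.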
