Too many new orders recently

Hello we are getting the following error while trying to renew Certificate.

My domain is: yoel-shufaro.co.il

I ran this command: certbot-auto -a manual --manual-auth-hook “/bin/true” --manual-cleanup-hook “/bin/true” --manual-public-ip-logging-ok renew

It produced this output:
letsencrypt.log.98: “detail”: “Error creating new order :: too many new orders recently: see https://letsencrypt.org/docs/rate-limits/”,
letsencrypt.log.98:2020-05-01 13:56:38,408:WARNING:certbot._internal.renewal:Attempting to renew cert (www.yoel-shufaro.co.il) from /etc/letsencrypt/renewal/yoel-shufaro.co.il.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many new orders recently: see https://letsencrypt.org/docs/rate-limits/. Skipping.
letsencrypt.log.98:Error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many new orders recently: see https://letsencrypt.org/docs/rate-limits/

My web server is (include version): nginx/1.15.9

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.3.0

Could you please inform us what isn’t clear about the error message and the document about the rate limits in the same error message?

This is not new certificate request, we are trying to renew the existing one.
As i know there is no limit for certificate renew.

Renewals are treated specially: they don’t count against your Certificates per Registered Domain limit, but they are subject to a Duplicate Certificate limit of 5 per week

Please read the error message carefully and seek the correct rate limit in the document. Your error is neither the “Certificates per Registered Domain” limit nor the “Duplicate Certificate” limit.

Also:

This isn’t true. In your quoted piece of text it actually says so: “they are subject to…”.

Dear Osiris, we don’t understand please explain, does certifcate renewal falls in this:

For users of the ACME v2 API you can create a maximum of 300 New Orders per account per 3 hours. A new order is created each time you request a certificate from the Boulder CA, meaning that one new order is produced in each certificate request. Exceeding the New Orders limit is reported with the error message too many new orders recently .

This certificate is trying to renew in last 10 days without success.

Yes. As it says, it applies to “each certificate request” – regardless of whether it’s a “renewal” or a “new” certificate or whether it is successful.

What were the other 300 orders you’ve created in the last few hours?

For the last 10 days, has it always been failing due to that rate limit – meaning you’re making thousands and thousands of orders – or does it fail for different reasons at different times?

Edit: Wait, are @anatoly and @maddogx coworkers or something?

3 Likes

Thanks, yes we are coworkers, thanks for clarification.
We found 300+ domains which are non exists (expired) or moved host, I assume that each try to renew a domain from this list counts?

Hi @maddogx

there

is your problem.

So your ACME client tries to create new certificates -> too many new orders.

Cleanup your system.

1 Like

understood! Thanks for super fast reply!

PS: And you should add a monitoring.

Domain name removed -> no renew, no new order. If not, you will have the same situation.

1 Like

Alright. Hello! (Welcome back!) :smile:

Yes. Given Certbot’s design, that’s a problem: When you run “certbot renew”, it tries to renew every certificate that needs to be renewed. Over time, more and more broken certificates build up, and eventually, every time you run it, it will try to renew over 300 certificates, and some of them will start hitting that rate limit.

You have to make sure that no more than a couple hundred certificates need to be renewed simultaneously. In Certbot, that means deleting the failing ones eventually.

Other ACME clients might have more advanced logic.

3 Likes

Certbot is great and all, but probably not the most suited client for enterprise level hosting providers.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.