Too many new orders recently

Hello, we are getting the following error while trying to renew a certificate.

My domain is: yoel-shufaro.co.il

I ran this command: certbot-auto -a manual --manual-auth-hook "/bin/true" --manual-cleanup-hook "/bin/true" --manual-public-ip-logging-ok renew

It produced this output:
letsencrypt.log.98: "detail": "Error creating new order :: too many new orders recently: see https://letsencrypt.org/docs/rate-limits/",
letsencrypt.log.98:2020-05-01 13:56:38,408:WARNING:certbot._internal.renewal:Attempting to renew cert (www.yoel-shufaro.co.il) from /etc/letsencrypt/renewal/yoel-shufaro.co.il.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many new orders recently: see https://letsencrypt.org/docs/rate-limits/. Skipping.
letsencrypt.log.98:Error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many new orders recently: see https://letsencrypt.org/docs/rate-limits/

My web server is (include version): nginx/1.15.9

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.3.0

Could you please inform us what isn’t clear about the error message and the document about the rate limits in the same error message?

This is not a new certificate request; we are trying to renew the existing one.
As far as I know, there is no limit for certificate renewal.

Renewals are treated specially: they don’t count against your Certificates per Registered Domain limit, but they are subject to a Duplicate Certificate limit of 5 per week

Please read the error message carefully and seek the correct rate limit in the document. Your error is neither the "Certificates per Registered Domain" limit nor the "Duplicate Certificate" limit.

Also:

This isn't true. In your quoted piece of text it actually says so: "they are subject to...".

Dear Osiris, we don’t understand. Please explain: does certificate renewal fall under this?

For users of the ACME v2 API you can create a maximum of 300 New Orders per account per 3 hours. A new order is created each time you request a certificate from the Boulder CA, meaning that one new order is produced in each certificate request. Exceeding the New Orders limit is reported with the error message too many new orders recently.

This certificate has been trying to renew for the last 10 days without success.

Yes. As it says, it applies to "each certificate request" -- regardless of whether it's a "renewal" or a "new" certificate or whether it is successful.

What were the other 300 orders you've created in the last few hours?

For the last 10 days, has it always been failing due to that rate limit -- meaning you're making thousands and thousands of orders -- or does it fail for different reasons at different times?

Edit: Wait, are @anatoly and @maddogx coworkers or something?

3 Likes

Thanks, yes we are coworkers, thanks for the clarification.
We found 300+ domains which no longer exist (expired) or have moved host. I assume that each attempt to renew a domain from this list counts?

Hi @maddogx

there is your problem.

So your ACME client tries to create new certificates -> too many new orders.

Clean up your system.

1 Like

Understood! Thanks for the super fast reply!

PS: And you should add monitoring.

Domain name removed -> no renew, no new order. If not, you will have the same situation.

1 Like

Alright. Hello! (Welcome back!) :smile:

Yes. Given Certbot's design, that's a problem: When you run "certbot renew", it tries to renew every certificate that needs to be renewed. Over time, more and more broken certificates build up, and eventually, every time you run it, it will try to renew over 300 certificates, and some of them will start hitting that rate limit.

You have to make sure that no more than a couple hundred certificates need to be renewed simultaneously. In Certbot, that means deleting the failing ones eventually.

Other ACME clients might have more advanced logic.

3 Likes
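
The cleanup described in the reply above, as an added example (not part of the original thread and not Certbot's own code): it scans Certbot log lines of the form quoted in the first post, groups failures by renewal config, and lists lineages that failed for a reason other than the rate limit as candidates for `certbot delete --cert-name <name>`. The first sample line is abridged from the post; the other lines, their domains and their error texts are constructed.

```python
import re
from collections import defaultdict

NEW_ORDER_LIMIT = 300  # New Orders per account per 3 hours, per the limit quoted in the thread

# WARNING line Certbot logs when one lineage fails to renew (format from the first post).
FAIL_RE = re.compile(
    r"Attempting to renew cert \((?P<cert>[^)]+)\) from "
    r"(?P<conf>\S+\.conf) produced an unexpected error: (?P<err>.*)"
)

# Line 1 is abridged from the first post; lines 2-4 are constructed for this example.
SAMPLE_LOG = [
    "2020-05-01 13:56:38,408:WARNING:certbot._internal.renewal:Attempting to renew cert "
    "(www.yoel-shufaro.co.il) from /etc/letsencrypt/renewal/yoel-shufaro.co.il.conf produced "
    "an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many "
    "requests of a given type :: Error creating new order :: too many new orders recently. Skipping.",
    "WARNING:certbot._internal.renewal:Attempting to renew cert (old-shop.example.com) from "
    "/etc/letsencrypt/renewal/old-shop.example.com.conf produced an unexpected error: "
    "Failed authorization procedure (constructed: domain no longer resolves). Skipping.",
    "WARNING:certbot._internal.renewal:Attempting to renew cert (moved.example.net) from "
    "/etc/letsencrypt/renewal/moved.example.net.conf produced an unexpected error: "
    "Failed authorization procedure (constructed: domain moved to another host). Skipping.",
    "WARNING:certbot._internal.renewal:Attempting to renew cert (old-shop.example.com) from "
    "/etc/letsencrypt/renewal/old-shop.example.com.conf produced an unexpected error: "
    "urn:ietf:params:acme:error:rateLimited :: too many new orders recently. Skipping.",
]

def failing_lineages(log_lines):
    """Map each renewal .conf path to the set of error kinds logged for it."""
    seen = defaultdict(set)
    for line in log_lines:
        m = FAIL_RE.search(line)
        if m:
            seen[m["conf"]].add("rateLimited" if ":rateLimited" in m["err"] else "other")
    return dict(seen)

def cleanup_candidates(failures):
    """Lineage names (conf basename without .conf) that failed for a non-rate-limit reason."""
    return sorted(conf.rsplit("/", 1)[-1][: -len(".conf")]
                  for conf, kinds in failures.items() if "other" in kinds)

def report(log_lines):
    failures = failing_lineages(log_lines)
    # Each lineage listed here requested an order in this run; lineages that renewed
    # without error are not in these lines, so the count is a lower bound per run.
    return {"orders_per_run": len(failures),
            "exceeds_limit": len(failures) > NEW_ORDER_LIMIT,
            "delete_candidates": cleanup_candidates(failures)}

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

A lineage that only ever shows `rateLimited` is not necessarily stale; it may simply have been queued behind the failing ones, so only the non-rate-limit failures are listed for deletion.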

Certbot is great and all, but probably not the most suited client for enterprise level hosting providers.
