Too many registrations for this IP/domains - Error status 429


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
www.77bar.com.tw

I ran this command:
openresty(nginx+lua) auto register and re-new

It produced this output:

2018/03/30 06:04:37 [error] 15573#15573: *17832383 [lua] lets_encrypt.lua:41: issue_cert(): auto-ssl: dehydrated failed: env HOOK_SECRET=4cc14856952fc2f961dd6f0392c000beb95b47fcc29a5373db6b652f8b997c2a HOOK_SERVER_PORT=8999 /usr/local/openresty/luajit/bin/resty-auto-ssl/dehydrated --cron --accept-terms --no-lock --domain www.scgreen.co --challenge http-01 --config /etc/resty-auto-ssl/letsencrypt/config --hook /usr/local/openresty/luajit/bin/resty-auto-ssl/letsencrypt_hooks status: 256 out: # INFO: Using main config file /etc/resty-auto-ssl/letsencrypt/config
# INFO: Using additional config file /etc/resty-auto-ssl/letsencrypt/conf.d/custom.sh
Processing www.scgreen.co
+ Signing domains...
+ Creating new directory /etc/resty-auto-ssl/letsencrypt/certs/www.scgreen.co ...
+ Generating private key...
+ Generating signing request...
+ Requesting authorization for www.scgreen.co...
+ 1 pending challenge(s)
+ Deploying challenge tokens...
+ Responding to challenge for www.scgreen.co authorization...
+ Challenge is valid!
+ Requesting certificate...
err:   + ERROR: An error occurred while sending post-request to https://acme-v01.api.letsencrypt.org/acme/new-cert (Status 429)

Details:
{
 "type": "urn:acme:error:rateLimited",
 "detail": "Error creating new cert :: too many certificates already issued for exact set of domains: www.scgreen.co: see https://letsencrypt.org/docs/rate-limits/",
 "status": 429
}
2018/03/30 14:07:07 [error] 27#27: *165188 [lua] lets_encrypt.lua:41: issue_cert(): auto-ssl: dehydrated failed: env HOOK_SECRET=744200c017ca835c4b4d8797a8c1cc39f47eada6c4b2ffd2394c710fd05407a3 HOOK_SERVER_PORT=8999 /usr/local/openresty/luajit/bin/resty-auto-ssl/dehydrated --cron --accept-terms --no-lock --domain winemart.hk --challenge http-01 --config /etc/resty-auto-ssl/letsencrypt/config --hook /usr/local/openresty/luajit/bin/resty-auto-ssl/letsencrypt_hooks status: 256 out: # INFO: Using main config file /etc/resty-auto-ssl/letsencrypt/config
# INFO: Using additional config file /etc/resty-auto-ssl/letsencrypt/conf.d/custom.sh
+ Generating account key...
+ Registering account key with ACME server...
 err:   + ERROR: An error occurred while sending post-request to https://acme-v01.api.letsencrypt.org/acme/new-reg (Status 429)

Details:
{
  "type": "urn:acme:error:rateLimited",
  "detail": "Error creating new registration :: too many registrations for this IP: see https://letsencrypt.org/docs/rate-limits/",
  "status": 429
}

rm: can't remove '/etc/resty-auto-ssl/letsencrypt/domains.txt': No such file or directory


Error registering account key. See message above for more information.

My web server is (include version): Openresty

The operating system my web server runs on is (include version): Amazon Linux

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):no

Hi, we get those error log when using Let’s Encrypt services to register new domain certificates.

And after we debug the web server(openresty), we found it was cause by the certificate starting is bigger than the default buffer size of 16k.

So we have already increased the buffer size on our web server to fix this issue and pass the test that we register new certificates.

Can you please help us to un-block those 7 domains for our corp to make sure our services work healthy?

Thank you so much.


#2

Hi,

This is not a block,
It’s happening since LE only allow 5 exact certificate for (exact) set of domains.


Please wait for 7 days or add/remove a domain to bypass this issue.

Thank you


#3

Hi @stevenzhu ,
Does it affect our others domains which are new registered or someone has be re-new?


#4

It doesn’t need to be new you just need to have a different domain that it’s not rate limited

thank you


#5

@stevenzhu, I think you’re talking about the other rate limit here. This rate limit relates to creating large numbers of accounts rather than to issuing large numbers of certificates.

@davidh83110, does your issuance process always create a new Let’s Encrypt account for some reason? E.g. running with a container that is destroyed and recreated frequently without persisting the contents of /etc/letsencrypt?


#6

Yes…
My bad…

(However, the first output is rate limit for exact certificate… second one is register error)


#7

Oh yeah! @davidh83110, both of these problems are pretty likely to be caused for a related reason: the failure to persist resources between times that a container or similar mechanism is started. Each time that a new certificate is issued, it consumes resources at the certificate authority and so there are rate limits in place to prevent abuse of these resources. Normally people can find a persistence option that can avoid reissuing the certificates super-frequently (and avoiding having to create many separate Let’s Encrypt accounts on the server).


#8

@schoen oh yes, we use container to do that without persisting the contents and I know those limits too.
I think I already fixed the bug on my site so that we won’t issue new certificates which already registered.
but is there has any way to solve this issue without waiting for 7 days?


#9

Nope, for the registrations issue you’ll need to use an existing account or a different IP address, or wait three hours. For the duplicate certificates issue you’ll need to request certificates that don’t cover exactly the same set of names (like @stevenzhu suggested, you could add a different SAN), or wait seven days.


#10

Okay Thanks for helping @schoen @stevenzhu


#11

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.