Too many requests for new certificate requests


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

We run an SSL Certificate pipeline on behalf of around 60,000 customers. We have had a few requests for a new certificate fail recently on the first try stating that we’ve hit our rate limit for that particular domain. What’s causing this and is there anything we can do to mitigate it?

My domain is: liorablum.com

I ran this command: n/a. We use acmephp to programmatically request certificates

It produced this output:

Truncated from our error logs:

"message":"Client error: POST https://acme-v01.api.letsencrypt.org/acme/new-cert resulted in a 429 Too Many Requests response:\n{\n \"type\": \"urn:acme:error:rateLimited\",\n \"detail\": \"Error creating new cert :: too many certificates already issued f (truncated…)\n","code":429,"file":"/app/vendor/guzzlehttp/guzzle/src/Exception/RequestException.php:113","trace":

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): no

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


#2

Please show the command line as used.
Maybe also in a cron job?


#3

It looks like 5 exactly duplicate certificates were issued within a 4 hour window.

Do your logs show that you were the party responsible for issuing these certificates?

The mitigation is to not create duplicate certificates, if you already have one that covers those domains.


#4

Hi @chthomas

this

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=p:bGlvcmFibHVtLmNvbTpmYWxzZTpmYWxzZTo6RUFFPQ&cert_search=include_expired:false;include_subdomains:false;domain:liorablum.com&lu=cert_search_cert

looks terrible.

5 certificates (5 pre and 5 leaf) today. Last Monday the same. One week before, again.

You should create one certificate and use it for 60 days, instead of creating 5 certificates weekly.


#5

It’s literally a method call to https://github.com/acmephp/acmephp/blob/master/src/Core/AcmeClient.php#L209 in our codebase that looks for any requests that have passed domain authorization


#6

That’s interesting. We need to amend some of our logic to stop retrying after a rate limit for a week. That customer’s domain was only hosted with us as of four days ago where we would assume they’d have a fresh 5 chances.
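
The two mitigations raised in this thread (reuse a certificate that already covers the same names, and stop retrying for a week after a rate-limit response) can be sketched as a gate in front of the ACME call. This is an added example, not part of the original posts and not acmephp code; `CertRecord`, `IssuanceState`, `decide` and `record_result` are hypothetical names, and the 60-day and one-week values are taken from posts #4 and #6.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

REUSE_FOR = timedelta(days=60)          # post #4: use one certificate for 60 days
RATE_LIMIT_BACKOFF = timedelta(days=7)  # post #6: stop retrying for a week

@dataclass
class CertRecord:                       # hypothetical row in the pipeline's cert store
    names: frozenset
    issued_at: datetime

@dataclass
class IssuanceState:                    # hypothetical state kept per requested name set
    cert: Optional[CertRecord] = None
    rate_limited_at: Optional[datetime] = None

def name_set(domains):
    """Normalise names so the same set in another order or case compares equal."""
    return frozenset(d.strip().lower().rstrip(".") for d in domains)

def decide(state, domains, now):
    """Return 'reuse', 'backoff' or 'issue' for a requested set of names."""
    cert = state.cert
    if cert and cert.names == name_set(domains) and now - cert.issued_at < REUSE_FOR:
        return "reuse"                  # an exact duplicate would be wasted issuance
    if state.rate_limited_at and now - state.rate_limited_at < RATE_LIMIT_BACKOFF:
        return "backoff"                # still inside the week after the last 429
    return "issue"

def record_result(state, domains, now, status, error_type=None):
    """Update state from the ACME response status and error type."""
    if status == 429 and error_type == "urn:acme:error:rateLimited":
        state.rate_limited_at = now     # remember the limit instead of retrying
    elif status in (200, 201):
        state.cert = CertRecord(name_set(domains), now)
        state.rate_limited_at = None
    return state
```

The backoff branch matters for newly onboarded domains like the one in this thread: the local store has no certificate on record, so only the remembered 429 prevents repeated attempts.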

