"Too many requests of a given type" after one request?

Help
1

Been renewing my RSA certificates with LE for 8 years, and since EC became an option, twice in a row, one for RSA, another for EC certs. For my renewal this time I was greet with the "Too many requests of a given type :: Service busy; retry later" message, after I requested the very first certificate in over 80 days of my 90-day window for renewal.

I understand limits are in place for certificate requests in the production environment, but locking to just one request at a time seems a little excessive IMHO. And clearly because they are not identical to each other; one is RSA, another is EC, I don't see that as a duplicate.

Was I just luck and got my renewal done during rush hour (8:15AM EST)? Or is there a minimum time I should wait in between requests?

2

To me, "Service busy; retry later" sounds like some kind of internal issue. I'm not sure why it wouldn't be markes as such, but instead is marked as a "too many requests of a given type" error as this easily can be mistaken as an error associated with the ACME client itself instead of the server.

You probably can try again any time.

1 Like
3

yes you were hit by rush hour I guess
too many requests of a given type part is prepended by certbot for ratelimited type error, actual errer message sent by LE would be

{
    "type": "urn:ietf:params:acme:error:rateLimited",
    "detail": "Service busy; retry later."
}
5 Likes
4

Hm, might be a good idea for Certbot to distinguish between actual rate limits and overloads more clearly.

4 Likes
5

Wish I would also hit the jackpot that easy :sweat_smile:

I manually triggered my certificate updates during any random time I feel like I can check my systems to ensure new certs were successfully applied (using these for way more than just HTTPS and one server).

While in the "might be a good idea for Certbot", what if we had a certbot flag for one request to both RSA and EC certificates?

1 Like
6

What were their timestamps [and time zone]?

3 Likes
7

2023-10-24 8:12:35AM EST for the first successful request of EC certificates,
2023-10-24 8:13:57AM EST for the failed attempt of RSA certificates.

8

Unfortunately our traffic can be very bursty, if too many requests come in at the same time. Those bursts rarely last more than a few seconds, so a retry will usually succeed.

There's two "scheduled" bursts every day, at midnight UTC, when a lot of people run scheduled tasks, and at 16:10 UTC when a particular piece of software is preconfigured to renew.

For transparency, here's a graph of when we served those over the last week, with the time you hit circled in red:

image.psd
image.psd4196×612 81.8 KB

This is a small fraction of our traffic, so you do have to be a bit unlucky to hit these bursts. It's typically under 5%-10% of traffic for just a few seconds.

5 Likes
9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.