I’m getting errors of “Too many registrations from this IP”. I’ve yet to issue my first cert; this was my second try, and the first failed with an ASN1 error when reading my CSR.
I’m using the following command as indicated by the beta email:
$ ./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory auth --csr /etc/ssl/www.example.org-letsencrypt.csr
[...]
Error: rateLimited :: There were too many requests of a given type :: Error creating new registration :: Too many registrations from this IP
The domain is [www.]example.org and the server is running FreeBSD 10.2 at 45.55.38.158.
The beta email mentions “you should avoid deleting the /etc/letsencrypt/accounts folder”, but I never touched any letsencrypt file, and only installed it once on a single server with dedicated static IP. What exactly is a “registration” and why did I hit the cap? Is there anything I can do that doesn’t involve waiting a week for my rate limit to expire?
Same here…got an error on the first attempt that I had an “insecure platform warning.” Went back and did apt-get update and upgrade and re-ran. It got through the insecure platform warning and then threw this registration limiting error.
We’re looking into this; it appears to mostly affect IPv6 clients. We’re going to adjust some limits – and drop from 1 week to 1 day windows – on our side and I’ll post back.
Rate limit is increased to 10 registrations / day now, from 2 registrations / week. There’s also likely a bug in our IPv6 rate limit handling, and there’s an issue filed (#1046).
I am also on a Linode VPS and unable to register a domain on my first run of the script. Are you limiting these IPs by IP block or actual IP address?
I was able to start the process on another VPS service, Chunkhost, but ran into whitelisting issues that were due to me not registering those specific domains for the beta. Otherwise, it seemed to work fine on that server.
It's the same issue as above; it'll clear itself up as the rate window moves forward. I opened a Boulder issue about this, but the Boulder team has a lot on its plate moving to GA.
I'll also notify the ops team that they should consider upping the limits again.
Wow, so the issue is that our ISP (also a Linode VPS customer here) assigns us a /64 address, our virtual neighbors suck up “our” registrations and then we can’t register or request a certificate?
On first blush that seems like bad design from the get-go; however, thinking deeper into it one of the perks of IPv6 is being able to just hand over big chunks of addresses to anyone who wants them, which means that the average Joe Blow IPv6 user could trivially bypass any IP-based rate-limiting, possibly without even knowing he’s doing it, if you took the “naive” IPv4-based approached of sticking to just a single address for rate-limiting purposes.
Is there a way to restrict the client to use IPv4, or to tell it to use a particular (virtual) network adapter when sending the request?
I’m also hitting this issue on a VPS (IntoVPS) registering from both IPV4 and IPV6. Yesterday I issued one cert to my server. the First attempt failed because I’m doing “certonly” and I forgot to shut down Nginx before trying to issue the cert. That seems to “use up” one attempt. Then I went to issue a second cert today (within 24 hours) and forgot to stop nginx again, the 4th time (total) I’ve tried to issue a cert I get the above error.
Looking forward to the nginx plugin working. But I have 5 domains total to get certs for. If I can’t even do two in one day… that will make spacing them well for the 60 day expiry… slow.
I’ve registered around 10 times this week and I cant register anymore. Are you sure the limit is set to 10/day? For me it looks like 10/week. I only registered once yesterday and I’m not able to register anymore. Anything that could be done about that? It would really help as I cant test my stuff if I cant register anymore.
I’ll let @jcjones reply on the current value of the rate limit, but just a reminder: If you are testing, please do it against staging. We are able to be much more liberal about rate limits there (though I think currently the registration limit may be the same?).
Thanks for your patience.