What rate limit did I hit with this situation?

Not sure what rate limit I hit in this situation, my cert expires tomorrow……
And I don’t know why it failed to renew on DSM. I enabled HSTS on Web Station in DSM. Not sure if that’s the problem.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
Magiklog.com

I ran this command:
Curl -Ike http://www.magiklog.com

It produced this output:

Status: 301 Moved Permanently
Code: 301
Server: nginx
Date: Sun, 19 Dec 2021 15:39:09 GMT
Content-Type: text/html
Content-Length: 162
Connection: close
Location: https://www.magiklog.com/
Strict-Transport-Security: max-age=15768000

I also ran this:
Curl -Ike https://www.magiklog.com

And it produced this output:

Status: 200 OK
Code: 200
Server: nginx
Date: Sun, 19 Dec 2021 15:39:10 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Link: https://www.magiklog.com/wp-json/; rel="https://api.w.org/"
Vary: Accept-Encoding
Strict-Transport-Security: max-age=15768000

My web server is (include version):

The operating system my web server runs on is (include version):
DSM 7

My hosting provider, if applicable, is:
Synology with Wordpress

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

1 Like

It looks like you have two backend servers (both pointing to different AWS EC2), and www.magiklog.com points to yet another IP address (this looks like it's your NAS).
You may edit the DNS A record of magiklog.com to match www.magiklog.com, or remove magiklog.com from the certificate request.

4 Likes

Who says you've hit a rate limit? Your post does not contain any evidence for that.

3 Likes

if I keep trying it says:

Maximal certificate requests reached for this domain name.

1 Like

Which domain name(s) are you trying to get a cert for? In your crt.sh history it shows certs with both magiklog.com and www.magiklog.com. But, your DNS for each name points to different servers.

www.magiklog.com        canonical name = jian-home.com.
Name:   jian-home.com
Address: 173.48.49.158

Name:   magiklog.com
Address: 15.197.142.173
Name:   magiklog.com
Address: 3.33.152.147

3 Likes

Thanks for your response. I did find out in the DNS record that I have 2 nameservers listed and 2 A records.

I also have a forwarding rule redirecting magiklog.com to www.magiklog.com

Is that a correct way to set up? Should I remove a nameserver?

1 Like

You have to keep the nameserver (NS record) while changing the A record to the same as the www version.

3 Likes

I'm trying to get a cert for magiklog.com. I set up a forwarding rule in DNS record to redirect it to www.magiklog.com

it also has a CNAME record jian-home.com

I set this up about a year ago and it just worked so I didn't think about whether it's a correct way to do it.

1 Like

A CNAME on the root zone will make www.magiklog.com point to www.jian-home.com, which doesn't exist. You need to type the A record manually.

3 Likes

The DNS record doesn't allow me to edit any of the A records. (it's on GoDaddy)

It says:

"You can't modify records that have been applied by a product or service connected to your domain."

1 Like

Well, they (GoDaddy) redirect to your www version correctly, so it may be a false warning.
Did you try opening the DSM menu to request the cert manually and see the log?

2 Likes

You are using GoDaddy's domain forwarding service for your www subdomain. Turn that off then wait a bit (up to an hour) then you can modify your A record. Your current A record is the GoDaddy forwarding server.

3 Likes

Here's the log I can find:

2021-12-19T07:07:50-08:00 JianHome synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_renew[2986]: certificate.cpp:1663 handle le renew. [e3ZzzP]

2021-12-19T07:08:03-08:00 JianHome synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_renew[2986]: certificate.cpp:1157 syno-letsencrypt failed. 110 [Invalid response from http://magiklog.com/.well-known/acme-challenge/G43p8qZ4Q9LxRb3xoAM3riPjwQ89mb3nSE3AKJRdBG4 [3.33.152.147]: 404]

2021-12-19T07:08:03-08:00 JianHome synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_renew[2986]: certificate.cpp:1668 Failed to renew Let'sEncrypt certificate. [110][Invalid response from http://magiklog.com/.well-known/acme-challenge/G43p8qZ4Q9LxRb3xoAM3riPjwQ89mb3nSE3AKJRdBG4 [3.33.152.147]: 404]

//// I tried multiple times...

2021-12-19T07:15:03-08:00 JianHome synoscgi_SYNO.Core.Certificate_1_export[10950]: uploadsslca.cpp:433 Failed to clean up files

2021-12-19T07:16:02-08:00 JianHome synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_renew[11482]: certificate.cpp:1663 handle le renew. [e3ZzzP]

2021-12-19T07:16:03-08:00 JianHome synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_renew[11482]: certificate.cpp:1157 syno-letsencrypt failed. 104 [Error creating new order :: too many failed authorizations recently: see Rate Limits - Let's Encrypt]

2021-12-19T07:16:03-08:00 JianHome synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_renew[11482]: certificate.cpp:1668 Failed to renew Let'sEncrypt certificate. [104][Error creating new order :: too many failed authorizations recently: see Rate Limits - Let's Encrypt]

2021-12-19T07:34:20-08:00 JianHome synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_renew[18005]: certificate.cpp:1663 handle le renew. [e3ZzzP]

2021-12-19T07:34:21-08:00 JianHome synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_renew[18005]: certificate.cpp:1157 syno-letsencrypt failed. 104 [Error creating new order :: too many failed authorizations recently: see Rate Limits - Let's Encrypt]

2021-12-19T07:34:21-08:00 JianHome synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_renew[18005]: certificate.cpp:1668 Failed to renew Let'sEncrypt certificate. [104][Error creating new order :: too many failed authorizations recently: see Rate Limits - Let's Encrypt]

1 Like
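An added example, not part of the original thread and not Synology's or Let's Encrypt's code: a small triage of the log posted above that separates the root-cause HTTP-01 validation failure (which host, which IP answered, which status) from the follow-on rate-limit rejections. The function names are hypothetical; the log lines are copied from the post with the timestamp and process prefix trimmed, and the expected IP is the address www.magiklog.com resolved to in the nslookup output earlier in the thread.

```python
import re

# Log lines copied from the post above (timestamp/process prefix trimmed).
SAMPLE_LOG = """\
certificate.cpp:1157 syno-letsencrypt failed. 110 [Invalid response from http://magiklog.com/.well-known/acme-challenge/G43p8qZ4Q9LxRb3xoAM3riPjwQ89mb3nSE3AKJRdBG4 [3.33.152.147]: 404]
certificate.cpp:1157 syno-letsencrypt failed. 104 [Error creating new order :: too many failed authorizations recently: see Rate Limits - Let's Encrypt]
certificate.cpp:1157 syno-letsencrypt failed. 104 [Error creating new order :: too many failed authorizations recently: see Rate Limits - Let's Encrypt]
"""

# Assumption: the NAS is the address www.magiklog.com resolved to in the thread.
EXPECTED_IP = "173.48.49.158"

CHALLENGE = re.compile(
    r"Invalid response from http://(?P<host>[^/\s]+)/\.well-known/acme-challenge/\S+"
    r" \[(?P<ip>[0-9a-fA-F.:]+)\]: (?P<status>\d{3})")
RATE_LIMIT = re.compile(r"too many failed authorizations recently")

def triage(log_text, expected_ip):
    """Separate root-cause validation failures from follow-on rate-limit errors."""
    findings, rate_limited = [], 0
    for line in log_text.splitlines():
        if "syno-letsencrypt failed" not in line:
            continue  # ignore the duplicate "Failed to renew" summary lines
        m = CHALLENGE.search(line)
        if m:
            findings.append({
                "host": m["host"], "ip": m["ip"], "status": int(m["status"]),
                # True when the CA's request was answered by some other machine
                "wrong_server": m["ip"] != expected_ip,
            })
        elif RATE_LIMIT.search(line):
            rate_limited += 1
    return findings, rate_limited

def summarize(log_text=SAMPLE_LOG, expected_ip=EXPECTED_IP):
    """Return one human-readable line per finding, root cause first."""
    findings, rate_limited = triage(log_text, expected_ip)
    lines = []
    for f in findings:
        where = "a different server" if f["wrong_server"] else "the expected server"
        lines.append(f"{f['host']}: HTTP {f['status']} from {f['ip']} ({where})")
    if rate_limited:
        lines.append(f"{rate_limited} later attempt(s) rejected by the failed-authorization rate limit")
    return lines

if __name__ == "__main__":
    print("\n".join(summarize()))
```

Reading the first line of output before retrying shows that the challenge for magiklog.com was answered by an address other than the NAS, so further attempts only add to the failed-authorization count.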

If I turn that off, what nameserver should I use then?

1 Like

It's errored too much, so you got 300 new orders in 3 hours. And as the redirect is done on GoDaddy's side and you don't give a cert to it, just remove the non-www version and wait 3 hours.

4 Likes

Just to clarify:

did you mean removing magiklog.com from the Subject Alternative Name?

Thanks.

1 Like

What, exactly, are you trying to accomplish with your domain mappings? Don't worry about the technical part for now. Just explain in simple words what specifically you want to happen.

2 Likes

So I have this WordPress blog hosted on my NAS which has its own domain name so I can access it externally. I also want to use a different domain name for the blog.

So the DNS record has a CNAME with the NAS domain name. I remembered the blog could be accessed with "www.magiklog.com" but not "magiklog.com". I think that is why I set up the forwarding rule of "magiklog.com" to "www.magiklog.com" in GoDaddy, which was about a year ago. And then everything just worked. And I've renewed the cert a few times before and I didn't run into any issues until today.

2 Likes

So you want the blog website on your NAS to serve the exact same content from both domain names?

2 Likes

Right, so basically non www and www versions go to the same place.

And yes the domain name for NAS is jian-home.com

2 Likes