Why is my renewal request treated as a new order? Rate limits

I've hit rate limits for new orders although it's only a renewal of an existing certificate.
Old certificate is in /live and there is also a .conf-file in /renewal.

My domain is: e.g. your-best-trip.de

I ran this command: automatic renewal attempt not triggered directly by me

It produced this output:
----------------------letsencrypt.log------------------------------

2023-05-04 04:58:54,612:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2023-05-23 11:33:19 UTC.
2023-05-04 04:58:54,612:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2023-05-04 04:58:54,612:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2023-05-04 04:58:54,612:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7fcbb8aa1070>
Prep: True
2023-05-04 04:58:54,612:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7fcbb8aa1070> and installer None
2023-05-04 04:58:54,613:INFO:certbot.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2023-05-04 04:58:54,613:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='>
2023-05-04 04:58:54,614:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2023-05-04 04:58:54,615:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2023-05-04 04:58:55,099:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 756
2023-05-04 04:58:55,100:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 04 May 2023 02:58:55 GMT
Content-Type: application/json
Content-Length: 756
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "J5dzX4ewYzE": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-v02.api.letsencrypt.org/get/draft-ietf-acme-ari-00/renewalInfo/",
    "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2023-05-04 04:58:55,100:INFO:certbot.main:Renewing an existing certificate
2023-05-04 04:58:57,112:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/602854_key-certbot.pem
2023-05-04 04:58:59,006:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/602852_csr-certbot.pem
2023-05-04 04:58:59,007:DEBUG:acme.client:Requesting fresh nonce
2023-05-04 04:58:59,007:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2023-05-04 04:58:59,169:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2023-05-04 04:58:59,170:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 04 May 2023 02:58:59 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 853Fy-MUD17DCWgXlU51mPuxgvjP60juIPZ-S1OaNTrqPVA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2023-05-04 04:58:59,170:DEBUG:acme.client:Storing nonce: 853Fy-MUD17DCWgXlU51mPuxgvjP60juIPZ-S1OaNTrqPVA
2023-05-04 04:58:59,170:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "www.your-best-trip.de"\n    },\n    {\n      "type": "dns",\n      "value": "your-best-trip.de"\n    }\n  ]\n}'
2023-05-04 04:58:59,172:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTEzNzIxOTc2IiwgIm5vbmNlIjogIjg1M0Z5LU1VRDE3RENXZ1hsVTUxbVB1eGd2alA2MGp1SVBaLVMxT2FOVHJxUFZBIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRz>
  "signature": "XzP2XPBLc6RYkBBrZbhtrs7dvGiWANLhIc5lmXCRL28WtYIRNpCSlJti-r8auOLZnkRh4gno4p-O-pu4CkeXoB8CQ4YIgzRIyKW8_pL6zCtfDjHlngbkGzHI0R0ytCxDlVmlSA8ExdeppNjU-7bz8xozY2ITJSal6qQ2i0aEOl6m-7DgNI2A-SV7S4OZH4WQonvdtUAQyAXOAcHIm04yo00kQO8Lvcw53rkqd3xN0v1Z>
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogInd3dy55b3VyLWJlc3QtdHJpcC5kZSIKICAgIH0sCiAgICB7CiAgICAgICJ0eXBlIjogImRucyIsCiAgICAgICJ2YWx1ZSI6ICJ5b3VyLWJlc3QtdHJpcC5kZSIKICAgIH0KICBdCn0"
}
2023-05-04 04:58:59,352:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 429 190
2023-05-04 04:58:59,353:DEBUG:acme.client:Received response:
HTTP 429
Server: nginx
Date: Thu, 04 May 2023 02:58:59 GMT
Content-Type: application/problem+json
Content-Length: 190
Connection: keep-alive
Boulder-Requester: 113721976
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 27121Vk8nFQKJIF1wsmWPk5rHAiKLMwQJcrFcqXmSYlLp5U

{
  "type": "urn:ietf:params:acme:error:rateLimited",
  "detail": "Error creating new order :: too many new orders recently: see https://letsencrypt.org/docs/rate-limits/",
  "status": 429
}
2023-05-04 04:58:59,353:WARNING:certbot.renewal:Attempting to renew cert (www.your-best-trip.de) from /etc/letsencrypt/renewal/www.your-best-trip.de.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many reques>
2023-05-04 04:58:59,353:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 462, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1208, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 116, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 320, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 348, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 381, in _get_order_and_authorizations
    orderr = self.acme.new_order(csr_pem)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 863, in new_order
  return self.client.new_order(csr_pem)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 666, in new_order
    response = self._post(self.directory['newOrder'], order)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 95, in _post
    return self.net.post(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1171, in post
    return self._post_once(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1184, in _post_once
    response = self._check_response(response, content_type=content_type)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1042, in _check_response
    raise messages.Error.from_json(jobj)
acme.messages.Error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many new orders recently: see https://letsencrypt.org/docs/rate-limits/

----------------------letsencrypt.log------------------------------
My web server is (include version): Apache/2.4.41 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 20.04.2 LTS

My hosting provider, if applicable, is: manitu.de

I can login to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0

Thank you for any advice!

You get 300 new orders per hour per account, and it thinks you've exceeded that?

I got like 3000 certificates/domains in total but only a few new over the last weeks. I don't understand why a renewal should count as a new order. IMHO renewals should not count.

That's just how it is, the process for a renewal is almost entirely the same as the first time you request a certificate, so it uses all the same Let's Encrypt resources. A renewed certificate is just a completely new certificate for the same names.

Check that whatever method you are using to renew certs isn't renewing them all at the same time - it should be working in small batches with almost randomised renewal times.

If you're really on certbot 0.40 you may want to look into how you could upgrade also.

Thank you webprofusion, now it makes sense.
I'm using the default cronjob so far:
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

If I reduce the interval to 4 hours it should work its way automatically through all certificates in ~2 days (worst case scenario).
If there is a smart way to split the certificates into batches and adjust the cronjob I would take that path but right now it seems to involve using a script and keeping additional track of the batches...

Also reduce the random wait time of 43200 seconds accordingly.
[OR runs may overlap]

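One way to do the batching discussed above while keeping the random sleep below the cron period, as an added example that is not from this thread or from certbot itself: a POSIX sh wrapper that deterministically assigns each lineage under /etc/letsencrypt/renewal to one of N batches (by `cksum` of its name) and renews only the current batch with `certbot renew --cert-name`. The 6 batches, the 4-hour period and the 30-minute reserve for certbot's own run time are assumptions; the `RENEWAL_DIR` override exists only so the functions can be exercised without a real certbot install.

```shell
#!/bin/sh
# Added example: spread certbot renewals over N batches so a single cron
# run never creates every new order at once, and bound the jitter so two
# runs cannot overlap. Not certbot's own code; batch count and timings are
# assumptions for a hypothetical deployment.

# Deterministically map a lineage name to a batch number in 0..N-1.
batch_of() {
    # $1 = lineage name, $2 = number of batches
    sum=$(printf '%s' "$1" | cksum | cut -d' ' -f1)
    echo $(( sum % $2 ))
}

# Read lineage names (one per line) on stdin; print those in batch $2 of $1.
select_batch() {
    # $1 = number of batches, $2 = batch index (0-based)
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        if [ "$(batch_of "$name" "$1")" -eq "$2" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Largest random sleep (seconds) that still ends before the next cron run:
# cron period $1 minus $2 seconds reserved for certbot itself.
max_jitter() {
    echo $(( $1 - $2 ))
}

# Renew only the lineages that fall into batch $2 of $1.
renew_batch() {
    conf_dir=${RENEWAL_DIR:-/etc/letsencrypt/renewal}
    for f in "$conf_dir"/*.conf; do
        [ -f "$f" ] && basename "$f" .conf
    done | select_batch "$1" "$2" | while IFS= read -r name; do
        certbot -q renew --cert-name "$name"
    done
}

# Cron entry assumed: "0 */4 * * * root /usr/local/sbin/renew-batches.sh run"
# Period is 14400 s; batch index is hour/4, so all 6 batches run once a day.
if [ "${1:-}" = "run" ]; then
    period=14400
    jitter=$(awk -v max="$(max_jitter "$period" 1800)" 'BEGIN { srand(); print int(rand() * max) }')
    sleep "$jitter"
    hour=$(date +%H); hour=${hour#0}
    renew_batch 6 $(( hour / 4 ))
fi
```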