dshop
Let's Encrypt rate limiting
Looks like we recently hit certs per domain per week rate limiting by Let's Encrypt:
err: + ERROR: An error occurred while sending post-request to https://acme-v02.api.letsencrypt.org/acme/new-order (Status 429)
Details:
HTTP/2 429
server: nginx
date: Mon, 08 Feb 2021 17:29:49 GMT
content-type: application/problem+json
content-length: 211
boulder-requester: 101135264
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: 0103UDRXl436S9vahUaN6Wa_VfaitGTESMruhdIiosTSei4
{
"type": "urn:ietf:params:acme:error:rateLimited",
"detail": "Error creating new order :: too many certificates already issued for: ogn.app: see https://letsencrypt.org/docs/rate-limits/",
"status": 429
}
https://letsencrypt.org/docs/rate-limits/
https://crt.sh/?q=ogn.app
Ref #695
Options:
1. Add support to infra for wildcard cert
2. Add more default domains per dshop node (e.g. ogn2.app, ogn3.app)
3. Require custom domains to be set up for shops
4. Request a higher limit
5. Do nothing and wait for the rate limit window to shift
1 & 2 would take significant engineering. 3 would take some engineering but might be the most minimal? 4 takes weeks to process. 5 is an option.
CC @franckc @nick
CC @micahalcorn for product input.
I kind of like 3. I'm also fine with a sort of 4+5 but not crazy about 1 or 2.
I'm going to label this P1 just for us to make a decision on it, not necessarily do any work.
We may as well fill out the form. What's our ACME account ID?
I tweeted at them to ask if we can get some accelerated service. I can probably find a warm intro to them if that doesn't work.
https://twitter.com/OriginProtocol/status/1362002957823172616
@joshfraser Sent via Discord
Filled out the request form.
I kind of like option 3 to filter out shops that are not serious about actually making sales.
Option 3 seems to be working, so I think that is our solution while we do 4+5.