lua-resty-auto-ssl

ACME v2 rate limit: too many new orders recently

Open · gohai opened this issue 6 years ago · 1 comment

We have updated to current head (9d43c23af16203b5f94b270fde4b33a77b9cabde), plus a couple of patches, for our production servers, but had to revert after a bit more than two weeks, because certificates for newly added domains weren't getting issued.

The cause for this seems to be this rate limit:

{
  "type": "urn:ietf:params:acme:error:rateLimited",
  "detail": "Error creating new order :: too many new orders recently: see https://letsencrypt.org/docs/rate-limits/",
  "status": 429
}

which seems to be new to ACME v2. As per documentation:

For users of the ACME v2 API you can create a maximum of 300 New Orders per account per 3 hours.

We're certainly not generating that many certificates organically; however, it appears to me that renewals are also counting as an "order". Is anyone able to confirm?

I am thinking this is the case because of the following I pulled from the log. If this is the case, how are renewals for systems with many thousands of domains going to work, if only the first three hundred (renewals) can be handled, and the rest not only fail, but the system is also unable to issue certificates for new organic domains?

This seems like a major issue. I'd appreciate any comment; I wasn't following the specifics about ACME v2 too closely (e.g. is it still possible to make lua-resty-auto-ssl use the v1 API for the time being?). Thanks.

 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Jan 18 11:08:23 2020 GMT Certificate will expire
(Less than 30 days). Renewing!
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 err:   + ERROR: An error occurred while sending post-request to https://acme-v02.api.letsencrypt.org/acme/new-order (Status 429)

Details:
HTTP/2 429
server: nginx
date: Sat, 28 Dec 2019 05:20:40 GMT
content-type: application/problem+json
content-length: 190
boulder-requester: 73071685
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: 0101Y6s7Fje84XcfGYCVjicPF2XTpFp6Asu6zch1BqnDvFk

{
  "type": "urn:ietf:params:acme:error:rateLimited",
  "detail": "Error creating new order :: too many new orders recently: see https://letsencrypt.org/docs/rate-limits/",
  "status": 429
}

gohai avatar Dec 28 '19 07:12 gohai
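As an added illustration (not code from lua-resty-auto-ssl or from this thread), the sketch below shows how a client could account for the limit quoted above on its own side: it recognises the `rateLimited` problem document, keeps a sliding-window count of new-order requests against the 300-per-3-hours figure, and holds back a reserve so that bulk renewals cannot consume the whole budget before a newly added domain gets its first certificate. The `reserve` size, the class and function names, and the sample timeline are assumptions, not anything the project does.

```python
import json
from collections import deque

# Figures quoted in the issue from the Let's Encrypt rate-limit docs.
NEW_ORDER_LIMIT = 300
WINDOW_SECONDS = 3 * 60 * 60


def is_new_order_rate_limited(body: str) -> bool:
    """True when an ACME problem document is the 'too many new orders' 429."""
    try:
        problem = json.loads(body)
    except ValueError:
        return False
    return (problem.get("status") == 429
            and problem.get("type") == "urn:ietf:params:acme:error:rateLimited"
            and "too many new orders" in problem.get("detail", ""))


class OrderBudget:
    """Sliding-window count of new-order requests for one ACME account.

    'reserve' (assumed value) is the number of orders kept back for
    first-time issuance; renewals may not dip into it.
    """

    def __init__(self, limit=NEW_ORDER_LIMIT, window=WINDOW_SECONDS, reserve=50):
        self.limit, self.window, self.reserve = limit, window, reserve
        self.sent = deque()  # timestamps of orders still inside the window

    def _prune(self, now):
        while self.sent and now - self.sent[0] >= self.window:
            self.sent.popleft()

    def remaining(self, now):
        self._prune(now)
        return self.limit - len(self.sent)

    def try_order(self, now, renewal):
        """Record an order at time 'now' if the budget allows it."""
        floor = self.reserve if renewal else 0
        if self.remaining(now) <= floor:
            return False  # caller should defer instead of hitting the CA
        self.sent.append(now)
        return True

    def seconds_until_slot(self, now, renewal):
        """Seconds until try_order() would succeed for this kind of order."""
        self._prune(now)
        allowed = self.limit - (self.reserve if renewal else 0)
        if len(self.sent) < allowed:
            return 0
        k = len(self.sent) - allowed  # oldest entries that must age out first
        return self.sent[k] + self.window - now
```

A renewal loop that checks `try_order()` before each `new-order` request, and sleeps for `seconds_until_slot()` when it is refused, spreads a backlog of thousands of renewals over several windows instead of failing them all and blocking new domains.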

I'm having the same experience. Reverting to the old API is not an option, as Let's Encrypt has EOL'd the ACMEv1 API in November 2019.

Not sure if the "changing challenges returned for invalid valid authorizations" item in the Jan 2020 API update is related either?

I haven't been able to find a solution to this problem. We've had to manually generate the Let's Encrypt certificates and create vhosts using those certificates to work around this issue for our customers.

Is there anything we can try? Or is there something we should be looking for behaviour-wise? Thanks, Zac

zfarrugia avatar Jan 13 '20 15:01 zfarrugia