Symptoms
When running AutoSSL, you receive an error similar to either of the following:
CONFIG_TEXT: 0:00:00 AM WARN AutoSSL failed to create a new certificate order because the server’s Let’s Encrypt account has reached a rate limit. (429 urn:ietf:params:acme:error:rateLimited (The request exceeds a rate limit) (Error creating new order :: Reason)) You may contact Let’s Encrypt to request a change to this rate limit.
CONFIG_TEXT: WARN AutoSSL failed to create a new certificate order because the server’s Let’s Encrypt account (https://acme-v02.api.letsencrypt.org/acme/acct/123456789) has reached a rate limit. (429 urn:ietf:params:acme:error:rateLimited (The request exceeds a rate limit) (Error creating new order :: too many certificates already issued for "domain.tld". Retry after 2024-04-01T19:00:00Z: see https://letsencrypt.org/docs/rate-limit
It's also possible that Let's Encrypt may provide a portal link to request that the rate limit be changed or unpaused.
CONFIG_TEXT: (429 urn:ietf:params:acme:error:rateLimited (The request exceeds a rate limit) (Your account is temporarily prevented from requesting certificates for domain.com and possibly others. Please visit: https://portal.letsencrypt.org/sfe/v1/unpause?jwt=token)) You may contact Let’s Encrypt to request a change to this rate limit.
Cause
Let's Encrypt has many reasons to rate-limit a user. New certificate requests for domains that are not currently issued a Let's Encrypt SSL, the following limits apply:
- Up to 50 certificates can be issued per registered domain every 7 days.
For example, the registered domain for a subdomain like www.example.com would be example.com. -
Up to 5 certificates can be issued per exact same set of hostnames every 7 days.
If you request a certificate for example.com and login.example.com, the “exact set of hostnames” is:CONFIG_TEXT: [example.com, login.example.com]
- One account can incur up to 5 authorization failures per hostname every hour.
An authorization is generated for each hostname included in an order. Before a certificate can be issued, all authorizations in the order must be successfully validated. - Up to 300 new orders can be created by a single account every 3 hours.
- A single certificate can include up to 100 Domains.
For performance reasons, it’s better to use fewer domains per certificate whenever you can.
The rate limits provided above are an excerpt of the full documentation provided by Let's Encrypt. Please take a look at the full document linked below for more details:
Resolution
Review the AutoSSL logs where the rate limit was hit to determine the reason for the DCV failure and resolve that issue. Depending on the limit being hit, the domain count will need to be reduced for the certificate to be issued, or the rate limit timeframe needs to be waited out.
Comments
0 comments
Article is closed for comments.