Let's Encrypt failures

Requesting a certificate for commercialfleetservices.com, www.commercialfleetservices.com from Let's Encrypt .. .. request failed : Failed to request certificate :

Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying commercialfleetservices.com...
Traceback (most recent call last):
  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 235, in
    main(sys.argv[1:])
  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 231, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, args.dns_hook, args.cleanup_hook, log=LOGGER, CA=args.ca)
  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 122, in get_crt
    raise ValueError("Error requesting challenges: {0} {1}".format(code, result))
ValueError: Error requesting challenges: 429 { "type": "urn:acme:error:rateLimited", "detail": "Error creating new authz :: Too many invalid authorizations recently.", "status": 429 }

I have disabled the redirect to no avail. This has not been a problem for a while...so is this a regression?

Status: 
Active

Comments

Howdy -- if you're receiving "Too many invalid authorizations", that means one or more of your domains have been failing to renew.

You'd need to wait 24 hours before trying any additional Let's Encrypt certificates.

But that may suggest that there's a renewal somewhere that's failing.

If it wasn't one you did manually, there may be an automatic renewal failing... when it fails, it should be sending an email to the Virtual Server owner.

I have hit the rate limit, not sure why. May have been 4 auto-renewals earlier in the week. I can wait a week to get my new site under SSL, pain though it is, but I do worry there may be some underlying issue/ongoing failure, which could mean I was waiting for nothing and it still would not work! How can I find out a) when the week is up b) any logs/info to do with the Let's Encrypt process? Thanks

Are you getting any emails from Virtualmin to the domain owner's address regarding failed renewals?

No, I have no emails. (I don't use the server for email but I do get virtualmin package notification emails so I assume that part is working ok.)

Also check the domain owner's primary mailbox.

I do not own that mailbox but owner assures me nothing came through and not in spam. Would there be an email on each attempt or just the first failure? Is this emailing a function of LE or VM?

It should send an email on every successful or failed automatic renewal - this is done by Virtualmin.

Whatever the cause is, you will also be able to see it if you try to renew manually via the Virtualmin UI.

I get no emails. The message I get is the same as in many posts about Let's Encrypt "too many authz" issues:

Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying [DOMAIN]...
Traceback (most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 235, in
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 231, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, args.dns_hook, args.cleanup_hook, log=LOGGER, CA=args.ca)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 122, in get_crt
    raise ValueError("Error requesting challenges: {0} {1}".format(code, result))
ValueError: Error requesting challenges: 429 { "type": "urn:acme:error:rateLimited", "detail": "Error creating new authz :: too many currently pending authorizations", "status": 429 }

I have several Virtual Servers with auto renew which seems to work fine - but again I get no notifications to say anything has happened there either. Thanks for looking,
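The two tracebacks in this thread end with the same 429 status but different "detail" strings, and the distinction matters for triage: "Too many invalid authorizations" means validations are actually failing somewhere, while "too many currently pending authorizations" means authorizations are being created and never completed. The following is an added example, not part of acme_tiny or Virtualmin, that pulls the status code and JSON error body out of an acme_tiny failure message and maps it to the next diagnostic step the replies above suggest (wait for the limit to expire, then find the renewal that is failing). The sample messages are constructed from the output quoted in this thread.

```python
"""Classify acme_tiny "Error requesting challenges" failures (added example).

Assumptions: the failure text is whatever Virtualmin shows or emails from
acme_tiny, which ends in 'Error requesting challenges: <status> <json>'.
"""
import json
import re

# acme_tiny raises ValueError("Error requesting challenges: {code} {result}")
ACME_ERROR_RE = re.compile(r"Error requesting challenges: (\d{3}) (\{.*\})", re.S)


def parse_acme_error(text):
    """Return {'status', 'type', 'detail'} from an acme_tiny failure message,
    or None if the message does not contain an ACME error body."""
    match = ACME_ERROR_RE.search(text)
    if not match:
        return None
    status = int(match.group(1))
    try:
        body = json.loads(match.group(2))
    except ValueError:
        body = {}
    return {
        "status": status,
        "type": body.get("type", ""),
        "detail": body.get("detail", ""),
    }


def classify_acme_error(err):
    """Map a parsed error to a short triage label; the actions are the ones
    given by the replies in this thread (wait out the limit, then locate the
    failing renewal), not an official Let's Encrypt reference."""
    if err is None:
        return "no-acme-error"
    if err["type"].endswith("rateLimited"):
        detail = err["detail"].lower()
        if "invalid authorizations" in detail:
            # Validations are failing: a renewal is broken, not just noisy.
            return "rate-limited:failed-validations"
        if "pending authorizations" in detail:
            # Authorizations are created but never completed or cleaned up.
            return "rate-limited:pending-authorizations"
        return "rate-limited:other"
    return "acme-error:%s" % (err["type"] or err["status"])


# Constructed samples, taken from the two tracebacks quoted in this thread.
SAMPLE_INVALID = (
    'ValueError: Error requesting challenges: 429 { "type": '
    '"urn:acme:error:rateLimited", "detail": "Error creating new authz :: '
    'Too many invalid authorizations recently.", "status": 429 }'
)
SAMPLE_PENDING = (
    'ValueError: Error requesting challenges: 429 { "type": '
    '"urn:acme:error:rateLimited", "detail": "Error creating new authz :: '
    'too many currently pending authorizations", "status": 429 }'
)

if __name__ == "__main__":
    for sample in (SAMPLE_INVALID, SAMPLE_PENDING):
        print(classify_acme_error(parse_acme_error(sample)))
```

Run against a pasted failure email or UI message; a "failed-validations" result means disabling auto-renew only buys time, and the domain whose validation is failing still has to be found.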

I have changed the email address on all my virtual servers to one I know rather than "Administrator's mailbox" - no idea where those are going. Now I am getting a failure emailed every 5 mins on a previously configured (and working, and not yet certificate expired) domain trying to auto renew on 2 months rather than 3. How can I kill it? In my acme-challenge folder there are 600 auth files dated from 21/7 (they are accessible in browser). Should I delete those files?

For the time being, you may just want to disable the auto-renew, until the rate limit expires. That will take roughly 24 hours from the last request that has been made.
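The 600 leftover files in the acme-challenge folder mentioned above are HTTP-01 tokens that acme_tiny writes for each validation attempt; they are only needed while a validation is in flight. The following is an added example, not Virtualmin's or acme_tiny's own code, that audits a webroot's .well-known/acme-challenge directory for token files older than a cutoff and removes them only when dry_run is switched off. It assumes the standard webroot layout; the sample files are constructed in a temporary directory so it runs offline.

```python
"""Audit and clean stale ACME HTTP-01 challenge files (added example).

Assumption: tokens live under <webroot>/.well-known/acme-challenge/ and any
file older than `max_age` belongs to a finished or failed validation.
"""
import os
import tempfile
import time
from datetime import timedelta
from pathlib import Path

CHALLENGE_SUBDIR = Path(".well-known") / "acme-challenge"


def find_stale_challenges(webroot, max_age=timedelta(days=1), now=None):
    """Return sorted paths of challenge files whose mtime is older than max_age."""
    now = time.time() if now is None else now
    cutoff = now - max_age.total_seconds()
    challenge_dir = Path(webroot) / CHALLENGE_SUBDIR
    if not challenge_dir.is_dir():
        return []
    return sorted(p for p in challenge_dir.iterdir()
                  if p.is_file() and p.stat().st_mtime < cutoff)


def remove_stale_challenges(webroot, max_age=timedelta(days=1),
                            dry_run=True, now=None):
    """List (dry_run=True) or delete (dry_run=False) stale challenge files.
    Returns the paths that were, or would have been, removed."""
    stale = find_stale_challenges(webroot, max_age, now)
    if not dry_run:
        for path in stale:
            path.unlink()
    return stale


def build_sample_webroot(root):
    """Constructed sample: three month-old token files plus one fresh one."""
    challenge_dir = Path(root) / CHALLENGE_SUBDIR
    challenge_dir.mkdir(parents=True, exist_ok=True)
    old = time.time() - 30 * 86400  # 30 days ago
    for i in range(3):
        token = challenge_dir / ("stale-token-%d" % i)
        token.write_text("stale-token.thumbprint")
        os.utime(token, (old, old))  # backdate mtime so it counts as stale
    (challenge_dir / "fresh-token").write_text("fresh-token.thumbprint")
    return challenge_dir


def demo():
    """Run a dry run, then a real clean, on the constructed sample webroot.
    Returns (stale_listed, files_before, removed, files_after)."""
    with tempfile.TemporaryDirectory() as root:
        challenge_dir = build_sample_webroot(root)
        listed = remove_stale_challenges(root, dry_run=True)
        before = len(list(challenge_dir.iterdir()))
        removed = remove_stale_challenges(root, dry_run=False)
        after = len(list(challenge_dir.iterdir()))
        return len(listed), before, len(removed), after


if __name__ == "__main__":
    print(demo())  # → (3, 4, 3, 1)
```

Run the dry run first against the real webroot (for example a virtual server's public_html) and only pass dry_run=False once the listed files are all from dates when no validation was in progress; deleting tokens does nothing about the rate limit itself, which still expires on its own.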

Thanks Andreychek! - so obvious I did not think of it :-) Let's see what happens next.

OK, by turning off the auto-renew attempts that were causing an error, and waiting a week, I have managed to get my new domain certificate. Phew! Now, looking back at the problem server (which is 5 related domains and a subdomain) I can see an error saying hostname does not match. It turns out I had not switched on SSL on the subdomain so it was for some reason looking under my first-named server. (Not sure how the certificate got issued originally, like that.) In case it helps someone - full error here:

Verifying [subdomain].[domain].com...
Traceback (most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 235, in
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 231, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, args.dns_hook, args.cleanup_hook, log=LOGGER, CA=args.ca)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 144, in get_crt
    resp = urlopen(wellknown_url)
  File "/usr/lib/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib/python2.7/urllib2.py", line 437, in open
    response = meth(req, response)
  File "/usr/lib/python2.7/urllib2.py", line 550, in http_response
    'http', request, response, code, msg, hdrs)
  File "/usr/lib/python2.7/urllib2.py", line 469, in error
    result = self._call_chain(*args)
  File "/usr/lib/python2.7/urllib2.py", line 409, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 656, in http_error_302
    return self.parent.open(new, timeout=req.timeout)
  File "/usr/lib/python2.7/urllib2.py", line 431, in open
    response = self._open(req, data)
  File "/usr/lib/python2.7/urllib2.py", line 449, in _open
    '_open', req)
  File "/usr/lib/python2.7/urllib2.py", line 409, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 1240, in https_open
    context=self._context)
  File "/usr/lib/python2.7/urllib2.py", line 1194, in do_open
    h.request(req.get_method(), req.get_selector(), req.data, headers)
  File "/usr/lib/python2.7/httplib.py", line 1039, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1073, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1035, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 879, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 841, in send
    self.connect()
  File "/usr/lib/python2.7/httplib.py", line 1250, in connect
    server_hostname=server_hostname)
  File "/usr/lib/python2.7/ssl.py", line 350, in wrap_socket
    _context=self)
  File "/usr/lib/python2.7/ssl.py", line 566, in init
    self.do_handshake()
  File "/usr/lib/python2.7/ssl.py", line 796, in do_handshake
    match_hostname(self.getpeercert(), self.server_hostname)
  File "/usr/lib/python2.7/ssl.py", line 269, in match_hostname
    % (hostname, ', '.join(map(repr, dnsnames))))
ssl.CertificateError: hostname '[subdomain.domain].com' doesn't match either of '[domain2].com>, 'www.[domain2].com'

Do you have redirects set up from http to https? Because normally the Let's Encrypt validation is only done using the http site.

I don't think any of my redirects are affecting it (as in I can get to acme etc).

OK so my subdomain was now working - but I now find the main domains are all failing! The certificate for the virtual server on the first of my domains is showing that subdomain only as valid. I have deleted the subdomain and created it as an alias (this is a multi-domain set up under Drupal using Domain Control) which should work for the site OK. Now when I try to get a new cert I am getting "500 Error creating new authz". Good grief!

OK have now created auth OK.

So the cert request works now?

Yes thanks - all good. (I don't know why the subdomain seemed to take control but deleting it and waiting a while has solved the issue.)