Letsencrypt rate limit and multiple accounts

Hi,

We have a lot of domains under our servers, and sometimes we hit the rate limit of Letsencrypt because we create more than 300 certificates in 3 hours.

Because we're using many Caddy servers (with the same storage) to serve our system, I thought maybe every server could have a different Letsencrypt account in its own Caddyfile, and this way every server could handle 300 orders per 3 hours.

I wanted to know if that's possible.
And also, what will happen if account A creates the SSL and account B is the one that needs to renew it?

Thanks a lot

Please fill out the help topic template (click “New Topic” and copy the template into this thread, and fill it out).

What version of Caddy are you using? What’s your config? What do you see in your logs? Are you running more than one instance of Caddy?

1. Caddy version (caddy version):

v2.4.3

2. How I run Caddy:

  1. We have 5 servers running behind an AWS network load balancer.
  2. They share the same storage using AWS EFS.
  3. Every server has the same Caddyfile, but it is not located in the shared storage (EFS), just in the local storage of the server.

a. System environment:

Ubuntu 20.04.2 LTS (GNU/Linux 5.8.0-1041-aws x86_64)
Simple install without Docker

b. Command:

Auto Caddy services are running in the background

d. My complete Caddyfile or JSON config:

    {
        #debug
        storage file_system {
            root /mnt/efs/caddy_data
        }
        log HHHH {
            output file /var/caddy_log/requests.log {
                roll_size 200mb
                roll_keep 3
                roll_keep_for 24h
            }
            level WARN
        }

        # TLS Options
        email HHHH @ HHHH .com
        on_demand_tls {
            ask https://www. HHHH .com/isDomainValid.php
        }
    }

    https://

    tls {
        on_demand
        issuer acme {
            email HHHH @ HHHH .com
        }
        issuer zerossl HHHH {
            email HHHH @ HHHH .com
        }
    }

    reverse_proxy 76.223. HHHH . HHHH {
        header_down -proxy-cache
    }

3. The problem I’m having:

Sometimes we have more than 300 new domains in 3 hours and then Letsencrypt blocks us for a week.

5. What I already tried:

  1. I thought maybe I could give every server's Caddyfile a different email for Letsencrypt, so I would have 300 orders for each server.
  2. That means every server will create new SSLs with its own unique user, but the renewal can happen from any other server, so the renewal may come from a different email than the one that created the SSL. Is that OK?
  3. Can Caddy storage work with multiple users on the same storage?
  4. Does Letsencrypt support this kind of workaround?

Hope I did it right now :slight_smile: (sorry)

Thanks

First, I want to make sure we’re on the same page.

What evidence do you have of that? It’s a 3 hour rate limit, not 1 week. So you can do 300 in the first 10 minutes, then be “blocked” for only the next 2 hours and 50 minutes. LE says they use a sliding window algorithm.

I was blocked last week (again).
You can see it here:

You can create a maximum of 300 New Orders per account per 3 hours. A new order is created each time you request a certificate from the Boulder CA, meaning that one new order is produced in each certificate request. Exceeding the New Orders limit is reported with the error message too many new orders recently

and then they write:

If you’ve hit a rate limit, we don’t have a way to temporarily reset it. You’ll need to wait until the rate limit expires after a week. We use a sliding window, so if you issued 25 certificates on Monday and 25 more certificates on Friday, you’ll be able to issue again starting Monday. You can get a list of certificates issued for your registered domain by searching on crt.sh, which uses the public Certificate Transparency logs.

1 Like
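As an added example, not code from this thread or from Caddy: the sliding-window arithmetic quoted above (300 new orders per account, counted over a rolling 3-hour window) applied to constructed order timestamps, plus a scan of constructed Caddy-style JSON log lines for the `rateLimited` ACME error type such a block produces. The log field names `identifier` and `error` are assumptions, not verified against Caddy's log format.

```python
import json
from datetime import datetime, timedelta, timezone

NEW_ORDERS_LIMIT = 300           # Let's Encrypt: 300 new orders per account ...
WINDOW = timedelta(hours=3)      # ... counted over a sliding 3-hour window
RATE_LIMITED = "urn:ietf:params:acme:error:rateLimited"   # error type LE returns

def in_window(order_times, now, window=WINDOW):
    """Orders that still count at `now`: those made within the last `window`."""
    return [t for t in order_times if now - window < t <= now]

def can_order(order_times, now, limit=NEW_ORDERS_LIMIT):
    return len(in_window(order_times, now)) < limit

def next_slot(order_times, now, limit=NEW_ORDERS_LIMIT, window=WINDOW):
    """Earliest time one more order fits: when the oldest counted order ages out."""
    counted = in_window(order_times, now, window)
    return now if len(counted) < limit else min(counted) + window

def burst_scenario(orders=300, burst=timedelta(minutes=10)):
    """The reply's example: 300 orders in the first 10 minutes. Returns
    (allowed at +1h, hours from t0 until the next slot, allowed again at +3h)."""
    t0 = datetime(2021, 8, 1, 12, 0, tzinfo=timezone.utc)   # constructed start
    times = [t0 + burst * i / orders for i in range(orders)]
    later = t0 + timedelta(hours=1)
    wait = (next_slot(times, later) - t0).total_seconds() / 3600
    return can_order(times, later), wait, can_order(times, t0 + WINDOW)

# Constructed Caddy-style JSON log lines; 'identifier' and 'error' field names are assumed.
SAMPLE_LOG = [
    '{"logger":"tls.obtain","identifier":"a.example","error":"HTTP 429 %s - Error creating '
    'new order :: too many new orders recently"}' % RATE_LIMITED,
    '{"logger":"tls.obtain","identifier":"b.example","msg":"certificate obtained"}',
    "not json at all",
]

def rate_limited_identifiers(log_lines):
    """Identifiers whose log line carries LE's rateLimited error; non-JSON lines skipped."""
    hits = []
    for line in log_lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue
        if RATE_LIMITED in rec.get("error", ""):
            hits.append(rec.get("identifier"))
    return hits
```

With 300 orders in the first ten minutes, `burst_scenario()` reports the account blocked at +1h, a next slot exactly 3 hours after the first order, and issuance allowed again at +3h, which is the 3-hour behaviour the reply describes rather than a week.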

Matt asked on the LE forums, and they said that it definitely should only be for 3 hours, not a week.

1 Like

Thank you @matt, really appreciate that.
But I'm not sure the answer is right: I can't create a new SSL with Let's Encrypt, and it always goes to ZeroSSL.
All my logs are full of this error: "HTTP 429 urn:ietf:params:acme:error:rateLimited - Error creating new order :: too many new orders recently: see Rate Limits - Let's Encrypt"

I don’t use all the other options that can block my rate. No sub-domains, no new accounts…

Maybe you should reach out to them yourself on the LE forums, give them the details they need to lookup your LE account to see what rate limits you’re actually hitting.

There’s not much we can do here, this isn’t really a Caddy problem per se.

Yes, I agree.
I just asked to see if Caddy can offer me a workaround to this rate limit issue.
My question is still relevant because my system hit the rate limit for some reason, and I need a solution so that it will not happen, even if it's only for 3 hours.

Rate limit avoidance would be against the terms of service of LE. So we can’t help you there.

OK, I tried something here:

Hope it will change something :slight_smile:

Thanks!

1 Like

This topic was automatically closed after 30 days. New replies are no longer allowed.