Hi
Caddy is awesome and I have been using it for my startup Hashnode for 1 year now. Never had any issues. Kudos to the awesome work by the team.
However, for the last couple of days, I have been facing a weird issue. Here are the details:
1. Caddy version (caddy version): 1.0
2. How I run Caddy:
We start Caddy using the following command:
nohup caddy -log access.log
a. System environment:
OS: Ubuntu 16.04
b. Command:
nohup caddy -log access.log
c. Service/unit/compose file:
None
d. My complete Caddyfile or JSON config:
* {
    proxy / localhost:3000 {
        transparent
    }
    gzip
    tls {
        ask <ask-url>
    }
}
*.hashnode.dev:443 {
    proxy / localhost:3000 {
        transparent
    }
    gzip
    tls fullchain.pem privkey.pem
}
3. The problem I’m having:
We are running Caddy in fleet mode (total 5 servers). A common disk is mounted on .caddy/acme via SSHFS to share SSL certs. Since we have a multi-tenant system, there are around 2500 different domains. Everything was smooth so far, but lately I have been seeing the error “Too many new orders recently” while requesting certs for new domains. This happens occasionally. As per LE, this error comes when you exceed the 300 orders / 3 hrs limit. But we are not doing that many requests in 3 hours. I checked our server logs to verify this.
What could be the reason?
4. Error messages and/or full log output:
2020/08/03 18:34:42 http: TLS handshake error from 127.0.0.1:43364: EOF
2020/08/03 18:34:44 [ERROR] Renewing [hn.werick.codes]: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/, url: ; trying again in 10s
2020/08/03 18:34:55 [ERROR] Renewing [hn.werick.codes]: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/, url: ; trying again in 10s
2020/08/03 18:35:05 [ERROR] too many renewal attempts; last error: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/, url:
2020/08/03 18:35:05 [INFO] Certificate for [blog.amnota.dev] expires in -1140h50m18.035994548s; attempting renewal
2020/08/03 18:35:09 http: TLS handshake error from 127.0.0.1:43372: EOF
2020/08/03 18:35:12 [ERROR] Renewing [blog.amnota.dev]: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/, url: ; trying again in 10s
2020/08/03 18:35:22 [ERROR] Renewing [blog.amnota.dev]: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/, url: ; trying again in 10s
2020/08/03 18:35:32 [ERROR] too many renewal attempts; last error: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/, url:
2020/08/03 18:35:32 [INFO][cache:0xc0000b87d0] Done scanning certificates
2020/08/03 18:35:32 [INFO][cache:0xc0000b87d0] Scanning for stale OCSP staples
2020/08/03 18:35:32 [INFO] Advancing OCSP staple for [blog.herce.co] from 2020-08-07 06:00:00 +0000 UTC to 2020-08-10 06:00:00 +0000 UTC
2020/08/03 18:35:33 [INFO] Advancing OCSP staple for [blog.bytefly.io] from 2020-08-07 06:00:00 +0000 UTC to 2020-08-10 06:00:00 +0000 UTC
2020/08/03 18:35:33 [INFO] Advancing OCSP staple for [juantobias.dev] from 2020-08-07 06:00:00 +0000 UTC to 2020-08-10 06:00:00 +0000 UTC
2020/08/03 18:35:33 [INFO] Advancing OCSP staple for [til.agentofuser.com] from 2020-08-07 06:00:00 +0000 UTC to 2020-08-10 06:00:00 +0000 UTC
2020/08/03 18:35:34 [INFO] Advancing OCSP staple for [cloudy.achakladar.com] from 2020-08-07 06:00:00 +0000 UTC to 2020-08-10 06:00:00 +0000 UTC
2020/08/03 18:35:34 [INFO] Advancing OCSP staple for [jordanfarrer.com] from 2020-08-07 06:00:00 +0000 UTC to 2020-08-10 06:00:00 +0000 UTC
2020/08/03 18:35:34 [INFO] Advancing OCSP staple for [risav.dev] from 2020-08-07 06:00:00 +0000 UTC to 2020-08-10 06:00:00 +0000 UTC
2020/08/03 18:35:35 [INFO] Advancing OCSP staple for [blog.levippaul.com] from 2020-08-07 06:00:00 +0000 UTC to 2020-08-10 06:00:00 +0000 UTC
2020/08/03 18:35:35 [INFO] Advancing OCSP staple for [blog.joostvandergaag.com] from 2020-08-07 06:00:00 +0000 UTC to 2020-08-10 06:00:00 +0000 UTC
2020/08/03 18:35:35 [INFO] Advancing OCSP staple for [blog.collinsruto.com] from 2020-08-07 06:00:00 +0000 UTC to 2020-08-10 06:00:00 +0000 UTC
2020/08/03 18:35:36 [INFO] Advancing OCSP staple for [blog.jarda.it] from 2020-08-07 06:00:00 +0000 UTC to 2020-08-10 06:00:00 +0000 UTC
2020/08/03 18:35:36 [INFO] Advancing OCSP staple for [devblog.qcobjects.org] from 2020-08-07 06:00:00 +0000 UTC to 2020-08-10 06:00:00 +0000 UTC
2020/08/03 18:35:36 [INFO] Advancing OCSP staple for [dev.liuweifeng.net] from 2020-08-07 06:00:00 +0000 UTC to 2020-08-10 06:00:00 +0000 UTC
2020/08/03 18:35:37 [INFO] Advancing OCSP staple for [blog.prokop.dev] from 2020-08-07 06:00:00 +0000 UTC to 2020-08-10 06:00:00 +0000 UTC
2020/08/03 18:35:37 [INFO] Advancing OCSP staple for [blog.leojacon.tech] from 2020-08-07 06:00:00 +0000 UTC to 2020-08-10 06:00:00 +0000 UTC
2020/08/03 18:35:37 [INFO] Advancing OCSP staple for [blog.athreyapatel.codes] from 2020-08-07 06:00:00 +0000 UTC to 2020-08-10 06:00:00 +0000 UTC
2020/08/03 18:35:37 [INFO] Advancing OCSP staple for [blog.cloudnative-labs.nl] from 2020-08-07 06:00:00 +0000 UTC to 2020-08-10 06:00:00 +0000 UTC
2020/08/03 18:35:38 [INFO] Advancing OCSP staple for [blog.mikeattara.com] from 2020-08-07 06:00:00 +0000 UTC to 2020-08-10 06:00:00 +0000 UTC
2020/08/03 18:35:38 [INFO] Advancing OCSP staple for [techoodle.vidhyaranganathan.com] from 2020-08-07 06:00:00 +0000 UTC to 2020-08-10 06:00:00 +0000 UTC
2020/08/03 18:35:38 [INFO] Advancing OCSP staple for [blog.akush.in] from 2020-08-07 06:00:00 +0000 UTC to 2020-08-10 06:00:00 +0000 UTC
2020/08/03 18:35:39 [INFO] Advancing OCSP staple for [blog.romanjasek.com] from 2020-08-07 06:00:00 +0000 UTC to 2020-08-10 06:00:00 +0000 UTC
2020/08/03 18:35:39 [INFO] Advancing OCSP staple for [blog.chrisjohn.digital] from 2020-08-07 06:00:00 +0000 UTC to 2020-08-10 06:00:00 +0000 UTC
2020/08/03 18:35:39 [INFO] Advancing OCSP staple for [fiq.me] from 2020-08-07 06:00:00 +0000 UTC to 2020-08-10 06:00:00 +0000 UTC
2020/08/03 18:35:40 [INFO] Advancing OCSP staple for [blog.yeshu.in] from 2020-08-07 06:00:00 +0000 UTC to 2020-08-10 06:00:00 +0000 UTC
2020/08/03 18:35:40 [ERROR] Checking OCSP: invalid: OCSP response for [hash.imfancy.cn] valid after certificate expiration (-24h6m36s)
2020/08/03 18:35:40 [INFO] Advancing OCSP staple for [abrahamnm.com] from 2020-08-07 06:00:00 +0000 UTC to 2020-08-10 06:00:00 +0000 UTC
2020/08/03 18:35:41 [INFO] Advancing OCSP staple for [blog.vaishnavibaliga.com] from 2020-08-07 06:00:00 +0000 UTC to 2020-08-10 06:00:00 +0000 UTC
2020/08/03 18:35:41 [INFO] Advancing OCSP staple for [saltgen.dev] from 2020-08-07 06:00:00 +0000 UTC to 2020-08-10 06:00:00 +0000 UTC
2020/08/03 18:35:41 [INFO][cache:0xc0000b87d0] Done checking OCSP staples
2020/08/03 18:35:44 [ERROR] Sending telemetry: Post https://telemetry.caddyserver.com/v1/update/eb54bcd5-4dc0-42f4-9575-5a23cea6efe7: dial tcp: lookup telemetry.caddyserver.com on 67.207.67.3:53: no such host
2020/08/03 18:38:38 http: TLS handshake error from 18.212.228.7:47866: certificate for hostname '' not allowed, non-2xx status code 404 returned from <ask-url>
2020/08/03 19:14:32 [INFO][cache:0xc0000b87d0] Scanning for stale OCSP staples
2020/08/03 19:14:32 [INFO] Advancing OCSP staple for [blog.rakeshyadav.info] from 2020-08-07 07:00:00 +0000 UTC to 2020-08-10 07:00:00 +0000 UTC
2020/08/03 19:14:32 [INFO] Advancing OCSP staple for [blog.sireto.io] from 2020-08-07 07:00:00 +0000 UTC to 2020-08-10 07:00:00 +0000 UTC
2020/08/03 19:14:32 [ERROR] Checking OCSP: invalid: OCSP response for [hash.imfancy.cn] valid after certificate expiration (-24h6m36s)
2020/08/03 19:14:33 [INFO] Advancing OCSP staple for [blog.rafedraper.de] from 2020-08-07 07:00:00 +0000 UTC to 2020-08-10 07:00:00 +0000 UTC
2020/08/03 19:14:33 [INFO] Advancing OCSP staple for [hn.werick.codes] from 2020-08-07 07:00:00 +0000 UTC to 2020-08-10 07:00:00 +0000 UTC
2020/08/03 19:14:33 [INFO][cache:0xc0000b87d0] Done checking OCSP staples
2020/08/03 19:21:29 [INFO] Obtaining new certificate for 20vueapps.com
2020/08/03 19:21:30 http: TLS handshake error from 127.0.0.1:43834: EOF
2020/08/03 19:21:32 http: TLS handshake error from 106.51.24.241:33508: [20vueapps.com] failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many new orders recently: see https://letsencrypt.org/docs/rate-limits/, url:
2020/08/03 19:21:33 [INFO] Obtaining new certificate for 20vueapps.com
2020/08/03 19:21:33 http: TLS handshake error from 127.0.0.1:43840: EOF
2020/08/03 19:21:34 http: TLS handshake error from 106.51.24.241:33513: [20vueapps.com] failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many new orders recently: see https://letsencrypt.org/docs/rate-limits/, url:
2020/08/03 19:21:34 http: TLS handshake error from 106.51.24.241:33516: tls: client offered only unsupported versions: [301 300]
2020/08/03 19:21:37 [INFO] Obtaining new certificate for 20vueapps.com
2020/08/03 19:21:37 http: TLS handshake error from 127.0.0.1:43844: EOF
2020/08/03 19:21:38 http: TLS handshake error from 106.51.24.241:33519: [20vueapps.com] failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many new orders recently: see https://letsencrypt.org/docs/rate-limits/, url:
2020/08/03 19:21:38 [INFO] Obtaining new certificate for 20vueapps.com
2020/08/03 19:21:39 http: TLS handshake error from 127.0.0.1:43848: EOF
2020/08/03 19:21:40 http: TLS handshake error from 106.51.24.241:33520: [20vueapps.com] failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many new orders recently: see https://letsencrypt.org/docs/rate-limits/, url:
2020/08/03 19:21:40 http: TLS handshake error from 106.51.24.241:33521: tls: client offered only unsupported versions: [301 300]
2020/08/03 19:21:40 [INFO] Obtaining new certificate for 20vueapps.com
2020/08/03 19:21:41 http: TLS handshake error from 127.0.0.1:43852: EOF
2020/08/03 19:21:41 http: TLS handshake error from 106.51.24.241:33522: [20vueapps.com] failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many new orders recently: see https://letsencrypt.org/docs/rate-limits/, url:
2020/08/03 19:21:42 [INFO] Obtaining new certificate for 20vueapps.com
2020/08/03 19:21:43 http: TLS handshake error from 127.0.0.1:43856: EOF
2020/08/03 19:21:43 http: TLS handshake error from 106.51.24.241:33523: [20vueapps.com] failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many new orders recently: see https://letsencrypt.org/docs/rate-limits/, url:
2020/08/03 19:21:43 http: TLS handshake error from 106.51.24.241:33525: tls: client offered only unsupported versions: [301 300]
If you look at the end of the above logs (domain 20vueapps.com), you will see a bunch of “too many new orders recently” errors.
5. What I already tried:
I tried finding out if we by chance request a lot of new certs in a 3 hr window, but that’s not the case. I did some research and realized that renewals might also be counting against my quota. But I think Caddy must be backing off before attempting to renew a lot of certs. Please correct me if I am wrong.
Also, I know that Caddy is capable of handling tens of thousands of certs easily.
So, I am not fully sure what’s going on. Any help will be highly appreciated.
Thank You!
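Added example (not from the post or from Caddy itself): a small Python check for the theory in section 5. It counts renewal and new-order attempts in the posted Caddy 1.x log format per rolling 3-hour window and per domain, and splits the 429s by which Let's Encrypt limit they actually name, since "too many new orders" and "too many failed authorizations" are different limits. It assumes each "Obtaining new certificate" INFO line and each "Renewing [...]" ERROR line corresponds to one new-order POST (retries included), and the sample lines are constructed, not taken from the real logs.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta

# Assumption: each "Obtaining new certificate" INFO line and each
# "Renewing [...]" ERROR line is one POST to the ACME new-order endpoint.
ORDER_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[(?:INFO|ERROR)\] (?:Obtaining new certificate for |Renewing \[)"
    r"(?P<domain>[^\]\s:]+)"
)
# Which limit a 429 names: "new orders" vs "failed authorizations" need different fixes.
LIMIT_RE = re.compile(r"rateLimited :: Error creating new order :: (too many [a-z ]+?) recently")
LE_NEW_ORDERS_LIMIT = 300   # orders per account per 3 h, as cited in the post
WINDOW = timedelta(hours=3)

def order_events(lines):
    """Yield (timestamp, domain) for every line recording a new-order attempt."""
    for line in lines:
        m = ORDER_RE.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"), m.group("domain")

def peak_orders_in_window(lines, window=WINDOW):
    """Busiest sliding window. Feed it the merged logs of all fleet nodes:
    the limit is per ACME account, so a single host's log understates usage."""
    recent, peak = deque(), 0
    for ts, _domain in sorted(order_events(lines)):
        recent.append(ts)
        while ts - recent[0] >= window:
            recent.popleft()
        peak = max(peak, len(recent))
    return peak

def attempts_per_domain(lines):
    """Attempts per domain; one failing domain retried every few seconds burns quota fast."""
    return Counter(domain for _ts, domain in order_events(lines))

def rate_limit_reasons(lines):
    """Count 429s by the limit named in the error text."""
    return Counter(m.group(1) for line in lines for m in [LIMIT_RE.search(line)] if m)

# Constructed sample in the posted format (example.dev/.com placeholders).
SAMPLE = """\
2020/08/03 18:34:44 [ERROR] Renewing [a.example.dev]: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/, url: ; trying again in 10s
2020/08/03 18:34:55 [ERROR] Renewing [a.example.dev]: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/, url: ; trying again in 10s
2020/08/03 19:21:29 [INFO] Obtaining new certificate for b.example.com
2020/08/03 19:21:32 http: TLS handshake error from 127.0.0.1:33508: [b.example.com] failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many new orders recently: see https://letsencrypt.org/docs/rate-limits/, url:
2020/08/03 19:21:33 [INFO] Obtaining new certificate for b.example.com
2020/08/03 22:00:00 [INFO] Obtaining new certificate for c.example.com
""".splitlines()
```

Compare `peak_orders_in_window` against `LE_NEW_ORDERS_LIMIT` after concatenating every node's access.log; a per-domain count far above one in `attempts_per_domain` shows where the retries are going.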