Unable to get certificate: ACME rate limited error

I just acquired an FQDN and tried to get a TLS certificate by just restarting Caddy, as I usually do with my other Caddy servers, but I ran into an issue on this one.

Version
Caddy 2.5.1

Caddyfile

my-domain-name.com {
	root * /var/www/
	# Enable the static file server.
	file_server
	php_fastcgi unix//var/run/php/php7.4-fpm.sock
	log {
		output file /var/log/caddy/my.log
	}
}

Error log when I try to restart Caddy with systemctl

mai 26 07:35:24 colline caddy[160950]: {"level":"info","ts":1653543324.572451,"msg":"autosaved config (load with --resume flag)","file":"/var/lib/caddy/.config/caddy/autosave.json"}
mai 26 07:35:24 colline caddy[160950]: {"level":"info","ts":1653543324.5735912,"msg":"serving initial configuration"}
mai 26 07:35:24 colline systemd[1]: Started Caddy.
mai 26 07:35:24 colline caddy[160950]: {"level":"info","ts":1653543324.574774,"logger":"tls.obtain","msg":"acquiring lock","identifier":"my-domain-name.com"}
mai 26 07:35:24 colline caddy[160950]: {"level":"info","ts":1653543324.5843384,"logger":"tls.obtain","msg":"lock acquired","identifier":"my-domain-name.com"}
mai 26 07:35:24 colline caddy[160950]: {"level":"info","ts":1653543324.5892339,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["my-domain-name.com"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
mai 26 07:35:24 colline caddy[160950]: {"level":"info","ts":1653543324.589345,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["my-domain-name.com"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
mai 26 07:35:25 colline caddy[160950]: {"level":"error","ts":1653543325.5529118,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"my-domain-name.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 429 urn:ietf:params:acme:error:rateLimited - Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/"}
mai 26 07:35:25 colline caddy[160950]: {"level":"warn","ts":1653543325.5552533,"logger":"tls.issuance.zerossl","msg":"missing email address for ZeroSSL; it is strongly recommended to set one for next time"}
mai 26 07:35:26 colline caddy[160950]: {"level":"info","ts":1653543326.1604457,"logger":"tls.issuance.zerossl","msg":"generated EAB credentials","key_id":"xTioeGo0HdoevXtYH6Mlyg"}
1 Like

Solved: my nft firewall rules were blocking requests from Let’s Encrypt in some way. Just to avoid this for the renewals, is Caddy managing these from the LAN side, I mean by triggering an “established, related” type of connection state, or do I have to open my FW for the Let’s Encrypt IPs?

1 Like

Let’s Encrypt and ZeroSSL need to be able to reach your server to complete ACME issuance.

I recommend you read up on how ACME works, and the challenge types. The Caddy docs have a basic explanation:

1 Like
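One way to express the fix, as an added example rather than the poster's own ruleset: a minimal nftables host firewall for a Caddy server (the inet table name, the `lo` interface and SSH on port 22 are assumptions). It shows why the "established, related" idea from the thread cannot work: the HTTP-01 and TLS-ALPN-01 validation requests are new inbound connections opened by the CA, and since Let's Encrypt publishes no fixed validation source addresses, ports 80 and 443 have to accept new connections from any source.

```nftables
#!/usr/sbin/nft -f
# Added illustration only; not the original poster's ruleset. Hypothetical
# inet table for a single Caddy host: "lo" and SSH on 22 are assumptions.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state invalid drop
        ct state established,related accept   # replies to flows this host opened

        tcp dport 22 accept                    # management access (assumed)

        # Without the next rule the thread's failure mode appears: the CA's
        # HTTP-01 (port 80) or TLS-ALPN-01 (port 443) validation request is a
        # NEW inbound connection, never matches established,related, and is
        # dropped by the chain policy. Every failed attempt counts against
        # Let's Encrypt's failed-validation limit (5 per hostname per hour),
        # which is what the "HTTP 429 rateLimited" in the log reflects.
        #
        # Let's Encrypt does not publish validation source addresses, so the
        # sound rule is to accept new connections to 80/443 from anywhere;
        # Caddy itself redirects plain HTTP to HTTPS.
        tcp dport { 80, 443 } ct state new accept

        # Log what is still dropped; a burst of dropped SYNs to 80/443 right
        # after a Caddy restart is the quickest way to spot this problem.
        limit rate 5/minute log prefix "nft-input-drop: "
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        # Caddy's own outbound ACME calls (HTTPS to the CA directory) and its
        # DNS lookups leave here; their replies return via established,related.
        type filter hook output priority filter; policy accept;
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset` that the `80, 443` accept rule sits before the chain's drop policy takes effect.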
