LetsEncrypt failures

I managed to create an SSL cert for my domain kilgin.node.mooball.net about 4 months ago simply by clicking all the LetsEncrypt buttons, but I am now unable to renew it.

Firstly, each time I try to renew it I get a "Too many invalid authorizations recently" error - what makes this odd is the fact that I waited 2 days before trying, and when I press it I get this error; I then waited 7 days and still get it. So I can't figure out why I am getting this error. I've actually been trying now for 6 weeks and still never managed to get the renewal to work. Is there any way to interrogate this and figure out why it thinks I have too many tries and when I can try again?

The second issue - why are they considered "invalid"? Surely all should be fine since I am using exactly the same info that generated the cert in the first place - again, how am I supposed to debug this? I get these confusing errors but no explanation of why or what I can do to solve the problem. I've been going weeks now without a cert and getting pretty desperate to sort it out.

    Parsing account key...
    Parsing CSR...
    Registering account...
    Already registered!
    Verifying kilgin.node.mooball.net...
    Traceback (most recent call last):
      File "/usr/libexec/webmin/webmin/acme_tiny.py", line 235, in <module>
        main(sys.argv[1:])
      File "/usr/libexec/webmin/webmin/acme_tiny.py", line 231, in main
        signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, args.dns_hook, args.cleanup_hook, log=LOGGER, CA=args.ca)
      File "/usr/libexec/webmin/webmin/acme_tiny.py", line 122, in get_crt
        raise ValueError("Error requesting challenges: {0} {1}".format(code, result))
    ValueError: Error requesting challenges: 429 {
      "type": "urn:acme:error:rateLimited",
      "detail": "Error creating new authz :: Too many invalid authorizations recently.",
      "status": 429
    }

Status: 
Closed (fixed)

Comments

Howdy -- the errors you're seeing there should clear out after a day of no requests.

If you've waited more than a day, there may be an automatic renewal that's failing for some reason. You may want to see if any of your domains using Let's Encrypt certificates are up for renewal -- and if so, try changing those to be a manual renewal rather than automatic.

If you had any additional questions, it looks like you're using Virtualmin GPL there... you'd actually want to use the Forums for support. We monitor the Forums, along with lots of wonderful folks in the community. Thanks!

Thanks for the reply - how do I change them from automatic to manual? I was unaware that there was any kind of automatic renewal.

OK I think I've figured this out - so the auto renewal is failing and because I never see it I get no explanation of why. And I've figured out (I think) how to switch it to manual.

So a few thoughts:

1. If an automatic renewal is failing it would be good for the UI to record the error and possibly even switch it to manual after a number of failures - I get no indication that it's failing and no indication of why with the current UI.
2. I actually had no idea what the 'only update renewal' button does - I thought it would 'renew the certificate' but it has just dawned on me what it means - I would suggest a rewording of this or a change to the UI by moving that button up next to the renewal option.

Finally I was not entirely sure what the difference between the support and forums area was - sorry about that.

Regards Tom

Did you get an email to the domain's contact address, which is set on the Edit Virtual Server page?

If you have a redirect to https it will not renew, since it needs http to renew. You need to make an exception from https for the dir where the verification file is stored.

Follow up info:

1. I never check the mailbox on the domains so I had no idea it was emailing that address - sorry again, my mistake. I can now see the emails.
2. It turns out the issue was related to IPv6 routing issues. LetsEncrypt was using IPv6 and that host was only set up to listen on IPv4. Once I updated Apache to listen on the IPv6 address it started working.

My only remaining recommendation would be some warning in the UI that there was a failure happening - I literally had no idea it was auto trying to renew or that errors were happening. All sorted now, and thanks for the help.
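
An added example, not part of the original thread and not Webmin or Virtualmin code: a pre-renewal check for the failure described in the follow-up above, where a hostname publishes an IPv6 address while the web server answers only on IPv4. The function names, the sample records (documentation address ranges) and the stub probe used in the offline demo are assumptions made for illustration.

```python
import socket
import sys

# Constructed sample: a name that publishes both record types (documentation ranges).
SAMPLE_RECORDS = [("A", "192.0.2.10"), ("AAAA", "2001:db8::10")]

def resolve(host, port=80):
    """Return sorted (record_type, address) pairs that DNS publishes for host."""
    names = {socket.AF_INET: "A", socket.AF_INET6: "AAAA"}
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({(names[fam], sa[0]) for fam, _, _, _, sa in infos if fam in names})

def tcp_probe(address, port=80, timeout=5.0):
    """True if something accepts a TCP connection on address:port."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False

def diagnose(records, probe=tcp_probe):
    """Probe each published address; return (results, warnings)."""
    results = [(rtype, addr, probe(addr)) for rtype, addr in records]
    warnings = [f"{rtype} {addr}: published in DNS but port 80 does not answer"
                for rtype, addr, ok in results if not ok]
    v4_ok = any(ok for rtype, _, ok in results if rtype == "A")
    v6_down = any(not ok for rtype, _, ok in results if rtype == "AAAA")
    if v4_ok and v6_down:
        # The situation from the thread: the site looks fine over IPv4,
        # yet an HTTP validation request arriving over IPv6 cannot connect.
        warnings.append("IPv4 answers but IPv6 does not: listen on the IPv6 "
                        "address or remove the AAAA record before renewing")
    return results, warnings

if __name__ == "__main__":
    if len(sys.argv) > 1:                     # live check of a real hostname
        results, warnings = diagnose(resolve(sys.argv[1]))
    else:                                     # offline demo: stub probe, IPv4-only listener
        results, warnings = diagnose(SAMPLE_RECORDS, probe=lambda a: ":" not in a)
    for rtype, addr, ok in results:
        print(f"{rtype:4} {addr:40} {'ok' if ok else 'NO ANSWER'}")
    for w in warnings:
        print("WARNING:", w)
    sys.exit(1 if warnings else 0)
```

Run the live check from a machine outside the server's network that has working IPv6; on a host without IPv6 connectivity the AAAA probe fails locally and says nothing about the server.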

Showing the last auto-renewal failure in the UI is a good idea - I will add this in a future release.

This has been implemented, for inclusion in the next release.

Status: Active » Fixed
Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.