letsencrypt - too many registrations for this IP

[DjSni]

Describe the bug
I have the strange problem that my IP was apparently blocked at letsencrypt because I sent too many requests. I am currently using 9 certificates.

Expected behavior
that the certificates are updated automatically.

Log

2023/12/14 16:56:23 [INFO] [Nginx UI] Generating private key for registering account
2023/12/14 16:56:23 [INFO] [Nginx UI] Preparing lego configurations
2023/12/14 16:56:23 [INFO] [Nginx UI] Creating client facilitates communication with the CA server
2023/12/14 16:56:23 [INFO] [Nginx UI] Setting HTTP01 challenge provider
2023/12/14 16:56:23 [INFO] [Nginx UI] Registering user
2023/12/14 16:56:23 [INFO] acme: Registering account for email@example.com
2023/12/14 16:56:24 [Error] register error: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-acct :: urn:ietf:params:acme:error:rateLimited :: Error creating new account :: too many registrations for this IP: see https://letsencrypt.org/docs/too-many-registrations-for-this-ip/

Info (please complete the following information):

• Docker Container
• Server Arch: amd64
• Nginx UI Version: 2.0.0-beta.6

It would be practical if the update interval could be set in the GUI.

[0xJacky]

This is the letsencrypt api rate limit issue. Just wait, it will return normal after 24 hours.

By the way, if you have more than 5 certificates, I recommend you to issue a wilcard certificate.

[0xJacky]

Currently, the checking interval is about 5 minutes, and it will only perform the renewal action if it has been a month since the last issuance. As the validity period of the certificate is 3 months, I think time is enough for nginx-ui to renew the certificate.

[DjSni]

This is the letsencrypt api rate limit issue. Just wait, it will return normal after 24 hours.

By the way, if you have more than 5 certificates, I recommend you to issue a wilcard certificate.

I can't do that, I currently have 10 different TDLs in use, so a wildcard certificate won't help me.

Currently, the checking interval is about 5 minutes, and it will only perform the renewal action if it has been a month since the last issuance. As the validity period of the certificate is 3 months, I think time is enough for nginx-ui to renew the certificate.

Apparently this does not work, because I still get the error message, my certificates are all still valid until March (distributed from 2 - 15).

[0xJacky]

I can add a setting for the renewal interval, but I don’t think it can solve the problem. I have 6 certificates on my server, and also have the same issue as you. I checked the logs for each certificate, and I finally found that one of the sites had not configured the proxy to the HTTP challenge port, resulting in too many failures on this site which caused rate limiting issues on others.

So, I think you can check if the problem is caused by the failure of renewal of one of the certificates.

I also need to apologize because, in the previous version, due to my oversight, the auto-cert goroutine would block during certificate renewal. Therefore, in the current updated version, there might be an accumulation of previously unrenewed certificates in the first few days. However, as long as the root problem is resolved, these certificates will automatically renew within two or three days.

[DjSni]

I can add a setting for the renewal interval, but I don’t think it can solve the problem. I have 6 certificates on my server, and also have the same issue as you. I checked the logs for each certificate, and I finally found that one of the sites had not configured the proxy to the HTTP challenge port, resulting in too many failures on this site which caused rate limiting issues on others.

So, I think you can check if the problem is caused by the failure of renewal of one of the certificates.

I added a "location /.well-known/acme-challenge" to each server block when I set it up.
I have configured it like this:

map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 307 https://$server_name$request_uri;
    location /.well-known/acme-challenge {
        proxy_set_header Host $host;
        proxy_set_header X-Real_IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr:$remote_port;
        proxy_pass http://127.0.0.1:9180;
    }
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name example.com www.example.com;
    ssl_certificate /etc/nginx/ssl/example.com_www.example.com/fullchain.cer;
    ssl_certificate_key /etc/nginx/ssl/example.com_www.example.com/private.key;
    # set upsteam
    set $VARWWW wordpress_example-com_1:80;
    # set fallback
    include /etc/nginx/snippets/fallback.conf;
    # lcoation block
    # include /etc/nginx/snippets/authelia-location.conf;
    location / {
        include /etc/nginx/snippets/authelia-proxy-standard.conf;
        #include /etc/nginx/snippets/authelia-authrequest.conf;
        client_max_body_size 20M;
        proxy_pass http://$VARWWW;
    }
    location /.well-known/acme-challenge {
        proxy_set_header Host $host;
        proxy_set_header X-Real_IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr:$remote_port;
        proxy_pass http://127.0.0.1:9180;
    }
}

I also need to apologize because, in the previous version, due to my oversight, the auto-cert goroutine would block during certificate renewal. Therefore, in the current updated version, there might be an accumulation of previously unrenewed certificates in the first few days. However, as long as the root problem is resolved, these certificates will automatically renew within two or three days.

I have only updated to version: 2.0.0-beta.8 (101)
In my opinion, you should look at the expiration date of the certificate and if it is valid for more than 1 month, do not connect to Letsencypt at all.

Here is a small example:
Not valid until: 2023-12-05 15:39:28
Expired on: 2024-03-04 15:39:27

Logs from the certificate:

2023/12/16 07:51:50 [INFO] [Nginx UI] Generating the private key for account registration
2023/12/16 07:51:50 [INFO] [Nginx UI] Preparing the Lego configurations
2023/12/16 07:51:50 [INFO] [Nginx UI] Creating the client facilitates communication with the CA server
2023/12/16 07:51:51 [INFO] [Nginx UI] Set HTTP01 challenge provider
2023/12/16 07:51:51 [INFO] [Nginx UI] Register user
2023/12/16 07:51:51 [INFO] acme: Account registration for email@example.com
2023/12/16 07:51:51 [Error] Registration error: acme: Error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-acct :: urn:ietf:params:acme:error:rateLimited :: Error creating new account :: too many registrations for this IP: see https://letsencrypt.org/docs/too-many-registrations-for-this-ip/

EDIT:
I have checked all sites again and there is a well-known location in each one.

[0xJacky]

In my opinion, you should look at the expiration date of the certificate and if it is valid for more than 1 month, do not connect to Letsencypt at all.

Yes, this is the current method. 😂