Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

letsencrypt - too many registrations for this IP #237

Closed
DjSni opened this issue Dec 14, 2023 · 10 comments
Closed

letsencrypt - too many registrations for this IP #237

DjSni opened this issue Dec 14, 2023 · 10 comments
Labels
enhancement New feature or request

Comments

@DjSni
Copy link

DjSni commented Dec 14, 2023

Describe the bug
I have the strange problem that my IP was apparently blocked at letsencrypt because I sent too many requests. I am currently using 9 certificates.

Expected behavior
that the certificates are updated automatically.

Log

2023/12/14 16:56:23 [INFO] [Nginx UI] Generating private key for registering account
2023/12/14 16:56:23 [INFO] [Nginx UI] Preparing lego configurations
2023/12/14 16:56:23 [INFO] [Nginx UI] Creating client facilitates communication with the CA server
2023/12/14 16:56:23 [INFO] [Nginx UI] Setting HTTP01 challenge provider
2023/12/14 16:56:23 [INFO] [Nginx UI] Registering user
2023/12/14 16:56:23 [INFO] acme: Registering account for email@example.com
2023/12/14 16:56:24 [Error] register error: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-acct :: urn:ietf:params:acme:error:rateLimited :: Error creating new account :: too many registrations for this IP: see https://letsencrypt.org/docs/too-many-registrations-for-this-ip/

Info (please complete the following information):

  • Docker Container
  • Server Arch: amd64
  • Nginx UI Version: 2.0.0-beta.6

It would be practical if the update interval could be set in the GUI.

@DjSni DjSni added the bug Something isn't working label Dec 14, 2023
@0xJacky
Copy link
Owner

0xJacky commented Dec 14, 2023

This is the letsencrypt api rate limit issue. Just wait, it will return normal after 24 hours.

By the way, if you have more than 5 certificates, I recommend you to issue a wilcard certificate.

@0xJacky 0xJacky added wontfix This will not be worked on enhancement New feature or request and removed bug Something isn't working wontfix This will not be worked on labels Dec 14, 2023
@0xJacky
Copy link
Owner

0xJacky commented Dec 14, 2023

Currently, the checking interval is about 5 minutes, and it will only perform the renewal action if it has been a month since the last issuance. As the validity period of the certificate is 3 months, I think time is enough for nginx-ui to renew the certificate.

@0xJacky 0xJacky closed this as not planned Won't fix, can't repro, duplicate, stale Dec 15, 2023
@DjSni
Copy link
Author

DjSni commented Dec 15, 2023

This is the letsencrypt api rate limit issue. Just wait, it will return normal after 24 hours.

By the way, if you have more than 5 certificates, I recommend you to issue a wilcard certificate.

I can't do that, I currently have 10 different TDLs in use, so a wildcard certificate won't help me.

Currently, the checking interval is about 5 minutes, and it will only perform the renewal action if it has been a month since the last issuance. As the validity period of the certificate is 3 months, I think time is enough for nginx-ui to renew the certificate.

Apparently this does not work, because I still get the error message, my certificates are all still valid until March (distributed from 2 - 15).

@0xJacky
Copy link
Owner

0xJacky commented Dec 16, 2023

I can add a setting for the renewal interval, but I don’t think it can solve the problem. I have 6 certificates on my server, and also have the same issue as you. I checked the logs for each certificate, and I finally found that one of the sites had not configured the proxy to the HTTP challenge port, resulting in too many failures on this site which caused rate limiting issues on others.

So, I think you can check if the problem is caused by the failure of renewal of one of the certificates.

I also need to apologize because, in the previous version, due to my oversight, the auto-cert goroutine would block during certificate renewal. Therefore, in the current updated version, there might be an accumulation of previously unrenewed certificates in the first few days. However, as long as the root problem is resolved, these certificates will automatically renew within two or three days.

@0xJacky 0xJacky reopened this Dec 16, 2023
@DjSni
Copy link
Author

DjSni commented Dec 16, 2023

I can add a setting for the renewal interval, but I don’t think it can solve the problem. I have 6 certificates on my server, and also have the same issue as you. I checked the logs for each certificate, and I finally found that one of the sites had not configured the proxy to the HTTP challenge port, resulting in too many failures on this site which caused rate limiting issues on others.

So, I think you can check if the problem is caused by the failure of renewal of one of the certificates.

I added a "location /.well-known/acme-challenge" to each server block when I set it up.
I have configured it like this:

map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 307 https://$server_name$request_uri;
    location /.well-known/acme-challenge {
        proxy_set_header Host $host;
        proxy_set_header X-Real_IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr:$remote_port;
        proxy_pass http://127.0.0.1:9180;
    }
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name example.com www.example.com;
    ssl_certificate /etc/nginx/ssl/example.com_www.example.com/fullchain.cer;
    ssl_certificate_key /etc/nginx/ssl/example.com_www.example.com/private.key;
    # set upsteam
    set $VARWWW wordpress_example-com_1:80;
    # set fallback
    include /etc/nginx/snippets/fallback.conf;
    # lcoation block
    # include /etc/nginx/snippets/authelia-location.conf;
    location / {
        include /etc/nginx/snippets/authelia-proxy-standard.conf;
        #include /etc/nginx/snippets/authelia-authrequest.conf;
        client_max_body_size 20M;
        proxy_pass http://$VARWWW;
    }
    location /.well-known/acme-challenge {
        proxy_set_header Host $host;
        proxy_set_header X-Real_IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr:$remote_port;
        proxy_pass http://127.0.0.1:9180;
    }
}

I also need to apologize because, in the previous version, due to my oversight, the auto-cert goroutine would block during certificate renewal. Therefore, in the current updated version, there might be an accumulation of previously unrenewed certificates in the first few days. However, as long as the root problem is resolved, these certificates will automatically renew within two or three days.

I have only updated to version: 2.0.0-beta.8 (101)
In my opinion, you should look at the expiration date of the certificate and if it is valid for more than 1 month, do not connect to Letsencypt at all.

Here is a small example:
Not valid until: 2023-12-05 15:39:28
Expired on: 2024-03-04 15:39:27

Logs from the certificate:

2023/12/16 07:51:50 [INFO] [Nginx UI] Generating the private key for account registration
2023/12/16 07:51:50 [INFO] [Nginx UI] Preparing the Lego configurations
2023/12/16 07:51:50 [INFO] [Nginx UI] Creating the client facilitates communication with the CA server
2023/12/16 07:51:51 [INFO] [Nginx UI] Set HTTP01 challenge provider
2023/12/16 07:51:51 [INFO] [Nginx UI] Register user
2023/12/16 07:51:51 [INFO] acme: Account registration for email@example.com
2023/12/16 07:51:51 [Error] Registration error: acme: Error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-acct :: urn:ietf:params:acme:error:rateLimited :: Error creating new account :: too many registrations for this IP: see https://letsencrypt.org/docs/too-many-registrations-for-this-ip/

EDIT:
I have checked all sites again and there is a well-known location in each one.

@0xJacky
Copy link
Owner

0xJacky commented Dec 16, 2023

In my opinion, you should look at the expiration date of the certificate and if it is valid for more than 1 month, do not connect to Letsencypt at all.

Yes, this is the current method. 😂

@DjSni
Copy link
Author

DjSni commented Dec 16, 2023

😂
But then why do I get the error message from letsencrypt. As I understand it, it is still trying to establish a connection.

@DjSni
Copy link
Author

DjSni commented Dec 16, 2023

wtf, whatever happened, it worked again about an hour ago. Surely this can't be due to the update to the latest version?

@0xJacky
Copy link
Owner

0xJacky commented Dec 16, 2023

Yes, it has been 3 weeks since I last change that part of codes.

@DjSni
Copy link
Author

DjSni commented Dec 19, 2023

It seems to work without problems now, thanks

# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
enhancement New feature or request
Projects
Status: Done
Development

No branches or pull requests

2 participants