Applicable to:
- Plesk for Linux
- Plesk for Windows
Symptoms
Unable to install or renew Let's Encrypt SSL certificate:
Error: Could not issue a Let's Encrypt SSL/TLS certificate for example.com.
One of the Let's Encrypt rate limits has been exceeded for example.com.
See the related Knowledge Base article for details.
Details
Invalid response from https://acme-v02.api.letsencrypt.org/acme/new-order.
Details:
Type: urn:ietf:params:acme:error:rateLimited
Status: 429
Detail: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/
Cause
A Let's Encrypt rate limit for issuing certificates has been reached. In this case it is the Failed Validation limit of 5 failures per account, per hostname, per hour.
Resolution
The only solution is to wait until the limit is reset on the Let's Encrypt side.
Information about Let's Encrypt limits can be found here: Let's Encrypt | Rate Limits (https://letsencrypt.org/docs/rate-limits/)
The most common rate limit is 50 certificates per domain per 7 days. This limit is set by Let's Encrypt directly and cannot be managed through Plesk. To overcome the issue, wait for the 7-day period to pass and then reissue the certificate.
There are two other limits:
- A user can create a maximum of 10 accounts per IP address per 3 hours.
- A user can create a maximum of 500 accounts per IP range within an IPv6 /48 per 3 hours.
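The following is an added example, not part of Plesk or of the original article: it checks whether an ACME error is the rateLimited type shown in the Symptoms section and estimates when a retry fits under one of the limits listed above. All function and variable names are hypothetical, the sample data is constructed, and treating each limit as a sliding window is an assumption about how the limit is enforced.

```python
import json
from datetime import datetime, timedelta, timezone

# Limits exactly as stated in this article: (maximum events, window).
LIMITS = {
    "failed_validation": (5, timedelta(hours=1)),   # per account, per hostname
    "certificates_per_domain": (50, timedelta(days=7)),
    "accounts_per_ip": (10, timedelta(hours=3)),
    "accounts_per_ipv6_48": (500, timedelta(hours=3)),
}
RATE_LIMITED = "urn:ietf:params:acme:error:rateLimited"


def is_rate_limited(problem_json):
    """True if an ACME problem document reports a rate limit (HTTP 429)."""
    doc = json.loads(problem_json)
    return doc.get("type") == RATE_LIMITED and doc.get("status") == 429


def earliest_retry(events, limit_name, now):
    """Return `now` if one more request fits under the limit, otherwise the
    time at which enough earlier events have aged out of the window.
    Assumption: the limit behaves as a sliding window."""
    max_events, window = LIMITS[limit_name]
    recent = sorted(t for t in events if now - t < window)
    if len(recent) < max_events:
        return now
    # One more request fits once only max_events - 1 events remain in the window.
    return recent[len(recent) - max_events] + window


# Constructed sample: the error from the Symptoms section as a JSON problem document.
SAMPLE_PROBLEM = json.dumps({
    "type": RATE_LIMITED,
    "status": 429,
    "detail": "Error creating new order :: too many failed authorizations "
              "recently: see https://letsencrypt.org/docs/rate-limits/",
})
# Constructed sample: five failed validations for one hostname, five minutes apart.
START = datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc)
SAMPLE_FAILURES = [START + timedelta(minutes=5 * i) for i in range(5)]

if __name__ == "__main__":
    now = START + timedelta(minutes=30)
    if is_rate_limited(SAMPLE_PROBLEM):
        print("retry no earlier than", earliest_retry(SAMPLE_FAILURES, "failed_validation", now))
```

Fix the cause of the failed validation before the computed time arrives, because each further failed attempt counts against the same limit.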
Comments
3 comments
Could not issue an SSL/TLS certificate for localhost.localdomain
Details
Failed to connect to the Let's Encrypt server https://acme-v02.api.letsencrypt.org.
Please try again later or report the issue to support.
Details
This error seems to occur when Plesk automatically tries to renew a certificate and it's failing, and it keeps trying. The best way to prevent this would be to allow Plesk to automatically renew wildcard certificates by automatically updating the DNS, but while that's not possible, is there any way we can control (e.g. disable) automatic renewal attempts of certificates? More control over failing certificates without having to manually hack the psa database would be great in any case!
https://letsencrypt.org/docs/duplicate-certificate-limit/ describes this workaround after running into Status: 429 - Type: urn:ietf:params:acme:error:rateLimited
.. you can always request a certificate for a different “exact set” of hostnames. For example, if you’ve exceeded the Duplicate Certificate limit for [example.com] then requesting a certificate for [example.com, login.example.com] will succeed. Similarly, if you’ve exceeded the Duplicate Certificate limit for [example.com, login.example.com] then requesting a separate certificate for [example.com] and another for [login.example.com] will succeed.
So an additional SAN (subjectAltName) should do the job. Voting here should bring us closer to a solution:
https://plesk.uservoice.com/forums/184549-feature-suggestions/suggestions/40688470