Caddy: Too many registrations from this IP

Created on 20 May 2016 · 7 Comments · Source: caddyserver/caddy

I use caddy to run 2 sites and an API service from a small AWS EC2 instance. Just upgraded caddy from v0.8.1 to v0.8.3.

Caddyfile hasn't changed:

indieforger.com {
  proxy / http://localhost:8002
  tls   [email protected]
}

www.indieforger.com {
  redir https://indieforger.com
}

fullstackforger.com {
  proxy / http://localhost:8003
  tls   [email protected]
}

www.fullstackforger.com {
  redir https://fullstackforger.com
}

api.indieforger.com {
  proxy / http://localhost:8001
  tls   [email protected]
}

Was trying to restart caddy but it fails. Tailing logs outputs:

2016/05/20 18:56:14 error creating client: registration error: acme: Error 429 - urn:acme:error:rateLimited - Error creating new registration :: Too many registrations from this IP

From what I have read in and on Let's Encrypt forum limits should be lifted in 24 hours. That means both sites and a service are all down for 24 hours. This is pretty damn bad... There is no commercial traffic there yet but I imagine it could get serious for production servers if not addressed.

As suggested in one of the comments I tried to temporarily disable IPv6. It didn't help.

One thing I don't understand is why Caddy tried to refresh certs upon service restart (I am using upstart) if I already had them issued. Is that a serious bug or am I missing something here?

All 7 comments

I wonder if somehow caddy got in a restart loop, and was unable to save the
registrations or something. That limit is pretty hard to hit unless it is
constantly restarting and failing. If the service starts up and finds valid
certs, it should not talk to Let's Encrypt at all. What is $HOME in the
context of your upstart service? There should be a .caddy folder in there.
Does it have stuff in it?

I am using upstart config file that used to work ok before I updated caddy, /etc/init/caddy.conf looks like this:

description "Caddy Server startup script"

start on runlevel [2345]
stop on runlevel [016]

setuid caddy
setgid caddy

respawn
respawn limit 10 5

limit nofile 4096 4096

script
    cd /home/caddy/
    bin/caddy -conf="/home/caddy/Caddyfile" -agree
end script

As for $HOME I really have no idea. I thought I can not set $HOME in my upstart file.
I believe that since I am cd-ing into /home/caddy/ and running script from that level caddy looks for .caddy folder there, right? It is there and it has been created by caddy so it all should be fine.
Or am I doing something stupid here?

Nice hint though about restarts. Tailed log constantly expands which I believe would confirm your theory of restarts. I must be missing something here.

Thanks for the comment @captncraig. I couldn't resolve this but since I am using AWS, did a snapshot of my instance and used it to re-create the server. That gave me new IP address. Launched the server along with caddy and everything seems to be in order now. Sites are working fine.

I am happy to close the ticket, unless you guys want to investigate it a bit more. However I am not sure how to replicate the issue.

Caddy does nothing in the _workdir_, the one you cd into. Certificates go to the _homedir_ of the user Caddy runs as. That's passed as environment variable HOME even if you did not set one.

I'm guessing a system/environment misconfiguration. Let us know if it happens again, hopefully with some -log output. Thanks!

Thank you @mholt. Will do!

Thanks for the info @wmark. I have shown the config above. Based on what you're saying I assume I can remove cd lines. Will give it a go. Looks like I need to do a bit more learning on upstart configs too.

I don't know how to check HOME during the upstart but since it works ok now, perhaps setting uid and guid to caddy does it automatically.

setuid caddy
setgid caddy

I do have a caddy user for which HOME=/home/caddy and it is where .caddy folder is located.

Thanks for all the help guys and good bloody job with caddy. Absolutely love it.
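
The comments above suspect a respawn loop in which Caddy could not find or save its state under HOME. As an added example (not part of the thread and not Caddy's own code), this shell preflight checks that the HOME handed to the service contains a usable .caddy directory before Caddy is started; the function name `caddy_home_check` and its return codes are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: Caddy stores its ACME
# account and certificates under "$HOME/.caddy", as the comments above say.
# caddy_home_check and its return codes are hypothetical names.

caddy_home_check() {
    home_dir="$1"
    state_dir="$home_dir/.caddy"

    if [ -z "$home_dir" ]; then
        echo "HOME is empty for $(id -un)" >&2
        return 2
    fi
    if [ ! -d "$home_dir" ]; then
        echo "HOME=$home_dir is not a directory" >&2
        return 3
    fi
    if [ ! -d "$state_dir" ]; then
        # Legitimate on a first start, but only if state can be saved afterwards.
        if [ ! -w "$home_dir" ]; then
            echo "$home_dir is not writable, state cannot be saved" >&2
            return 4
        fi
        echo "first-run"   # this start will create a new registration
        return 0
    fi
    if [ ! -r "$state_dir" ] || [ ! -w "$state_dir" ]; then
        echo "$state_dir is not readable and writable by $(id -un)" >&2
        return 5
    fi
    # Files left behind by another account (for example a manual run as root)
    # can make saved state unreadable to the service user.
    foreign=$(find "$state_dir" ! -user "$(id -u)" -print | head -n 1)
    if [ -n "$foreign" ]; then
        echo "$foreign is not owned by $(id -un)" >&2
        return 6
    fi
    echo "ok"
    return 0
}

# Stand-alone use: ./check.sh "$HOME"  (non-zero exit means state is unusable)
if [ "$#" -gt 0 ]; then
    caddy_home_check "$1"
fi
```

Run it as the service user (here `caddy`), for example from the upstart job's `pre-start script` stanza, so the job does not start when the check fails.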
