Nixpkgs: acme: When enabling multiple new acme-using sites, `Failed to start Renew ACME Certificate` from account creation rate-limiting

Created on 30 Mar 2018 · 3 Comments · Source: NixOS/nixpkgs

This issue both documents the current problem and leaves a note for a future implementation.

Issue description

On NixOS 17.09 (the behaviour should be the same on 18.03 if nothing is done differently), enabling multiple new acme-using sites or domains at once will possibly result in multiple failures:

Mar 30 14:07:38 HOSTNAME systemd[1]: Failed to start Renew ACME Certificate for example.com.

Those failures, as seen with journalctl --unit acme-example.com.service, stem from the registration of a new account for each certificate:

Mar 30 14:08:10 HOSTNAME acme-example.com-start[25915]: 2018-03-30 18:08:10,566:DEBUG:acme.client:540: JWS payload:
Mar 30 14:08:10 HOSTNAME acme-example.com-start[25915]: {
Mar 30 14:08:10 HOSTNAME acme-example.com-start[25915]:   "resource": "new-reg"
Mar 30 14:08:10 HOSTNAME acme-example.com-start[25915]: }
...
Mar 30 14:08:10 HOSTNAME acme-example.com-start[25915]: Connection: close
Mar 30 14:08:10 HOSTNAME acme-example.com-start[25915]: {
Mar 30 14:08:10 HOSTNAME acme-example.com-start[25915]:   "type": "urn:acme:error:rateLimited",
Mar 30 14:08:10 HOSTNAME acme-example.com-start[25915]:   "detail": "Error creating new registration :: too many registrations for this IP: see https://letsencrypt.org/docs/rate-limits/",
Mar 30 14:08:10 HOSTNAME acme-example.com-start[25915]:   "status": 429
Mar 30 14:08:10 HOSTNAME acme-example.com-start[25915]: }

Registrations, as documented in the rate limits article, are limited to a maximum of 10 accounts per IP address per 3 hours.

Steps to reproduce

Enable ACME on multiple different domains at once; more than 10 should do the trick.

Solution

Existing solutions

Starting with 18.03, the risk of hitting this limit can be reduced with useACMEHost. This setting lets a virtual host re-use an existing ACME certificate, so a single certificate configured to cover multiple hosts can serve all of them with one account registration.

Needed solution

The integration guide for Let's Encrypt recommends using a single account.

However, for most larger hosting providers we recommend using a single account and guarding the corresponding account key well.

Adding an option to use one global account, plus a per-cert option to specify which account to use, is probably the right solution. The defaults for those options aren't decided yet, and it's not my call anyway.
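The useACMEHost workaround from above, written out as an added example (not configuration from the issue or from nixpkgs itself). It assumes the 18.03 option names (security.acme.certs.<name>.extraDomains, services.nginx.virtualHosts.<name>.useACMEHost), placeholder domain names and admin address, and that the nginx module serves the HTTP-01 challenge path for hosts that set useACMEHost.

```nix
{ lib, ... }:
let
  # Placeholder names: the host that owns the certificate and the
  # additional names that ride along as extra SANs on it.
  primary = "example.com";
  extras  = [ "www.example.com" "blog.example.com" "docs.example.com" ];
in
{
  # One certificate for the whole machine means one ACME account
  # registration, instead of one per virtual host.
  security.acme.certs.${primary} = {
    email = "admin@example.com";                 # placeholder contact
    extraDomains = lib.genAttrs extras (_: null); # null: same webroot
  };

  services.nginx = {
    enable = true;
    virtualHosts =
      {
        # The primary host requests the certificate; enableACME wires up
        # the challenge webroot, the nginx user/group and the reload hook.
        ${primary} = { enableACME = true; forceSSL = true; };
      }
      # Every other host only references that certificate: no extra
      # registration, no extra renewal timer, so the 10-per-3-hours
      # account limit is not approached when many hosts are enabled.
      // lib.genAttrs extras (_: { useACMEHost = primary; forceSSL = true; });
  };
}
```

Each name in extras must resolve to this machine, since the HTTP-01 challenge for every extra domain is still answered from the same webroot.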

All 3 comments

+1

Thank you for your contributions.

This has been automatically marked as stale because it has had no activity for 180 days.

If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity.

Here are suggestions that might help resolve this more quickly:

  1. Search for maintainers and people that previously touched the related code and @ mention them in a comment.
  2. Ask on the NixOS Discourse.
  3. Ask on the #nixos channel on irc.freenode.net.

still important to me
