Certs rate limiting #84

New Issue

Closed

opened 2025-12-29 09:22:44 +01:00 by adam · 18 comments

adam commented 2025-12-29 09:22:44 +01:00

Owner

Copy Link

Originally created by @zachkont on GitHub (May 31, 2025).

For the past few versions (including the latest GoDoxy version v0.13.7) the container keeps restarting as soon as it runs and the logs show this error:

05-31 10:23 FTL autocert setup error

        • acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: too many certificates (5) already issued for this exact set of domains in the last 168h0m0s, retry after 2025-06-01 17:24:08 UTC: see https://letsencrypt.org/docs/rate-limits/#new-certificates-per-exact-set-of-hostnames

Originally created by @zachkont on GitHub (May 31, 2025). For the past few versions (including the latest GoDoxy version `v0.13.7`) the container keeps restarting as soon as it runs and the logs show this error: ``` 05-31 10:23 FTL autocert setup error • acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: too many certificates (5) already issued for this exact set of domains in the last 168h0m0s, retry after 2025-06-01 17:24:08 UTC: see https://letsencrypt.org/docs/rate-limits/#new-certificates-per-exact-set-of-hostnames ```

adam closed this issue 2025-12-29 09:22:44 +01:00

adam commented 2025-12-29 09:22:45 +01:00

Author

Owner

Copy Link

@yusing commented on GitHub (May 31, 2025):

Could you send me the first non rate-limit error? There must be previous errors to turn into this.

@yusing commented on GitHub (May 31, 2025): Could you send me the first non rate-limit error? There must be previous errors to turn into this.

adam commented 2025-12-29 09:22:45 +01:00

Author

Owner

Copy Link

@zachkont commented on GitHub (May 31, 2025):

These are the entire logs on container start:

05-31 12:08 INF GoDoxy version v0.13.7

05-31 12:08 INF loaded route providers

                  • docker@local 8 routes

                

2025/05/31 12:08:33 [INFO] acme: Trying to resolve account by key

05-31 12:08 INF reused acme registration from private key

2025/05/31 12:08:34 [INFO] [*.lab.domain.me, lab.domain.me] acme: Obtaining bundled SAN certificate

05-31 12:08 FTL autocert setup error

                  • acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: too many certificates (5) already issued for this exact set of domains in the last 168h0m0s, retry after 2025-06-01 17:47:27 UTC: see https://letsencrypt.org/docs/rate-limits/#new-certificates-per-exact-set-of-hostnames

I just changed the domain name to domain.me

@zachkont commented on GitHub (May 31, 2025): These are the entire logs on container start: ``` 05-31 12:08 INF GoDoxy version v0.13.7 05-31 12:08 INF loaded route providers • docker@local 8 routes 2025/05/31 12:08:33 [INFO] acme: Trying to resolve account by key 05-31 12:08 INF reused acme registration from private key 2025/05/31 12:08:34 [INFO] [*.lab.domain.me, lab.domain.me] acme: Obtaining bundled SAN certificate 05-31 12:08 FTL autocert setup error • acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: too many certificates (5) already issued for this exact set of domains in the last 168h0m0s, retry after 2025-06-01 17:47:27 UTC: see https://letsencrypt.org/docs/rate-limits/#new-certificates-per-exact-set-of-hostnames ``` I just changed the domain name to `domain.me`

adam commented 2025-12-29 09:22:46 +01:00

Author

Owner

Copy Link

@yusing commented on GitHub (May 31, 2025):

You said the container kept restarting right? So there should be logs from previous restart unless you manually docker compose down.

Try again on 2025-06-01 17:24:08 UTC then.

@yusing commented on GitHub (May 31, 2025): You said the container kept restarting right? So there should be logs from previous restart unless you manually `docker compose down`. Try again on 2025-06-01 17:24:08 UTC then.

adam commented 2025-12-29 09:22:46 +01:00

Author

Owner

Copy Link

@zachkont commented on GitHub (Jun 1, 2025):

Unfortunately I'm running it via portainer with gitops updates and I only noticed after updating and the original container has since been deleted. I believe it only started happening after updating to v0.13.5 too but I can't be sure. Anything else I can try?

@zachkont commented on GitHub (Jun 1, 2025): Unfortunately I'm running it via portainer with gitops updates and I only noticed after updating and the original container has since been deleted. I believe it only started happening after updating to v0.13.5 too but I can't be sure. Anything else I can try?

adam commented 2025-12-29 09:22:46 +01:00

Author

Owner

Copy Link

@yusing commented on GitHub (Jun 2, 2025):

Update to the current latest version and try again?

@yusing commented on GitHub (Jun 2, 2025): Update to the current latest version and try again?

adam commented 2025-12-29 09:22:46 +01:00

Author

Owner

Copy Link

@zachkont commented on GitHub (Jun 2, 2025):

Still the same :/

06-02 09:23 INF GoDoxy version v0.13.8

06-02 09:23 INF loaded route providers

                  • docker@local 8 routes

                

2025/06/02 09:23:14 [INFO] acme: Trying to resolve account by key

06-02 09:23 INF reused acme registration from private key

2025/06/02 09:23:14 [INFO] [*.lab.domain.me, lab.domain.me] acme: Obtaining bundled SAN certificate

06-02 09:23 FTL autocert setup error

                  • acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: too many certificates (5) already issued for this exact set of domains in the last 168h0m0s, retry after 2025-06-03 03:03:47 UTC: see https://letsencrypt.org/docs/rate-limits/#new-certificates-per-exact-set-of-hostnames

@zachkont commented on GitHub (Jun 2, 2025): Still the same :/ ``` 06-02 09:23 INF GoDoxy version v0.13.8 06-02 09:23 INF loaded route providers • docker@local 8 routes 2025/06/02 09:23:14 [INFO] acme: Trying to resolve account by key 06-02 09:23 INF reused acme registration from private key 2025/06/02 09:23:14 [INFO] [*.lab.domain.me, lab.domain.me] acme: Obtaining bundled SAN certificate 06-02 09:23 FTL autocert setup error • acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: too many certificates (5) already issued for this exact set of domains in the last 168h0m0s, retry after 2025-06-03 03:03:47 UTC: see https://letsencrypt.org/docs/rate-limits/#new-certificates-per-exact-set-of-hostnames ```

adam commented 2025-12-29 09:22:47 +01:00

Author

Owner

Copy Link

@zachkont commented on GitHub (Jun 2, 2025):

If it helps, my server just had a filesystem corruption issue and I've had to manually run fsck on the affected volume, which is also where docker volumes reside. Could it be related to that and if so, how can I make it recover?

@zachkont commented on GitHub (Jun 2, 2025): If it helps, my server just had a filesystem corruption issue and I've had to manually run `fsck` on the affected volume, which is also where docker volumes reside. Could it be related to that and if so, how can I make it recover?

adam commented 2025-12-29 09:22:47 +01:00

Author

Owner

Copy Link

@yusing commented on GitHub (Jun 2, 2025):

too many certificates (5)

Do you have other reverse proxy / certbot registering certs for the same domain? I don't think it's related to filesystem corruption.

@yusing commented on GitHub (Jun 2, 2025): > too many certificates (5) Do you have other reverse proxy / certbot registering certs for the same domain? I don't think it's related to filesystem corruption.

adam commented 2025-12-29 09:22:47 +01:00

Author

Owner

Copy Link

@zachkont commented on GitHub (Jun 2, 2025):

No I don't, and godoxy has been working perfectly so far for me

@zachkont commented on GitHub (Jun 2, 2025): No I don't, and godoxy has been working perfectly so far for me

adam commented 2025-12-29 09:22:47 +01:00

Author

Owner

Copy Link

@zachkont commented on GitHub (Jun 2, 2025):

In order to help with debugging as much as possible, here is a domain where this happens: https://crt.sh/?q=kontoulis.cloud

@zachkont commented on GitHub (Jun 2, 2025): In order to help with debugging as much as possible, here is a domain where this happens: https://crt.sh/?q=kontoulis.cloud

adam commented 2025-12-29 09:22:47 +01:00

Author

Owner

Copy Link

@yusing commented on GitHub (Jun 2, 2025):

It's weird, I only see two certs obtained on 2nd June and 31th May but those errors showed 5.

Could you try running with bare docker compose (no portainer) so failed requests can be logged? Please also clean up certs directory.

@yusing commented on GitHub (Jun 2, 2025): It's weird, I only see two certs obtained on 2nd June and 31th May but those errors showed 5. Could you try running with bare docker compose (no portainer) so failed requests can be logged? Please also clean up `certs` directory.

adam commented 2025-12-29 09:22:47 +01:00

Author

Owner

Copy Link

@zachkont commented on GitHub (Jun 2, 2025):

So I have already tried cleaning up the certs directory, got an error saying acme.key is not readable, added only that back in, got the error I mentioned above.

Now I just tried moving priv.key and cert.crt back into certs/ and I get an additional line

06-02 18:22 INF GoDoxy version v0.13.8

06-02 18:22 INF loaded route providers

                  • docker@local 8 routes

                

06-02 18:22 INF next renewal in -8 days and 14 minutes

06-02 18:22 INF certs expired, renewing

2025/06/02 18:22:02 [INFO] acme: Trying to resolve account by key

06-02 18:22 INF reused acme registration from private key

2025/06/02 18:22:02 [INFO] [*.lab.kontoulis.cloud, lab.kontoulis.cloud] acme: Obtaining bundled SAN certificate

06-02 18:22 FTL autocert setup error

                  • acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: too many certificates (5) already issued for this exact set of domains in the last 168h0m0s, retry after 2025-06-03 03:04:03 UTC: see https://letsencrypt.org/docs/rate-limits/#new-certificates-per-exact-set-of-hostnames

I will try running without portainer and post findings

@zachkont commented on GitHub (Jun 2, 2025): So I have already tried cleaning up the certs directory, got an error saying `acme.key` is not readable, added only that back in, got the error I mentioned above. Now I just tried moving `priv.key` and `cert.crt` back into `certs/` and I get an additional line ``` 06-02 18:22 INF GoDoxy version v0.13.8 06-02 18:22 INF loaded route providers • docker@local 8 routes 06-02 18:22 INF next renewal in -8 days and 14 minutes 06-02 18:22 INF certs expired, renewing 2025/06/02 18:22:02 [INFO] acme: Trying to resolve account by key 06-02 18:22 INF reused acme registration from private key 2025/06/02 18:22:02 [INFO] [*.lab.kontoulis.cloud, lab.kontoulis.cloud] acme: Obtaining bundled SAN certificate 06-02 18:22 FTL autocert setup error • acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: too many certificates (5) already issued for this exact set of domains in the last 168h0m0s, retry after 2025-06-03 03:04:03 UTC: see https://letsencrypt.org/docs/rate-limits/#new-certificates-per-exact-set-of-hostnames ``` I will try running without portainer and post findings

adam commented 2025-12-29 09:22:47 +01:00

Author

Owner

Copy Link

@zachkont commented on GitHub (Jun 3, 2025):

However, the documentation states

Up to 5 certificates can be issued per exact same set of hostnames every 7 days.

so it's not a daily limit which explains the error right? Why does the app register so many new credentials for the same domain? Shouldn't it check if it already exists or something?

@zachkont commented on GitHub (Jun 3, 2025): However, the [documentation](https://letsencrypt.org/docs/rate-limits/#new-certificates-per-exact-set-of-hostnames) states >Up to 5 certificates can be issued per exact same set of hostnames every 7 days. so it's not a daily limit which explains the error right? Why does the app register so many new credentials for the same domain? Shouldn't it check if it already exists or something?

adam commented 2025-12-29 09:22:47 +01:00

Author

Owner

Copy Link

@yusing commented on GitHub (Jun 3, 2025):

Why does the app register so many new credentials for the same domain?

Because of the file system corruption?

Btw you do not move those domains those certs back in, in this case. Just clean the directory and obtain a new one after "unban".

@yusing commented on GitHub (Jun 3, 2025): > Why does the app register so many new credentials for the same domain? Because of the file system corruption? Btw you do not move those domains those certs back in, in this case. Just clean the directory and obtain a new one after "unban".

adam commented 2025-12-29 09:22:48 +01:00

Author

Owner

Copy Link

@zachkont commented on GitHub (Jun 3, 2025):

Because of the file system corruption?

hmm so maybe because it could not read the existing cert file it thought there was none and tried to make a new one? Which looks like it started on 2025-05-28, before that it seemed more reasonable.

However, it does look like the app does not handle this error gracefully so maybe that can be improved if you'd like. At least avoid the container going in a crash loop. In any case, I'll report back when the "ban" is lifted and close this, thanks for being so responsive and helpful

@zachkont commented on GitHub (Jun 3, 2025): >Because of the file system corruption? hmm so maybe because it could not read the existing cert file it thought there was none and tried to make a new one? Which looks like it started on 2025-05-28, before that it seemed more reasonable. However, it does look like the app does not handle this error gracefully so maybe that can be improved if you'd like. At least avoid the container going in a crash loop. In any case, I'll report back when the "ban" is lifted and close this, thanks for being so responsive and helpful

adam commented 2025-12-29 09:22:48 +01:00

Author

Owner

Copy Link

@zachkont commented on GitHub (Jun 10, 2025):

Hi again, I'm back with a different error:

06-10 15:45 INF GoDoxy version v0.14.2
06-10 15:45 INF failed to load ACME private key, generating a now one error="open certs/acme.key: no such file or directory"
06-10 15:45 WRN skipping conflicting route
• route with alias godoxy already exists
container godoxy
conflicting container godoxy-frontend

06-10 15:45 INF loaded route providers
• docker@local 9 routes

06-10 15:45 WRN errors in config
• config load error
• save ACME private key
• open certs/acme.key: permission denied

06-10 15:45 INF autocert not configured
06-10 15:45 INF http_routes: added home-assistant
06-10 15:45 INF http_routes: added godoxy
06-10 15:45 INF http_routes: added portainer
06-10 15:45 INF http_routes: added wallos
06-10 15:45 INF http_routes: added orb-sensor
06-10 15:45 INF http_routes: added everything-presence-mmwave-configurator
06-10 15:45 INF http_routes: added music-assistant
06-10 15:45 INF http_routes: added adguard
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x28 pc=0xaedae0]

I deleted the contents of the /certs dir as you mentioned but it tries to find them instead of recreating. the folder permissions are
drwxr-xr-x 2 root docker 4.0K Jun 3 11:31 certs

@zachkont commented on GitHub (Jun 10, 2025): Hi again, I'm back with a different error: > 06-10 15:45 INF GoDoxy version v0.14.2 > 06-10 15:45 INF failed to load ACME private key, generating a now one error="open certs/acme.key: no such file or directory" > 06-10 15:45 WRN skipping conflicting route > • route with alias godoxy already exists > container godoxy > conflicting container godoxy-frontend > > > 06-10 15:45 INF loaded route providers > • docker@local 9 routes > > 06-10 15:45 WRN errors in config > • config load error > • save ACME private key > • open certs/acme.key: permission denied > > 06-10 15:45 INF autocert not configured > 06-10 15:45 INF http_routes: added home-assistant > 06-10 15:45 INF http_routes: added godoxy > 06-10 15:45 INF http_routes: added portainer > 06-10 15:45 INF http_routes: added wallos > 06-10 15:45 INF http_routes: added orb-sensor > 06-10 15:45 INF http_routes: added everything-presence-mmwave-configurator > 06-10 15:45 INF http_routes: added music-assistant > 06-10 15:45 INF http_routes: added adguard > panic: runtime error: invalid memory address or nil pointer dereference > [signal SIGSEGV: segmentation violation code=0x1 addr=0x28 pc=0xaedae0] I deleted the contents of the `/certs` dir as you mentioned but it tries to find them instead of recreating. the folder permissions are `drwxr-xr-x 2 root docker 4.0K Jun 3 11:31 certs`

adam commented 2025-12-29 09:22:48 +01:00

Author

Owner

Copy Link

@yusing commented on GitHub (Jun 10, 2025):

route with alias godoxy already exists

rename godoxy container to something else like godoxy-proxy

open certs/acme.key: permission denied

check for UID and GID in your .env and chown to corresponding user and group ids

@yusing commented on GitHub (Jun 10, 2025): > route with alias godoxy already exists rename godoxy container to something else like `godoxy-proxy` > open certs/acme.key: permission denied check for `UID` and `GID` in your `.env` and `chown` to corresponding user and group ids

adam commented 2025-12-29 09:22:48 +01:00

Author

Owner

Copy Link

@zachkont commented on GitHub (Jun 11, 2025):

I had used the wrong UID, everything works again now. Thanks for your help!

@zachkont commented on GitHub (Jun 11, 2025): I had used the wrong `UID`, everything works again now. Thanks for your help!

adam referenced this issue 2025-12-29 09:23:42 +01:00

[PR #84] [MERGED] Feat/http3 #160

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

compat

feat/agent-stream

dev

main-backup

feat/custom-json-marshaling

feat/non-root-non-host-mode

v0.24.0

v0.23.1

v0.23.0

v0.22.1

v0.22.0

v0.21.3

v0.21.2

v0.21.1

v0.21.0

v0.20.14

v0.20.13

v0.20.12

v0.20.11

v0.20.10

v0.20.9

v0.20.8

v0.20.7

v0.20.6

v0.20.5

v0.20.4

v0.20.3

v0.20.2

v0.20.1

v0.20.0

v0.19.2

v0.19.1

v0.19.0

v0.18.6

v0.18.5

v0.18.4

v0.18.3

v0.18.2

v0.18.1

v0.18.0

v0.17.6

v0.17.5

v0.17.4

v0.17.3

v0.17.2

v0.17.1

v0.17.0

v0.16.2

v0.16.0-pathfix

v0.16.1

v0.16.0

v0.15.3

v0.15.2

v0.15.1

v0.15.0

v0.14.2

v0.14.1

v0.14.0

v0.13.8

v0.13.7

v0.13.6

v0.13.5

v0.13.4

v0.13.3

v0.13.2

v0.13.1

v0.13.0

v0.12.3

v0.12.2

v0.12.1

v0.12.0

v0.11.9

v0.11.8

v0.11.7

v0.11.6-buildfix

v0.11.6

v0.11.5

v0.11.4

v0.11.3

v0.11.2-2

v0.11.2-1

v0.11.2

v0.11.1

v0.11.0

v0.10.2

v0.10.1

v0.10.0

v0.9.10

v0.9.9-1

v0.9.9

v0.9.8

0.9.8

0.9.7

0.9.6

0.9.5

0.9.4-1

0.9.4

0.9.3

0.9.2

0.9.1

0.9

0.8.1

0.8.0

0.7.7

0.7.6

0.7.5

0.7.4

0.7.3

0.7.2

0.7.1

0.7.0

0.6.4-1

0.6.4

0.6.3

0.6.2

0.6.1

0.6

0.6-rp1

0.5.8

0.5.7

0.5.6

0.5.5

0.5.4

0.5.3

0.5.2

0.5.1

0.5.0

0.5.0-rc6

0.5.0-rc5

0.5.0-rc4

0.5.0-rc3

0.5.0-rc2

0.5.0-rc1

0.5.0-beta3

0.5.0-beta2

0.5.0-beta

0.4.8-1

0.4.8

0.4.7

0.4.6

0.4.5

0.4.4

0.4.3

0.4.2

0.4.1

0.4.0

0.3.1

0.3

0.2.2

0.2.1

0.2-alpha

0.1-stable

Labels

Clear labels

bug

enhancement

pull-request

Mirrored from GitHub Pull Request

wontfix

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

adam

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/godoxy#84