Description
Describe the bug
If you attempt to generate more than 10 certificates within a 3 hour period, you will be rate limited. This is typically not the expected behavior. Let's Encrypt responds with an error with the following response.
too many registrations for this IP: see https://letsencrypt.org/docs/too-many-registrations-for-this-ip/
This is generally not a rate limit you should be running into. You can read more about the nature of this rate limiting on Let's Encrypt's website https://letsencrypt.org/docs/too-many-registrations-for-this-ip/#common-causes.
You can read about the reasonable rate limits you can expect to run into on Let's Encrypt's website https://letsencrypt.org/docs/rate-limits/.
To Reproduce
Generate 11 certificates within a 3 hour period.
Expected behavior
The ACME client implementation should save and reuse the account registration. This will get rid of the "too many registrations for this IP" error response, and should allow users to generate up to 300 unique certificates every 3 hours.
Logs
I stole the following logs from the #237 issue.
2023/12/14 16:56:23 [INFO] [Nginx UI] Generating private key for registering account
2023/12/14 16:56:23 [INFO] [Nginx UI] Preparing lego configurations
2023/12/14 16:56:23 [INFO] [Nginx UI] Creating client facilitates communication with the CA server
2023/12/14 16:56:23 [INFO] [Nginx UI] Setting HTTP01 challenge provider
2023/12/14 16:56:23 [INFO] [Nginx UI] Registering user
2023/12/14 16:56:23 [INFO] acme: Registering account for email@example.com
2023/12/14 16:56:24 [Error] register error: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-acct :: urn:ietf:params:acme:error:rateLimited :: Error creating new account :: too many registrations for this IP: see https://letsencrypt.org/docs/too-many-registrations-for-this-ip/
Info (please complete the following information):
- Nginx UI Version: [<= v2.0.0-beta.5-patch] (basically any version that has the acme implementation)
Additional context
- I made this discovery when looking through letsencrypt - too many registrations for this IP #237.
- The certificate creation logic: /internal/cert/cert.go
- The certificate auto renewal logic: /internal/cert/auto_cert.go
Severity
If you wanted to utilize nginx-ui to manage your load balancer for a multi-tenant application that allowed its end-users to use a custom domain name, you could very easily run into issues when trying to create certificates.
A scarier possibility is that you can run into a situation where you have to renew more than 10 certificates in a given 3 hour period. This is not impossible in the described scenario, especially because it seems that certificates get auto renewed after 7-8 days. This wouldn't be a problem either, if the auto renewal mechanism actually implemented the proper renewal API instead of just issuing a new certificate, because Let's Encrypt caches domain validations for the account used for 30 days, meaning you can renew the certificate freely in a 30 day period, before having to revalidate the domain with a challenge. You can read about that on the Let's Encrypt website as well https://letsencrypt.org/docs/faq/#i-successfully-renewed-a-certificate-but-validation-didn-t-happen-this-time-how-is-that-possible.
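The behaviour requested under "Expected behavior", as an added Go example that is not part of the original issue and is not Nginx UI's or lego's code: the account key and account URL are written to disk once and reloaded on every later run, so only the first run consumes a registration. The `Account` type, the file layout and the `register` callback (a hypothetical stand-in for the ACME new-acct request) are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/json"
	"errors"
	"os"
)

// Account is the state that must survive restarts: the account URL plus its key.
type Account struct {
	Email  string `json:"email"`
	URI    string `json:"uri"`     // account URL returned by new-acct
	KeyDER []byte `json:"key_der"` // SEC1 DER encoding of the EC account key
}

// LoadOrRegister reuses the saved account; register (hypothetical new-acct hook) runs only if no file exists.
func LoadOrRegister(path, email string, register func(string, *ecdsa.PrivateKey) (string, error)) (*Account, *ecdsa.PrivateKey, error) {
	raw, err := os.ReadFile(path)
	if err == nil {
		acc := &Account{}
		if err = json.Unmarshal(raw, acc); err != nil || acc.Email != email || acc.URI == "" {
			return nil, nil, errors.New("stored account unusable; refusing to re-register silently")
		}
		key, err := x509.ParseECPrivateKey(acc.KeyDER)
		return acc, key, err
	}
	if !errors.Is(err, os.ErrNotExist) {
		return nil, nil, err // unreadable file: fail instead of burning a registration
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	acc := &Account{Email: email, KeyDER: der}
	if acc.URI, err = register(email, key); err != nil { // the only new-acct call
		return nil, nil, err
	}
	raw, _ = json.Marshal(acc)
	return acc, key, os.WriteFile(path, raw, 0o600) // owner-only: the file holds a private key
}

func main() {}
```

A corrupt or mismatched account file is treated as an error on purpose: falling back to a fresh registration would reintroduce the rate-limit problem without anyone noticing.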