dnsmadeeasy: authorizing ~50+ domains causes a fatal rate limiting error #7411
Comments
I would suggest either warning in the dnsmadeeasy plugin on >50 domains, or directly emitting a 429 rate-limit message from lexicon. Or both.
A simple fix could be just to sleep when we see that the Certbot isn't exposed to that level of detail, so that'd need to be part of Lexicon's behavior. WDYT @AnalogJ?
Another Lexicon maintainer here. Yes, I think it is doable at Lexicon level. However we can go a little further. Indeed a sleep on its own does not guarantee that you moved out of the limit window, and so that the next request after the sleep will not fail. Except if you put a 5 min sleep, but it is a big waste since new requests are certainly possible after some seconds only. So the API will return a 400, but with an informative body. This is sufficient to recognize it among other potential 400 responses. How about defining a short sleep (like 5 seconds), and a retry strategy with a max attempts, triggered in case of 400 with body @alexzorin I would suggest you open a new issue on the Lexicon repository, linking to this one. I do not have credentials for
I would note however that this is a workaround that is not solving the root cause in my opinion: 150 requests on a 5 min window is way too low for an API, typically designed for automation. I would also suggest to contact
@adferrand I have some DME sandbox credentials you can use which has
I propose to move to the dedicated Lexicon issue for further discussions. For Certbot's concern, this issue can be closed once AnalogJ/lexicon#437 is fixed.
I'm closing this in favor of #7631. This issue is resolved by using a new version of our dependency If you're having this issue using packages provided by your OS, I'd ask your distro maintainers to update the packaged version of
Originally reported on the forums.
My operating system is (include version):
Ubuntu Disco
I installed Certbot with (certbot-auto, OS package manager, pip, etc):
certbot-auto
I ran this command and it produced this output:
I ran (50 domains):
It produced:
Certbot's behavior differed from what I expected because:
Provider's published rate limits are as follows:
The pattern of requests generated by Certbot/Lexicon (3 requests per domain) means that having a reasonably high number of domains (50) will guarantee a fatal error during runtime, either during auth or cleanup. Math in my head tells me that 25 domains should be enough to trigger the problem.
The rate limit response is an HTTP 400 with a response body of:
but the body isn't logged by Certbot or Lexicon, and is just reported as a generic 400.
Here is a Certbot log showing the issue (if available):
letsencrypt.log
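
The retry strategy proposed in the comments above (a short sleep and a bounded number of attempts, triggered only by a 400 whose body identifies rate limiting), written out as an added example; it is not Lexicon's or Certbot's code. `call_with_retry`, `is_rate_limited`, `RateLimited` and `RATE_LIMIT_MARKER` are hypothetical names, and the marker is a placeholder for the response body, which this page does not show.

```python
import time

# Assumption: placeholder for the provider's rate-limit body text, which is
# not shown on this page. Replace with the text the API actually returns.
RATE_LIMIT_MARKER = "<provider rate-limit message>"


class RateLimited(Exception):
    """Still rate limited after the last allowed attempt."""


def is_rate_limited(status, body, marker=RATE_LIMIT_MARKER):
    # A 400 counts as rate limiting only when the body carries the marker,
    # so unrelated 400s (bad record, bad auth) are not retried.
    return status == 400 and marker in (body or "")


def call_with_retry(send, max_attempts=5, delay=5.0, sleep=time.sleep,
                    marker=RATE_LIMIT_MARKER):
    """Call send() -> (status, body), retrying only rate-limit responses.

    Any other response is returned unchanged. The number of attempts is
    bounded so a persistent limit surfaces as an explicit error.
    """
    for attempt in range(1, max_attempts + 1):
        status, body = send()
        if not is_rate_limited(status, body, marker):
            return status, body
        if attempt < max_attempts:
            sleep(delay)  # short pause; the window may reopen within seconds
    raise RateLimited(f"still rate limited after {max_attempts} attempts")


if __name__ == "__main__":
    # Constructed responses: two rate-limit 400s, then success.
    replies = iter([(400, RATE_LIMIT_MARKER), (400, RATE_LIMIT_MARKER),
                    (200, "ok")])
    pauses = []
    print(call_with_retry(lambda: next(replies), sleep=pauses.append))
    print("slept:", pauses)
```

Raising `RateLimited` with an explicit message also addresses the report's point that the condition was otherwise surfaced only as a generic 400.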