#4555 - [GH-ISSUE #237] letsencrypt - too many registrations for this IP - starred/nginx-ui

kerem commented

2026-03-01 15:34:14 +03:00

Owner

Originally created by @DjSni on GitHub (Dec 14, 2023).
Original GitHub issue: https://github.com/0xJacky/nginx-ui/issues/237

Describe the bug
I have the strange problem that my IP was apparently blocked at letsencrypt because I sent too many requests. I am currently using 9 certificates.

Expected behavior
that the certificates are updated automatically.

Log

2023/12/14 16:56:23 [INFO] [Nginx UI] Generating private key for registering account
2023/12/14 16:56:23 [INFO] [Nginx UI] Preparing lego configurations
2023/12/14 16:56:23 [INFO] [Nginx UI] Creating client facilitates communication with the CA server
2023/12/14 16:56:23 [INFO] [Nginx UI] Setting HTTP01 challenge provider
2023/12/14 16:56:23 [INFO] [Nginx UI] Registering user
2023/12/14 16:56:23 [INFO] acme: Registering account for email@example.com
2023/12/14 16:56:24 [Error] register error: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-acct :: urn:ietf:params:acme:error:rateLimited :: Error creating new account :: too many registrations for this IP: see https://letsencrypt.org/docs/too-many-registrations-for-this-ip/

Info (please complete the following information):

Docker Container
Server Arch: amd64
Nginx UI Version: 2.0.0-beta.6

It would be practical if the update interval could be set in the GUI.

Originally created by @DjSni on GitHub (Dec 14, 2023). Original GitHub issue: https://github.com/0xJacky/nginx-ui/issues/237 **Describe the bug** I have the strange problem that my IP was apparently blocked at letsencrypt because I sent too many requests. I am currently using 9 certificates. **Expected behavior** that the certificates are updated automatically. **Log** ``` 2023/12/14 16:56:23 [INFO] [Nginx UI] Generating private key for registering account 2023/12/14 16:56:23 [INFO] [Nginx UI] Preparing lego configurations 2023/12/14 16:56:23 [INFO] [Nginx UI] Creating client facilitates communication with the CA server 2023/12/14 16:56:23 [INFO] [Nginx UI] Setting HTTP01 challenge provider 2023/12/14 16:56:23 [INFO] [Nginx UI] Registering user 2023/12/14 16:56:23 [INFO] acme: Registering account for email@example.com 2023/12/14 16:56:24 [Error] register error: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-acct :: urn:ietf:params:acme:error:rateLimited :: Error creating new account :: too many registrations for this IP: see https://letsencrypt.org/docs/too-many-registrations-for-this-ip/ ``` **Info (please complete the following information):** - Docker Container - Server Arch: amd64 - Nginx UI Version: 2.0.0-beta.6 It would be practical if the update interval could be set in the GUI.

kerem

2026-03-01 15:34:14 +03:00

closed this issue
added the
enhancement
label

kerem commented

2026-03-01 15:34:15 +03:00

Author

Owner

@0xJacky commented on GitHub (Dec 14, 2023):

This is the letsencrypt api rate limit issue. Just wait, it will return normal after 24 hours.

By the way, if you have more than 5 certificates, I recommend you to issue a wilcard certificate.

@0xJacky commented on GitHub (Dec 14, 2023): This is the letsencrypt api rate limit issue. Just wait, it will return normal after 24 hours. By the way, if you have more than 5 certificates, I recommend you to issue a wilcard certificate.

kerem commented

2026-03-01 15:34:15 +03:00

Author

Owner

@0xJacky commented on GitHub (Dec 14, 2023):

Currently, the checking interval is about 5 minutes, and it will only perform the renewal action if it has been a month since the last issuance. As the validity period of the certificate is 3 months, I think time is enough for nginx-ui to renew the certificate.

@0xJacky commented on GitHub (Dec 14, 2023): Currently, the checking interval is about 5 minutes, and it will only perform the renewal action if it has been a month since the last issuance. As the validity period of the certificate is 3 months, I think time is enough for nginx-ui to renew the certificate.

kerem commented

2026-03-01 15:34:15 +03:00

Author

Owner

@DjSni commented on GitHub (Dec 15, 2023):

This is the letsencrypt api rate limit issue. Just wait, it will return normal after 24 hours.

By the way, if you have more than 5 certificates, I recommend you to issue a wilcard certificate.

I can't do that, I currently have 10 different TDLs in use, so a wildcard certificate won't help me.

Currently, the checking interval is about 5 minutes, and it will only perform the renewal action if it has been a month since the last issuance. As the validity period of the certificate is 3 months, I think time is enough for nginx-ui to renew the certificate.

Apparently this does not work, because I still get the error message, my certificates are all still valid until March (distributed from 2 - 15).

@DjSni commented on GitHub (Dec 15, 2023): > This is the letsencrypt api rate limit issue. Just wait, it will return normal after 24 hours. > > By the way, if you have more than 5 certificates, I recommend you to issue a wilcard certificate. I can't do that, I currently have 10 different TDLs in use, so a wildcard certificate won't help me. > Currently, the checking interval is about 5 minutes, and it will only perform the renewal action if it has been a month since the last issuance. As the validity period of the certificate is 3 months, I think time is enough for nginx-ui to renew the certificate. Apparently this does not work, because I still get the error message, my certificates are all still valid until March (distributed from 2 - 15).

kerem commented

2026-03-01 15:34:15 +03:00

Author

Owner

@0xJacky commented on GitHub (Dec 16, 2023):

I can add a setting for the renewal interval, but I don’t think it can solve the problem. I have 6 certificates on my server, and also have the same issue as you. I checked the logs for each certificate, and I finally found that one of the sites had not configured the proxy to the HTTP challenge port, resulting in too many failures on this site which caused rate limiting issues on others.

So, I think you can check if the problem is caused by the failure of renewal of one of the certificates.

I also need to apologize because, in the previous version, due to my oversight, the auto-cert goroutine would block during certificate renewal. Therefore, in the current updated version, there might be an accumulation of previously unrenewed certificates in the first few days. However, as long as the root problem is resolved, these certificates will automatically renew within two or three days.

@0xJacky commented on GitHub (Dec 16, 2023): I can add a setting for the renewal interval, but I don’t think it can solve the problem. I have 6 certificates on my server, and also have the same issue as you. I checked the logs for each certificate, and I finally found that one of the sites had not configured the proxy to the HTTP challenge port, resulting in too many failures on this site which caused rate limiting issues on others. So, I think you can check if the problem is caused by the failure of renewal of one of the certificates. I also need to apologize because, in the previous version, due to my oversight, the auto-cert goroutine would block during certificate renewal. Therefore, in the current updated version, there might be an accumulation of previously unrenewed certificates in the first few days. However, as long as the root problem is resolved, these certificates will automatically renew within two or three days.

kerem commented

2026-03-01 15:34:15 +03:00

Author

Owner

@DjSni commented on GitHub (Dec 16, 2023):

I can add a setting for the renewal interval, but I don’t think it can solve the problem. I have 6 certificates on my server, and also have the same issue as you. I checked the logs for each certificate, and I finally found that one of the sites had not configured the proxy to the HTTP challenge port, resulting in too many failures on this site which caused rate limiting issues on others.

So, I think you can check if the problem is caused by the failure of renewal of one of the certificates.

I added a "location /.well-known/acme-challenge" to each server block when I set it up.
I have configured it like this:

map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 307 https://$server_name$request_uri;
    location /.well-known/acme-challenge {
        proxy_set_header Host $host;
        proxy_set_header X-Real_IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr:$remote_port;
        proxy_pass http://127.0.0.1:9180;
    }
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name example.com www.example.com;
    ssl_certificate /etc/nginx/ssl/example.com_www.example.com/fullchain.cer;
    ssl_certificate_key /etc/nginx/ssl/example.com_www.example.com/private.key;
    # set upsteam
    set $VARWWW wordpress_example-com_1:80;
    # set fallback
    include /etc/nginx/snippets/fallback.conf;
    # lcoation block
    # include /etc/nginx/snippets/authelia-location.conf;
    location / {
        include /etc/nginx/snippets/authelia-proxy-standard.conf;
        #include /etc/nginx/snippets/authelia-authrequest.conf;
        client_max_body_size 20M;
        proxy_pass http://$VARWWW;
    }
    location /.well-known/acme-challenge {
        proxy_set_header Host $host;
        proxy_set_header X-Real_IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr:$remote_port;
        proxy_pass http://127.0.0.1:9180;
    }
}

I also need to apologize because, in the previous version, due to my oversight, the auto-cert goroutine would block during certificate renewal. Therefore, in the current updated version, there might be an accumulation of previously unrenewed certificates in the first few days. However, as long as the root problem is resolved, these certificates will automatically renew within two or three days.

I have only updated to version: 2.0.0-beta.8 (101)
In my opinion, you should look at the expiration date of the certificate and if it is valid for more than 1 month, do not connect to Letsencypt at all.

Here is a small example:
Not valid until: 2023-12-05 15:39:28
Expired on: 2024-03-04 15:39:27

Logs from the certificate:

2023/12/16 07:51:50 [INFO] [Nginx UI] Generating the private key for account registration
2023/12/16 07:51:50 [INFO] [Nginx UI] Preparing the Lego configurations
2023/12/16 07:51:50 [INFO] [Nginx UI] Creating the client facilitates communication with the CA server
2023/12/16 07:51:51 [INFO] [Nginx UI] Set HTTP01 challenge provider
2023/12/16 07:51:51 [INFO] [Nginx UI] Register user
2023/12/16 07:51:51 [INFO] acme: Account registration for email@example.com
2023/12/16 07:51:51 [Error] Registration error: acme: Error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-acct :: urn:ietf:params:acme:error:rateLimited :: Error creating new account :: too many registrations for this IP: see https://letsencrypt.org/docs/too-many-registrations-for-this-ip/

EDIT:
I have checked all sites again and there is a well-known location in each one.

@DjSni commented on GitHub (Dec 16, 2023): > I can add a setting for the renewal interval, but I don’t think it can solve the problem. I have 6 certificates on my server, and also have the same issue as you. I checked the logs for each certificate, and I finally found that one of the sites had not configured the proxy to the HTTP challenge port, resulting in too many failures on this site which caused rate limiting issues on others. > > So, I think you can check if the problem is caused by the failure of renewal of one of the certificates. I added a "location /.well-known/acme-challenge" to each server block when I set it up. I have configured it like this: ``` map $http_upgrade $connection_upgrade { default upgrade; '' close; } server { listen 80; listen [::]:80; server_name example.com www.example.com; return 307 https://$server_name$request_uri; location /.well-known/acme-challenge { proxy_set_header Host $host; proxy_set_header X-Real_IP $remote_addr; proxy_set_header X-Forwarded-For $remote_addr:$remote_port; proxy_pass http://127.0.0.1:9180; } } server { listen 443 ssl; listen [::]:443 ssl; http2 on; server_name example.com www.example.com; ssl_certificate /etc/nginx/ssl/example.com_www.example.com/fullchain.cer; ssl_certificate_key /etc/nginx/ssl/example.com_www.example.com/private.key; # set upsteam set $VARWWW wordpress_example-com_1:80; # set fallback include /etc/nginx/snippets/fallback.conf; # lcoation block # include /etc/nginx/snippets/authelia-location.conf; location / { include /etc/nginx/snippets/authelia-proxy-standard.conf; #include /etc/nginx/snippets/authelia-authrequest.conf; client_max_body_size 20M; proxy_pass http://$VARWWW; } location /.well-known/acme-challenge { proxy_set_header Host $host; proxy_set_header X-Real_IP $remote_addr; proxy_set_header X-Forwarded-For $remote_addr:$remote_port; proxy_pass http://127.0.0.1:9180; } } ``` > > I also need to apologize because, in the previous version, due to my oversight, the auto-cert goroutine would block during certificate renewal. Therefore, in the current updated version, there might be an accumulation of previously unrenewed certificates in the first few days. However, as long as the root problem is resolved, these certificates will automatically renew within two or three days. I have only updated to version: 2.0.0-beta.8 (101) In my opinion, you should look at the expiration date of the certificate and if it is valid for more than 1 month, do not connect to Letsencypt at all. Here is a small example: Not valid until: 2023-12-05 15:39:28 Expired on: 2024-03-04 15:39:27 Logs from the certificate: ``` 2023/12/16 07:51:50 [INFO] [Nginx UI] Generating the private key for account registration 2023/12/16 07:51:50 [INFO] [Nginx UI] Preparing the Lego configurations 2023/12/16 07:51:50 [INFO] [Nginx UI] Creating the client facilitates communication with the CA server 2023/12/16 07:51:51 [INFO] [Nginx UI] Set HTTP01 challenge provider 2023/12/16 07:51:51 [INFO] [Nginx UI] Register user 2023/12/16 07:51:51 [INFO] acme: Account registration for email@example.com 2023/12/16 07:51:51 [Error] Registration error: acme: Error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-acct :: urn:ietf:params:acme:error:rateLimited :: Error creating new account :: too many registrations for this IP: see https://letsencrypt.org/docs/too-many-registrations-for-this-ip/ ``` EDIT: I have checked all sites again and there is a well-known location in each one.

kerem commented

2026-03-01 15:34:15 +03:00

Author

Owner

@0xJacky commented on GitHub (Dec 16, 2023):

In my opinion, you should look at the expiration date of the certificate and if it is valid for more than 1 month, do not connect to Letsencypt at all.

Yes, this is the current method. 😂

@0xJacky commented on GitHub (Dec 16, 2023): > In my opinion, you should look at the expiration date of the certificate and if it is valid for more than 1 month, do not connect to Letsencypt at all. Yes, this is the current method. 😂

kerem commented

2026-03-01 15:34:15 +03:00

Author

Owner

@DjSni commented on GitHub (Dec 16, 2023):

😂
But then why do I get the error message from letsencrypt. As I understand it, it is still trying to establish a connection.

@DjSni commented on GitHub (Dec 16, 2023): 😂 But then why do I get the error message from letsencrypt. As I understand it, it is still trying to establish a connection.

kerem commented

2026-03-01 15:34:15 +03:00

Author

Owner

@DjSni commented on GitHub (Dec 16, 2023):

wtf, whatever happened, it worked again about an hour ago. Surely this can't be due to the update to the latest version?

@DjSni commented on GitHub (Dec 16, 2023): wtf, whatever happened, it worked again about an hour ago. Surely this can't be due to the update to the latest version?

kerem commented

2026-03-01 15:34:15 +03:00

Author

Owner

@0xJacky commented on GitHub (Dec 16, 2023):

Yes, it has been 3 weeks since I last change that part of codes.

@0xJacky commented on GitHub (Dec 16, 2023): Yes, it has been 3 weeks since I last change that part of codes.

kerem commented

2026-03-01 15:34:16 +03:00

Author

Owner

@DjSni commented on GitHub (Dec 19, 2023):

It seems to work without problems now, thanks

@DjSni commented on GitHub (Dec 19, 2023): It seems to work without problems now, thanks

Rows
Columns

[GH-ISSUE #237] letsencrypt - too many registrations for this IP #4555