[GH-ISSUE #319] ACME client implementation flaws #5951

Closed
opened 2026-03-01 17:08:16 +03:00 by kerem · 3 comments

Originally created by @sofusskovgaard on GitHub (Feb 27, 2024).
Original GitHub issue: https://github.com/0xJacky/nginx-ui/issues/319

**Describe the bug**
If you attempt to generate more than 10 certificates within a 3 hour period, you will be rate limited. This is typically not the expected behavior. Let's Encrypt responds with an error with the following response.

```
too many registrations for this IP: see https://letsencrypt.org/docs/too-many-registrations-for-this-ip/
```

This is generally not a rate limit you should be running into. You can read more about the nature of this rate limiting on Let's Encrypt's website https://letsencrypt.org/docs/too-many-registrations-for-this-ip/#common-causes.

screenshot from the let's encrypt documentation explaining the account registration rate limit

You can read about the reasonable rate limits you can expect to run into on Let's Encrypt's website https://letsencrypt.org/docs/rate-limits/.

screenshot from the let's encrypt documentation explaining the normal rate limits

**To Reproduce**
Generate 11 certificates within a 3 hour period.

**Expected behavior**
The ACME client implementation should save and reuse the account registration. This will get rid of the `too many registrations for this IP` error response, and should allow users to generate up to 300 unique certificates every 3 hours.

**Logs**
I stole the following logs from the #237 issue.

```
2023/12/14 16:56:23 [INFO] [Nginx UI] Generating private key for registering account
2023/12/14 16:56:23 [INFO] [Nginx UI] Preparing lego configurations
2023/12/14 16:56:23 [INFO] [Nginx UI] Creating client facilitates communication with the CA server
2023/12/14 16:56:23 [INFO] [Nginx UI] Setting HTTP01 challenge provider
2023/12/14 16:56:23 [INFO] [Nginx UI] Registering user
2023/12/14 16:56:23 [INFO] acme: Registering account for email@example.com
2023/12/14 16:56:24 [Error] register error: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-acct :: urn:ietf:params:acme:error:rateLimited :: Error creating new account :: too many registrations for this IP: see https://letsencrypt.org/docs/too-many-registrations-for-this-ip/
```

**Info (please complete the following information):**

  • Nginx UI Version: [<= v2.0.0-beta.5-patch] (basically any version that has the acme implementation)

**Additional context**

  • I made this discovery when looking through #237.
  • The certificate creation logic: /internal/cert/cert.go (https://github.com/0xJacky/nginx-ui/blob/v2.0.0-beta.18/internal/cert/cert.go)
  • The certificate auto renewal logic: /internal/cert/auto_cert.go (https://github.com/0xJacky/nginx-ui/blob/v2.0.0-beta.18/internal/cert/auto_cert.go)

**Severity**
If you wanted to utilize nginx-ui to manage your load balancer for a multi tenant application that allowed its end-users to use a custom domain name, you could very easily run into issues when trying to create certificates.

A scarier possibility is that you can run into a situation where you have to renew more than 10 certificates in a given 3 hour period. This is not impossible in the described scenario, especially because it seems that certificates get auto renewed after 7-8 days. This wouldn't be a problem either if the auto renewal mechanism actually implemented the proper renewal API instead of just issuing a new certificate, because Let's Encrypt caches domain validations for the account used for 30 days, meaning you can renew the certificate freely in a 30 day period before having to revalidate the domain with a challenge. You can read about that on the Let's Encrypt website as well https://letsencrypt.org/docs/faq/#i-successfully-renewed-a-certificate-but-validation-didn-t-happen-this-time-how-is-that-possible.

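One way the account persistence the report asks for could look in Go, as an added example that is not code from nginx-ui or lego: the account key and the URL returned by new-acct are written once to an owner-only file, and every later issuance loads them instead of registering again. `RegisterFunc` and `LoadOrRegister` are hypothetical names, and the CA call is injected so the store runs without a network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/json"
	"os"
	"path/filepath"
)

// accountFile is the persisted account: key (DER, base64 in JSON) plus the URL the
// CA returned from new-acct. Reusing both keeps later issuances away from new-acct.
type accountFile struct {
	AccountURL string `json:"account_url"`
	KeyDER     []byte `json:"key_der"`
}

// RegisterFunc does the ACME new-account call for a fresh key (a hypothetical seam).
type RegisterFunc func(email string, key *ecdsa.PrivateKey) (string, error)

// LoadOrRegister returns the account key and URL, registering only on first use.
func LoadOrRegister(dir, email string, register RegisterFunc) (*ecdsa.PrivateKey, string, error) {
	path := filepath.Join(dir, email+".json")
	raw, err := os.ReadFile(path)
	if err == nil {
		var f accountFile
		if err := json.Unmarshal(raw, &f); err != nil {
			return nil, "", err
		}
		key, err := x509.ParseECPrivateKey(f.KeyDER)
		return key, f.AccountURL, err
	} else if !os.IsNotExist(err) {
		return nil, "", err // unreadable account file: never silently re-register
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, "", err
	}
	url, err := register(email, key) // the only place new-acct is ever hit
	if err != nil {
		return nil, "", err // nothing persisted, so the next call retries
	}
	der, _ := x509.MarshalECPrivateKey(key) // cannot fail for a key just generated
	raw, _ = json.Marshal(accountFile{AccountURL: url, KeyDER: der})
	return key, url, os.WriteFile(path, raw, 0o600) // owner-only: this is key material
}
```

A permissions error on the account file is returned rather than treated as "no account", since falling through to a fresh registration is exactly the behaviour that burns the 10-per-3-hours budget.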
kerem 2026-03-01 17:08:16 +03:00: closed this issue and added the bug label

@sofusskovgaard commented on GitHub (Feb 27, 2024):

It could be a great time to implement a mechanism for choosing between various ACME providers (#16). Could be implemented in a similar way as the DNS challenge providers (https://github.com/0xJacky/nginx-ui/tree/dev/internal/cert/config).

Sadly I don't have any experience in developing software with Go, but if I could help in any other way, feel free to reach out @0xJacky. I don't mind getting on a Discord call and helping with research or design.

P.S.: You guys should set up a Discord server for the project if you don't have one already.


@0xJacky commented on GitHub (Feb 28, 2024):

Hi @sofusskovgaard, thanks for your report and suggestions, I will try to enhance it.


@0xJacky commented on GitHub (Apr 30, 2024):

Thanks for your advice, I have implemented these features, for more details please check this PR #361.
