The self-service unpause is brilliant. The worst thing about hitting these sorts of limits is that time window when you think you've fixed the problem but you can't check because you're throttled - so there's nothing you can do but wait. Giving literally any affordance so that a human can make progress with a fix removes this huge source of frustration.
saagarjha · 39m ago
I’m curious if they could send emails to accounts indicating that they plan to shut off their access?
meltyness · 18h ago
My server got renewal halted. I rolled my own wrapper for certbot. Idk, it's just a blog, I'm not that attached. It hit some rock a few months ago, I just retried and manually installed it, and it seems to have perked back up and continued receiving certs. Probably would have been more frustrating if it were a huge fleet but, it wasn't even worth my time to check logs and figure out what precisely happened (cert distributed with a modified that didn't match the ASN.1 expiry? transient issuance failure? issued the same cert? ...who knows.)
globie · 16h ago
Were you running certbot multiple times per day?
Looking at the relevant limit, "Consecutive Authorization Failures per Hostname per Account"[0], it looks like there's no way to hit that specific limit if you only run once per day.
Ah, to think how many cronjobs are out there running certbot on * * * * *!
Isn't that where we are going eventually? Certs only lasting a day?
genewitch · 34m ago
Timezones are going to make that hilarious, probably go back to much longer certs. I like free so I put up with LE. The automated stuff only works on half my servers, the other half I either run without https or I manually install it. Except now I wait until the service stops working, spend 15 minutes debugging why, go to the domain in a browser and see the warning, and then go fix it. Why? LE decided sending 4 emails a year is too many. And let's be real, sending automated emails is expensive. I think AWS charges like $0.50 per email when you use their hosted email sender.
ferngodfather · 12h ago
They simultaneously want shorter certs but can't cope with the current load
globie · 14h ago
That's a good point. I suspect as the renewal period is shortened, scripts will attempt renewal faster and faster.
I hope they don't go any shorter than a month. Let the user pick, any value up to a year should do.
conradludgate · 13h ago
Browsers are eventually going to deny any certificate after 47 days iirc
UltraSane · 14h ago
No, they will never get that short due to reliability issues. I could see getting down to maybe two weeks.
To make 24 hour valid certs practical you would need to generate them ahead of time and locally switch them out. This would be a lot more reliable if systems supported two certs with 50% overlapping validity periods at the same time.
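The comment above argues that very short certs only work if you renew well ahead of expiry and keep the old cert as a fallback while the new one is already valid. The following is an added example (not code from the thread, Let's Encrypt, certbot or any other project) that makes the arithmetic concrete: it models a cert purely by its validity window, assumes a renewal policy of "start renewing once half the lifetime has elapsed" (so consecutive certs overlap by about 50%), and works out how often a renewal job has to run for a given lifetime. The start time, serials and cron cadences are constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Sequence, Tuple

UTC = timezone.utc


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for a leaf certificate: only its validity window matters here."""
    serial: str
    not_before: datetime
    not_after: datetime

    @property
    def lifetime(self) -> timedelta:
        return self.not_after - self.not_before

    def is_valid_at(self, now: datetime) -> bool:
        return self.not_before <= now < self.not_after


# Assumed policy (not Let's Encrypt's or any client's): start renewing once
# half the lifetime has elapsed, so old and new certs overlap by ~50%.
RENEW_AT_FRACTION = 0.5


def renewal_due(cert: Cert, now: datetime, fraction: float = RENEW_AT_FRACTION) -> bool:
    """True once `fraction` of the cert's lifetime has elapsed."""
    return now >= cert.not_before + cert.lifetime * fraction


def serve_cert(certs: Sequence[Cert], now: datetime) -> Optional[Cert]:
    """Pick the cert to present: among those valid right now, the one expiring last.
    Returns None if nothing is valid (an outage)."""
    valid = [c for c in certs if c.is_valid_at(now)]
    return max(valid, key=lambda c: c.not_after, default=None)


def max_check_interval(lifetime: timedelta,
                       fraction: float = RENEW_AT_FRACTION,
                       retry_budget: timedelta = timedelta(0)) -> timedelta:
    """Longest gap between renewal checks that still guarantees an attempt before
    expiry. The renewal window is lifetime * (1 - fraction); `retry_budget` reserves
    part of it for failed attempts (e.g. while waiting out a rate limit)."""
    window = lifetime * (1 - fraction) - retry_budget
    return max(window, timedelta(0))


def check_interval_ok(lifetime: timedelta, interval: timedelta,
                      fraction: float = RENEW_AT_FRACTION,
                      retry_budget: timedelta = timedelta(0)) -> bool:
    """Can a renewal job that runs every `interval` keep a cert of this lifetime alive?"""
    return timedelta(0) < interval <= max_check_interval(lifetime, fraction, retry_budget)


def rollover_demo(lifetime: timedelta = timedelta(days=6),
                  tick: timedelta = timedelta(days=1),
                  ticks: int = 7) -> List[Tuple[int, Optional[str]]]:
    """Simulate a cron job that runs every `tick` against certs of `lifetime`.
    Constructed scenario: cert 'A' is issued at t0; on each tick we serve the best
    cert and, if it is past the renewal point, issue the next one starting now.
    Returns (tick index, serial served) per tick; None means nothing valid."""
    t0 = datetime(2025, 1, 1, tzinfo=UTC)   # constructed start time
    store: List[Cert] = [Cert("A", t0, t0 + lifetime)]
    served: List[Tuple[int, Optional[str]]] = []
    for i in range(ticks):
        now = t0 + tick * i
        active = serve_cert(store, now)
        if active is None:
            served.append((i, None))          # expired before we renewed: outage
            continue
        if renewal_due(active, now):
            new = Cert(chr(ord(active.serial) + 1), now, now + lifetime)
            store.append(new)                 # old cert stays as a fallback until it expires
            active = new
        served.append((i, active.serial))
    return served


if __name__ == "__main__":
    for life, cron in [(timedelta(days=90), timedelta(days=1)),
                       (timedelta(days=6), timedelta(days=1)),
                       (timedelta(hours=24), timedelta(days=1)),
                       (timedelta(hours=24), timedelta(hours=6))]:
        print(f"lifetime={life} cron every {cron}: ok={check_interval_ok(life, cron)}")
    print(rollover_demo())
    print(rollover_demo(timedelta(hours=24), ticks=3))
```

With a 50% renewal point, a daily job is fine for 90-day and 6-day certs (renewal windows of 45 and 3 days), but a 24-hour cert leaves a 12-hour window, so the same daily cron produces an outage on the second tick; running every 6 hours keeps it alive. Setting `retry_budget` shrinks the window further, which is the practical reason to run the job more often than the minimum and to back off rather than hammer the CA after a failure.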
jaas · 14h ago
Let’s Encrypt has already started issuing a limited number of 6-day certs and they will be generally available later this year.
(90 days will remain the default though)
greatgib · 15h ago
As they have the account email, they could also notify of the issue by email when there are too many issues renewing for too long.
Macha · 11h ago
Note that Let's Encrypt are winding down their email notifications as of today, actually:
Sure, and they must have already emailed the person when they failed to get a new cert before their last one expired. But I suspect a lot of people don't use a real email address for LE, since there's no enforcement/verification. Or they might be using one that isn't their main one.
aorth · 5h ago
Happy to be running Caddy on a growing number of servers instead of renewing certs through certbot. Caddy has really good defaults and does the right thing with TLS certs without much hassle. Fewer moving parts too.
NicolaiS · 1h ago
Agree
Caddy even supports 'ACME profiles' for people that want to follow the latest recommendation from CAB / want shortlived certs
dieulot · 24m ago
Certbot does too as of 4.0.0 (2025-04-08).
efitz · 6h ago
I really appreciate the thoughtful and non-punitive approach, and intend to add your self-service-unpause approach to my own arsenal of tricks.
[0]: https://letsencrypt.org/docs/rate-limits/#consecutive-author...
https://letsencrypt.org/2025/01/22/ending-expiration-emails/