GridPane SSL Locks and Let’s Encrypt Rate Limiting

7 min read

In order to prevent your websites from getting rate limited by Let’s Encrypt, GridPane has created a 3-attempt limit fail-safe that requires manual removal after 3 unsuccessful SSL attempts.

This article will explain why we’ve put this in place, the steps to remove it, and how to avoid it from happening altogether.

Also, you can only provision one SSL at a time on GridPane. We have a lock in place to enforce this to ensure that the process runs smoothly, and isn’t negatively affected by trying to provision multiple SSL certificates all at the same time.

Part 1. A Quick Intro to Rate Limiting

Let’s Encrypt Rate Limiting

Let’s Encrypt provide an awesome free SSL, but like anything that’s free, they have (and absolutely need) systems in place to prevent abuse.

This comes in the form of rate limiting. You get 5 attempts to provision an SSL (which should be plenty). If you fail 5 times in a row, you’ll be blocked from re-attempting for 7 days. 

We don’t want that to happen, and as long as you are following our documentation, it should never happen to you.

Also, there are limits on the number of SSLs that you can provision for an IP address over a set time. Currently it is a maximum of 10 SSL certificates per IP every 3 hours, but this is subject to change (see their documentation for more details).

You can learn more about Let’s Encrypt rate limits here: 
https://letsencrypt.org/docs/rate-limits/

GridPane’s SSL Locks

We’ve implemented a system that will lock and prevent SSL provisioning attempts from proceeding once you fail 3 times in a row. 

Removing the lock is simple, but we put this in place to ensure our users can’t hit the Let’s Encrypt rate limit by continually re-attempting again and again until you hit their limit and lock you out.

Part 2. Avoiding Locks/Rate Limiting

When an SSL attempt fails, you can easily find out the exact reason for the failure by checking your SSL log. In 95% of cases, this is related to your DNS records not pointing to your server’s IP address.

The SSL log will detail what went wrong and what you need to do in order for your SSL to provision correctly.

Always check your logs

You should check your log immediately after the first failed attempt.

To locate and view your SSL log, head to your Sites page inside your GridPane account and click on your website’s domain name to open up the configuration modal.

Next click through to the logs tab and click the button as outlined below to open up your SSL log:

This will open your log directly inside of GridPane, and you can view your latest SSL attempt by scrolling to the bottom. We’re looking for the reason for the failure, and that will look something like this, listed under “IMPORTANT NOTES”:

Here we can see that the reason for this particular failed attempt is as follows:

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

The reason your SSL attempt failed may be different, however, this is by far the most common.

If using a Proxy Service (e.g. Cloudflare) you may need to temporarily deactivate it

If you’re using a proxy service, for example, Cloudflare with orange clouds turned on, then Let’s Encrypt may not be able to verify that your domain name and server IP match up. 

To check your DNS worldwide, you can use this website:

https://dnschecker.org/#A

When attempting to provision an SSL without either the DNS Made Easy or Cloudflare API, ensure that your A record and server IP address match before re-attempting.

If using Cloudflare/DNS Made Easy API, check their status page

If you’re attempting to provision an SSL via Cloudflare API and it’s failing, then it’s highly likely that this is due to an outage or active maintenance at Cloudflare. You can check their status page here:

https://www.cloudflarestatus.com/

The same goes for DNS Made Easy. You can check their status here:

https://dnsstatus.com/

Part 3. Removing GridPane’s Rate Limit Lock

If you’ve experienced a lock, you’ll see a message that reads: 

SSL Fail for: 
yourdomain.com
System detected too many failed attempts, provision is temporarily locked.

To remove this lock, you’ll need to SSH into your server and remove 3 files. Don’t worry, this is quick and easy and the following steps will walk you through it.

Step 1. SSH into your server.

Please see the following articles to get started:

Step 2. Navigate to your websites log directory

Run the following command to navigate to your websites log directory, switching out “site.url” with your websites domain name:

cd /var/www/site.url/logs/

Example:

cd /var/www/gridpane.com/logs/

Step 3. Remove 3 log files

To view the contents of this folder, run this command:

ls -l

Here, there will be three log files that look like this:

The names of course will be based on your domain name, but the key part is the “-ssl_fail-” as you can see highlighted in the image above.

To remove the lock, we need to remove these files. You can do so with the “rm” command, followed by the file name. Here’s what it looks like for the 3 files in the image above:

rm examplewebsite.com-ssl_fail-1.date
rm examplewebsite.com-ssl_fail-2.date
rm examplewebsite.com-ssl_fail-3.date

Alternatively, remove them all at the same time with this command:

rm examplewebsite.com-ssl_fail-*.date

We can make sure the files have been removed with the ls -l command again:

ls -l

As you can see below, I ran the rm command above, and on rechecking the contents the files are no longer there.

Part 4. Set things up correctly and try again

At this point, you can re-attempt to provision your SSL. Make sure that you have followed the instructions above and have confirmed and fixed the issue as outlined in your SSL log. We can’t help you if you’re rated limited be Let’s Encrypt.

More often than not it’s just a case of correcting your DNS settings. You can learn more about DNS here:

Setting DNS Records

If you’re simply not sure, you can shoot us a message on support.

If you have everything set up correctly, your SSL should be successful.

SSL Support


SSL Certificates Failures
For assistance with SSL certificate related issues, please ensure you attach the info from your SSL provisioning logs when contacting support so that we can quickly assess what's going on and assist you as fast and efficiently as possible.
How to Create a Support Ticket

DNS Checks / Console Output / Screenshots
Please provide as much relevant information as possible - check if your DNS is live, check console output on your site (right click > inspect element > console), and attach any relevant screenshots of errors.

Too Many Redirects Error
If you're using Cloudflare with GridPane, please ensure you have the correct SSL settings to prevent redirect errors:
How to use Cloudflare SSL with GridPane

SSL Locks and Rate Limiting
If multiple SSL attempts fail, GridPane will place an SSL lock to prevent you from getting rate limited by Let's Encrypt. It's important to assess why your SSL's are failing and correct the issue. Learn more about rate-limiting and how to remove locks here:
GridPane SSL Locks and Let’s Encrypt Rate Limiting

SSL Troubleshooting Guide
This article will help new users prevent common SSL issues, and learn how to diagnose the more complex ones.
Diagnosing and Fixing SSL Certificate Issues

Mixed Content / No Padlock
If you've provisioned an SSL but don't see a padlock, please check for images and/or other content being served over HTTP instead of HTTPS. It's likely you need to update your database to serve links over HTTPS:
Why Am I Not Seeing a Padlock on my Site?