In order to prevent your websites getting rate limited by Let's Encrypt, GridPane has created a 3-attempt limit fail-safe that requires manual removal after 3 unsuccessful SSL attempts.
This article will explain why we've put this in place, the steps to remove it, and how to avoid it from happening all together.
Also, you can only provision one SSL at a time on GridPane. We have a lock in place to enforce this to ensure that the process runs smoothly, and isn't negatively affected by trying to provision multiple SSL certificates all at the same time.
Part 1. A Quick Intro to Rate Limiting
Let's Encrypt Rate Limiting
Let's Encrypt provide an awesome free SSL, but like anything that's free, they have (and absolutely need) systems in place to prevent abuse.
This comes in the form of rate limiting. You get 5 attempts to provision an SSL (which should be plenty). If you fail 5 times in a row, you'll be blocked from re-attempting for 7 days.
We don't want that to happen, and as long as you are following our documentation, it should never happen to you.
You can learn more about Let's Encrypt rate limits here: https://letsencrypt.org/docs/rate-limits/
GridPane's SSL Locks
We've implemented a system that will lock and prevent SSL provisioning attempts from proceeding once you fail 3 times in a row.
Removing the lock is simple, but we put this in place to ensure our users can't hit the Let's Encrypt rate limit by continually re-attempting again and again until you hit their limit and lock you out.
Part 2. Avoiding Locks/Rate Limiting
When an SSL attempt fails, you can easily find out the exact reason for the failure by checking your SSL log. In 95% of cases, this is related to your DNS records not pointing to your server's IP address.
The SSL log will detail what went wrong and what you need to do in order for your SSL to provision correctly.
Always check your logs
You should check your log immediately after the first failed attempt.
To locate and view your SSL log, head to your Sites page inside your GridPane account and click on your websites domain name to open up the configuration modal.
Next click through to the logs tab and and click the button as outlined below to open up your SSL log:
This will open your log directly inside of GridPane, and you can view your latest SSL attempt by scrolling to the bottom. We're looking for the reason for the failure, and that will look something like this, listed under "IMPORTANT NOTES":
Here we can see that the reason for this particular failed attempt is as follows:
To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
The reason your SSL attempt failed may be different, however, this is by far the most common.
If using a Proxy Service (e.g. Cloudflare) you may need to temporarily deactivate it
If you're using a proxy service, for example Cloudflare with orange clouds turned on, then Let's Encrypt may not be able to verify that your domain name and server IP match up.
To check your DNS world wide, you can use this website:
When attempting to provision an SSL without either the DNS Made Easy or Cloudflare API, ensure that your A record and server IP address match before re-attempting.
If using Cloudflare/DNS Made Easy API, check their status page
If you're attempting to provision an SSL via Cloudflare API and it's failing, then it's highly likely that this is due to an outage or active maintenance at Cloudflare. You can check their status page here:
Same goes for DNS Made Easy. You can check their status here:
Part 3. Removing GridPane's Rate Limit Lock
If you've experienced a lock, you'll see a message that reads:
SSL Fail for:
System detected too many failed attempts, provision is temporarily locked.
To remove this lock, you'll need to SSH into your server and remove 3 files. Don't worry, this is quick and easy and the following steps will walk you through it.
Step 1. SSH into your server.
Please see the following articles to get started:
Generate your SSH Key:
Add your SSH Key to GridPane:
Connect to your server:
Step 2. Navigate to your websites log directory
Run the following command to navigate to your websites log directory, switching out "site.url" with your websites domain name:
Step 3. Remove 3 log files
To view the contents of this folder, run this command:
Here, there will be three log files that look like this:
The names of course will be based on your domain name, but the key part is the "-ssl_fail-" as you can see highlighted in the image above.
To remove the lock, we need to remove these files. You can do so with the "rm" command, followed by the file name. Here's what it looks like for the 3 files in the image above:
Alternatively, remove them all at the same time with this command:
We can make sure the files have been removed with the ls -l command again:
As you can see below, I ran the rm command above, and on rechecking the contents the files are no longer there.
Part 4. Set things up correctly and try again
At this point, you can re-attempt to provision your SSL. Make sure that you have followed the instructions above and have confirmed and fixed the issue as outlined in your SSL log. We can't help you if you're rated limited be Let's Encrypt.
More often that not it's just a case of correcting your DNS settings. You can learn more about DNS here:
If you're simply not sure, you can shoot us a message on support.
If you have everything setup correctly, your SSL should be successful.