Blocking old cert-manager versions

Issuance Tech
#1

We’ve been working with Jetstack, the authors of cert-manager, on a series of fixes to the client. Cert-manager sometimes falls into a traffic pattern where it sends excessive traffic to Let’s Encrypt’s servers, continuously. To mitigate this, we plan to start blocking all traffic from cert-manager versions less than 0.8.0 (the current semver minor release), as of November 1.

We’ll be sending out notifications to cert-manager clients that meet those criteria over the next two months.

Version 0.8.0 is much better but we still observe excessive traffic in some cases. We’re working with Jetstack to improve these cases. As new versions of cert-manager are released, we will add the non-current versions to our block list after 3 months. We strongly encourage cert-manager users to stay up-to-date with new versions.

Also, if you are a cert-manager user, there is an opportunity to help both Let’s Encrypt and Jetstack. Check the logs for your cert-manager instances. Are they making excessive requests to Let’s Encrypt (more than, say, 10 per day over multiple days)? If so, please share details at https://github.com/jetstack/cert-manager/issues/1948.

Thanks,
Jacob

3 Likes
Letsencrypt blocking cert-manager v0.11?
Blocking old cert-manager versions - what action is required?
Rate Limits - Let's Encrypt - Free SSL/TLS Certificates
Get https://acme-staging-v02.api.letsencrypt.org/directory: dial tcp: i/o timeout - kubernetes cert-manager
Problem with renew certificates - The request message was malformed :: Method not allowed
Schedule for blocking older cert-manager versions
Blocking old versions of cert-manager
Letsencrypt blocking cert-manager v0.11?
Did not receive email regarding cert-manager versions less than 0.8.0 being blocked
#2

Here’s the text of the email we plan to set to users of old cert-manager versions. I welcome feedback from anyone in the community, even people who don’t use cert-manager. Is anything missing? Is there something I could say more clearly? Thanks!

Proposed email

We’ve been working with Jetstack, the authors of cert-manager, on a series of fixes to the client. Cert-manager sometimes falls into a traffic pattern where it sends really excessive traffic to Let’s Encrypt’s servers, continuously. To mitigate this, we plan to start blocking all traffic from cert-manager versions less than 0.8.0 (the current semver minor release), as of November 1. Please upgrade all of your cert-manager instances before then.

We’re sending this email because this is the contact address of your cert-manager instance at {{ client_ip }}.

Version 0.8.0 is much better but we still observe excessive traffic in some cases. We’re working with Jetstack to improve these cases. As new versions of cert-manager are released, we will add the non-current versions to our block list after 3 months. We strongly encourage cert-manager users to stay up-to-date with new versions.

Also, there is an opportunity to help both Jetstack and Let’s Encrypt. Once you’ve upgraded, please check the logs for your cert-manager instances from time to time. Are they making excessive requests to Let’s Encrypt (more than, say, 10 per day over multiple days)? If so, please share details at https://github.com/jetstack/cert-manager/issues/1948.

Thanks,
Let’s Encrypt Team

1 Like
#3

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.