General Blacklisting Questions

I'd just like to ask a couple of questions w.r.t. LE and possible Blacklisting pls?

As far as I understand, LE only permits 5 request attempts per Hr.

My question(s) is/are;

  1. Given number of attempts to obtain/create a cert, is there a point at which LE basically blacklists either the domain / sub-domain / email addr. attempting it? I mean if in trying to set up, you keep getting an error msg, at what point, if any, does LE block?
  2. If so, for how long pls?
  3. Multiple domain cert. requests can be made from/for the same IP, provided you use different emails, right? Not sure (https://letsencrypt.org/docs/rate-limits/) is entirely clear on it?
2 Likes

Hi @nikName,

We do sometimes block access when we've seen an extremely high (abusive) rate of retries - but this is very, very rare. It takes many retries per second to get our attention.

These blocks always have a specific error message that includes an e-mail address to contact us. These blocks are long-term (usually at least a year) but we're happy to remove them once we're contacted.

All of the automated rate limits will expire as documented, and we don't change those outside of the rate limit adjustment process.

3 Likes

Thanks the response James.

I can't genuinely tell as I'm trying to use the Synology wizard which isn't very forthcoming with error msgs.

Can just ask if someone can check the domain 'attitia.com' for any black marks pls, whether host or email addr.s?

2 Likes

Almost all our manual blocks are by IP, not by domain, and we haven't added any recently - so if you're having trouble, it is probably one of the automated rate limits.

2 Likes

As a note, I drafted a complete overhaul of the rate limits page over a month ago that is awaiting review...

2 Likes

You might want to take a look here:

3 Likes

@JamesLE,

as a matter of interest pls, how long does an IP block stay in place once instantiated.

2 Likes

Almost all IP blocks are automated rate limits. Manual ones don't stay in place for a set period; we will sometimes clean them up but we have no set procedure for that, so it's not guaranteed. That's one reason why there's an e-mail address included in those error messages.

It's very unlikely that a Synology device is encountering one of our manual blocks. All but a very few of them are related to specific (non-Synology) client misbehavior.

3 Likes

Thanks @griffin,

The Synology documentation is indeed 'shite'. I've managed to get the cmdline cmd out of them, but even the cmd itself isn't helpful.

I know that using their cmd will be subject to whatever the internal coding of their func., but can I ask; what format does the LE API call to instantiate a new cert expect for the SAN's?

This might help me work out how Synology implement it in their syno-letsencrypt func. I tried adding each SAN under its own '-d' switch, but the cmd then only focussed on the last sub-dom written on the cmdline.

2 Likes

Digging around, I've discovered the following;

"account_url" : "https://acme-v02.api.letsencrypt.org/acme/acct/<account_no>",

Is there likely to be any issue with an old account? I've been trying to get this bloody thing working over a period of a few months.

And yet, the same device does already retrieve and renew an LE cert for 'ouboco.barracu.com'.
Just stuffed if I can figure out why I can't get it to work for my main domain (not barracu.com).

2 Likes

As far as I know, the e-mail you've used to register an account doesn't matter. It's the account itself. Thus you should be able to generate multiple accounts with the same e-mail address and those accounts on their own would have account-related rate limits applied to them, if applicable.

Probably not, the longest rate limit is for a week and is not account related, but domain related.

We'd need more info about that, but as this is a "general blacklisting questions" thread, perhaps you should open a new thread and fill in the questionnaire from the Help section as best as possible.

1 Like

Yeah, no, agreed.

I have the answers to my blacklisting questions, thank you. So, won't pollute the forum with a transient thread.

3 Likes