I’m spinning up a new service in Kubernetes using the kube-cert-manager tool. I made a developer mistake, where I accidentally set the TLS domain name to be foo.bar.com instead of foo.environment.bar.com.

I use Google Cloud domains, and I did not have a cloud domain for bar.com, but instead have environment.bar.com. I created the deployment and got several errors that in turn rate-limited me:

kube-cert-manager-3589448969-qkxfx kube-cert-manager 2018/08/06 14:17:28 Error while processing certificate during sync: Error while obtaining certificate for new domain foo.bar.com: Error presenting token: No matching GoogleCloud domain found for domain bar.com.

When I fixed my mistake, I was already rate limited:

kube-cert-manager-3589448969-qkxfx kube-cert-manager 2018/08/06 15:01:45 Creating ACME client for googlecloud provider for foo.environment.bar.com
kube-cert-manager-3589448969-qkxfx kube-cert-manager 2018/08/06 15:01:46 [INFO] acme: Registering account for foo@email.com
kube-cert-manager-3589448969-qkxfx kube-cert-manager 2018/08/06 15:01:46 Error while processing certificate during sync: Error while registering user for new domain foo.environment.bar.com: acme: Error 429 - urn:acme:error:rateLimited - Error creating new registration :: too many registrations for this IP: see https://letsencrypt.org/docs/rate-limits/

(stating the obvious: removed e-mails and domains for privacy)

Is there any way to undo the IP rate limit? I apologize for the mistake; this was for a dev environment and I assumed we were using the staging Let’s Encrypt server, but the dev environment was configured to also use the production server.


From the rate limit documentation available at https://letsencrypt.org/docs/rate-limits/

If you’ve hit a rate limit, we don’t have a way to temporarily reset it.

However, the accounts per IP limit expires after three hours, so just give it a bit. However, I would recommend configuring your client in such a way that it doesn’t register a new account every time. You shouldn’t need to do this.

You can create a maximum of 10 Accounts per IP Address per 3 hours. You can create a maximum of 500 Accounts per IP Range within an IPv6 /48 per 3 hours. Hitting either account rate limit is very rare, and we recommend that large integrators prefer a design using one account for many customers.
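
The following is an added example, not part of the thread and not kube-cert-manager's own code. It audits client logs in the layout shown above for account registration attempts inside the 3-hour window of the quoted limit. It counts attempts the client logged, which only approximates what the server counts per IP; the pod name and the sample lines are constructed.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta

# Limit quoted in the thread: 10 accounts per IP address per 3 hours.
MAX_ACCOUNTS, WINDOW = 10, timedelta(hours=3)
# Log layout as shown in the thread: "<pod> <container> YYYY/MM/DD HH:MM:SS <message>"
LINE_RE = re.compile(r"^\S+ \S+ (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (.*)$")
REGISTER_RE = re.compile(r"acme: Registering account for (\S+)")

def audit_registrations(lines, limit=MAX_ACCOUNTS, window=WINDOW):
    """Summarise ACME account registration attempts seen in client logs."""
    recent, peak = deque(), 0
    per_email, denied = Counter(), []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a timestamped client line
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        reg = REGISTER_RE.search(m.group(2))
        if reg:
            per_email[reg.group(1)] += 1
            recent.append(ts)
            # Drop attempts that have aged out of the sliding window.
            while ts - recent[0] >= window:
                recent.popleft()
            peak = max(peak, len(recent))
        elif "urn:acme:error:rateLimited" in m.group(2):
            denied.append(ts)
    return {
        "peak_in_window": peak,
        "at_or_over_limit": peak >= limit,
        # A reused account key registers once; repeats mean it is not persisted.
        "repeat_registrations": {e: n for e, n in per_email.items() if n > 1},
        "rate_limited_at": denied,
        # When the oldest attempt still inside the window ages out.
        "window_frees_at": recent[0] + window if recent else None,
    }

def constructed_log():
    """Constructed sample: 11 attempts, 5 minutes apart, then a 429 line."""
    start, out = datetime(2018, 8, 6, 14, 10), []
    for i in range(11):
        t = (start + timedelta(minutes=5 * i)).strftime("%Y/%m/%d %H:%M:%S")
        out.append(f"kube-cert-manager-0 kube-cert-manager {t} [INFO] acme: Registering account for foo@email.com")
    out.append("kube-cert-manager-0 kube-cert-manager 2018/08/06 15:01:46 Error while processing certificate during sync: acme: Error 429 - urn:acme:error:rateLimited - Error creating new registration :: too many registrations for this IP")
    return out

if __name__ == "__main__":
    print(audit_registrations(constructed_log()))
```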


Ah, so I don’t need to add the account e-mail if my IP is already registered? I had the email in my spec for each Certificate object.



Registration is handled by a keypair, which ideally your client will be re-using. I don’t know anything about Kube-cert-manager and how it handles this, however.


Understood. Thanks for the response, Jared!


