IP Blocked [Rate Limit Request]


I'm spinning up a new service in Kubernetes using the kube-cert-manager tool. I made a developer mistake, where I accidentally set the tls domain name to be foo.bar.com instead of foo.environment.bar.com.

I use Google Cloud domains, and I did not have a cloud domain for bar.com, but instead have environment.bar.com. I created the deployment and got several errors that in turn rate-limited me:

kube-cert-manager-3589448969-qkxfx kube-cert-manager 2018/08/06 14:17:28 Error while processing certificate during sync: Error while obtaining certificate for new domain foo.bar.com: Error presenting token: No matching GoogleCloud domain found for domain bar.com.

when I fixed my mistake, I was already rate limited:

kube-cert-manager-3589448969-qkxfx kube-cert-manager 2018/08/06 15:01:45 Creating ACME client for googlecloud provider for foo.environment.bar.com
kube-cert-manager-3589448969-qkxfx kube-cert-manager 2018/08/06 15:01:46 [INFO] acme: Registering account for foo@email.com
kube-cert-manager-3589448969-qkxfx kube-cert-manager 2018/08/06 15:01:46 Error while processing certificate during sync: Error while registering user for new domain foo.environment.bar.com: acme: Error 429 - urn:acme:error:rateLimited - Error creating new registration :: too many registrations for this IP: see https://letsencrypt.org/docs/rate-limits/

(stating the obvious: removed e-mails and domains for privacy)

Is there any way to undo the IP rate limit? I apologize for the mistake, this was for a dev environment and I assumed we had were using the staging let's encrypt server but the dev environment was configured to also use the production server.

From the rate limit documentation available at Rate Limits - Let's Encrypt

If you’ve hit a rate limit, we don’t have a way to temporarily reset it.

However, the accounts per IP limit expires after three hours, so just give it a bit. However, I would recommend configuring your client in such a way that it doesn't register a new account every time. You shouldn't need to do this.

You can create a maximum of 10 Accounts per IP Address per 3 hours. You can create a maximum of 500 Accounts per IP Range within an IPv6 /48 per 3 hours. Hitting either account rate limit is very rare, and we recommend that large integrators prefer a design using one account for many customers.


Ah, so I don’t need to add the account e-mail if my IP is already registered? I had the email in my spec for each Certificate object.


Registration is handled by a keypair, which ideally your client will be re-using. I don’t know anything about Kube-cert-manager and how it handles this, however.


Understood. Thanks for the response, Jared!

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.