Request to unblock rate limit

Hello!
A couple month ago we was banned because of our cert-manager generated a lot of “bad” traffic.
Now I don’t see the message about the ban but I still can’t catch how to resolve an errors in the cluster issuer.
Could you please help me to understand where might be an issue?

Errors:

Warning ErrInitIssuer 49m (x128 over 1d) cert-manager Error initializing issuer: Post https://acme-v02.api.letsencrypt.org/acme/acct/54901904: dial tcp: i/o timeout
Warning ErrInitIssuer 30m (x179 over 1d) cert-manager Error initializing issuer: Get https://acme-v02.api.letsencrypt.org/directory: dial tcp: i/o timeout
Warning ErrVerifyACMEAccount 22m (x181 over 1d) cert-manager Failed to verify ACME account: Get https://acme-v02.api.letsencrypt.org/directory: dial tcp: i/o timeout
Warning ErrVerifyACMEAccount 16m (x133 over 1d) cert-manager Failed to verify ACME account: Post https://acme-v02.api.letsencrypt.org/acme/acct/54901904: dial tcp: i/o timeout
Warning ErrInitIssuer 1m (x98977 over 2d) cert-manager-controller Error initializing issuer: Head : unsupported protocol scheme “”
Warning ErrVerifyACMEAccount 22s (x99063 over 2d) cert-manager-controller Failed to verify ACME account: Head : unsupported protocol scheme “”

Cert-manager: v0.7.1

Hi,

This request need to be processed by one of Let’s Encrypt staff, mentioning them now @lestaff .

Since (I believe) most of them are in U.S., you probably won’t heard back until tomorrow.

Thank you

1 Like

Hi @joyjey

that doesn’t look like a rate limit problem.

Can your server talk with Letsencrypt?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

1 Like

I agree this doesn’t match up with a policy ban of an IP address.

I suspect there’s a normal missconfiguration here and it doesn’t require staff to process an unblock to fix.

Hello @JuergenAuer
I work in a company that supports kubernetes clusters and these errors happening with one of our clients but on others clusters everything is ok. The issue appeared when we had 0.41 version of cert-manager and after an update to 0.71 it’s still here.
We use a helm chart that installs https://github.com/jetstack/cert-manager
Yes it can talk with Letsencrypt. I’ve checked an availability with curl for URL’s that mentioned in error logs.
The more interesting that certificates continue to renew but I see errors in the clusterissuer.
Example of domain name that we use here: freedom.conomy.ru

pinging @munnerz but they are not U.S. based so you may not hear back for a while. I think this might be something with how you are using cert-manager/your environment… can you find the ACME error message you are receiving?

Another great place to go for help with cert-manager specifically is in the Kubernetes Slack instance there is a cert-manager channel.

Hope this is helpful!

-JP

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.