Unblock ip, ridiculously excessive traffic


#1

Hi, I’m now in the process of updating our config.

First it was cert-manager (we got an email that we were sending ridiculously excessive traffic), and we have now replaced it with Traefik. I pointed it at https://acme-staging-v02.api.letsencrypt.org but got ACME error 403, then I changed to https://acme-v02.api.letsencrypt.org and got the error below.

{“level”:“error”,“msg”:"Unable to obtain ACME certificate for domains “domain.cloud,test.domain.cloud” : cannot get ACME client get directory at ‘https://acme-v02.api.letsencrypt.org/directory’: acme: error: 0 :: GET :: https://acme-v02.api.letsencrypt.org/directory :: urn:ietf:params:acme:error:rateLimited :: Your IP, x.x.x.x, has been blocked due to ridiculously excessive traffic. Once this is corrected you may request this be reviewed on our forum https://community.letsencrypt.org , url: ",“time”:“2019-02-08T07:15:30Z”}
{“level”:“error”,“msg”:"Unable to obtain ACME certificate for domains “traefik-ui.domain.cloud” detected thanks to rule “Host:traefik-ui.domain.cloud” : cannot get ACME client get directory at ‘https://acme-v02.api.letsencrypt.org/directory’: acme: error: 0 :: GET :: https://acme-v02.api.letsencrypt.org/directory :: urn:ietf:params:acme:error:rateLimited :: Your IP, x.x.x.x, has been blocked due to ridiculously excessive traffic. Once this is corrected you may request this be reviewed on our forum https://community.letsencrypt.org , url: ",“time”:“2019-02-08T07:15:30Z”}
10.240.0.4 - - [08/Feb/2019:07:20:36 +0000] “GET / HTTP/1.1” 301 17 “-” “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36” 1 “entrypoint redirect for http” “/” 200ms
{“level”:“warning”,“msg”:“A new release has been found: 1.7.8. Please consider updating.”,“time”:“2019-02-08T07:25:19Z”}

Can anyone from Let’s Encrypt review my email and unblock my IP so I can test? I’ve sent it to [redacted].

Regards,

Jay Amorin


#2

Hi @jayamorin,

I’ll file a ticket to unblock your IP address. Would you send me the address either here or in a private message?


#3

I’ve sent it in a private message.

Thanks,

Jay Amorin


#4

Hi @jayamorin,

Your IP address has been unblocked.


#5

Kudos to the coder!
“Ridiculousness” is usually quite difficult to gauge/measure precisely - LOL


#6

I now got a different error. Do you have any idea how to fix this error?

{“level”:“debug”,“msg”:“Skipping Kubernetes event kind *v1.Endpoints”,“time”:“2019-02-09T19:44:06Z”}
{“level”:“debug”,“msg”:“TLS Challenge CleanUp temp certificate for test.safelink.cloud”,“time”:“2019-02-09T19:44:07Z”}
{“level”:“error”,“msg”:“Unable to obtain ACME certificate for domains “safelink.cloud,test.safelink.cloud” : unable to generate a certificate for the domains [safelink.cloud test.safelink.cloud]: acme: Error -\u003e One or more domains had a problem:\n[safelink.cloud] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol “acme-tls/1” for tls-alpn-01 challenge, url: \n[test.safelink.cloud] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol “acme-tls/1” for tls-alpn-01 challenge, url: \n”,“time”:“2019-02-09T19:44:07Z”}
{“level”:“debug”,“msg”:“Received Kubernetes event kind *v1.Endpoints”,“time”:“2019-02-09T19:44:07Z”}

$ helm list -a | grep traefik
guiding-penguin 1 Sun Feb 10 03:42:33 2019 DEPLOYED traefik-1.59.2 1.7.7 kube-system

Thanks


#7

This seems like something other than Traefik might be listening on that port. Can you double check if anything else has the port?


#8

With errors like this, what incoming/outgoing ports do I need to open? Incoming ports 80 and 443 are already open.

Thanks.

{“level”:“info”,“msg”:“legolog: [INFO] [qa1-traefik-ui.safelinkdatarooms.com] acme: Obtaining bundled SAN certificate”,“time”:“2019-02-11T11:58:20Z”}
{“level”:“info”,“msg”:“legolog: [INFO] [qa1.safelinkdatarooms.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz/EuitfXIRH_tKBk-1F88bKODmGKXqGUpvt4TJvUc15BY",“time”:"2019-02-11T11:58:21Z”}
{“level”:“info”,“msg”:“legolog: [INFO] [qa1.safelinkdatarooms.com] acme: use tls-alpn-01 solver”,“time”:“2019-02-11T11:58:21Z”}
{“level”:“info”,“msg”:“legolog: [INFO] [qa1.safelinkdatarooms.com] acme: Trying to solve TLS-ALPN-01”,“time”:“2019-02-11T11:58:21Z”}
{“level”:“info”,“msg”:“legolog: [INFO] [qa1-traefik-ui.safelinkdatarooms.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz/2JTS1W3juPJULYN7l6tKovHgxnsEKRyTgH53vgl2tJE",“time”:"2019-02-11T11:58:21Z”}
{“level”:“info”,“msg”:“legolog: [INFO] [qa1-traefik-ui.safelinkdatarooms.com] acme: use tls-alpn-01 solver”,“time”:“2019-02-11T11:58:21Z”}
{“level”:“info”,“msg”:“legolog: [INFO] [qa1-traefik-ui.safelinkdatarooms.com] acme: Trying to solve TLS-ALPN-01”,“time”:“2019-02-11T11:58:21Z”}
{“level”:“info”,“msg”:“Server configuration reloaded on :443”,“time”:“2019-02-11T11:58:30Z”}
{“level”:“info”,“msg”:“Server configuration reloaded on :8080”,“time”:“2019-02-11T11:58:30Z”}
{“level”:“info”,“msg”:“Server configuration reloaded on :80”,“time”:“2019-02-11T11:58:30Z”}
{“level”:“error”,“msg”:“Unable to obtain ACME certificate for domains “qa1-traefik-ui.safelinkdatarooms.com” detected thanks to rule “Host:qa1-traefik-ui.safelinkdatarooms.com” : unable to generate a certificate for the domains [qa1-traefik-ui.safelinkdatarooms.com]: acme: Error -\u003e One or more domains had a problem:\n[qa1-traefik-ui.safelinkdatarooms.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Timeout during connect (likely firewall problem), url: \n”,“time”:“2019-02-11T11:58:35Z”}
{“level”:“error”,“msg”:“Unable to obtain ACME certificate for domains “qa1.safelinkdatarooms.com” : unable to generate a certificate for the domains [qa1.safelinkdatarooms.com]: acme: Error -\u003e One or more domains had a problem:\n[qa1.safelinkdatarooms.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Timeout during connect (likely firewall problem), url: \n”,“time”:“2019-02-11T11:58:35Z”}


#9

TLS-ALPN-01 validation just uses port 443.

I can connect to it.

Even Let’s Encrypt can connect to it when Let’s Debug tries.

https://letsdebug.net/qa1-traefik-ui.safelinkdatarooms.com/22430?debug=y

Maybe there was a temporary Internet routing issue?
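
The three ACME error types seen in this thread's logs (rateLimited, unauthorized on the tls-alpn-01 challenge, connection) can be pulled out of JSON log lines and grouped per domain for triage. This is an added example, not part of any post here and not Traefik or lego code; the sample lines, the `triage` function and the hint wording are assumptions constructed for illustration.

```python
import json
import re
from collections import defaultdict

# Hints paraphrase what the logs and replies in this thread say per error type.
HINTS = {
    "rateLimited": "client IP blocked by the CA; fix the request loop, then ask for review",
    "unauthorized": "challenge failed on :443; check what is really listening there",
    "connection": "validator could not connect; check firewall/routing to :443",
}
# "[domain] acme: error: <status> :: [<METHOD> :: <url> :: ]urn:...:error:<type>"
ACME_ERR = re.compile(
    r"(?:\[(?P<domain>[^\]\s]+)\]\s+)?acme: error: (?P<status>\d+) :: "
    r"(?:[A-Z]+ :: \S+ :: )?urn:ietf:params:acme:error:(?P<type>\w+)")

# Constructed sample input: two JSON error entries and one access-log line.
SAMPLE = [
    json.dumps({"level": "error", "msg": "cannot get ACME client get directory at "
        "'https://acme.example/directory': acme: error: 0 :: GET :: "
        "https://acme.example/directory :: urn:ietf:params:acme:error:rateLimited :: "
        "Your IP, 192.0.2.10, has been blocked, url: "}),
    '192.0.2.20 - - [08/Feb/2019:07:20:36 +0000] "GET / HTTP/1.1" 301 17',
    json.dumps({"level": "error", "msg": "One or more domains had a problem:\n"
        "[a.example.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: "
        'Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge, url: \n'
        "[b.example.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: "
        "Timeout during connect (likely firewall problem), url: \n"}),
]

def triage(log_lines):
    """Return {domain: sorted [(status, type)]} for error-level ACME entries."""
    findings = defaultdict(set)
    for line in log_lines:
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # access-log lines and other non-JSON output
        if not isinstance(entry, dict) or entry.get("level") != "error":
            continue
        for m in ACME_ERR.finditer(entry.get("msg", "")):
            # Errors with no [domain] prefix (directory fetch) apply to all names.
            findings[m["domain"] or "(all)"].add((int(m["status"]), m["type"]))
    return {d: sorted(v) for d, v in findings.items()}

if __name__ == "__main__":
    for domain, errs in triage(SAMPLE).items():
        for status, kind in errs:
            print(f"{domain}: {status} {kind} -> {HINTS.get(kind, 'see error detail')}")
```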


#10

Almost working now. But what is the reason why it is giving me a *.example.com certificate?

Thanks for all your help.

