Hi, I’m now in the process of updating our config.
First it was cert-manager (we got an email that we are sending ridiculously excessive traffic), and now we are replacing it with Traefik. I pointed it at https://acme-staging-v02.api.letsencrypt.org but got an ACME error 403, then I changed to https://acme-v02.api.letsencrypt.org and got the error below.
{“level”:“error”,“msg”:"Unable to obtain ACME certificate for domains “domain.cloud,test.domain.cloud” : cannot get ACME client get directory at ‘https://acme-v02.api.letsencrypt.org/directory ’: acme: error: 0 :: GET :: https://acme-v02.api.letsencrypt.org/directory :: urn:ietf:params:acme:error:rateLimited :: Your IP, x.x.x.x, has been blocked due to ridiculously excessive traffic. Once this is corrected you may request this be reviewed on our forum https://community.letsencrypt.org , url: ",“time”:“2019-02-08T07:15:30Z”}
{“level”:“error”,“msg”:"Unable to obtain ACME certificate for domains “traefik-ui.domain.cloud” detected thanks to rule “Host:traefik-ui.domain.cloud” : cannot get ACME client get directory at ‘https://acme-v02.api.letsencrypt.org/directory ’: acme: error: 0 :: GET :: https://acme-v02.api.letsencrypt.org/directory :: urn:ietf:params:acme:error:rateLimited :: Your IP, x.x.x.x, has been blocked due to ridiculously excessive traffic. Once this is corrected you may request this be reviewed on our forum https://community.letsencrypt.org , url: ",“time”:“2019-02-08T07:15:30Z”}
10.240.0.4 - - [08/Feb/2019:07:20:36 +0000] “GET / HTTP/1.1” 301 17 “-” “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36” 1 “entrypoint redirect for http” “/” 200ms
{“level”:“warning”,“msg”:“A new release has been found: 1.7.8. Please consider updating.”,“time”:“2019-02-08T07:25:19Z”}
Can anyone from Let’s Encrypt review my email and unblock my IP so I can test? I’ve sent it to [redacted].
Regards,
Jay Amorin
jsha
February 8, 2019, 4:31pm
Hi @jayamorin ,
I’ll file a ticket to unblock your IP address. Would you send me the address either here or in a private message?
I’ve sent it in a private message.
Thanks,
Jay Amorin
Hi @jayamorin ,
Your IP address has been unblocked.
rg305
February 8, 2019, 7:25pm
Kudos to the coder!
"Ridiculousness" is usually quite difficult to gauge/measure precisely - LOL
I now got a different error. Do you have any idea how to fix this error?
{“level”:“debug”,“msg”:“Skipping Kubernetes event kind *v1.Endpoints”,“time”:“2019-02-09T19:44:06Z”}
{“level”:“debug”,“msg”:“TLS Challenge CleanUp temp certificate for test.safelink.cloud”,“time”:“2019-02-09T19:44:07Z”}
{“level”:“error”,“msg”:“Unable to obtain ACME certificate for domains “safelink.cloud,test.safelink.cloud” : unable to generate a certificate for the domains [safelink.cloud test.safelink.cloud]: acme: Error -\u003e One or more domains had a problem:\n[safelink.cloud] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol “acme-tls/1” for tls-alpn-01 challenge, url: \n[test.safelink.cloud] acme: error: 403
:: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol “acme-tls/1” for tls-alpn-01 challenge, url: \n”,“time”:“2019-02-09T19:44:07Z”}
{“level”:“debug”,“msg”:“Received Kubernetes event kind *v1.Endpoints”,“time”:“2019-02-09T19:44:07Z”}
$ helm list -a | grep traefik
guiding-penguin 1 Sun Feb 10 03:42:33 2019 DEPLOYED traefik-1.59.2 1.7.7 kube-system
Thanks
jsha
February 9, 2019, 9:08pm
This seems like something other than Traefik might be listening on that port. Can you double check if anything else has the port?
With errors like this, what incoming/outgoing ports do I need to open? Incoming ports 80 and 443 are already open.
Thanks.
{“level”:“info”,“msg”:“legolog: [INFO] [qa1-traefik-ui.safelinkdatarooms.com ] acme: Obtaining bundled SAN certificate”,“time”:“2019-02-11T11:58:20Z”}
{“level”:“info”,“msg”:“legolog: [INFO] [qa1.safelinkdatarooms.com ] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz/EuitfXIRH_tKBk-1F88bKODmGKXqGUpvt4TJvUc15BY",“time”:"2019-02-11T11:58:21Z ”}
{“level”:“info”,“msg”:“legolog: [INFO] [qa1.safelinkdatarooms.com ] acme: use tls-alpn-01 solver”,“time”:“2019-02-11T11:58:21Z”}
{“level”:“info”,“msg”:“legolog: [INFO] [qa1.safelinkdatarooms.com ] acme: Trying to solve TLS-ALPN-01”,“time”:“2019-02-11T11:58:21Z”}
{“level”:“info”,“msg”:“legolog: [INFO] [qa1-traefik-ui.safelinkdatarooms.com ] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz/2JTS1W3juPJULYN7l6tKovHgxnsEKRyTgH53vgl2tJE",“time”:"2019-02-11T11:58:21Z ”}
{“level”:“info”,“msg”:“legolog: [INFO] [qa1-traefik-ui.safelinkdatarooms.com ] acme: use tls-alpn-01 solver”,“time”:“2019-02-11T11:58:21Z”}
{“level”:“info”,“msg”:“legolog: [INFO] [qa1-traefik-ui.safelinkdatarooms.com ] acme: Trying to solve TLS-ALPN-01”,“time”:“2019-02-11T11:58:21Z”}
{“level”:“info”,“msg”:“Server configuration reloaded on :443”,“time”:“2019-02-11T11:58:30Z”}
{“level”:“info”,“msg”:“Server configuration reloaded on :8080”,“time”:“2019-02-11T11:58:30Z”}
{“level”:“info”,“msg”:“Server configuration reloaded on :80”,“time”:“2019-02-11T11:58:30Z”}
{“level”:“error”,“msg”:“Unable to obtain ACME certificate for domains “qa1-traefik-ui.safelinkdatarooms.com ” detected thanks to rule “Host:qa1-traefik-ui.safelinkdatarooms.com” : unable to generate a certificate for the domains [qa1-traefik-ui.safelinkdatarooms.com ]: acme: Error -\u003e One or more domains had a problem:\n[qa1-traefik-ui.safelinkdatarooms.com ] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Timeout during connect (likely firewall problem), url: \n”,“time”:“2019-02-11T11:58:35Z”}
{“level”:“error”,“msg”:“Unable to obtain ACME certificate for domains “qa1.safelinkdatarooms.com ” : unable to generate a certificate for the domains [qa1.safelinkdatarooms.com ]: acme: Error -\u003e One or more domains had a problem:\n[qa1.safelinkdatarooms.com ] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Timeout during connect (likely firewall problem), url: \n”,“time”:“2019-02-11T11:58:35Z”}
TLS-ALPN-01 validation just uses port 443.
I can connect to it.
Even Let’s Encrypt can connect to it when Let’s Debug tries.
https://letsdebug.net/qa1-traefik-ui.safelinkdatarooms.com/22430?debug=y
Maybe there was a temporary Internet routing issue?
Almost working now. But what is the reason why it is giving me a *.example.com certificate?
Thanks for all your help.
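The three ACME failures seen in this thread (`rateLimited`, `unauthorized` on tls-alpn-01, and `connection`) can be separated mechanically from Traefik's JSON log output. The following is an added example, not code from any poster, Traefik or Let's Encrypt: a Python triage that extracts each ACME problem and pairs it with the first check the replies above suggest. The sample lines, the placeholder domains and the hint wording are constructed for illustration.

```python
import json
import re

# Constructed sample lines modelled on the Traefik 1.7 output in this thread
# (placeholder domains; straight quotes so that each log entry is valid JSON).
SAMPLE_LOG = r'''
{"level":"error","msg":"Unable to obtain ACME certificate for domains \"a.example.test\" : cannot get ACME client get directory at https://acme-v02.api.letsencrypt.org/directory : acme: error: 0 :: GET :: https://acme-v02.api.letsencrypt.org/directory :: urn:ietf:params:acme:error:rateLimited :: Your IP, x.x.x.x, has been blocked due to ridiculously excessive traffic.","time":"2019-02-08T07:15:30Z"}
10.240.0.4 - - [08/Feb/2019:07:20:36 +0000] "GET / HTTP/1.1" 301 17
{"level":"error","msg":"acme: Error -> One or more domains had a problem:\n[a.example.test] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge, url: \n[b.example.test] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge, url: \n","time":"2019-02-09T19:44:07Z"}
{"level":"info","msg":"Server configuration reloaded on :443","time":"2019-02-11T11:58:30Z"}
{"level":"error","msg":"acme: Error -> One or more domains had a problem:\n[c.example.test] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Timeout during connect (likely firewall problem), url: \n","time":"2019-02-11T11:58:35Z"}
'''

# Optional "[domain] " prefix, HTTP status, optional "METHOD :: URL :: ", then the ACME error URN.
ACME_ERR = re.compile(
    r'(?:\[(?P<domain>[^\]\s]+)\s*\] )?acme: error: (?P<status>\d+) :: '
    r'(?:\w+ :: \S+ :: )?urn:ietf:params:acme:error:(?P<type>\w+) :: (?P<detail>[^\n]*)')

# First thing to check per error type (a summary of the replies in this thread).
HINTS = {
    "rateLimited": "client IP blocked by the CA: stop the retry loop, then ask for review",
    "unauthorized": "443 answered without acme-tls/1: check what is listening on 443",
    "connection": "validator could not reach 443: check firewall and routing",
}

def triage(log_text):
    """Return one (time, domain, error_type, hint) tuple per ACME problem found."""
    findings = []
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # access-log lines and blank lines are not JSON
        if not isinstance(entry, dict) or entry.get("level") != "error":
            continue
        for m in ACME_ERR.finditer(entry.get("msg", "")):
            domain = m["domain"] or "(all domains)"  # directory errors name no domain
            hint = HINTS.get(m["type"], "unrecognised ACME error type")
            findings.append((entry.get("time", "?"), domain, m["type"], hint))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(" | ".join(finding))
```
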