Unblock ip, ridiculously excessive traffic

Hi, I’m now in the process of updating our config.

First it was cert-manager (we got an email that we were sending ridiculously excessive traffic), and we have now replaced it with Traefik. I pointed it at https://acme-staging-v02.api.letsencrypt.org but I got ACME error 403, then I changed to https://acme-v02.api.letsencrypt.org and I got the error below.

{“level”:“error”,“msg”:"Unable to obtain ACME certificate for domains “domain.cloud,test.domain.cloud” : cannot get ACME client get directory at ‘https://acme-v02.api.letsencrypt.org/directory’: acme: error: 0 :: GET :: https://acme-v02.api.letsencrypt.org/directory :: urn:ietf:params:acme:error:rateLimited :: Your IP, x.x.x.x, has been blocked due to ridiculously excessive traffic. Once this is corrected you may request this be reviewed on our forum https://community.letsencrypt.org , url: ",“time”:“2019-02-08T07:15:30Z”}
{“level”:“error”,“msg”:"Unable to obtain ACME certificate for domains “traefik-ui.domain.cloud” detected thanks to rule “Host:traefik-ui.domain.cloud” : cannot get ACME client get directory at ‘https://acme-v02.api.letsencrypt.org/directory’: acme: error: 0 :: GET :: https://acme-v02.api.letsencrypt.org/directory :: urn:ietf:params:acme:error:rateLimited :: Your IP, x.x.x.x, has been blocked due to ridiculously excessive traffic. Once this is corrected you may request this be reviewed on our forum https://community.letsencrypt.org , url: ",“time”:“2019-02-08T07:15:30Z”}
10.240.0.4 - - [08/Feb/2019:07:20:36 +0000] “GET / HTTP/1.1” 301 17 “-” “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36” 1 “entrypoint redirect for http” “/” 200ms
{“level”:“warning”,“msg”:“A new release has been found: 1.7.8. Please consider updating.”,“time”:“2019-02-08T07:25:19Z”}

Can anyone from Let’s Encrypt review my email and unblock my IP so I could test? I’ve sent it to [redacted].

Regards,

Jay Amorin

Hi @jayamorin,

I’ll file a ticket to unblock your IP address. Would you send me the address either here or in a private message?

1 Like

I’ve sent it on private message.

Thanks,

Jay Amorin

Hi @jayamorin,

Your IP address has been unblocked.

Kudos to the coder!
"Ridiculousness" is usually quite difficult to gauge/measure precisely - LOL

I now got a different error. Do you have any idea how to fix this error?

{“level”:“debug”,“msg”:“Skipping Kubernetes event kind *v1.Endpoints”,“time”:“2019-02-09T19:44:06Z”}
{“level”:“debug”,“msg”:“TLS Challenge CleanUp temp certificate for test.safelink.cloud”,“time”:“2019-02-09T19:44:07Z”}
{“level”:“error”,“msg”:“Unable to obtain ACME certificate for domains “safelink.cloud,test.safelink.cloud” : unable to generate a certificate for the domains [safelink.cloud test.safelink.cloud]: acme: Error -\u003e One or more domains had a problem:\n[safelink.cloud] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol “acme-tls/1” for tls-alpn-01 challenge, url: \n[test.safelink.cloud] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol “acme-tls/1” for tls-alpn-01 challenge, url: \n”,“time”:“2019-02-09T19:44:07Z”}
{“level”:“debug”,“msg”:“Received Kubernetes event kind *v1.Endpoints”,“time”:“2019-02-09T19:44:07Z”}

$ helm list -a | grep traefik
guiding-penguin 1 Sun Feb 10 03:42:33 2019 DEPLOYED traefik-1.59.2 1.7.7 kube-system

Thanks

This seems like something other than Traefik might be listening on that port. Can you double check if anything else has the port?

With errors like this, what incoming/outgoing ports do I need open? Incoming ports 80 and 443 are already open.

Thanks.

{“level”:“info”,“msg”:“legolog: [INFO] [qa1-traefik-ui.safelinkdatarooms.com] acme: Obtaining bundled SAN certificate”,“time”:“2019-02-11T11:58:20Z”}
{“level”:“info”,“msg”:“legolog: [INFO] [qa1.safelinkdatarooms.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz/EuitfXIRH_tKBk-1F88bKODmGKXqGUpvt4TJvUc15BY",“time”:"2019-02-11T11:58:21Z”}
{“level”:“info”,“msg”:“legolog: [INFO] [qa1.safelinkdatarooms.com] acme: use tls-alpn-01 solver”,“time”:“2019-02-11T11:58:21Z”}
{“level”:“info”,“msg”:“legolog: [INFO] [qa1.safelinkdatarooms.com] acme: Trying to solve TLS-ALPN-01”,“time”:“2019-02-11T11:58:21Z”}
{“level”:“info”,“msg”:“legolog: [INFO] [qa1-traefik-ui.safelinkdatarooms.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz/2JTS1W3juPJULYN7l6tKovHgxnsEKRyTgH53vgl2tJE",“time”:"2019-02-11T11:58:21Z”}
{“level”:“info”,“msg”:“legolog: [INFO] [qa1-traefik-ui.safelinkdatarooms.com] acme: use tls-alpn-01 solver”,“time”:“2019-02-11T11:58:21Z”}
{“level”:“info”,“msg”:“legolog: [INFO] [qa1-traefik-ui.safelinkdatarooms.com] acme: Trying to solve TLS-ALPN-01”,“time”:“2019-02-11T11:58:21Z”}
{“level”:“info”,“msg”:“Server configuration reloaded on :443”,“time”:“2019-02-11T11:58:30Z”}
{“level”:“info”,“msg”:“Server configuration reloaded on :8080”,“time”:“2019-02-11T11:58:30Z”}
{“level”:“info”,“msg”:“Server configuration reloaded on :80”,“time”:“2019-02-11T11:58:30Z”}
{“level”:“error”,“msg”:“Unable to obtain ACME certificate for domains “qa1-traefik-ui.safelinkdatarooms.com” detected thanks to rule “Host:qa1-traefik-ui.safelinkdatarooms.com” : unable to generate a certificate for the domains [qa1-traefik-ui.safelinkdatarooms.com]: acme: Error -\u003e One or more domains had a problem:\n[qa1-traefik-ui.safelinkdatarooms.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Timeout during connect (likely firewall problem), url: \n”,“time”:“2019-02-11T11:58:35Z”}
{“level”:“error”,“msg”:“Unable to obtain ACME certificate for domains “qa1.safelinkdatarooms.com” : unable to generate a certificate for the domains [qa1.safelinkdatarooms.com]: acme: Error -\u003e One or more domains had a problem:\n[qa1.safelinkdatarooms.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Timeout during connect (likely firewall problem), url: \n”,“time”:“2019-02-11T11:58:35Z”}

TLS-ALPN-01 validation just uses port 443.

I can connect to it.

Even Let’s Encrypt can connect to it when Let’s Debug tries.

https://letsdebug.net/qa1-traefik-ui.safelinkdatarooms.com/22430?debug=y

Maybe there was a temporary Internet routing issue?

1 Like
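The three ACME failures seen in this thread (`rateLimited`, `unauthorized` on the tls-alpn-01 challenge, and `connection`) can be pulled out of Traefik's JSON log per domain, so a retry loop is noticed before it turns into an IP block. This is an added example, not code from the thread or from Traefik; the sample log lines are constructed (example.com names, a documentation IP) and the hint texts are assumptions based on the replies above.

```python
import json
import re
from collections import Counter

# Constructed sample modelled on the Traefik 1.7 logs in this thread (not real output).
SAMPLE_LOG = r'''
{"level":"error","msg":"Unable to obtain ACME certificate for domains \"example.com,test.example.com\" : cannot get ACME client get directory :: urn:ietf:params:acme:error:rateLimited :: Your IP has been blocked","time":"2019-02-08T07:15:30Z"}
203.0.113.7 - - [08/Feb/2019:07:20:36 +0000] "GET / HTTP/1.1" 301 17
{"level":"error","msg":"Unable to obtain ACME certificate for domains \"example.com,test.example.com\" : acme: Error -> One or more domains had a problem:\n[example.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge\n[test.example.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","time":"2019-02-09T19:44:07Z"}
{"level":"error","msg":"Unable to obtain ACME certificate for domains \"ui.example.com\" detected thanks to rule \"Host:ui.example.com\" : acme: Error -> One or more domains had a problem:\n[ui.example.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Timeout during connect (likely firewall problem)","time":"2019-02-11T11:58:35Z"}
'''

# Hint per ACME error type (assumed wording, drawn from the replies in this thread).
HINTS = {
    "rateLimited": "stop the client's retry loop, then request a review",
    "unauthorized": "check what answers TLS on 443; it must negotiate acme-tls/1",
    "connection": "check inbound firewall / load balancer rules for port 443",
}

ERR = re.compile(r"urn:ietf:params:acme:error:(\w+)")
PER_DOMAIN = re.compile(r"\[([\w.-]+)\] acme: error: \d+ :: urn:ietf:params:acme:error:(\w+)")
DOMAINS = re.compile(r'for domains "([^"]+)"')

def triage(log_text):
    """Count error-level ACME failures keyed by (domain, acme_error_type)."""
    hits = Counter()
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # access-log lines and other non-JSON output
        if not isinstance(rec, dict) or rec.get("level") != "error":
            continue
        msg = rec.get("msg", "")
        pairs = PER_DOMAIN.findall(msg)
        if not pairs:  # directory-level failure: applies to every requested domain
            err, doms = ERR.search(msg), DOMAINS.search(msg)
            if err and doms:
                pairs = [(d, err.group(1)) for d in doms.group(1).split(",")]
        hits.update(pairs)
    return hits

def report(hits):
    """One line per (domain, error) with its count and the matching hint."""
    return [f"{d}: {e} x{n} -> {HINTS.get(e, 'no hint')}" for (d, e), n in sorted(hits.items())]

if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```

A count that keeps climbing for the same (domain, error) pair is the signal to stop the client and fix the cause rather than let it retry.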

Almost working now. But what is the reason why it is giving me a *.example.com certificate?

Thanks for all your help.
