LE: Too many invalid authorizations recently #587

Closed
tamalsaha opened this issue Oct 6, 2017 · 2 comments

@tamalsaha
Member

commented Oct 6, 2017

conditions:
- lastUpdateTime: 2017-10-06T10:49:11Z
  reason: 'failed to create certificate. Reason: example.com: acme: Error 429
    - urn:acme:error:rateLimited - Error creating new authz :: Too many invalid
    authorizations recently.'
  type: RateLimited

@leonth

commented Dec 27, 2017

I am trying to issue a cert using the HTTP-01 challenge, and I have created the cert, but validation failed: acme: Error 403 - urn:acme:error:unauthorized - Invalid response from http://example.com/.well-known/acme-challenge/ajaKN1Y6M3629Xr5EKHSJ4SgM1Ti89Gv2Owf_JI-5u8 (404 not found follows)

When looking at the configmap generated for haproxy, the frontend section is as such:

frontend http-0_0_0_0-80
  bind *:80 
  mode http
  option httplog
  option forwardfor
  acl is_proxy_https hdr(X-Forwarded-Proto) https
  acl host_acl_example.com hdr(host) -i example.com
  acl host_acl_example.com hdr(host) -i example.com:80
  use_backend adminer.default:4180-jjppyc if host_acl_example.com
  acl host_acl_ww2.example.com hdr(host) -i ww2.example.com
  acl host_acl_ww2.example.com hdr(host) -i ww2.example.com:80
  use_backend arthur-oauth-protected.core:80-uzzpm5 if host_acl_ww2.example.com
  acl url_acl___.well-known_acme-challenge_ path_beg /.well-known/acme-challenge/
  use_backend voyager-common-ingress.default:56791-tekat2 if  url_acl___.well-known_acme-challenge_

So it seems that /.well-known/acme-challenge/ does not get matched early enough in the haproxy config.

I am using 5.0.0-rc8.

@leonth

commented Dec 27, 2017

I can confirm that rolling back to 5.0.0-rc3 fixes the issue. The generated frontend section for 5.0.0-rc3 is:

frontend http-80
  bind *:80 
  mode http

  
  option httplog
  option forwardfor
  
  
  
  
  acl url_acl_voyager-common-ingress.default:56791-sap6gs path_beg /.well-known/acme-challenge/
  use_backend voyager-common-ingress.default:56791-sap6gs if  url_acl_voyager-common-ingress.default:56791-sap6gs
  
  acl host_acl_adminer.default:4180-namq7y hdr(host) -i example.com
  acl host_acl_adminer.default:4180-namq7y hdr(host) -i example.com:80
  
  use_backend adminer.default:4180-namq7y if host_acl_adminer.default:4180-namq7y
  
  acl host_acl_arthur-oauth-protected.core:80-3ealro hdr(host) -i ww2.example.com
  acl host_acl_arthur-oauth-protected.core:80-3ealro hdr(host) -i ww2.example.com:80
  
  use_backend arthur-oauth-protected.core:80-3ealro if host_acl_arthur-oauth-protected.core:80-3ealro
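
An added example, not part of the thread and not Voyager's own code: HAProxy picks the first `use_backend` rule whose ACL matches, so this Python sketch replays a challenge request against trimmed copies of the two frontend sections above and reports which backend receives it. The function names and the `constructed-token` path are assumptions made for illustration, and only `hdr(host)` and `path_beg` ACLs are modelled.

```python
# Added example: simplified first-match model; RC8/RC3 are trimmed from the thread's configs.
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
RC8 = """\
  acl host_acl_example.com hdr(host) -i example.com
  acl host_acl_example.com hdr(host) -i example.com:80
  use_backend adminer.default:4180-jjppyc if host_acl_example.com
  acl url_acl___.well-known_acme-challenge_ path_beg /.well-known/acme-challenge/
  use_backend voyager-common-ingress.default:56791-tekat2 if  url_acl___.well-known_acme-challenge_
"""
RC3 = """\
  acl url_acl_voyager-common-ingress.default:56791-sap6gs path_beg /.well-known/acme-challenge/
  use_backend voyager-common-ingress.default:56791-sap6gs if  url_acl_voyager-common-ingress.default:56791-sap6gs
  acl host_acl_adminer.default:4180-namq7y hdr(host) -i example.com
  use_backend adminer.default:4180-namq7y if host_acl_adminer.default:4180-namq7y
"""

def parse_frontend(text):
    # Returns ({acl name: [(fetch, value, ignore_case)]}, [(backend, acl name)] in file order).
    acls, rules = {}, []
    for tok in (line.split() for line in text.splitlines()):
        if len(tok) >= 4 and tok[0] == "acl":
            acls.setdefault(tok[1], []).append((tok[2], tok[-1], "-i" in tok[3:-1]))
        elif len(tok) == 4 and tok[0] == "use_backend" and tok[2] == "if":
            rules.append((tok[1], tok[3]))
    return acls, rules

def acl_matches(entries, host, path):
    # Entries sharing an ACL name are ORed; other fetch methods are skipped.
    for fetch, value, ignore_case in entries:
        subject = {"hdr(host)": host, "path_beg": path}.get(fetch)
        if subject is None:
            continue
        if ignore_case:
            subject, value = subject.lower(), value.lower()
        if subject.startswith(value) if fetch == "path_beg" else subject == value:
            return True
    return False

def route(text, host, path):
    # The first use_backend rule whose ACL matches wins; None if nothing matches.
    acls, rules = parse_frontend(text)
    return next((b for b, n in rules if acl_matches(acls.get(n, []), host, path)), None)

def challenge_shadowed(text, host):
    # True if a challenge request for this host is not routed to a challenge-path backend.
    acls, rules = parse_frontend(text)
    solvers = {b for b, n in rules
               if any(f == "path_beg" and v == CHALLENGE_PREFIX for f, v, _ in acls.get(n, []))}
    return route(text, host, CHALLENGE_PREFIX + "constructed-token") not in solvers
```

Running `challenge_shadowed` over a generated frontend before requesting a certificate catches this ordering problem without spending failed validations against the CA's rate limit.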
