Treat rejectedIdentifier as a permanent failure #2194

Closed
jsha opened this issue Oct 10, 2019 · 3 comments · Fixed by #2198
Labels
area/acme Indicates a PR directly modifies the ACME Issuer code kind/bug Categorizes issue or PR as related to a bug.

Comments

@jsha
Contributor

jsha commented Oct 10, 2019

We have one cert-manager client in our logs doing 10,000 requests every 15 minutes, trying to issue for this invalid domain name:

400 :: rejectedIdentifier :: Error creating new order :: Cannot issue for \"go-api-boilerplate.local\": Name does not end in a public suffix

cert-manager should internally store rejectedIdentifier errors and treat them as permanent errors, so it never tries to issue for that same identifier again.

@munnerz
Member

munnerz commented Oct 11, 2019

I've opened #2198 to handle this - I think we're safe to treat all 4xx errors as something we should halt operating on (as it usually indicates bad configuration/input).

/kind bug
/area acme

@jetstack-bot jetstack-bot added kind/bug Categorizes issue or PR as related to a bug. area/acme Indicates a PR directly modifies the ACME Issuer code labels Oct 11, 2019
@munnerz
Member

munnerz commented Oct 11, 2019

To clarify here, the issue described in #2196 I do not think is caused specifically by us not persisting this error somewhere - in the normal case, upon receiving this error we'd apply a regular 'back off' which caps out at retrying once every 30 minutes.

I think in the #2196 case, it is coincidental that they are receiving this error as well as causing a large number of requests.

@jsha
Contributor Author

jsha commented Oct 11, 2019

Yep, agreed that #2196 is a separate issue. I saw a different client that was sending lots of requests for the invalid name go-api-boilerplate.local (which I think comes from some template code somewhere).
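
The behaviour requested in this issue, as an added Go example (not cert-manager's code and not part of the thread): a hypothetical `Tracker` stores identifiers rejected with `rejectedIdentifier` or another 4xx and never retries them, while `badNonce` and `rateLimited`, which are transient conditions in RFC 8555, get a backoff capped at the 30 minutes mentioned above. The `Problem`, `Permanent` and `Tracker` names, the doubling backoff schedule and the JSON sample are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Problem is the RFC 7807 error document an ACME server returns.
type Problem struct {
	Type   string `json:"type"`
	Detail string `json:"detail"`
	Status int    `json:"status"`
}

// Permanent reports whether repeating the same request can never succeed.
func Permanent(p Problem) bool {
	switch strings.TrimPrefix(p.Type, "urn:ietf:params:acme:error:") {
	case "badNonce", "rateLimited": // 4xx responses that are transient
		return false
	case "rejectedIdentifier": // permanent even if the optional status is absent
		return true
	}
	return p.Status >= 400 && p.Status < 500
}

// Tracker (hypothetical) maps permanently rejected identifiers to the reason.
type Tracker map[string]string

// Record returns retry=false for a permanent rejection, else the backoff delay.
func (t Tracker) Record(name string, body []byte, attempt int) (delay time.Duration, retry bool) {
	var p Problem
	if err := json.Unmarshal(body, &p); err == nil && Permanent(p) {
		t[name] = p.Detail
		return 0, false
	}
	if attempt < 0 || attempt > 4 { // assumed doubling backoff, capped at 30 minutes
		return 30 * time.Minute, true
	}
	return time.Minute << uint(attempt), true
}

func main() {
	// Constructed JSON form of the error quoted in the issue.
	body := `{"type":"urn:ietf:params:acme:error:rejectedIdentifier","status":400,"detail":"Name does not end in a public suffix"}`
	t := Tracker{}
	_, retry := t.Record("go-api-boilerplate.local", []byte(body), 0)
	fmt.Println(retry, t["go-api-boilerplate.local"])
}
```

A caller would check the map before creating a new order and surface the stored detail to the user instead of contacting the CA again.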
