Let's Encrypt rate limit problem caused by Traefik TLS onDemand when we set a DNS wildcard

Hello,

As you can read on the Let's Encrypt forum here, we have reached the rate limit of 50 certs / week because of our server configuration.

Like other companies, we've added a wildcard in our DNS to match all subdomains (except www) and point them to our staging server. Each developer can then push their Git branch, and our CI/CD creates the container in our Kubernetes with a new Ingress rule to support TLS for this subdomain/branch (of course, there is a .htpasswd for these subdomains).

This has worked fine for many months, but for a few weeks we have been receiving a lot of attacks on our servers, so we tried to move to another server to investigate, and we were blocked from renewing some of our production TLS certs.

Someone has tried to reach some random subdomains (maybe to discover services and find security holes), but when they do that, Traefik seems to request a TLS cert from Let's Encrypt even if there is no Ingress route that matches! So each time, this reduces our rate limit :cry:

We have temporarily removed our DNS wildcard to stop the attack and allow us to recreate our production TLS certs in a few days.

Do you know how to prevent this kind of problem? Maybe Traefik could check if the route/ingress exists before requesting a TLS cert?

Thanks

Hello,

Could you provide your configuration?

Do you have onDemand=true?

Hello @ldez
Thanks for your answer, here is my config:


apiVersion: v1
data:
  traefik.toml: |
    # traefik.toml
    logLevel = "INFO"
    defaultEntryPoints = ["http","https"]
    passHostHeader = true
    [entryPoints]
      [entryPoints.http]
      address = ":80"
      compress = true
      passHostHeader = true
        [entryPoints.http.proxyProtocol]
          trustedIPs = ["127.0.0.1/8", "10.0.0.1/8", "192.168.1.1/8", "10.3.73.88", "51.83.88.183", "51.75.193.43"]
          insecure = true
        [entryPoints.http.forwardedHeaders]
          trustedIPs = ["127.0.0.1/8", "10.0.0.1/8", "192.168.1.1/8", "10.3.73.88", "51.83.88.183", "51.75.193.43"]
        [entryPoints.http.redirect]
          regex = "^http://(.*)"
          replacement = "https://$1"
      [entryPoints.https]
      address = ":443"
      compress = true
        [entryPoints.https.proxyProtocol]
          trustedIPs = ["127.0.0.1/8", "10.0.0.1/8", "192.168.1.1/8", "10.3.73.88", "51.83.88.183", "51.75.193.43"]
          insecure = true
        [entryPoints.https.forwardedHeaders]
          trustedIPs = ["127.0.0.1/8", "10.0.0.1/8", "192.168.1.1/8", "10.3.73.88", "51.83.88.183", "51.75.193.43"]
        [entryPoints.https.tls]
          [[entryPoints.https.tls.certificates]]
          CertFile = "/ssl/tls.crt"
          KeyFile = "/ssl/tls.key"
    [kubernetes]
    [traefikLog]
      format = "json"
    [acme]
    email = "our@email.com"
    storage = "/acme/acme.json"
    entryPoint = "https"
    onDemand = true
    onHostRule = true
      [acme.tlsChallenge]
kind: ConfigMap
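The following is an added illustration, not code from the thread or from Traefik itself. It models the behaviour described in the first post (a wildcard DNS record plus on-demand ACME means every probed hostname costs a certificate from the 50-per-week budget) against the two ACME switches visible in the config above. It assumes the Traefik 1.x semantics that `onDemand = true` requests a certificate on the first TLS handshake for any hostname that does not yet have one, while `onHostRule = true` only requests certificates for hosts present on an Ingress/frontend Host rule; the Ingress hosts and the handshake hostnames are constructed sample data.

```python
"""
Added example (not from the thread or from Traefik): which TLS hostnames would
trigger an ACME order under onDemand=true versus onDemand=false/onHostRule=true,
and how quickly unsolicited SNI probes against a wildcard DNS record burn the
50-certificates-per-week budget the thread mentions.

Assumed Traefik 1.x semantics: onDemand orders a cert for any handshake
hostname without one; onHostRule orders only for hosts on an Ingress rule.
"""
from __future__ import annotations

from dataclasses import dataclass, field

WEEKLY_CERT_LIMIT = 50  # the Let's Encrypt limit the thread hits


def normalize(host: str) -> str:
    """Lower-case and strip a trailing dot so SNI values compare consistently."""
    return host.lower().rstrip(".")


@dataclass
class AcmePolicy:
    """Minimal model of the two Traefik 1.x ACME switches (assumed semantics)."""
    on_demand: bool
    on_host_rule: bool
    ingress_hosts: frozenset[str]
    issued: set[str] = field(default_factory=set)

    def should_request_cert(self, sni_host: str) -> bool:
        host = normalize(sni_host)
        if host in self.issued:
            return False                 # already holds a cert, no new order
        if self.on_host_rule and host in self.ingress_hosts:
            return True                  # host is on an Ingress rule
        return self.on_demand            # onDemand: any unknown SNI triggers an order

    def handle_handshake(self, sni_host: str) -> bool:
        """Return True when this handshake would cause a new ACME order."""
        if self.should_request_cert(sni_host):
            self.issued.add(normalize(sni_host))
            return True
        return False


def simulate(policy: AcmePolicy, sni_hosts: list[str]) -> dict:
    """Replay handshake SNI values and summarise the certificate budget impact."""
    requested = [normalize(h) for h in sni_hosts if policy.handle_handshake(h)]
    unrouted = [h for h in requested if h not in policy.ingress_hosts]
    return {
        "cert_requests": len(requested),
        "unrouted_requests": len(unrouted),          # certs for hosts with no route
        "budget_remaining": WEEKLY_CERT_LIMIT - len(requested),
        "limit_exceeded": len(requested) > WEEKLY_CERT_LIMIT,
    }


# Constructed sample data: two branch Ingress hosts, as in the thread's workflow.
INGRESS_HOSTS = frozenset({
    "feature-login.staging.example.com",
    "feature-search.staging.example.com",
})


def sample_handshakes() -> list[str]:
    """Constructed traffic: legitimate branch hosts plus 60 random subdomain probes."""
    legit = ["feature-login.staging.example.com",
             "Feature-Search.staging.example.com"] * 2   # repeats, mixed case
    probes = [f"probe{i}.staging.example.com" for i in range(60)]
    return legit + probes


def compare(sni_hosts: list[str] | None = None) -> dict:
    """Run the same traffic through the as-posted config and the hardened one."""
    hosts = sample_handshakes() if sni_hosts is None else list(sni_hosts)
    as_configured = AcmePolicy(on_demand=True, on_host_rule=True,
                               ingress_hosts=INGRESS_HOSTS)
    hardened = AcmePolicy(on_demand=False, on_host_rule=True,
                          ingress_hosts=INGRESS_HOSTS)
    return {
        "onDemand=true": simulate(as_configured, hosts),
        "onDemand=false": simulate(hardened, hosts),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

With the posted settings, every distinct probed hostname becomes an ACME order, so 60 probes plus 2 real branch hosts overrun the weekly limit before any production renewal gets a chance; with `onDemand` off and `onHostRule` kept, only the two hosts that actually have an Ingress rule are ordered, which is the "check whether the route exists first" behaviour the first post asks for.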