Let's Encrypt IPs Blocked by CAPI – Need Whitelisting Guidance

It looks like some Let's Encrypt IPs are being blocked at the CAPI level. I am using the CrowdSec NGINX bouncer. As a result, certificate issuance/renewal is failing. Could you please advise on a proper workaround or whitelist method to allow these? Below are the IPs that were recently banned:
23.178.112.219
16.171.112.52
13.51.47.36
18.117.223.154
47.129.118.160
13.212.185.202
66.133.109.36
Any recommendations on whitelisting them permanently or excluding Let's Encrypt infrastructure would be greatly appreciated.
CrowdSec (6mo ago)
Important Information
This post has been marked as resolved. If this is a mistake please press the red button below or type /unresolve
bui (6mo ago)
Hey, having a look 🙂 Normally we're excluding LE IPs from BLs etc. based on RDNS. Oh, somehow LE might have messed something up, the reverse DNS doesn't match:
host 23.178.112.219
219.112.178.23.in-addr.arpa domain name pointer outbound2r.letsencrypt.org.

host outbound2r.letsencrypt.org.
outbound2r.letsencrypt.org has address 23.178.112.217
The others don't have an RDNS pointing to outbound[a-z0-9].letsencrypt.org.
bui (6mo ago)
Let me see how we can flag them. For now, the best might be to use https://doc.crowdsec.net/docs/next/cscli/cscli_allowlists/
bui (6mo ago)
(Or directly via the console if you have an ent acc.) PS: we're actively working on improving this to allow us to also tag IPs from LE that don't have RDNS or such.
thatwhiff (OP, 6mo ago)
Great, thanks.
CrowdSec (6mo ago)
Resolving Let's Encrypt IPs Blocked by CAPI – Need Whitelisting Guidance
This has now been resolved. If you think this is a mistake please run /unresolve
thatwhiff (OP, 5mo ago)
Some fresh list of IPs which have got banned:
23.178.112.219
13.61.9.235
16.16.220.36
3.147.78.34
23.178.112.219
13.215.183.158
23.178.112.219
3.21.75.240
13.61.9.235
13.60.84.235
16.171.61.25
3.144.1.220
47.129.109.99
18.117.177.114
Loz (5mo ago)
Here's a quick report. Out of those IPs, 1 is classified as fake RDNS, which means the RDNS came to LE, but then a forward DNS lookup did not result in the same output.
Report ID: 4
Report Name: Pulse-Quantum-Report
Creation Date: 2025-07-30 22:51:48
File path: /tmp/ips.txt
SHA256: e1537fb95d2f6f6bad022f316cdf77708161fe3630a1553bf6e065ec061ba0dd
Number of IPs: 11
Number of known IPs: 1 (9%)
Number of IPs in Blocklist: 1 (9%)

Top Reputation
Unknown 10 (91%)
Malicious 1 (9%)

Top Classifications
CrowdSec Community Blocklist 1 (9%)
Fake RDNS 1 (9%)

Top Behaviors
HTTP Scan 1 (9%)
Scan attempt 1 (9%)
HTTP Crawl 1 (9%)
HTTP DoS 1 (9%)
HTTP Exploit 1 (9%)

Top Blocklists
CrowdSec Intelligence Blocklist 1 (9%)

Top IP Ranges
unknown 10 (91%)
23.178.112.0/24 1 (9%)

Top Autonomous Systems
unknown 10 (91%)
Cloudflare London, LLC 1 (9%)

Top Countries
unknown 10 (91%)
US 1 (9%)
Here is the problem:
$ dig -x 23.178.112.219
; <<>> DiG 9.20.11 <<>> -x 23.178.112.219
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59153
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;219.112.178.23.in-addr.arpa. IN PTR

;; ANSWER SECTION:
219.112.178.23.in-addr.arpa. 300 IN PTR outbound2r.letsencrypt.org.

$ dig outbound2r.letsencrypt.org.
; <<>> DiG 9.20.11 <<>> outbound2r.letsencrypt.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9920
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;outbound2r.letsencrypt.org. IN A

;; ANSWER SECTION:
outbound2r.letsencrypt.org. 300 IN A 23.178.112.217

;; Query time: 31 msec
;; SERVER: 10.72.1.1#53(10.72.1.1) (UDP)
;; WHEN: Thu Jul 31 07:32:40 BST 2025
;; MSG SIZE rcvd: 71
Both RDNS and forward DNS (name to IP) need to match, or else we open ourselves to spoofing, hence the fake RDNS tag.
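The check bui and Loz describe above is forward-confirmed reverse DNS (FCrDNS): reverse-resolve the IP to a PTR name, forward-resolve that name, and only trust the PTR if the original IP is among the forward answers. The script below is an added example of that logic, not CrowdSec's or Let's Encrypt's code. The `outbound[a-z0-9].letsencrypt.org` pattern is taken from bui's post, and the `23.178.112.219` / `outbound2r.letsencrypt.org` / `23.178.112.217` entries reproduce the dig output above; the PTR for `23.178.112.217`, the `ec2-...amazonaws.com` PTR and the IP with no PTR at all are constructed assumptions so the script runs offline. `system_resolver()` swaps in live OS lookups for real use.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for Let's Encrypt outbound hosts.

Added example, not CrowdSec or Let's Encrypt code. DEMO_RESOLVER is constructed
offline data: the 23.178.112.219 / outbound2r / .217 entries mirror the thread's
dig output, the remaining entries are assumptions for illustration only.
"""
import ipaddress
import re
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# PTR shape bui reports as the Let's Encrypt marker: outbound[a-z0-9].letsencrypt.org
LE_PTR = re.compile(r"^outbound[a-z0-9]+\.letsencrypt\.org\.?$", re.IGNORECASE)

# A resolver is a pair of callables so the check can run offline in tests:
#   ptr(ip)   -> PTR name or None
#   fwd(name) -> iterable of A/AAAA addresses for that name
Resolver = Tuple[Callable[[str], Optional[str]], Callable[[str], Iterable[str]]]


@dataclass(frozen=True)
class FcrdnsResult:
    ip: str
    ptr: Optional[str]          # reverse lookup result, None if no PTR record
    forward: Tuple[str, ...]    # what the PTR name resolves back to
    status: str                 # "no_rdns" | "fake_rdns" | "confirmed"

    @property
    def is_letsencrypt(self) -> bool:
        """Only a *confirmed* LE-looking PTR counts; a bare PTR is spoofable."""
        return self.status == "confirmed" and bool(LE_PTR.match(self.ptr or ""))


def classify(ip: str, resolver: Resolver) -> FcrdnsResult:
    """Reverse-resolve ip, then forward-resolve the PTR name and require ip
    to be among the answers (the same two steps Loz runs with dig)."""
    ptr_lookup, fwd_lookup = resolver
    addr = str(ipaddress.ip_address(ip))          # normalise, reject junk input
    ptr = ptr_lookup(addr)
    if ptr is None:
        return FcrdnsResult(addr, None, (), "no_rdns")
    # Normalise forward answers too, so equivalent IPv6 spellings compare equal
    forward = tuple(sorted(str(ipaddress.ip_address(a)) for a in fwd_lookup(ptr)))
    status = "confirmed" if addr in forward else "fake_rdns"
    return FcrdnsResult(addr, ptr, forward, status)


def letsencrypt_confirmed(ips: Iterable[str], resolver: Resolver) -> List[str]:
    """Deduplicate a ban list and return only the IPs safe to treat as LE."""
    seen: Dict[str, FcrdnsResult] = {}
    for ip in ips:
        r = classify(ip, resolver)
        seen.setdefault(r.ip, r)
    return [ip for ip, r in seen.items() if r.is_letsencrypt]


def system_resolver() -> Resolver:
    """Live lookups through the OS resolver; not used by the offline demo."""
    def ptr(ip: str) -> Optional[str]:
        try:
            return socket.gethostbyaddr(ip)[0]
        except (socket.herror, socket.gaierror):
            return None

    def fwd(name: str) -> List[str]:
        try:
            return [ai[4][0] for ai in socket.getaddrinfo(name, None)]
        except socket.gaierror:
            return []
    return ptr, fwd


# --- Constructed offline data -------------------------------------------------
# 23.178.112.219 -> outbound2r -> 23.178.112.217 reproduces the thread's dig output.
# The .217 PTR, the ec2-style PTR and the missing PTR are assumptions, not page data.
_PTR = {
    "23.178.112.219": "outbound2r.letsencrypt.org.",
    "23.178.112.217": "outbound2r.letsencrypt.org.",
    "13.61.9.235": "ec2-13-61-9-235.eu-north-1.compute.amazonaws.com.",
}
_A = {
    "outbound2r.letsencrypt.org.": ["23.178.112.217"],
    "ec2-13-61-9-235.eu-north-1.compute.amazonaws.com.": ["13.61.9.235"],
}
DEMO_RESOLVER: Resolver = (_PTR.get, lambda name: _A.get(name, []))

if __name__ == "__main__":
    for ip in ["23.178.112.219", "23.178.112.217", "13.61.9.235", "16.171.61.25"]:
        r = classify(ip, DEMO_RESOLVER)
        print(f"{r.ip:16} {r.status:10} ptr={r.ptr} le={r.is_letsencrypt}")
```

Run against the demo data, `23.178.112.219` comes back `fake_rdns` exactly as in Loz's report, the constructed `23.178.112.217` is the only address `letsencrypt_confirmed` would hand to an allowlist, and an AWS-style PTR that confirms fine is still not treated as Let's Encrypt because the name does not match. An IP that fails this check should be allowlisted by hand (for example via `cscli allowlists`, per the docs bui linked) only after you have confirmed its origin some other way; the PTR alone is not evidence.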
thatwhiff (OP, 5mo ago)
OK, got it.