CrowdSec • 3mo ago
thatwhiff

Let's Encrypt IPs Blocked by CAPI – Need Whitelisting Guidance

It looks like some Let's Encrypt IPs are being blocked at the CAPI level. I am using the CrowdSec NGINX bouncer. As a result, certificate issuance/renewal is failing. Could you please advise on a proper workaround or whitelist method to allow these? Below are the IPs that were recently banned:
23.178.112.219
16.171.112.52
13.51.47.36
18.117.223.154
47.129.118.160
13.212.185.202
66.133.109.36
Any recommendations on whitelisting them permanently or excluding Let's Encrypt infrastructure would be greatly appreciated.
9 Replies
CrowdSec
CrowdSec • 3mo ago
Important Information
This post has been marked as resolved. If this is a mistake please press the red button below or type /unresolve
© Created By WhyAydan for CrowdSec ❤️
bui
bui • 3mo ago
Hey, having a look 🙂 Normally we're excluding LE IPs from BLs etc. based on RDNS. Oh, somehow LE might have messed something up, the reverse DNS doesn't match:
host 23.178.112.219
219.112.178.23.in-addr.arpa domain name pointer outbound2r.letsencrypt.org.

host outbound2r.letsencrypt.org.
outbound2r.letsencrypt.org has address 23.178.112.217
The others don't have an RDNS pointing to outbound[a-z0-9].letsencrypt.org.
bui
bui • 3mo ago
Let me see how we can flag them. For now, the best might be to use https://doc.crowdsec.net/docs/next/cscli/cscli_allowlists/
bui
bui • 3mo ago
(or directly via the console if you have an enterprise account). PS: we're actively working on improving this to allow us to also tag IPs from LE that don't have RDNS or such.
thatwhiff
thatwhiff OP • 3mo ago
Great, thanks.
CrowdSec
CrowdSec • 3mo ago
Resolving Let's Encrypt IPs Blocked by CAPI – Need Whitelisting Guidance
This has now been resolved. If you think this is a mistake please run /unresolve
thatwhiff
thatwhiff OP • 5w ago
A fresh list of IPs which have got banned:
23.178.112.219
13.61.9.235
16.16.220.36
3.147.78.34
23.178.112.219
13.215.183.158
23.178.112.219
3.21.75.240
13.61.9.235
13.60.84.235
16.171.61.25
3.144.1.220
47.129.109.99
18.117.177.114
iiamloz
iiamloz • 5w ago
Here's a quick report. Out of those IPs, 1 is classified as fake RDNS, which means the rDNS came back to LE, but then a forward DNS lookup did not result in the same output.
Report ID 4
Report Name Pulse-Quantum-Report
Creation Date 2025-07-30 22:51:48
File path /tmp/ips.txt
SHA256 e1537fb95d2f6f6bad022f316cdf77708161fe3630a1553bf6e065ec061ba0dd
Number of IPs 11
Number of known IPs 1 (9%)
Number of IPs in Blocklist 1 (9%)

Top Reputation
Unknown 10 (91%)
Malicious 1 (9%)

Top Classifications
CrowdSec Community Blocklist 1 (9%)
Fake RDNS 1 (9%)

Top Behaviors
HTTP Scan 1 (9%)
Scan attempt 1 (9%)
HTTP Crawl 1 (9%)
HTTP DoS 1 (9%)
HTTP Exploit 1 (9%)

Top Blocklists
CrowdSec Intelligence Blocklist 1 (9%)

Top IP Ranges
unknown 10 (91%)
23.178.112.0/24 1 (9%)

Top Autonomous Systems
unknown 10 (91%)
Cloudflare London, LLC 1 (9%)

Top Countries
unknown 10 (91%)
US 1 (9%)
Here is the problem:
$ dig -x 23.178.112.219
; <<>> DiG 9.20.11 <<>> -x 23.178.112.219
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59153
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;219.112.178.23.in-addr.arpa. IN PTR

;; ANSWER SECTION:
219.112.178.23.in-addr.arpa. 300 IN PTR outbound2r.letsencrypt.org.

$ dig outbound2r.letsencrypt.org.
; <<>> DiG 9.20.11 <<>> outbound2r.letsencrypt.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9920
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;outbound2r.letsencrypt.org. IN A

;; ANSWER SECTION:
outbound2r.letsencrypt.org. 300 IN A 23.178.112.217

;; Query time: 31 msec
;; SERVER: 10.72.1.1#53(10.72.1.1) (UDP)
;; WHEN: Thu Jul 31 07:32:40 BST 2025
;; MSG SIZE rcvd: 71
Both rDNS and forward DNS (name to IP) need to match, or else we open ourselves to spoofing, hence the fake RDNS tag.
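The two-directional check iiamloz describes (forward-confirmed reverse DNS), together with the cscli allowlists step bui recommended earlier in the thread, as an added example. This is not CrowdSec's own code: it is stdlib Python with an injectable resolver so the thread's observation can be replayed offline. The anchored hostname regex, the constructed fixture addresses (203.0.113.7, 198.51.100.9) and the exact cscli flag names are my assumptions.

```python
"""Forward-confirmed reverse DNS (FCrDNS), the check behind the "Fake RDNS" tag
in the report above.  A PTR record is set by whoever controls the reverse zone
of the IP, so it can claim any name; only the forward A/AAAA records of that
name are controlled by the name's owner.  An IP is trusted as a Let's Encrypt
outbound host only when both directions agree.

Added example, not CrowdSec's code; standard library only.
"""
from __future__ import annotations

import re
import shlex
import socket
from dataclasses import dataclass, field
from typing import Callable, Optional

# Hostname shape the thread says the exclusion keys on. The thread writes
# outbound[a-z0-9].letsencrypt.org; "outbound2r" has two characters after the
# prefix, so "+" and the anchoring are my assumption.
LE_OUTBOUND_RE = re.compile(r"^outbound[a-z0-9]+\.letsencrypt\.org$")

ReverseFn = Callable[[str], Optional[str]]   # ip -> PTR target, or None
ForwardFn = Callable[[str], list]            # name -> list of A/AAAA addresses


@dataclass
class FcrdnsResult:
    ip: str
    ptr: Optional[str] = None                    # PTR target, trailing dot stripped
    forward: list = field(default_factory=list)  # addresses the PTR target resolves to
    status: str = "no_rdns"                      # no_rdns | confirmed | fake_rdns
    claims_le: bool = False                      # PTR looks like outbound*.letsencrypt.org
    is_le: bool = False                          # claims_le AND forward-confirmed


def fcrdns(ip: str, reverse: ReverseFn, forward: ForwardFn) -> FcrdnsResult:
    """Reverse-resolve ip, then forward-resolve the name and require ip to be in the answer."""
    ptr = reverse(ip)
    if not ptr:
        return FcrdnsResult(ip)
    ptr = ptr.rstrip(".").lower()
    addrs = forward(ptr)
    confirmed = ip in addrs
    claims = bool(LE_OUTBOUND_RE.match(ptr))
    return FcrdnsResult(ip, ptr, addrs, "confirmed" if confirmed else "fake_rdns",
                        claims, claims and confirmed)


def classify(ips, reverse: ReverseFn, forward: ForwardFn) -> dict:
    return {ip: fcrdns(ip, reverse, forward) for ip in ips}


# Live resolvers for running against real addresses (network required).
def system_reverse(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_forward(name: str) -> list:
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


# Constructed offline fixture.  It reproduces the dig output above
# (23.178.112.219 -> outbound2r.letsencrypt.org -> 23.178.112.217) and adds two
# made-up cases: a consistent LE host, and a TEST-NET address whose PTR claims
# an LE name that does not exist in the forward zone (the spoofing case).
FIXTURE_PTR = {
    "23.178.112.219": "outbound2r.letsencrypt.org.",
    "23.178.112.217": "outbound2r.letsencrypt.org.",
    "203.0.113.7": "outbound9x.letsencrypt.org.",
}
FIXTURE_A = {"outbound2r.letsencrypt.org": ["23.178.112.217"]}


def fixture_reverse(ip: str) -> Optional[str]:
    return FIXTURE_PTR.get(ip)


def fixture_forward(name: str) -> list:
    return FIXTURE_A.get(name, [])


def allowlist_commands(results: dict, ips, name: str = "letsencrypt") -> list:
    """cscli allowlists commands for the IPs the operator decided to allow, with the
    FCrDNS evidence recorded in the entry comment.  The -d flag (description on
    create, comment on add) is taken from the linked cscli docs; confirm with
    `cscli allowlists add --help` on your version (assumption)."""
    cmds = [f"cscli allowlists create {name} -d {shlex.quote('LetsEncrypt ACME validators')}"]
    for ip in ips:
        r = results[ip]
        note = f"PTR {r.ptr or 'none'} [{r.status}]"
        cmds.append(f"cscli allowlists add {name} {ip} -d {shlex.quote(note)}")
    return cmds


if __name__ == "__main__":
    res = classify(list(FIXTURE_PTR) + ["198.51.100.9"], fixture_reverse, fixture_forward)
    for r in res.values():
        print(f"{r.ip:16} {r.status:10} claims_le={r.claims_le} is_le={r.is_le} ptr={r.ptr}")
    print("\n".join(allowlist_commands(res, ["23.178.112.219", "23.178.112.217"])))
```

Run against the fixture, 23.178.112.219 comes out `fake_rdns` with `claims_le=True` and `is_le=False`, which is exactly the classification in the report: the PTR says Let's Encrypt, the forward lookup does not agree, so automation must not trust it. Swap in `system_reverse`/`system_forward` to check the real ban list; an IP that fails the check and that you still want to allow (because you correlated it with your own ACME challenge logs) goes through `allowlist_commands`, so the reason is preserved next to the entry rather than silently whitelisted.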
thatwhiff
thatwhiff OP • 5w ago
OK, got it.