Hey, I've been hitting a persistent CAPI 403 for a few days now, and I've read through the rate limiting announcement and troubleshooting docs. My situation doesn't match the common root causes, so I'm hoping someone can help.
Setup:
- Distributed CrowdSec deployment - main engine in Docker behind Traefik reverse proxy
- Multiple remote agents (OPNsense, Traefik, Gitea, Vaultwarden, Nextcloud, Mailcow, Authentik) all reporting to a single central LAPI
What I've tried:
- Completely disabled CrowdSec for multiple days to let any ban window expire (well beyond the stated 50-minute window) - still 403 on restart
- cscli capi register → 403 Forbidden
- cscli console enroll → 403 Forbidden
- cscli capi status → 403 Forbidden
My entire config also disappeared from the dashboard. It doesn't just show that it is not pushing updates.
Firewall logs show normal heartbeat frequency:
My OPNsense firewall logs show CAPI connections at ~60 second intervals from my central instance, one connection per minute, no burst pattern.
I'm not running Pangolin.
Errors:
Error: cscli capi status: failed to authenticate to Central API (CAPI): API error: Forbidden
Interestingly, I found this in the support dump:
You can successfully interact with Central API (CAPI)
Sharing signals is enabled
Pulling community blocklist is enabled
Pulling blocklists from the console is enabled
I'll be happy to send my public IP or anything sensitive to security@crowdsec.net, if that's the right path?
Writing here in case the response is useful to others.
Thanks.