Please Fix: Crowdsec Health Check Config

[oschwartz10612]

Hey Everyone!

Due to a misconfiguration of the default Crowdsec install with the Pangolin installer we are hammering Crowdsec's API with health checks! If everyone could please update their installs as soon as possible that would really help out the team over there.

An update from Crowdsec: crowdsecurity/crowdsec#4165

Edit your docker-compose.yml and update the health check section of the Crowdsec section to be the following:

healthcheck:
  test:
    - CMD
    - cscli
    - lapi
    - status
  interval: 10s
  timeout: 5s
  retries: 3
  start_period: 30s

Then run docker compose up -d to apply the changes.

Note the change to lapi and an increased interval.

[ghosthvj]

Hello,
I updated my docker-compose.yml file following these instructions, and after running docker compose up -d, the crowdsec container doesn't start, and therefore neither does Pangolin.
Is there any way to resolve this?

[oschwartz10612]

What is the error that that you see when this happens? Does the crowdsec container remain unhealthy?

[ghosthvj]

These are the container logs; after performing the check 3 times, it restarts in a loop.

crowdsec  | Local agent already registered
crowdsec  | Check if lapi needs to register an additional agent
crowdsec  | sqlite database permissions updated
crowdsec  | /etc/crowdsec was found in a volume
crowdsec  | Running hub update
crowdsec  | level=warning msg="A new CrowdSec release is available (v1.7.4). Your version is 'v1.7.3'. Please update it to use new parsers/scenarios/collections."
crowdsec  | level=warning msg="Failed to check last modified: bad HTTP code 403 for https://cdn-hub.crowdsec.net/crowdsecurity/v1.7.3/.index.json?with_content=true" url="https://cdn-hub.crowdsec.net/crowdsecurity/v1.7.3/.index.json?with_content=true"
crowdsec  | Downloading /etc/crowdsec/hub/.index.json
crowdsec  | Error: cscli hub update: failed to update hub: bad HTTP code 403 for https://cdn-hub.crowdsec.net/crowdsecurity/v1.7.3/.index.json?with_content=true
crowdsec  | /var/lib/crowdsec/data was found in a volume
crowdsec  | Running hub upgrade
crowdsec  | level=warning msg="A new CrowdSec release is available (v1.7.4). Your version is 'v1.7.3'. Please update it to use new parsers/scenarios/collections."
crowdsec  | level=warning msg="scenarios:crowdsecurity/http-probing is tainted, use '--force' to overwrite"
crowdsec  | level=warning msg="collections:crowdsecurity/base-http-scenarios is tainted, use '--force' to overwrite"
crowdsec  | level=warning msg="collections:crowdsecurity/traefik is tainted, use '--force' to overwrite"
crowdsec  | Action plan:
crowdsec  | 🔄 check & update data files
crowdsec  | 
crowdsec  | level=warning msg="Failed to check last modified: bad HTTP code 403 for https://hub-data.crowdsec.net/mmdb_update/GeoLite2-City.mmdb" url="https://hub-data.crowdsec.net/mmdb_update/GeoLite2-City.mmdb"
crowdsec  | downloading https://hub-data.crowdsec.net/mmdb_update/GeoLite2-City.mmdb
crowdsec  | Error: cscli hub upgrade: while downloading data for /etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml: while getting data: bad HTTP code 403 for https://hub-data.crowdsec.net/mmdb_update/GeoLite2-City.mmdb
crowdsec  | Running: cscli  parsers install "crowdsecurity/docker-logs" 
crowdsec  | level=warning msg="A new CrowdSec release is available (v1.7.4). Your version is 'v1.7.3'. Please update it to use new parsers/scenarios/collections."
crowdsec  | Nothing to install or remove.
crowdsec  | Running: cscli  parsers install "crowdsecurity/cri-logs" 
crowdsec  | Nothing to install or remove.
crowdsec  | level=warning msg="A new CrowdSec release is available (v1.7.4). Your version is 'v1.7.3'. Please update it to use new parsers/scenarios/collections."
crowdsec  | Object collections/crowdsecurity/traefik is tainted, skipping
crowdsec  | Running: cscli  collections install "crowdsecurity/appsec-virtual-patching" 
crowdsec  | level=warning msg="A new CrowdSec release is available (v1.7.4). Your version is 'v1.7.3'. Please update it to use new parsers/scenarios/collections."
crowdsec  | Nothing to install or remove.
crowdsec  | Running: cscli  collections install "crowdsecurity/appsec-generic-rules" 
crowdsec  | level=warning msg="A new CrowdSec release is available (v1.7.4). Your version is 'v1.7.3'. Please update it to use new parsers/scenarios/collections."
crowdsec  | Nothing to install or remove.
crowdsec  | Running: cscli  parsers install "crowdsecurity/whitelists" 
crowdsec  | level=warning msg="A new CrowdSec release is available (v1.7.4). Your version is 'v1.7.3'. Please update it to use new parsers/scenarios/collections."
crowdsec  | Nothing to install or remove.
crowdsec  | time="2025-12-19T19:57:37Z" level=info msg="Enabled feature flags: none"
crowdsec  | time="2025-12-19T19:57:37Z" level=info msg="Crowdsec v1.7.3-c8aad699"
crowdsec  | time="2025-12-19T19:57:37Z" level=info msg="Loading CAPI manager"
crowdsec  | time="2025-12-19T19:57:37Z" level=info msg="attempt 1 out of 2"
crowdsec  | time="2025-12-19T19:57:38Z" level=info msg="attempt 2 out of 2"
crowdsec  | time="2025-12-19T19:57:38Z" level=info msg="max attempts reached for status code 403"
crowdsec  | time="2025-12-19T19:57:38Z" level=fatal msg="api server init: unable to run local API: authenticate watcher (524e1d154a6c4a6b858dc9b6aa3df8e9IjNvBLPU633YLPYo): API error: Forbidden"
crowdsec  | /var/lib/crowdsec/data was found in a volume

[ArinL]

You are most likely still rate-limited. As per crowdsecurity/crowdsec#4165, wait 24 hours or reach out to remove rate limit.

[ghosthvj]

Okay, I'll wait. Thanks for replying.

[bigjdunham]

Wow, that was rough. I had to disable Crowdsec in the Pangolin/Traefik docker-compose.yml traefik-config.yml dynamic-config.yml to get Pangolin back up, just so I could use my password manager. So now I need to wait 24 hours to see if I'm no longer blocked by Crowdsec, in order to re-enable it? Ugh.

[synologyy]

Have the Same Problem Cant reach my Site anymore

crowdsec                | /var/lib/crowdsec/data was found in a volume
crowdsec                | Local agent already registered
crowdsec                | Check if lapi needs to register an additional agent
crowdsec                | sqlite database permissions updated
crowdsec                | /etc/crowdsec was found in a volume
crowdsec                | Running hub update
crowdsec                | level=warning msg="Failed to check last modified: bad HTTP code 403 for https://cdn-hub.crowdsec.net/crowdsecurity/master/.index.json?with_content=true" url="https://cdn-hub.crowdsec.net/crowdsecurity/master/.index.json?with_content=true"
crowdsec                | Downloading /etc/crowdsec/hub/.index.json
crowdsec                | Error: cscli hub update: failed to update hub: bad HTTP code 403 for https://cdn-hub.crowdsec.net/crowdsecurity/master/.index.json?with_content=true
crowdsec                | /var/lib/crowdsec/data was found in a volume
crowdsec                | Running hub upgrade
crowdsec                | Action plan:
crowdsec                | 🔄 check & update data files
crowdsec                | 
crowdsec                | level=warning msg="Failed to check last modified: bad HTTP code 403 for https://hub-data.crowdsec.net/mmdb_update/GeoLite2-City.mmdb" url="https://hub-data.crowdsec.net/mmdb_update/GeoLite2-City.mmdb"
crowdsec                | downloading https://hub-data.crowdsec.net/mmdb_update/GeoLite2-City.mmdb
crowdsec                | Error: cscli hub upgrade: while downloading data for /etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml: while getting data: bad HTTP code 403 for https://hub-data.crowdsec.net/mmdb_update/GeoLite2-City.mmdb
crowdsec                | Running: cscli  parsers install "crowdsecurity/docker-logs" 
crowdsec                | Nothing to install or remove.
crowdsec                | Running: cscli  parsers install "crowdsecurity/cri-logs" 
crowdsec                | Nothing to install or remove.
crowdsec                | Running: cscli  collections install "crowdsecurity/traefik" 
crowdsec                | Nothing to install or remove.
crowdsec                | Running: cscli  collections install "crowdsecurity/appsec-virtual-patching" 
crowdsec                | Nothing to install or remove.
crowdsec                | Running: cscli  collections install "crowdsecurity/appsec-generic-rules" 
crowdsec                | Nothing to install or remove.
crowdsec                | Running: cscli  parsers install "crowdsecurity/whitelists" 
crowdsec                | Nothing to install or remove.
crowdsec                | time="2025-12-20T04:44:33Z" level=info msg="Enabled feature flags: none"
crowdsec                | time="2025-12-20T04:44:33Z" level=info msg="Crowdsec v1.7.4-db3efdbf"
crowdsec                | time="2025-12-20T04:44:33Z" level=info msg="Loading CAPI manager"
crowdsec                | time="2025-12-20T04:44:33Z" level=info msg="attempt 1 out of 2"
crowdsec                | time="2025-12-20T04:44:33Z" level=info msg="attempt 2 out of 2"
crowdsec                | time="2025-12-20T04:44:33Z" level=info msg="max attempts reached for status code 403"
crowdsec                | time="2025-12-20T04:44:33Z" level=fatal msg="api server init: unable to run local API: authenticate watcher (f9483bbe8e3c47d5aa8290b9d4fcf2c2dWXxmrgk0Nxx): API error: Forbidden"
crowdsec exited with code 1 (restarting)

[tczee36]

can this be resolved by removing crowdsec or something?

[synologyy]

tried nothing changed HTTP ERROR 403 this is a big issue for me

[tczee36]

tried nothing changed HTTP ERROR 403 this is a big issue for me

yes, this is breaking my setup big time.

[synologyy]

found a fix remove anything with crowdsec:
on docker-compose.yml

#  crowdsec:
#    command: -t
#    container_name: crowdsec
#    environment:
#      ACQUIRE_FILES: /var/log/traefik/*.log
#      COLLECTIONS: crowdsecurity/traefik crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules
#      ENROLL_INSTANCE_NAME: pangolin-crowdsec
#      ENROLL_TAGS: docker
#      GID: "1000"
#      PARSERS: crowdsecurity/whitelists
#    expose:
#      - 6060
#    healthcheck:
#      interval: 10s
#      retries: 3
#      start_period: 30s
#      test:
#        - CMD
#        - cscli
#        - lapi
#        - status
#      timeout: 5s
#    image: crowdsecurity/crowdsec:latest
#    labels:
#      - traefik.enable=false
#    ports:
#      - 6060:6060
#    restart: unless-stopped
#    volumes:
#      - ./config/crowdsec:/etc/crowdsec
#      - ./config/crowdsec/db:/var/lib/crowdsec/data
#      - ./config/crowdsec_logs/auth.log:/var/log/auth.log:ro
#      - ./config/crowdsec_logs/syslog:/var/log/syslog:ro
#      - ./config/crowdsec_logs:/var/log
#      - ./config/traefik/logs:/var/log/traefik

and in config/traefik/traefik_config.yml

entryPoints:
  web:
    address: :80
  websecure:
    address: :443
    http:
#      middlewares:
#        - crowdsec@file
      tls:
        certResolver: letsencrypt
    transport:
      respondingTimeouts:
        readTimeout: 30m
#  tcp-3020:
#    address: ":3020/tcp"
experimental:
  plugins:
    badger:
      moduleName: github.com/fosrl/badger
      version: v1.1.0
#    crowdsec:
#      moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
#      version: v1.3.5


now do docker compose up -d and dashboard should be online now

[tczee36]

found a fix remove anything with crowdsec: on docker-compose.yml

#  crowdsec:
#    command: -t
#    container_name: crowdsec
#    environment:
#      ACQUIRE_FILES: /var/log/traefik/*.log
#      COLLECTIONS: crowdsecurity/traefik crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules
#      ENROLL_INSTANCE_NAME: pangolin-crowdsec
#      ENROLL_TAGS: docker
#      GID: "1000"
#      PARSERS: crowdsecurity/whitelists
#    expose:
#      - 6060
#    healthcheck:
#      interval: 10s
#      retries: 3
#      start_period: 30s
#      test:
#        - CMD
#        - cscli
#        - lapi
#        - status
#      timeout: 5s
#    image: crowdsecurity/crowdsec:latest
#    labels:
#      - traefik.enable=false
#    ports:
#      - 6060:6060
#    restart: unless-stopped
#    volumes:
#      - ./config/crowdsec:/etc/crowdsec
#      - ./config/crowdsec/db:/var/lib/crowdsec/data
#      - ./config/crowdsec_logs/auth.log:/var/log/auth.log:ro
#      - ./config/crowdsec_logs/syslog:/var/log/syslog:ro
#      - ./config/crowdsec_logs:/var/log
#      - ./config/traefik/logs:/var/log/traefik

and in config/traefik/traefik_config.yml

entryPoints:
  web:
    address: :80
  websecure:
    address: :443
    http:
#      middlewares:
#        - crowdsec@file
      tls:
        certResolver: letsencrypt
    transport:
      respondingTimeouts:
        readTimeout: 30m
#  tcp-3020:
#    address: ":3020/tcp"
experimental:
  plugins:
    badger:
      moduleName: github.com/fosrl/badger
      version: v1.1.0
#    crowdsec:
#      moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
#      version: v1.3.5


now do docker compose up -d and dashboard should be online now

yep, i did this on both docker compose file + traefik config file. things are working again

[lionfish2]

Hey Everyone!

Due to a misconfiguration of the default Crowdsec install with the Pangolin installer we are hammering Crowdsec's API with health checks! If everyone could please update their installs as soon as possible that would really help out the team over there.

Edit your docker-compose.yml and update the health check section of the Crowdsec section to be the following:

healthcheck:
  test:
    - CMD
    - cscli
    - lapi
    - status
  interval: 10s
  timeout: 5s
  retries: 3
  start_period: 30s

Then run docker compose up -d to apply the changes.

Note the change to lapi and an increased interval.

This did not fix it for me. Still getting the 403.

[ste032]

It is my understanding that fixing the health-check won't immediately whitelist your IP on crowdsec's AWS WAF blacklist, you still need to wait the full 24hrs cooldown - or contact them via email.

On a different note, if you are in a hurry I found that adding the following env variables for the crowdsec's service will momentarily skip any authentication and let the container start:

services:
  crowdsec:
    ...
    environment:
      ...
      DISABLE_HUB_UPGRADE: "true"
      DISABLE_ONLINE_API: "true"

Again, this is a temp fix and you should be able to resume normal operation, removing the config above, after the ban on your IP gets lifted.

Hopefully this helps someone.

[RainerZufall00]

Awesome thanks! That fixed it and hopefully I’m able to remove it after 24hours!

[HHUBSS]

This fixed it for me while I'll wait for them to lift my IP ban. Already emailed them. Thank you.

[Akenjeru]

I wonder what people should do in this case with a dynamic IP

[preetpatel]

If you're facing container start issues after updating your health checks, look at the logs, you may see a 403 indicating a ban on Crowdstrikes side.

Solution is to wait, or do what I did and email the address listed here: crowdsecurity/crowdsec#4165

As someone else said, their support is incredibly fast. I emailed at 9:06pm and got a reply back confirming the addition to allowlist at 10:00pm. Incredible support! 👏

[gitmotion]

can confirm all pangolin instances with crowdsec back up after 24 hours (if you'd rather not send your ips over):

• stop crowdsec container(s)
• update crowdsec healthcheck(s) in your docker-compose.yml to mentioned above
• keep your crowdsec container(s) down for 24+ hours
• redeploy with crowdsec container after 24 hours with the new healthcheck mods

heads up:

• [BUG] release 1.4.7 is currently broken maxlerebourg/crowdsec-bouncer-traefik-plugin#298
• at the time of this writing, crowdsec-bouncer-traefik-plugin v1.4.7 appsec is broken and advised to downgrade to v1.4.6 in your traefik_config.yml under traefik_config.yml > experimental > plugins > crowdsec
• but looks like a fix to v1.4.7 is coming soon

    crowdsec:
      moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
      version: v1.4.6

[MykalMachon]

Hey all, I followed the advice here and

1. updated my healtcheck in docker-compose.yml
2. waited 24 hours for CrowdSec to stop rate-limiting my VPS IP
3. restarted the docker compose stack

At first everything worked, but after 3 hours of the services running without issue again, CrowdSec went down with the exact same errors discussed in this thread.

downloading https://hub-data.crowdsec.net/mmdb_update/GeoLite2-City.mmdb
Error: cscli hub upgrade: while downloading data for /etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml: while getting data: bad HTTP code 403 for https://hub-data.crowdsec.net/mmdb_update/GeoLite2-City.mmdb
# ... 
time="2025-12-21T05:52:04Z" level=info msg="Enabled feature flags: none"
time="2025-12-21T05:52:04Z" level=info msg="Crowdsec v1.7.4-db3efdbf"
time="2025-12-21T05:52:04Z" level=info msg="Loading CAPI manager"
time="2025-12-21T05:52:04Z" level=info msg="attempt 1 out of 2"
time="2025-12-21T05:52:04Z" level=info msg="attempt 2 out of 2"
time="2025-12-21T05:52:05Z" level=info msg="max attempts reached for status code 403"
time="2025-12-21T05:52:05Z" level=fatal msg="api server init: unable to run local API: authenticate watcher (8d576a5ffd9f4907bfaf975cc3239529Q8SCIIoRK71s6VtO): API error: Forbidden"

Does the stack re-fetch the CAPI data while running?
I'm still trying to find the logs from when the cybersec container first got into it's boot loop; I'll update my post when I have those.

Is anyone else having issues with this? I really want CrowdSec in front of my services but I can't deal with constant outages like this.

[MykalMachon]

update: services have been down and the crowdsec container has been in a restart loop since 8:30 pacific time so the original logs for the crash are gone 😮‍💨 anyone else having this problem?

[SaeedMahar2006]

Hi,

I followed the recommended fix of removing capi from the health check. My docker compose logs have only capi references that look like this

crowdsec  | time="2025-12-22T11:48:56Z" level=info msg="Crowdsec v1.7.4-db3efdbf"
crowdsec  | time="2025-12-22T11:48:56Z" level=info msg="Loading CAPI manager"
crowdsec  | time="2025-12-22T11:48:56Z" level=info msg="flushed 168/464 alerts because they were created 168h0m0s ago or more" module=db
crowdsec  | time="2025-12-22T11:48:56Z" level=info msg="CAPI manager configured successfully"
crowdsec  | time="2025-12-22T11:48:56Z" level=error msg="Machine is not enrolled in the console, can't synchronize with the console"
crowdsec  | time="2025-12-22T11:48:56Z" level=info msg="Start push to CrowdSec Central API (interval: 17s once, then 10s)"
crowdsec  | time="2025-12-22T11:48:56Z" level=info msg="Start sending metrics to CrowdSec Central API (interval: 38m32s once, then 30m0s)"
crowdsec  | time="2025-12-22T11:48:56Z" level=info msg="Starting community-blocklist update"
crowdsec  | time="2025-12-22T11:48:56Z" level=info msg="CrowdSec Local API listening on redacted"
crowdsec  | time="2025-12-22T11:48:56Z" level=info msg="capi metrics: sending"
crowdsec  | time="2025-12-22T11:48:56Z" level=info msg="Loading grok library /etc/crowdsec/patterns"
crowdsec  | time="2025-12-22T11:48:57Z" level=info msg="capi/community-blocklist : 0 explicit deletions"

It seems to be holding up, I will write an update in a few hours / a day if its still holding up. Hope this helps, in case your initial logs would've looked something like this.

[SaeedMahar2006]

Hi,

I followed the recommended fix of removing capi from the health check. My docker compose logs have only capi references that look like this

crowdsec  | time="2025-12-22T11:48:56Z" level=info msg="Crowdsec v1.7.4-db3efdbf"
crowdsec  | time="2025-12-22T11:48:56Z" level=info msg="Loading CAPI manager"
crowdsec  | time="2025-12-22T11:48:56Z" level=info msg="flushed 168/464 alerts because they were created 168h0m0s ago or more" module=db
crowdsec  | time="2025-12-22T11:48:56Z" level=info msg="CAPI manager configured successfully"
crowdsec  | time="2025-12-22T11:48:56Z" level=error msg="Machine is not enrolled in the console, can't synchronize with the console"
crowdsec  | time="2025-12-22T11:48:56Z" level=info msg="Start push to CrowdSec Central API (interval: 17s once, then 10s)"
crowdsec  | time="2025-12-22T11:48:56Z" level=info msg="Start sending metrics to CrowdSec Central API (interval: 38m32s once, then 30m0s)"
crowdsec  | time="2025-12-22T11:48:56Z" level=info msg="Starting community-blocklist update"
crowdsec  | time="2025-12-22T11:48:56Z" level=info msg="CrowdSec Local API listening on redacted"
crowdsec  | time="2025-12-22T11:48:56Z" level=info msg="capi metrics: sending"
crowdsec  | time="2025-12-22T11:48:56Z" level=info msg="Loading grok library /etc/crowdsec/patterns"
crowdsec  | time="2025-12-22T11:48:57Z" level=info msg="capi/community-blocklist : 0 explicit deletions"

It seems to be holding up, I will write an update in a few hours / a day if its still holding up. Hope this helps, in case your initial logs would've looked something like this.

Can confirm it hasn't fallen over so far. So I reckon you may have had another source hammering the api / your config didn't actually remove CAPI from health check.

[gitmotion]

interesting. just to confirm, did you stop your crowdsec container for 24 hours after updating your healthchecks?

[Suspectxyzz]

crowdsec  | time="2025-12-21T19:20:25Z" level=info msg="Enabled feature flags: none"
crowdsec  | time="2025-12-21T19:20:25Z" level=info msg="Crowdsec v1.7.4-db3efdbf"
crowdsec  | time="2025-12-21T19:20:25Z" level=info msg="Loading CAPI manager"
crowdsec  | time="2025-12-21T19:20:25Z" level=info msg="attempt 1 out of 2"
crowdsec  | time="2025-12-21T19:20:25Z" level=info msg="attempt 2 out of 2"
crowdsec  | time="2025-12-21T19:20:25Z" level=info msg="max attempts reached for status code 403"
  crowdsec  | time="2025-12-21T19:20:25Z" level=fatal msg="api server init: unable to run local API: authenticate watcher (6b9ecbb38bcbadqwwV0wGHK): API error: Forbidden"
Container pangolin Healthy
Container crowdsec Waiting
Container pangolin Waiting
Container pangolin Healthy
Container crowdsec Error dependency crowdsec failed to start
dependency failed to start: container crowdsec is unhealthy

updated my healtcheck in docker-compose.yml
same

services:
  crowdsec:
    command: -t
    container_name: crowdsec
    environment:
      COLLECTIONS: crowdsecurity/traefik crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules
      ENROLL_INSTANCE_NAME: pangolin-crowdsec
      ENROLL_TAGS: docker
      GID: "1000"
      PARSERS: crowdsecurity/whitelists
    healthcheck:
      interval: 10s
      retries: 3
      test:
        - CMD
        - cscli
        - lapi
        - capi
        - status
      timeout: 10s

[MykalMachon]

Having the same issue. Even after waiting for 24 hours for the rate limit to reset it ran fine for a few hours then got cut again

[Bundas18]

exactly the same for me too

[Larosen]

Remove capi and wait 24h.

[MykalMachon]

Remove capi and wait 24h.

We have already done this. See my comment above. Even with the suggested changes the service will eventually come down again.

[Larosen]

Remove capi and wait 24h.

We have already done this. See my comment above. Even with the suggested changes the service will eventually come down again.

Could you post your current healthcheck from docker-compose please?

[A4alli]

I have these logs

docker logs crowdsec
/var/lib/crowdsec/data was found in a volume
Local agent already registered
Check if lapi needs to register an additional agent
Error: cscli capi register: api client register ('https://api.crowdsec.net/'): api register (https://api.crowdsec.net/) http 403 Forbidden: API error: Forbidden
/var/lib/crowdsec/data was found in a volume
Local agent already registered
Check if lapi needs to register an additional agent
level=warning msg="can't load CAPI credentials from '/etc/crowdsec//online_api_credentials.yaml' (missing login field)"
Error: cscli console enroll: the Central API (CAPI) must be configured with 'cscli capi register'
/var/lib/crowdsec/data was found in a volume
Local agent already registered
Check if lapi needs to register an additional agent
level=warning msg="can't load CAPI credentials from '/etc/crowdsec//online_api_credentials.yaml' (missing login field)"
Error: cscli console enroll: the Central API (CAPI) must be configured with 'cscli capi register'
/var/lib/crowdsec/data was found in a volume
Local agent already registered
Check if lapi needs to register an additional agent
level=warning msg="can't load CAPI credentials from '/etc/crowdsec//online_api_credentials.yaml' (missing login field)"
Error: cscli console enroll: the Central API (CAPI) must be configured with 'cscli capi register'
/var/lib/crowdsec/data was found in a volume
Local agent already registered
Check if lapi needs to register an additional agent
level=warning msg="can't load CAPI credentials from '/etc/crowdsec//online_api_credentials.yaml' (missing login field)"
Error: cscli console enroll: the Central API (CAPI) must be configured with 'cscli capi register'
/var/lib/crowdsec/data was found in a volume
Local agent already registered
Check if lapi needs to register an additional agent
level=warning msg="can't load CAPI credentials from '/etc/crowdsec//online_api_credentials.yaml' (missing login field)"
Error: cscli console enroll: the Central API (CAPI) must be configured with 'cscli capi register'
/var/lib/crowdsec/data was found in a volume
Local agent already registered
Check if lapi needs to register an additional agent
level=warning msg="can't load CAPI credentials from '/etc/crowdsec//online_api_credentials.yaml' (missing login field)"
Error: cscli console enroll: the Central API (CAPI) must be configured with 'cscli capi register'
/var/lib/crowdsec/data was found in a volume
Local agent already registered
Check if lapi needs to register an additional agent
level=warning msg="can't load CAPI credentials from '/etc/crowdsec//online_api_credentials.yaml' (missing login field)"
Error: cscli console enroll: the Central API (CAPI) must be configured with 'cscli capi register'
/var/lib/crowdsec/data was found in a volume
Local agent already registered
Check if lapi needs to register an additional agent
level=warning msg="can't load CAPI credentials from '/etc/crowdsec//online_api_credentials.yaml' (missing login field)"
Error: cscli console enroll: the Central API (CAPI) must be configured with 'cscli capi register'
/var/lib/crowdsec/data was found in a volume
Local agent already registered
Check if lapi needs to register an additional agent
level=warning msg="can't load CAPI credentials from '/etc/crowdsec//online_api_credentials.yaml' (missing login field)"
Error: cscli console enroll: the Central API (CAPI) must be configured with 'cscli capi register'
/var/lib/crowdsec/data was found in a volume
Local agent already registered
Check if lapi needs to register an additional agent
level=warning msg="can't load CAPI credentials from '/etc/crowdsec//online_api_credentials.yaml' (missing login field)"
Error: cscli console enroll: the Central API (CAPI) must be configured with 'cscli capi register'
/var/lib/crowdsec/data was found in a volume
Local agent already registered
Check if lapi needs to register an additional agent
level=warning msg="can't load CAPI credentials from '/etc/crowdsec//online_api_credentials.yaml' (missing login field)"
Error: cscli console enroll: the Central API (CAPI) must be configured with 'cscli capi register'
/var/lib/crowdsec/data was found in a volume
Local agent already registered
Check if lapi needs to register an additional agent
level=warning msg="can't load CAPI credentials from '/etc/crowdsec//online_api_credentials.yaml' (missing login field)"
Error: cscli console enroll: the Central API (CAPI) must be configured with 'cscli capi register'
/var/lib/crowdsec/data was found in a volume
Local agent already registered
Check if lapi needs to register an additional agent
level=warning msg="can't load CAPI credentials from '/etc/crowdsec//online_api_credentials.yaml' (missing login field)"
Error: cscli console enroll: the Central API (CAPI) must be configured with 'cscli capi register'
/var/lib/crowdsec/data was found in a volume
Local agent already registered
Check if lapi needs to register an additional agent
level=warning msg="can't load CAPI credentials from '/etc/crowdsec//online_api_credentials.yaml' (missing login field)"
Error: cscli console enroll: the Central API (CAPI) must be configured with 'cscli capi register'
/var/lib/crowdsec/data was found in a volume
Local agent already registered
Check if lapi needs to register an additional agent
level=warning msg="can't load CAPI credentials from '/etc/crowdsec//online_api_credentials.yaml' (missing login field)"
Error: cscli console enroll: the Central API (CAPI) must be configured with 'cscli capi register'
/var/lib/crowdsec/data was found in a volume
Local agent already registered
Check if lapi needs to register an additional agent
level=warning msg="can't load CAPI credentials from '/etc/crowdsec//online_api_credentials.yaml' (missing login field)"
Error: cscli console enroll: the Central API (CAPI) must be configured with 'cscli capi register'
/var/lib/crowdsec/data was found in a volume
Local agent already registered
Check if lapi needs to register an additional agent
level=warning msg="can't load CAPI credentials from '/etc/crowdsec//online_api_credentials.yaml' (missing login field)"
Error: cscli console enroll: the Central API (CAPI) must be configured with 'cscli capi register'
/var/lib/crowdsec/data was found in a volume
Local agent already registered
Check if lapi needs to register an additional agent
level=warning msg="can't load CAPI credentials from '/etc/crowdsec//online_api_credentials.yaml' (missing login field)"
Error: cscli console enroll: the Central API (CAPI) must be configured with 'cscli capi register'
/var/lib/crowdsec/data was found in a volume
Local agent already registered
Check if lapi needs to register an additional agent
level=warning msg="can't load CAPI credentials from '/etc/crowdsec//online_api_credentials.yaml' (missing login field)"
Error: cscli console enroll: the Central API (CAPI) must be configured with 'cscli capi register'
/var/lib/crowdsec/data was found in a volume
Local agent already registered
Check if lapi needs to register an additional agent
level=warning msg="can't load CAPI credentials from '/etc/crowdsec//online_api_credentials.yaml' (missing login field)"
Error: cscli console enroll: the Central API (CAPI) must be configured with 'cscli capi register'
/var/lib/crowdsec/data was found in a volume
Local agent already registered
Check if lapi needs to register an additional agent
level=warning msg="can't load CAPI credentials from '/etc/crowdsec//online_api_credentials.yaml' (missing login field)"
Error: cscli console enroll: the Central API (CAPI) must be configured with 'cscli capi register'
/var/lib/crowdsec/data was found in a volume
Local agent already registered
Check if lapi needs to register an additional agent
level=warning msg="can't load CAPI credentials from '/etc/crowdsec//online_api_credentials.yaml' (missing login field)"
Error: cscli console enroll: the Central API (CAPI) must be configured with 'cscli capi register'
/var/lib/crowdsec/data was found in a volume
Local agent already registered
Check if lapi needs to register an additional agent
level=warning msg="can't load CAPI credentials from '/etc/crowdsec//online_api_credentials.yaml' (missing login field)"
Error: cscli console enroll: the Central API (CAPI) must be configured with 'cscli capi register'
/var/lib/crowdsec/data was found in a volume
Local agent already registered
Check if lapi needs to register an additional agent
level=warning msg="can't load CAPI credentials from '/etc/crowdsec//online_api_credentials.yaml' (missing login field)"
Error: cscli console enroll: the Central API (CAPI) must be configured with 'cscli capi register'
/var/lib/crowdsec/data was found in a volume
Local agent already registered
Check if lapi needs to register an additional agent
level=warning msg="can't load CAPI credentials from '/etc/crowdsec//online_api_credentials.yaml' (missing login field)"
Error: cscli console enroll: the Central API (CAPI) must be configured with 'cscli capi register'
/var/lib/crowdsec/data was found in a volume
Local agent already registered
Check if lapi needs to register an additional agent

[A4alli]

is this rate limiting or what

[Discolor3182]

I have also experienced this even after applying the new settings. No choice but to disable Crowdsec for now.

[gitmotion]

check out pangolin dir > config > crowdsec > online_api_credentials.yaml (don't post it here)

• do you see all three fields for url, login, password?

if the above is true and your crowdsec container is still running / not constantly restarting

• you can check if you're able to connect to the central api with: docker exec crowdsec cscli capi status

if not you may have to reenroll again on the crowdsec console dashboard

[SiriusLightning21]

After this changes my Traefik won't start anymore. I need to comment out the crowedsec health check for pangolin, than everything is up and running.

  traefik:
    command:
      - --configFile=/etc/traefik/traefik_config.yml
    container_name: traefik
    depends_on:
#      crowdsec:
#        condition: service_healthy
      pangolin:
        condition: service_healthy
    image: docker.io/traefik:v3.6.5
    network_mode: service:gerbil
    restart: unless-stopped

Hey Everyone!

Due to a misconfiguration of the default Crowdsec install with the Pangolin installer we are hammering Crowdsec's API with health checks! If everyone could please update their installs as soon as possible that would really help out the team over there.

An update from Crowdsec: crowdsecurity/crowdsec#4165

Edit your docker-compose.yml and update the health check section of the Crowdsec section to be the following:

healthcheck:
  test:
    - CMD
    - cscli
    - lapi
    - status
  interval: 10s
  timeout: 5s
  retries: 3
  start_period: 30s

Then run docker compose up -d to apply the changes.

Note the change to lapi and an increased interval.

[BombusAlpinus]

ok, just ran also in this issue. had to disable everything in the configs (compose/traefik/dynamic) regarding crowdsec to get pangolin up and running again. i guess because i was already blocked? will try to enable everything tomorrow with the changes provided here.

[QNTV]

I got Pangolin running by adding these two entries to docker-compose. I'm waiting 24 hours to retry the CrowdSec health check.

services:
  crowdsec:
    ...
    environment:
      ...
      DISABLE_HUB_UPGRADE: "true"
      DISABLE_ONLINE_API: "true"

healthcheck:
  test:
    - CMD
    - cscli
    - lapi
    - status
  interval: 10s
  timeout: 5s
  retries: 3
  start_period: 30s

[BombusAlpinus]

I got Pangolin running by adding these two entries to docker-compose. I'm waiting 24 hours to retry the CrowdSec health check.

services:
  crowdsec:
    ...
    environment:
      ...
      DISABLE_HUB_UPGRADE: "true"
      DISABLE_ONLINE_API: "true"

healthcheck:
  test:
    - CMD
    - cscli
    - lapi
    - status
  interval: 10s
  timeout: 5s
  retries: 3
  start_period: 30s

3 days later i tried it with the provided settings again and the stack is running again
but i'm getting this error in the logs, pangolin is working.
crowdsec | time="2026-01-13T06:17:07Z" level=error msg="unexpected return type for RunTimeValue: <nil>" id=bold-paper module=parser name=child-child-crowdsecurity/traefik-logs stage=s01-parse

[AblabiX]

I got Pangolin running by adding these two entries to docker-compose. I'm waiting 24 hours to retry the CrowdSec health check.

services:
  crowdsec:
    ...
    environment:
      ...
      DISABLE_HUB_UPGRADE: "true"
      DISABLE_ONLINE_API: "true"

healthcheck:
  test:
    - CMD
    - cscli
    - lapi
    - status
  interval: 10s
  timeout: 5s
  retries: 3
  start_period: 30s

3 days later i tried it with the provided settings again and the stack is running again but i'm getting this error in the logs, pangolin is working. crowdsec | time="2026-01-13T06:17:07Z" level=error msg="unexpected return type for RunTimeValue: <nil>" id=bold-paper module=parser name=child-child-crowdsecurity/traefik-logs stage=s01-parse

same error here, seems that parser is no longer able to correctly interpret the logs and not ban, always worked, with the last update now i got 88 hits but 88 unparsed from the metrics... EDIT: fixed with crowdsecurity/hub#1643

[kylepyke]

I've updated the healthcheck, but I'm having the issue of receiving this error everytime I restart my Pangolin stack. It could be up for weeks, but if I change a config and docker compose down/up, I get the http 403 Forbidden: API error: Forbidden. error.

[Dimtar]

I feel like I am getting the same thing.

[BombusAlpinus]

as i wrote before i thought running it with the here provided paramaters work but it didn't. strange behaviours so i disabled all crowdsec related config again. will have closer look if i get some time..

[danblu3]

Same.

My VPS was fine but ran out of space and now the crowdsec container won't come back up.
I see we need to update the stack with the new health check and wait an hour.
So I shall try that, if that doesn't work I will have to disable updating via the hub in environment variables and re-add it later.

    environment:
      ...
      DISABLE_HUB_UPGRADE: "true"
      DISABLE_ONLINE_API: "true"

That will be the variables needed, but it does mean you are unprotected from new threats.

[kraizelburg]

Hi, I am having the same issue with crowdsec health check not letting pangolin stack start.
Does anyone know if there any fix yet other than disabling crowdsec entirely? thx

[rustyricky]

The instructions in the previous messages in this thread worked for me.

Disable API for 24h:

environment:
      ...
      DISABLE_HUB_UPGRADE: "true"
      DISABLE_ONLINE_API: "true" 

And update the health check to use lapi:

healthcheck:
  test:
    - CMD
    - cscli
    - lapi
    - status
  interval: 10s
  timeout: 5s
  retries: 3
  start_period: 30s

[marco79cgn]

I ran into the same problem today after updating my vps and the instructions worked for me as well. Glad I found this discussion here. Thanks!

[europacafe]

Yesterday I also had the same problem (403) upgrading Pangolin from 1.14 to 1.15, so I followed instruction above:
https://github.com/orgs/fosrl/discussions/2119#discussioncomment-15596427

Today I revert the above, and now everything is working as usual.

Thanks for all the suggestions.

[websheriff]

I was just starting my stack for a new install and I also get hit with this rate limit. Maybe it is only happening on grabbing a large amount at a time? Going to wait and try again and see if it is able to finish this time.