A developer spent over an hour debugging cryptic TLS x509 certificate errors on Docker pulls from a self-hosted GitLab CI runner, only to discover that Spanish ISPs were blocking Cloudflare IPs under a football piracy court order. Their firsthand experience demonstrates how IP-level blocks on shared CDN addresses silently break critical developer infrastructure with no clear error messaging.
The editorial explains that Cloudflare's anycast architecture means thousands of unrelated domains share the same IP addresses, so blocking one piracy site's IP also blocks Docker Hub, npm, and countless other services. The mechanism isn't a clean DNS sinkhole but an IP-level TLS interception that causes certificate validation failures, making the breakage especially hard to diagnose.
The editorial notes that the Hacker News discussion triggered a flood of confirmations from Spanish developers experiencing the same issue across multiple ISPs. This pattern indicates a systematic court-ordered blocking regime rather than a single provider's mistake, suggesting the problem will recur with every new football piracy injunction.
The editorial argues that courts issuing these blocking orders don't understand that Cloudflare uses SNI-based routing on shared IPs, meaning an IP block intended for one piracy domain inevitably takes out thousands of legitimate services. The orders treat IP addresses as if they map one-to-one with websites, a model that hasn't been accurate for over a decade.
A developer in Spain spent over an hour debugging why their self-hosted GitLab CI runner suddenly couldn't pull Docker images. The symptom: cryptic TLS errors — `x509: certificate is not valid for any names` — on every `docker pull` attempt. No configuration had changed. No Docker Hub outage was reported. The culprit turned out to be their Spanish ISP, which was blocking Cloudflare IP addresses under a court order aimed at stopping illegal football streaming.
Spanish ISPs are injecting themselves into TLS connections to Cloudflare IPs, causing certificate validation failures that break Docker Hub, and potentially any developer service sitting behind Cloudflare's CDN. The block isn't a clean DNS sinkhole — it's an IP-level intervention that causes the TLS handshake to fail or return an invalid certificate, which is why the error manifests as an x509 validation failure rather than a simple "host not found."
The Hacker News post (281 points and climbing) triggered a flood of responses from Spanish developers confirming the same issue across multiple ISPs. This isn't a one-off misconfiguration. It's a systematic, court-ordered block that happens to share IP space with half the internet's infrastructure.
To understand why this is so destructive, you need to understand how Cloudflare's infrastructure works — and why IP-level blocking of a major CDN is fundamentally different from blocking a single-purpose server.
Cloudflare operates on shared IP addresses. When you visit a site behind Cloudflare, your DNS query returns one of Cloudflare's anycast IPs. Thousands — sometimes tens of thousands — of unrelated domains resolve to the same IP address. Cloudflare uses SNI (Server Name Indication) in the TLS handshake to route the connection to the correct origin.
When a Spanish court orders ISPs to block the IP address serving an illegal football stream, that same IP address is also serving Docker Hub, npm registry endpoints, PyPI packages, GitHub Pages, and countless SaaS APIs. The ISP can't selectively block one domain on a shared IP without deep packet inspection of the SNI field — and most are apparently not doing SNI-level filtering. They're doing the cheap thing: blocking the IP entirely.
The result is that the ISP's network equipment intercepts the TCP connection to the blocked IP and either drops it, resets it, or — in the worst case — responds with its own certificate that obviously doesn't match the requested domain. That's where the `x509: certificate is not valid for any names` error comes from. Docker's TLS client correctly rejects the bogus certificate, but the error message gives zero indication that a government-ordered network block is the cause.
The immediate impact — broken `docker pull` — is bad enough for any developer or CI system in Spain. But the second-order effects are what make this genuinely dangerous for production infrastructure.
CI/CD is the blast radius. Any CI pipeline running on Spanish infrastructure that pulls images from Docker Hub, installs npm packages from the registry, or fetches dependencies from PyPI could fail intermittently depending on which Cloudflare IP their DNS resolves to. The failures aren't consistent because DNS responses rotate across Cloudflare's IP pool. One build works, the next doesn't. This is the worst kind of infrastructure failure: non-deterministic and invisible to monitoring that checks from outside Spain.
The blocks are dynamic. LaLiga's anti-piracy operation doesn't maintain a static blocklist. They identify IPs serving pirate streams in real-time during matches and push block requests to ISPs. This means the set of blocked Cloudflare IPs changes over time, potentially every matchday. A workaround that works on Tuesday might fail on Saturday afternoon when the next match starts.
Error attribution is nearly impossible. The developer who reported this spent over an hour debugging GitLab, Docker, and their runner configuration before realizing the network itself was the problem. TLS certificate errors don't scream "your government is blocking football piracy." For less experienced developers or automated systems, these failures would likely be attributed to Docker Hub outages, misconfigured certificates, or local network issues.
This pattern has historical precedent. In 2018, Russia's attempt to block Telegram by targeting Amazon and Google Cloud IP ranges caused widespread collateral damage to unrelated services. Iran has experienced similar issues with blanket IP blocks. The common thread: regulators treat IP addresses like street addresses — one building, one tenant — when modern CDN architecture means a single IP is more like a skyscraper with thousands of tenants.
If you have infrastructure, developers, or CI runners in Spain — or any jurisdiction prone to blunt IP-level blocking — this demands specific mitigations:
Set up a registry mirror. Docker Hub, npm, and PyPI all support mirroring or alternative registries. For Docker specifically, configure a pull-through cache (Docker's registry supports this natively) or use a cloud-hosted mirror in a region not subject to these blocks. Your `daemon.json` should have explicit `registry-mirrors` configured, not just the default Docker Hub endpoint.
VPN your CI traffic. If your CI runners are in an affected region, routing their egress through a VPN endpoint in a different country is the most reliable workaround. This is ugly but effective. Several commenters on the HN thread confirmed this resolves the issue immediately.
Monitor for network-level interference. Standard uptime monitoring from external locations won't catch this. You need health checks that run *from the same network path as your production/CI traffic*. A simple cron job that attempts `docker pull hello-world` and alerts on failure would have caught this in minutes instead of hours.
Pin your DNS. Some developers reported that switching from their ISP's default DNS to Cloudflare's 1.1.1.1 or Google's 8.8.8.8 didn't fully resolve the issue (since the block is IP-level, not DNS-level), but it did help in cases where ISPs were also doing DNS-level blocking as a first layer. If you're relying on ISP-provided DNS in any production context, this is yet another reason to stop.
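As an added example (not code from the post or the editorial), the following sh script ties together the mechanism described earlier and the same-network-path health check recommended above: it repeats Docker's handshake with SNI against every resolved registry IP and checks that the presented certificate actually names the registry (the check an injected middlebox certificate fails), and it classifies `docker pull` failures so an alert says "intercepted" rather than repeating a bare x509 error. Assumptions: POSIX sh with openssl 1.1.1+ and getent on PATH, `registry-1.docker.io` as Docker Hub's registry endpoint, and a placeholder cron path.

```shell
#!/bin/sh
# Added example: a health check that runs on the CI runner itself, i.e. from the
# same network path as the builds, not from an external uptime monitor.
# Assumptions: POSIX sh, openssl >= 1.1.1 and getent on PATH; the registry host
# is Docker Hub's endpoint; the cron path below is a placeholder.
REGISTRY_HOST="registry-1.docker.io"

# Map the stderr of a failed pull or handshake to a likely cause.
# Output: "<class>: <explanation>", class is ok | intercepted | dropped | dns | unknown.
classify_tls_failure() {
  case "$1" in
    "") echo "ok: no error" ;;
    *"certificate is not valid for any names"*|*"certificate is valid for "*)
      echo "intercepted: TLS answered by a host whose certificate does not name $REGISTRY_HOST" ;;
    *"connection reset"*|*"connection refused"*|*"i/o timeout"*|*"handshake timeout"*)
      echo "dropped: connection to the registry IP reset or timed out (IP-level block or outage)" ;;
    *"no such host"*|*"server misbehaving"*)
      echo "dns: name resolution failed (resolver fault or DNS-level block)" ;;
    *) echo "unknown: $1" ;;
  esac
}

# Connect to one specific IP with SNI set to $host, as Docker does, and check
# that the certificate's SAN list names $host. A middlebox answering for a
# blocked Cloudflare IP presents a certificate that fails this check.
cert_matches_host() {
  host="$1"; ip="$2"
  sans=$(printf '' | openssl s_client -connect "$ip:443" -servername "$host" 2>/dev/null \
           | openssl x509 -noout -ext subjectAltName 2>/dev/null)
  case "$sans" in *"DNS:$host"*) return 0 ;; *) return 1 ;; esac
}

# DNS rotates across the CDN's pool, so probe every A record, not only the one
# this resolution returned: a single bad IP is what makes builds intermittent.
probe_registry() {
  bad=0
  for ip in $(getent ahostsv4 "$REGISTRY_HOST" | awk '{print $1}' | sort -u); do
    if cert_matches_host "$REGISTRY_HOST" "$ip"; then echo "ok $ip"
    else echo "MISMATCH $ip: certificate does not name $REGISTRY_HOST"; bad=1; fi
  done
  # Real pull as the end-to-end check; classify its stderr if it fails.
  err=$(docker pull hello-world 2>&1 >/dev/null) || { classify_tls_failure "$err"; bad=1; }
  return $bad
}

# Cron entry (placeholder path): */10 * * * * /usr/local/bin/registry-probe.sh --run
if [ "${1:-}" = "--run" ]; then
  probe_registry || echo "ALERT: registry network path degraded" >&2
fi
```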
This incident sits at the intersection of two trends that are only going to intensify: increasingly aggressive government intervention in internet infrastructure, and developer tooling's increasing dependence on shared CDN infrastructure. Cloudflare, Fastly, and AWS CloudFront collectively front a significant percentage of all developer-facing services. Any jurisdiction that reaches for IP-level blocking as an enforcement tool — whether for piracy, censorship, or sanctions compliance — will inevitably break developer infrastructure as collateral damage. The question isn't whether this will happen in more countries, but when. The fix isn't political (good luck convincing LaLiga to care about your Docker builds). The fix is architectural: treat your dependency fetching infrastructure with the same geographic redundancy you'd give a production database.
I just spent 1h+ debugging why my locally-hosted GitLab runner would fail to create pipelines. The GitLab job output would just display weird TLS errors when trying to pull Docker images. After debu
They block the whole of Cloudflare R2, I believe the Docker Hub is just (heh) collateral. When the La Liga match starts, everything that's proxied via CF (including zero access reverse tunnels) stops working. There's even a website made for checking if the match is on: https://ha
This is a great example of why blanket IP blocking is such a terrible enforcement mechanism. Cloudflare hosts hundreds of thousands of services behind shared IP ranges — blocking one IP to stop a piracy stream takes out everything else on that IP, including Docker registries, API endpoints, and CDNs
Barring an Internet giant suing them in court, it really feels like this is unlikely to change as most just don’t understand the why or the effect. Someone needs to write a heist movie set in Spain where a key part of the plan is they steal something while La Liga is blocking some key security route.
This is far from the first time that I have seen indignation on HN about LaLiga blockings. Sadly all this rage does not seem to lead to any change. I'd like to suggest some steps that might/should be followed, which I will not pursue personally but in my defense - I do not live in Spain and not affe
Heh, lucky you, at least you get a message. My ISP just drops traffic to the affected IPs. No ping, no traceroute, just a spinner in the browser until it says "page not found". Every response and comment from LaLiga, the football organization responsible for this, has been so far that this