Maybe a big Thank You is in order, but from my end, from my website logs, this has been "thrust upon me". With my logs filling up with "/.well-known/acme-challenge/STUFF" requests that are totally irrelevant to me. (My website is static, with no need for such "security".)
Rant:
Along with .env and other "stuff to help" things like this just add useless traffic. The problem may be that the Internet gets slower and slower as time goes by as well meaning programmers keep coming up with these kinds of things that help themselves more than little people with little websites.
Sorry to hear that you are seeing this unwanted traffic. There are several possible reasons for this. While I don't have any immediate solutions to offer, I will ask around to see what options are available. Thanks much for bringing this to our attention.
You could add an empty CAA resource record to your domain. AFAIK the validation server first checks the CAA record and when it finds Let's Encrypt isn't authorized to issue for your domain, it'll stop there. So it shouldn't continue with the validation, so no entries in your log. I was wrong, see below.
I thought that CAA was checked last, as it's the last-ditch effort to try to stop unexpected issuance.
In any event, I'm kind of confused at the issue here. @JohnGwot, are you saying that you don't use Let's Encrypt (or other ACME-based CA) certificates, but see regular traffic at .well-known/acme-challenge? How much traffic are you talking about to be "filling up" logs? If it's substantial, my guess is that it's much more likely to be people running vulnerability-scan-type things (which check every URL one might think of) than somebody trying to get a certificate for your domain name. There may not be much anyone at Let's Encrypt can do about it, as I have a hunch that it's not actually from them.
Well, I'd argue that all sites would have advantages from switching to HTTPS (as it helps your users' privacy to not advertise to every router in-between which specific page on your site is being visited, and makes it harder for ISPs to manipulate your content by inserting their own ads). But I'm sure there are cases where it doesn't really matter one way or the other for most users.
(Although the code first calls checkCAA() and then calls validateChallenge(). But according to the comment, the calls are processed in parallel. I'm not a Go guy, so no idea how it works [and I don't care either ].)
This could also be a spam/scambot trying to take out a certificate on your hostname, not just plain junk traffic. But as long as they're going to you, you're perfectly safe. You might check if there's been any attempt to compromise your DNS lately.
Otherwise, every website that exists will constantly be flooded with junk traffic. You just have to filter egregious ones at the log, the webserver, or the firewall if you have DPI, if you would rather never see them.
Sure, as long as you don't care about things like:
Better search engine results
Speed improvements via HTTP/2
The ability for middle men to intercept and add/change/delete content on your site before it reaches the user's browser
Browser warnings about the site being "Not secure"
I may be forgetting some other benefits. But it's a common misconception that HTTPS is only useful for sites that have secret/private information to protect.
One thing I'd like to add on this point. Many people will argue "My site doesn't take any payment, and it's just a blog so I don't care if someone modifies it".
To counter that point, There are instances that malicious scripts could be injected that simply use your site because it's http, not because there's anything particularly interesting on it.
...but you're regularly inspecting your access logs? That in itself seems somewhat odd.
But if you're seeing this traffic, someone is requesting certs from some certificate authority (not necessarily Let's Encrypt; there are at least two others) that uses ACME and HTTP validation. If that someone isn't you, ignore it. I guess I'm not seeing the problem.
].)