LE validation server sending multiple verification requests

Apologies for the lack of specific information in this post, but I just noticed that since ~1830 UTC there are now multiple challenge-verification requests for the /.well-known/acme-challenge/ URL per site, from 3 different IP addresses in the same second ({66,18,34}.xxx.xxx.xxx).

Context: I have a custom LE client which relied on the fact that there would be only a single challenge-verification request for a site, and it is now kind of broken: while one of the requests gets answered successfully, subsequent requests fail.

Is this on purpose, or some anomaly?


Yes, it’s intentional. It helps mitigate MITM attacks against Let’s Encrypt’s validation procedure, and probably has some other benefits.

I believe the plan is to bring it to production as well, but no idea what the timeline on that is.

The FAQ mentions it too:

What IP addresses does Let’s Encrypt use to validate my web server?
We don’t publish a list of IP addresses we use to validate, because they may change at any time. In the future we may validate from multiple IP addresses at once.


Alright, thanks for the confirmation. It's already in production from what I see.


In production we're making multiple validation requests to collect some data but are not yet enforcing results based on the observed consensus.
