Multiple acme-challenges every day

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | grb.dk), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
grb.dk (with around 16-21 domains inside)

My web server is:
OpenLiteSpeed

Multiple times every day we get a lot of acme-challenges out of the blue, and now it causes our server to crash - I've checked the public_html/.well-known/acme-challenge and it's empty.

Here are a few seconds of the access log (and not all the access within this "attack"):


Why are there any acme-challenges without any renewal of a certificate at any point, and many times a day?

Did you check the crontab on that machine - or any other ones you control - to see if they are causing this?

You might also have certbot running via cron on an old server, which keeps trying to renew and always fails.

I'm pretty sure that there is nothing on our server trying to renew certificates, we do it manually - to be sure I've checked the crontab - if it should be, it would be from this server.

Is there a way to find out where it is happening from at any point?

Hi @pernielsentikaer

Checking that log, there are some domain names:

nordic-adventure.dk
www.greenland-travel.com.cn
etc.

All with your IP address 185.134.30.73

And a certificate - https://check-your-website.server-daten.de/?q=grb.dk#certificates - with 38 domain names:

CN=grb.dk, 28.01.2021 - 28.04.2021, expires in 49 days, 38 entries:

grb.dk, greenland-travel.com, greenland-travel.com.cn, greenland-travel.de,
greenland-travel.dk, greenlandbooking.dk, greenlandtravel.com, greenlandtravel.com.cn,
greenlandtravel.de, greenlandtravel.dk, groenlandsrejsebureau.com, groenlandsrejsebureau.dk,
nordic-adventure.dk, nordicadventure.dk, www.grb.dk, www.greenland-travel.com,
www.greenland-travel.com.cn, www.greenland-travel.de, www.greenland-travel.dk,
www.greenlandbooking.dk, www.greenlandtravel.com, www.greenlandtravel.com.cn,
www.greenlandtravel.de, www.greenlandtravel.dk, www.groenlandsrejsebureau.com,
www.groenlandsrejsebureau.dk, www.nordic-adventure.dk, www.nordicadventure.dk,
www.grønland-rejser.dk (www.xn--grnland-rejser-rqb.dk),
www.grønlandrejser.dk (www.xn--grnlandrejser-cnb.dk),
www.grønlands-rejsebureau.dk (www.xn--grnlands-rejsebureau-ccc.dk),
www.grønlandsrejsebureau.com (www.xn--grnlandsrejsebureau-w7b.com),
www.grønlandsrejsebureau.dk (www.xn--grnlandsrejsebureau-w7b.dk),
grønland-rejser.dk (xn--grnland-rejser-rqb.dk), grønlandrejser.dk (xn--grnlandrejser-cnb.dk),
grønlands-rejsebureau.dk (xn--grnlands-rejsebureau-ccc.dk),
grønlandsrejsebureau.com (xn--grnlandsrejsebureau-w7b.com),
grønlandsrejsebureau.dk (xn--grnlandsrejsebureau-w7b.dk)

Are all of these domain names valid?

Sounds like you use something like force-renewal and one domain name is invalid.

Or you use a tool like letsdebug.net excessively. Letsdebug tries to create a test certificate that checks your domain (and fails). (PS: I don't know if the LE stage system uses the same user agent).

But I'm nearly sure your own server creates these orders / checks.

I'm pretty sure that it's not caused on our end, so it could be cool to find the IP that's trying to renew - for now I have set up a temporary 404 rewriteRule to catch it and when we renew the certificates we will disable this.

Let's hope it stops soon, thanks for your advice.
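One way to triage the access log for the question asked in this thread (who is requesting the challenge path, and how often), as an added example that is not part of any post above. It assumes a combined-format access log; the sample lines, IP addresses and tokens are constructed, and `make_line`, `summarize_acme_hits` and `report` are hypothetical helper names.

```python
import re
from collections import Counter, defaultdict

# Assumption: access log is in the "combined" format; adjust LINE_RE otherwise.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
ACME_PREFIX = "/.well-known/acme-challenge/"
# User agent sent by Let's Encrypt's HTTP-01 validation servers.
LE_UA = ("Mozilla/5.0 (compatible; Let's Encrypt validation server; "
         "+https://www.letsencrypt.org)")

def make_line(ip, ts, path, status, ua):
    """Build one constructed combined-format log line for the sample."""
    return f'{ip} - - [{ts} +0100] "GET {path} HTTP/1.1" {status} 150 "-" "{ua}"'

# Constructed sample: documentation IP ranges and made-up tokens.
SAMPLE_LOG = "\n".join([
    make_line("192.0.2.10", "10/Mar/2021:09:14:01", ACME_PREFIX + "tokenAAA", 404, LE_UA),
    make_line("192.0.2.10", "10/Mar/2021:09:14:02", ACME_PREFIX + "tokenBBB", 404, LE_UA),
    make_line("198.51.100.7", "10/Mar/2021:09:14:02", ACME_PREFIX + "tokenAAA", 404, LE_UA),
    make_line("203.0.113.5", "10/Mar/2021:09:20:00", ACME_PREFIX + "test", 404, "curl/7.68.0"),
    make_line("203.0.113.5", "10/Mar/2021:09:20:01", "/index.html", 200, "curl/7.68.0"),
])

def summarize_acme_hits(log_text):
    """Group challenge-path requests by (client IP, user agent)."""
    groups = defaultdict(lambda: {"hits": 0, "tokens": set(),
                                  "statuses": Counter(), "per_minute": Counter()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(ACME_PREFIX):
            continue  # unparsable line or not a challenge request
        g = groups[(m["ip"], m["ua"])]
        g["hits"] += 1
        g["tokens"].add(m["path"][len(ACME_PREFIX):])  # one token per challenge
        g["statuses"][m["status"]] += 1
        g["per_minute"][m["ts"][:17]] += 1  # bucket key: dd/Mon/yyyy:HH:MM
    return groups

def report(groups):
    """Rows of (ip, kind, hits, distinct tokens, statuses, peak hits/minute)."""
    rows = []
    for (ip, ua), g in sorted(groups.items(), key=lambda kv: -kv[1]["hits"]):
        kind = "CA validator" if "Let's Encrypt validation server" in ua else "other client"
        rows.append((ip, kind, g["hits"], len(g["tokens"]),
                     dict(g["statuses"]), max(g["per_minute"].values())))
    return rows

if __name__ == "__main__":
    for row in report(summarize_acme_hits(SAMPLE_LOG)):
        print(row)
```

Rows marked "CA validator" with many distinct tokens indicate that an ACME client somewhere keeps requesting certificates for these names; with HTTP-01 the logged source IPs belong to the CA's validation servers, so they do not identify that client.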
