Mysterious GET Commands in my Access Logs

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.flystore.net

I ran this command:

It produced this output:

My web server is (include version): Apache v?

The operating system my web server runs on is (include version): Linux

My hosting provider, if applicable, is: Mediatemple.net

I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

My issue is odd. I'm not running Let's Encrypt any more but I continue to get mysterious GET commands such as this:

2600:1f18:2469:d900:b53:ceaa:9bd:6fb6, 172.70.134.216 - - [07/Oct/2022:00:00:42 -0700] "GET /flystore.net/.well-known/acme-challenge/BBvTFZ4wF6UKTm9n943DoYLaBO7GXmkA79BAjOdNrW4 HTTP/1.0" 404 61268 "-" "SSLMate-certmgr-DCV"

The .well-known directory doesn't exist anymore.

Where is this GET command coming from. Happens many times a day.

Dave

1 Like

Not from Let's Encrypt anyway. The log entry clearly states "SSLMate-certmgr-DCV".

The weird thing is that there is no reason to start the path of such an ACME-like validation request with the hostname of the site. I.e., the request should be GET /.well-known/... and not GET /flystore.net/.well-known/....

Anyway, not Let's Encrypt, perhaps you should ask SSLMate.

10 Likes

Hello @8one8, welcome to the Let's Encrypt community. :slightly_smiling_face:

Here is the list of issued certificates for crt.sh | flystore.net most recent being 2022-09-21

However the certificate being used is from Cloudflare Inc ECC CA-3 according to Firefox

And Let's Debug results all reference ".. being served through Cloudflare CDN ..."

  1. HTTP-01 Let's Debug
  2. DNS-01 Let's Debug
  3. TLS-ALPN-01 Let's Debug

3 Likes

And SSL Server Test: www.flystore.net (Powered by Qualys SSL Labs) is showing the certificate is issued by Cloudflare Inc ECC CA-3 as well.

3 Likes

I would block that UserAgent ("SSLMate-certmgr-DCV") ... and see what breaks / who yells!

4 Likes

Thanks. Blocking like this in my .htaccess file

# Block useragent folder and files
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} SSLMate-certmgr-DCV [NC]
RewriteRule .* - [F,L]

So far, nobody upset? I'll watch the logs for any new GET logs

I'll post back with results. Thanks for your idea.

Dave

1 Like

Nope. Still getting GET traffic. This was from today's log

54.236.181.46, 172.70.135.166 - - [08/Oct/2022:04:38:50 -0700] "GET /flystore.net/.well-known/acme-challenge/BBvTFZ4wF6UKTm9n943DoYLaBO7GXmkA79BAjOdNrW4 HTTP/1.0" 403 268 "-" "SSLMate-certmgr-DCV"
54.236.181.46, 172.70.135.22 - - [08/Oct/2022:04:38:51 -0700] "GET /flystore.net/.well-known/acme-challenge/BBvTFZ4wF6UKTm9n943DoYLaBO7GXmkA79BAjOdNrW4 HTTP/1.0" 403 268 "-" "SSLMate-certmgr-DCV"
2600:1f18:2469:d900:b53:ceaa:9bd:6fb6, 172.70.174.181 - - [08/Oct/2022:04:38:51 -0700] "GET /flystore.net/.well-known/acme-challenge/BBvTFZ4wF6UKTm9n943DoYLaBO7GXmkA79BAjOdNrW4 HTTP/1.0" 403 268 "-" "SSLMate-certmgr-DCV"
2600:1f18:2469:d900:b53:ceaa:9bd:6fb6, 172.70.34.3 - - [08/Oct/2022:04:38:51 -0700] "GET /flystore.net/.well-known/acme-challenge/BBvTFZ4wF6UKTm9n943DoYLaBO7GXmkA79BAjOdNrW4 HTTP/1.0" 403 268 "-" "SSLMate-certmgr-DCV"
54.236.181.46, 172.70.134.4 - - [08/Oct/2022:04:38:51 -0700] "GET /flystore.net/.well-known/acme-challenge/IGeTLaf6nBScEjpmx9bgNcy9Rxf1pOMjGJwEENlxqYQ HTTP/1.0" 403 272 "-" "SSLMate-certmgr-DCV"
54.236.181.46, 172.70.175.19 - - [08/Oct/2022:04:38:51 -0700] "GET /flystore.net/.well-known/acme-challenge/IGeTLaf6nBScEjpmx9bgNcy9Rxf1pOMjGJwEENlxqYQ HTTP/1.0" 403 272 "-" "SSLMate-certmgr-DCV"
2600:1f18:2469:d900:b53:ceaa:9bd:6fb6, 172.70.134.72 - - [08/Oct/2022:04:38:51 -0700] "GET /flystore.net/.well-known/acme-challenge/IGeTLaf6nBScEjpmx9bgNcy9Rxf1pOMjGJwEENlxqYQ HTTP/1.0" 403 272 "-" "SSLMate-certmgr-DCV"
2600:1f18:2469:d900:b53:ceaa:9bd:6fb6, 172.70.174.202 - - [08/Oct/2022:04:38:52 -0700] "GET /flystore.net/.well-known/acme-challenge/IGeTLaf6nBScEjpmx9bgNcy9Rxf1pOMjGJwEENlxqYQ HTTP/1.0" 403 272 "-" "SSLMate-certmgr-DCV"

It's coming from 54.236.181.46 which is an Amazon IP. Going to block this IP and see what happens

Dave

Also from this IPv6 address. And, also from an EC2 instance in AWS.

It looks like someone is using SSLmate to get a cert for your domain. And, it tries repeatedly when it fails. Those GET requests look like an ACME client doing a pre-validation test before submitting the actual request to the Certificate Authority (like Let's Encrypt).

There is nothing we can do to stop those requests. You should try contacting SSLMate.

4 Likes

As I said earlier, the actual path used, which includes the hostname, is not conforming to the ACME protocol at all. So very weird requests.

6 Likes

Thank You, Mike. Will Do. I appreciate your time. - Dave

3 Likes

Yes, I agree it is wrong format.

But, the pattern still looks like an actual ACME client rather than a random bot. Perhaps the client is just misconfigured but could be outright faulty.

I say this because there are 4 requests using two IPv4 and two IPv6 source IPs. And, the DNS for that domain happens to have 4 IP addresses (2 for IPv4 and two IPv6, Cloudflare actually). So, it looks like one (faulty) request per DNS IP address.

And, there are two groupings of 4 requests. Each group has its own token value that stays consistent within that group.

This leads me to believe it was something explicitly setup for this domain.

I also agree with you that SSLmate is best place to ask :slight_smile:

5 Likes
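As an added example (not code from the thread, nor from SSLMate or Let's Encrypt), the script below applies the two observations made in the replies above to the posted log lines: whether each path follows the RFC 8555 http-01 layout of /.well-known/acme-challenge/<token> with nothing in front of it, and how many requests and distinct source addresses each token attracts, compared with the number of addresses the name resolves to (4 in this thread). The log regex, the minimum token length, the fan-out number and the last two sample lines are assumptions made here; the first six lines are the ones quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: the first six lines are the SSLMate-certmgr-DCV entries
# quoted in the thread (only two of the second token's four requests are kept
# to stay short). The last two lines are made up here to show a conforming
# http-01 path and ordinary traffic; they are not from the poster's server.
LOG_LINES = """\
54.236.181.46, 172.70.135.166 - - [08/Oct/2022:04:38:50 -0700] "GET /flystore.net/.well-known/acme-challenge/BBvTFZ4wF6UKTm9n943DoYLaBO7GXmkA79BAjOdNrW4 HTTP/1.0" 403 268 "-" "SSLMate-certmgr-DCV"
54.236.181.46, 172.70.135.22 - - [08/Oct/2022:04:38:51 -0700] "GET /flystore.net/.well-known/acme-challenge/BBvTFZ4wF6UKTm9n943DoYLaBO7GXmkA79BAjOdNrW4 HTTP/1.0" 403 268 "-" "SSLMate-certmgr-DCV"
2600:1f18:2469:d900:b53:ceaa:9bd:6fb6, 172.70.174.181 - - [08/Oct/2022:04:38:51 -0700] "GET /flystore.net/.well-known/acme-challenge/BBvTFZ4wF6UKTm9n943DoYLaBO7GXmkA79BAjOdNrW4 HTTP/1.0" 403 268 "-" "SSLMate-certmgr-DCV"
2600:1f18:2469:d900:b53:ceaa:9bd:6fb6, 172.70.34.3 - - [08/Oct/2022:04:38:51 -0700] "GET /flystore.net/.well-known/acme-challenge/BBvTFZ4wF6UKTm9n943DoYLaBO7GXmkA79BAjOdNrW4 HTTP/1.0" 403 268 "-" "SSLMate-certmgr-DCV"
54.236.181.46, 172.70.134.4 - - [08/Oct/2022:04:38:51 -0700] "GET /flystore.net/.well-known/acme-challenge/IGeTLaf6nBScEjpmx9bgNcy9Rxf1pOMjGJwEENlxqYQ HTTP/1.0" 403 272 "-" "SSLMate-certmgr-DCV"
2600:1f18:2469:d900:b53:ceaa:9bd:6fb6, 172.70.174.202 - - [08/Oct/2022:04:38:52 -0700] "GET /flystore.net/.well-known/acme-challenge/IGeTLaf6nBScEjpmx9bgNcy9Rxf1pOMjGJwEENlxqYQ HTTP/1.0" 403 272 "-" "SSLMate-certmgr-DCV"
203.0.113.7, 198.51.100.9 - - [08/Oct/2022:04:40:00 -0700] "GET /.well-known/acme-challenge/constructed_example_token_0123456789abcdef HTTP/1.1" 404 196 "-" "acme-client-example/1.0"
198.51.100.20, 198.51.100.10 - - [08/Oct/2022:04:41:00 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Assumed log shape (matches the thread's lines): Apache "combined" format
# preceded by the client address as seen by the CDN and the CDN edge address
# that connected to the origin. The client may be IPv4 or IPv6, so it is
# matched up to the comma rather than by character class.
LOG_RE = re.compile(
    r'^(?P<client>[^,]+),\s*(?P<edge>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

ACME_PREFIX = "/.well-known/acme-challenge/"
# RFC 8555 section 8.3: the token is base64url with at least 128 bits of
# entropy, i.e. at least 22 unpadded characters. Shorter strings are ignored.
TOKEN = r"[A-Za-z0-9_-]{22,}"
CONFORMING_RE = re.compile(rf"^{re.escape(ACME_PREFIX)}({TOKEN})$")
ANYWHERE_RE = re.compile(rf"{re.escape(ACME_PREFIX)}({TOKEN})")


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify_acme_path(path):
    """Return (kind, token): 'conforming' when the path is exactly the http-01
    layout, 'prefixed' when the acme-challenge segment is present but something
    precedes it (the /flystore.net/ case in the thread), 'none' otherwise."""
    m = CONFORMING_RE.match(path)
    if m:
        return "conforming", m.group(1)
    m = ANYWHERE_RE.search(path)
    if m:
        return "prefixed", m.group(1)
    return "none", None


def group_challenge_requests(log_text):
    """Group challenge requests by token, recording sources, edges, kinds,
    response codes and user agents, so repeats of one token stand out."""
    groups = defaultdict(lambda: {
        "count": 0, "client_ips": set(), "edge_ips": set(),
        "kinds": set(), "statuses": set(), "user_agents": set(),
    })
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind, token = classify_acme_path(rec["path"])
        if kind == "none":
            continue
        g = groups[token]
        g["count"] += 1
        g["client_ips"].add(rec["client"])
        g["edge_ips"].add(rec["edge"])
        g["kinds"].add(kind)
        g["statuses"].add(rec["status"])
        g["user_agents"].add(rec["ua"])
    return dict(groups)


def matches_dns_fanout(group, n_addresses):
    """The heuristic from the thread: a validator that tries every address the
    name resolves to makes one request per address for each token. n_addresses
    is the A+AAAA record count (4 in the thread); it is an input here, not
    resolved, so the check runs offline."""
    return group["count"] == n_addresses


def report(groups, n_addresses):
    """One summary line per token, suitable for eyeballing or piping to grep."""
    lines = []
    for token, g in sorted(groups.items()):
        lines.append(
            f"{token[:12]}... kind={'/'.join(sorted(g['kinds']))} "
            f"requests={g['count']} sources={len(g['client_ips'])} "
            f"edges={len(g['edge_ips'])} statuses={sorted(g['statuses'])} "
            f"ua={sorted(g['user_agents'])} "
            f"fanout_match={matches_dns_fanout(g, n_addresses)}"
        )
    return lines


if __name__ == "__main__":
    for line in report(group_challenge_requests(LOG_LINES), n_addresses=4):
        print(line)
```

Run it against a real access log by replacing LOG_LINES with the file contents and n_addresses with the number of A and AAAA records the name currently has. The script only reads the log; as the 403 entries in the thread show, a user-agent block in .htaccess changes the response code but not whether the request reaches the origin.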

The requests can't be blocked/stopped from the receiving end.
They can only be denied.
To which, your .htaccess has done its job: The 404 replies are now 403.

I do see that the requested file does change, so that implies an active client making new requests [daily].

Although the presence of "/flystore.net/" in the request is rather odd, it can be due to some URL redirection within those external systems. Perhaps at some point in time you hosted your domain elsewhere (and they haven't turned it off)?

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.