Persistent hits on well-known/acme-challenge

I have half a dozen letsencrypt certificates on sites hosted on an Apache web server. I have no problem renewing the certificates and they perform as expected.

One site ONLY gets 4 hits per day on /.well-known/acme-challenge/ completed within a second or so and recurring approximately every 24 hours. Depending on the site’s setenv and modsecurity setup it returns either 404 or 403. This has been happening since I set up letsencrypt on that domain several months ago.

I thought it might be due to a dual-domain certificate I set up when first applying letsencrypt to the server. I subsequently applied individual certificates for each domain and yesterday I found and deleted the dual certificate. The hits still arrive.

The hits are to www.bristol-acupuncture.com

The dual-domain certificate was issued to that domain and to www.bristol-web.org.uk (I am not sure if the www was included in either case).

I am not especially concerned but it’s annoying, as modsecurity issues errors for them.

Is there anything particularly/noticeably common to the requests?
[same source IP or same destination file or same time of day]

The IP seems to be 50.87.144.0/24 - it may be tighter than that. The part after /.well-known/acme-challenge/ is, as far as I’ve traced it, different for every hit, even within the group of four. Time of day seems to be approximately 24 hours but reducing a few minutes per day.
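One way to answer the "what do the requests have in common" question from the access log, as an added example that is not code from the thread: parse Apache combined-format lines, keep only requests under /.well-known/acme-challenge/, and group them by /24 so the hit count, the number of distinct tokens, the user agents and the time span per source are visible at a glance. The log lines below are constructed for the example and the /24 grouping is an assumption that matches the range reported above.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# Constructed sample lines in Apache combined log format (not taken from the thread).
SAMPLE_LOG = """\
50.87.144.12 - - [11/Nov/2019:03:14:07 +0000] "GET /.well-known/acme-challenge/AbC123 HTTP/1.1" 403 199 "-" "Mozilla/5.0"
50.87.144.12 - - [11/Nov/2019:03:14:07 +0000] "GET /.well-known/acme-challenge/XyZ789 HTTP/1.1" 403 199 "-" "Mozilla/5.0"
85.215.2.227 - - [11/Nov/2019:09:02:11 +0000] "GET /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de HTTP/1.1" 404 196 "-" "Server-Daten Check your Website (https://check-your-website.server-daten.de/)"
203.0.113.5 - - [11/Nov/2019:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
50.87.144.20 - - [12/Nov/2019:03:11:40 +0000] "GET /.well-known/acme-challenge/QwE456 HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

# Apache "combined" LogFormat: ip ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

def parse_challenge_hits(log_text):
    """Return (ip, timestamp, token, status, user_agent) for each acme-challenge request."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("path").startswith(CHALLENGE_PREFIX):
            continue  # unparsable line or an ordinary page request
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        token = m.group("path")[len(CHALLENGE_PREFIX):]
        hits.append((m.group("ip"), ts, token, int(m.group("status")), m.group("ua")))
    return hits

def summarize_by_source(hits, prefix_len=24):
    """Group hits by /prefix_len network and report what the requests have in common."""
    groups = defaultdict(list)
    for ip, ts, token, status, ua in hits:
        net = ip_network(f"{ip}/{prefix_len}", strict=False)  # e.g. 50.87.144.0/24
        groups[str(net)].append((ts, token, ua))
    summary = {}
    for net, rows in groups.items():
        times = sorted(r[0] for r in rows)
        summary[net] = {
            "hits": len(rows),
            "distinct_tokens": len({r[1] for r in rows}),   # all different -> not one stale token
            "user_agents": sorted({r[2] for r in rows}),
            "span_seconds": int((times[-1] - times[0]).total_seconds()),  # ~86400 = daily pattern
        }
    return summary
```

A source whose token differs on every hit and recurs about every 86400 seconds looks like a scheduled pre-check rather than a stalled renewal of a specific token, which is the distinction the thread is trying to draw.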

I’ve just seen a new IP in the log - a single hit from 85.215.2.227 to /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de with the UA “Server-Daten Check your Website (https://check-your-website.server-daten.de/)”. I haven’t seen this before - is it from “you”?

Hey @dstiles,

That's not one of the IP address ranges that Let's Encrypt would use for HTTP-01 validation requests. Doing a whois on it shows that it's owned by Endurance.com.

They're a large webhoster with a Let's Encrypt integration. Are you one of their customers? You may want to contact their support to ask about the frequent validation requests. I can confirm they aren't coming from Let's Encrypt.

Hi @dstiles,

that's my tool, see my profile or follow the link. I've checked your domain, but didn't find anything.

What does the following say?

certbot certificates

Perhaps there is a certificate that was not renewed and certbot tries it every day.

PS: Perhaps there is a wrongly configured client with something like a pre-check. What client do you use?

Thanks for the information. No, I have no connection to them at all. One thing, though, the domain name is second-hand so possibly they had a previous connection to the domain. I will follow it up.

Ok. Thanks. I think cpu has nailed it, though.

There are some older certificates:

Issuer                      not before  not after   Domain names                                                     LE-Duplicate next LE
Let's Encrypt Authority X3  2019-11-11  2020-02-09  www.bristol-acupuncture.com, www.bristol-web.org.uk (2 entries)
Let's Encrypt Authority X3  2019-10-16  2020-01-14  bristol-acupuncture.com, www.bristol-acupuncture.com (2 entries)
Let's Encrypt Authority X3  2019-09-12  2019-12-11  www.bristol-acupuncture.com, www.bristol-web.org.uk (2 entries)
Let's Encrypt Authority X3  2019-08-17  2019-11-15  bristol-acupuncture.com, www.bristol-acupuncture.com (2 entries)
Let's Encrypt Authority X3  2019-07-14  2019-10-12  www.bristol-acupuncture.com, www.bristol-web.org.uk (2 entries)
Let's Encrypt Authority X3  2019-07-13  2019-10-11  bristol-acupuncture.com, www.bristol-acupuncture.com (2 entries)
Let's Encrypt Authority X3  2019-05-15  2019-08-13  www.bristol-acupuncture.com, www.bristol-web.org.uk (2 entries)
Let's Encrypt Authority X3  2019-03-15  2019-06-13  www.bristol-acupuncture.com, www.bristol-web.org.uk (2 entries)

Did you create one of these?

Aha! I bet they're trying to do "pre-flight" validation checks for a domain that used to be hosted with them. I would definitely try contacting their customer support to see if they can address the problem. Unfortunately we won't be able to help from our side since they aren't requests we're making ourselves.

If you'd like to block that source IP range at your firewall it won't affect your Let's Encrypt renewals (as long as you don't intend to host with Endurance!)

Good luck,


All of those are me, but thanks for the effort. :slight_smile:


Oh, what's that.

Search the IP address table of "check your website" to see if the IP part 50.87.144.% can be found.

There is exactly one domain with a curious domain name.

Opening that domain:

This Account has been suspended.

A cPanel info page.

Sorry, you've lost me there. Where can I find that?

That information isn't published. See the detail pages. There is some information about a domain, but there is no public reverse search ip -> domain name.


Ok. Thanks for the information.
