Persistent hits on well-known/acme-challenge

I got an SSL certificate using certbot, but I have seen in the logs persistent hits on well-known/acme-challenge/token every minute. How can I verify whether they are coming from Let's Encrypt or from some other hacker? I have added a screenshot below.

Let's Encrypt will only hit that path when you're trying to issue or renew a cert, so if you aren't trying to do that, they aren't coming from Let's Encrypt. A further indication that they aren't is that the file requested looks like a UUID, which isn't the filename format of LE's validation tokens.

4 Likes

That looks like a bot. Or, at least it is not Let's Encrypt.

The Let's Encrypt Authentication Servers have a user-agent that identifies itself. It will be very obvious.

Of course, a bot could mimic that user-agent too but it makes it easy to exclude those.

Other steps are to look at the URI, but that is not even the correct format for an LE HTTP Challenge. The value after the /acme-challenge/ isn't correct.

An actual Let's Encrypt HTTP Challenge will be repeated from up to 5 different places at once. So, you would see the same URI from different IP addresses. We don't see that here.

You could then further use IP mapping techniques to identify the IP and see who they belong to. This gets a little involved and I have already said plenty :)

The user-agent is enough to ensure they are not LE. I mention these others for further education :)

Sorry Dan I had mine in process before you posted.

5 Likes
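The three checks from the reply above (user-agent, token shape, same URI from several source IPs) applied to access-log lines, as an added example that is not part of the original thread. It assumes the combined log format, the user-agent substring `Let's Encrypt validation server`, and a threshold of two distinct sources; the log lines, tokens and IP addresses are constructed samples.

```python
import re
from collections import defaultdict

# Combined log format: ip - - [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')
PREFIX = "/.well-known/acme-challenge/"
UUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
TOKEN = re.compile(r"^[A-Za-z0-9_-]{22,}$")  # base64url alphabet, room for >= 128 bits (RFC 8555)
LE_UA = "Let's Encrypt validation server"     # assumed user-agent marker; it can be spoofed

# Constructed sample lines (documentation IP ranges, made-up tokens).
SAMPLE = """
203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /.well-known/acme-challenge/3f2b8c1e-9d4a-4e7b-8a6f-1c2d3e4f5a6b HTTP/1.1" 404 153 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Jan/2024:10:01:01 +0000] "GET /.well-known/acme-challenge/3f2b8c1e-9d4a-4e7b-8a6f-1c2d3e4f5a6b HTTP/1.1" 404 153 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.10 - - [11/Jan/2024:03:00:00 +0000] "GET /.well-known/acme-challenge/Xk3vQ9mT_wLp7Zr2bN5cYd8HsJ4fGa1eUo6iRtVy-0A HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
198.51.100.20 - - [11/Jan/2024:03:00:00 +0000] "GET /.well-known/acme-challenge/Xk3vQ9mT_wLp7Zr2bN5cYd8HsJ4fGa1eUo6iRtVy-0A HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
203.0.113.99 - - [12/Jan/2024:08:15:00 +0000] "GET /.well-known/acme-challenge/9a1b2c3d-4e5f-4a6b-8c7d-0e1f2a3b4c5d HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
""".strip().splitlines()

def classify(lines, min_sources=2):
    """Return {token: verdict} for every challenge path seen in the log lines."""
    seen = defaultdict(lambda: {"ips": set(), "agents": set()})
    for line in lines:
        m = LINE.match(line)
        if not m or not m.group(2).startswith(PREFIX):
            continue
        ip, path, agent = m.groups()
        entry = seen[path[len(PREFIX):]]
        entry["ips"].add(ip)
        entry["agents"].add(agent)
    verdicts = {}
    for token, e in seen.items():
        reasons = []
        if not all(LE_UA in a for a in e["agents"]):
            reasons.append("user-agent")      # cheap exclusion, as the reply says
        if UUID.match(token) or not TOKEN.match(token):
            reasons.append("token-format")    # UUID-shaped names are not ACME tokens
        if len(e["ips"]) < min_sources:
            reasons.append("single-source")   # real validation arrives from several IPs
        verdicts[token] = "not-lets-encrypt: " + ",".join(reasons) if reasons else "consistent-with-lets-encrypt"
    return verdicts

if __name__ == "__main__":
    for token, verdict in classify(SAMPLE).items():
        print(token, "->", verdict)
```

A "consistent" verdict only means none of the three checks ruled the requests out; it also has to line up with a time when you were actually issuing or renewing a certificate.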

Thanks for your reply

2 Likes
