Receiving unknown file-based verifications

On our production website we receive HTTP GET requests like this:

/.well-known/acme-challenge/Q56W201s2iaPvXnhQHKPYvmMvMa-bjbPskOmInr4Yww

I’m not able to ignore it. Is it possible to investigate its origin?

I know Boulder originates this one, but I’d like to get to the person starting the process and tell him to stop.

Are you sure the requests are coming from Let’s Encrypt? Are they coming from the right IP addresses?

(The validation servers’ IP addresses aren’t documented, but currently they don’t change frequently and aren’t very secret.)


Yes, the PTR says ***.letsencrypt.org. and they are in VIAWEST.

I also found the IP in this very forum.

Anyone could initiate a validation on any random hostname. I’m not sure if Let’s Encrypt is able to help you in this case, perhaps because of privacy reasons or something.

Thank you.

Could I get the initiator’s IP or AS number at least?

What is the host associated with that GET request? It may or may not help, but better to know.

It is possible that there is no person behind it, just a cron job. Analyse the timing/frequency to see how regular it is. It is even possible that you have an ACME client forgotten somewhere in a corner.


Thank you very much for the frequency thing!

I do not trust robots with SSL issuance :)

We receive these requests every 12 hours.


That sounds like a certbot on a standard twice-a-day cron job trying to renew. Chances are, it’s one of your own. certbot wouldn’t try a renewal if it didn’t succeed at least once. Therefore, it has had control over the domain that instance, but now hasn’t any longer.


Thank you.
The website recently moved to a proper world-class cloud instance.

It must be the previous shared hosting provider.


@lestaff could look up from the logs which account triggered the given challenge value. Then, they could send a notification to the e-mail address of that account about the misuse. I do not think that it would be appropriate to communicate to you the ACME client IP or the account e-mail address. On the other hand, if they wish to do so, they could act as a proxy for your complaint.


Hi @szepeviktor,

If you have a previous hosting provider, I agree that it’s likely they are still trying to do validations on your hostname. I’ve seen a number of hosting providers that don’t notice when a customer moves their DNS away. My recommendation is that you reach out to them directly.

Thanks,
Jacob


Thank you @jsha. I've talked to our former shared hosting provider: they told us they do not run an automatic cert. issuing robot.
Our current hosting provider is UpCloud: they provide only empty cloud instances. I do all the things on this server: I use a manual Python client for LE, but currently we have a paid wildcard certificate for 1 year.

I'd like you to send a message to the initiator: Please stop requesting certificates for our domain: voiz.hu
Could you do it for me?

Latest traffic:

52.28.236.88    [28/Apr/2020:10:23:23 +0000]    GET /.well-known/acme-challenge/piJV9wGPQLJ-xlDNy4GK17W_3lpgfc4yv7zZh9OFYfA HTTP/1.1    404
34.222.229.130  [28/Apr/2020:10:23:23 +0000]    GET /.well-known/acme-challenge/piJV9wGPQLJ-xlDNy4GK17W_3lpgfc4yv7zZh9OFYfA HTTP/1.1    404
64.78.149.164   [28/Apr/2020:10:23:23 +0000]    GET /.well-known/acme-challenge/piJV9wGPQLJ-xlDNy4GK17W_3lpgfc4yv7zZh9OFYfA HTTP/1.1    404
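The timing check suggested earlier in the thread, applied to access-log lines in the format shown above, as an added example that is not part of any post. It counts one validation attempt per challenge token (the log above shows the same token fetched from several addresses in the same second) and reports whether the attempts follow a fixed schedule. The sample log, its documentation IP addresses, the placeholder tokens and the 5% tolerance are all constructed assumptions.

```python
import re
from datetime import datetime
from statistics import median

# Constructed sample in the log format shown above; IPs are documentation
# addresses and tokens are placeholders, not real challenge values.
SAMPLE_LOG = """\
192.0.2.10    [27/Apr/2020:10:23:21 +0000]    GET /.well-known/acme-challenge/TOKEN-A HTTP/1.1    404
198.51.100.7  [27/Apr/2020:10:23:21 +0000]    GET /.well-known/acme-challenge/TOKEN-A HTTP/1.1    404
192.0.2.10    [27/Apr/2020:22:23:40 +0000]    GET /.well-known/acme-challenge/TOKEN-B HTTP/1.1    404
203.0.113.5   [27/Apr/2020:22:23:41 +0000]    GET /.well-known/acme-challenge/TOKEN-B HTTP/1.1    404
192.0.2.10    [28/Apr/2020:10:23:23 +0000]    GET /.well-known/acme-challenge/TOKEN-C HTTP/1.1    404
198.51.100.7  [28/Apr/2020:10:23:23 +0000]    GET /index.html HTTP/1.1    200
192.0.2.10    [28/Apr/2020:22:24:02 +0000]    GET /.well-known/acme-challenge/TOKEN-D HTTP/1.1    404
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+)\s+\[(?P<ts>[^\]]+)\]\s+GET\s+"
    r"/\.well-known/acme-challenge/(?P<token>[A-Za-z0-9_-]+)\s+HTTP/\S+\s+(?P<status>\d{3})$"
)

def validation_attempts(log_text):
    """Return {token: first-seen datetime}; one token = one validation attempt,
    even when several validation servers fetch it in the same second."""
    first_seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an ACME HTTP-01 challenge request
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        tok = m["token"]
        if tok not in first_seen or ts < first_seen[tok]:
            first_seen[tok] = ts
    return first_seen

def schedule(log_text, tolerance=0.05):
    """Return (median gap in hours, True if every gap is within tolerance of it)."""
    times = sorted(validation_attempts(log_text).values())
    gaps = [(b - a).total_seconds() / 3600 for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None, False  # too few attempts to call it a schedule
    mid = median(gaps)
    return mid, all(abs(g - mid) <= tolerance * mid for g in gaps)

if __name__ == "__main__":
    hours, regular = schedule(SAMPLE_LOG)
    print(f"median gap {hours:.2f} h, regular schedule: {regular}")
```

A regular gap of about 12 hours points at an unattended renewal job rather than a person, which is the conclusion the thread reaches.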

According to crt.sh, there was a Let's Encrypt certificate issued for voiz.hu as recently as 2019-08-05: https://crt.sh/?q=voiz.hu. And there are Let's Encrypt certificates for subdomains like api.voiz.hu being actively issued through today.

If you are in control of api.voiz.hu and the other subdomains, and want to make sure you are not using Let's Encrypt in your infrastructure, I would recommend that you replace the certificates on those hostnames with certificates from a different CA, and install a CAA record requesting that Let's Encrypt not issue for any subdomain of voiz.hu. You should probably also find any automation you may have running on those subdomains and shut it down.

As far as the main hostname, voiz.hu, can you tell me what hosting provider you were using on 2019-08-05? Is that the same hosting provider that recently told you they do not issue Let's Encrypt certificates?

Yes! It was https://elin.hu/

Yes it is.

Thanks! elin.hu either misunderstood your request or gave you inaccurate information. They're still attempting issuance for your domain name. You should reach out to them again.

Thank you very much.
You've just resolved my issue, the search is over :)
