Hi, we’ve been happily using Let’s Encrypt across our infrastructure for more than a year and have had no issues building automation for the renewal of ~100 certificates using HTTP and DNS validation across a number of environments.
Recently we started seeing intermittent monitoring errors on our primary server that handles ACME challenge responses for HTTP validation.
It turned out that we had too many files open and upon further investigation (lsof) we noticed thousands of established connections with:
ec2-13-238-131-82.ap-southeast-2.compute.amazonaws.com
Although our AWS accounts are also based in the AWS ap-southeast-2 region, we’re fairly sure that IP does not belong to any of our instances or network interfaces - although it’s possible we’re mistaken.
In addition to adding idle connection timeouts to our server to mitigate the too many open files issue, we added additional logging and noted hundreds of requests for:
/.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
(e.g. with UTC timestamps, for the past hour):
2019/02/26 00:01:19 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:02:19 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:03:38 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:05:21 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:07:35 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:08:20 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:10:17 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:14:03 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:14:04 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:14:05 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:14:07 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:14:09 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:14:11 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:14:14 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:14:19 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:14:24 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:14:31 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:14:39 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:14:50 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:15:07 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:15:26 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:15:53 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:16:26 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:17:06 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:18:06 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:19:19 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:20:47 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:22:41 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:25:19 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:28:49 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:28:50 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:28:51 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:28:52 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:28:54 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:28:57 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:29:00 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:29:05 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:29:10 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:29:17 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:29:25 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:29:37 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:29:51 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:30:12 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:30:35 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:31:10 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:31:49 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:32:50 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:34:04 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:35:39 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:37:51 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:40:21 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:43:44 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:43:45 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:43:46 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:43:48 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:43:50 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:43:52 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:43:55 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:44:00 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:44:05 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:44:12 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:44:22 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:44:34 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:44:48 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:45:07 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:45:33 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:46:05 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:46:51 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:47:50 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:49:03 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:50:35 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:52:43 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:55:23 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
Our frontend HAProxy actually redirects to this server, so we don’t capture the host header here. We added additional logging to our HAProxy in an attempt to capture the host header for which this repeated challenge is issued; however, although the host header is captured and logged when we manually issue a browser request, it does not seem to appear for these requests, suggesting perhaps (?) that it isn’t being set?
Appreciate any help in tracking this down. So far as we are aware, all of our certs are good and accounted for - we’re not sure what is initiating this request or making it repeat so often.
My domain is: we’re unsure!
I ran this command: n/a
It produced this output: n/a
My web server is (include version): HAProxy
The operating system my web server runs on is (include version): Linux
My hosting provider, if applicable, is: CloudFoundry on AWS with our own HAProxy based TLS termination in front.
I can login to a root shell on my machine (yes or no, or I don’t know): yes
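One way to characterise traffic like the above from the posted log format, as an added example that is not the poster's own tooling: it parses `date time status path` lines, keeps only `/.well-known/acme-challenge/` requests, and per token reports the request count, how many returned 404, and how many retry "bursts" it sees (a burst boundary is a heuristic: the gap between consecutive requests shrinks, i.e. a backoff sequence restarted). The sample log is constructed in the posted format from a subset of the lines above plus two made-up lines.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the posted format: "YYYY/MM/DD HH:MM:SS <status> <path>"
LOG_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (\d{3}) (\S+)$")
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed sample: a subset of the posted lines plus two made-up lines
# (a health check and a different, successful token) to show filtering.
SAMPLE_LOG = """\
2019/02/26 00:14:03 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:14:04 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:14:05 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:14:07 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:20:00 200 /healthz
2019/02/26 00:28:49 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:28:50 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:28:51 404 /.well-known/acme-challenge/kEwZvvvDENtLnHYAT5ZUIbLn11GNB4i5rh7ug1lmvBQ
2019/02/26 00:30:00 200 /.well-known/acme-challenge/CONSTRUCTED_other_token
"""


def parse_log(text):
    """Yield (timestamp, status, token) for acme-challenge requests; skip other lines."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group(3).startswith(CHALLENGE_PREFIX):
            continue
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        yield ts, int(m.group(2)), m.group(3)[len(CHALLENGE_PREFIX):]


def summarise(text, min_failures=3):
    """Per token with at least min_failures 404s: request count, 404 count and
    retry bursts. A new burst is counted whenever the inter-request gap shrinks,
    which is what a backoff loop that keeps restarting looks like in the log."""
    by_token = defaultdict(list)
    for ts, status, token in parse_log(text):
        by_token[token].append((ts, status))
    report = {}
    for token, hits in by_token.items():
        failures = sum(1 for _, s in hits if s == 404)
        if failures < min_failures:
            continue
        times = [t for t, _ in hits]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        bursts = 1 + sum(1 for g1, g2 in zip(gaps, gaps[1:]) if g2 < g1)
        report[token] = {"requests": len(hits), "failures": failures, "bursts": bursts}
    return report


if __name__ == "__main__":
    for token, stats in summarise(SAMPLE_LOG).items():
        print(token, stats)
```

Run over the full posted log, the burst count shows how often the retry sequence restarts, which is easier to reason about than 70 raw lines.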