Unusual number of requests by LE validation server

letsdebug · July 5, 2018, 3:14pm

Hello,
i’m getting (more or less) every hour a visit on my website:

66.133.109.36 - - [05/Jul/2018:04:47:03 +0200] “GET /.well-known/acme-challenge/VFyDf2zegFRDxqg_wh_88ivDyD8E8IEej7wqY6mpMkI HTTP/1.0” 404 9297 “http://www.mydomain.tld/.well-known/acme-challenge/VFyDf2zegFRDxqg_wh_88ivDyD8E8IEej7wqY6mpMkI” “Mozilla/5.0 (compatible; Let’s Encrypt validation server; +https://www.letsencrypt.org)” 66.133.109.36 - - [05/Jul/2018:05:47:00 +0200] “GET /.well-known/acme-challenge/bowktI-x83nitjk1W-9MBU9R_5x1Dc5ICTcHEG3zpNQ HTTP/1.0” 404 9297 “http://www.mydomain.tld/.well-known/acme-challenge/bowktI-x83nitjk1W-9MBU9R_5x1Dc5ICTcHEG3zpNQ” “Mozilla/5.0 (compatible; Let’s Encrypt validation server; +https://www.letsencrypt.org)” 66.133.109.36 - - [05/Jul/2018:06:47:01 +0200] “GET /.well-known/acme-challenge/AureMvee6434Pm6V_dHCb-dKImENWi_u1wvQO4PdqDI HTTP/1.0” 404 9296 “http://www.mydomain.tld/.well-known/acme-challenge/AureMvee6434Pm6V_dHCb-dKImENWi_u1wvQO4PdqDI” “Mozilla/5.0 (compatible; Let’s Encrypt validation server; +https://www.letsencrypt.org)” 66.133.109.36 - - [05/Jul/2018:07:47:01 +0200] “GET /.well-known/acme-challenge/PYK14JuHC6lY0TIx9FTMPuqIB0LxRLNXaMd4kTFAPZM HTTP/1.0” 404 9301 “http://www.mydomain.tld/.well-known/acme-challenge/PYK14JuHC6lY0TIx9FTMPuqIB0LxRLNXaMd4kTFAPZM” “Mozilla/5.0 (compatible; Let’s Encrypt validation server; +https://www.letsencrypt.org)”

My domain is: (don’t want to disclose)

I ran this command: none, I only keep getting this message in log files almost hourly.

It produced this output: none

My web server is (include version): apache 2.2.15

The operating system my web server runs on is (include version): centos 6.9 final x64

My hosting provider, if applicable, is: (don’t want to disclose)

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): plesk 17.5.3

certificate is valid, I do not understand why I’ve been hit so frequently with requests: can you help in some way?

Thanks and best regards.

jared.m · July 5, 2018, 3:20pm

It’s pretty hard to help without the domain name in question - please bear in mind that you’re not actually keeping it secret as it’s been publicly and permanently logged to the certificate transparency logs anyway, you’re just preventing anyone from being able to help you. There are several reasons that your server could be seeing these requests. My first question would be how you obtained your certificate in the first place? Was it a Let’s Encrypt certificate? What client did you use? The command is important here.

You not even disclosing a hosting provider makes this all the more difficult, as it’s entirely possible that your hosting provider is involved somehow.

letsdebug · July 5, 2018, 3:43pm

Hello,
I understand that the informations provided does not help to solve the problem. As about certificate, it was generated by let’s encrypt. For now, I have renewed it, I will check if the problem is still here.

I’ll update you in case, thank you very much for now.
Regards.

JuergenAuer · July 5, 2018, 3:49pm

Hi @letsdebug

then check your server: Are there cronjobs? Or a systemd-job? Or starts plesk something?

Use

https://transparencyreport.google.com/https/certificates

to check if there are certificates created.

letsdebug · July 6, 2018, 12:12pm

Hello,
I think it was an issue with plesk, because after a restart I did not receive further renewal requests. Thank you very much for your support.

Regards.

system · August 5, 2018, 12:12pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.