At the company I work for we recently launched Let’s Encrypt integration for our customers so they can secure their sites. Part of the system includes centralized validation where customer sites forward requests for paths like /.well-known/acme-challenge/* to a central server that serves the DV file information.
In checking the logs I noticed requests, every hour, to a particular domain that a customer wants to secure but the path to the challenge is unusual: /.well-known/acme-challenge/sp_test
What is “sp_test?” Requests for that path appear many times in our logs however most of the requests are for a single domain (that eventually successfully got its certificate).
We do not. Perhaps these requests were a user testing to make sure the .well-known/acme-challenge directory was working? Do you know the user agent that was used for the sp_test requests?
Hi Nick. Those requests are test requests from ServerPilot checking if a ServerPilot customer’s domains can be authorized by Let’s Encrypt. If you’re seeing those requests coming into your servers over at WP Engine, it means a customer at ServerPilot has DNS for their domain pointed to WP Engine either because they’ve messed something up with their DNS, they’re moving from WP Engine to ServerPilot, or they’re moving from ServerPilot to WP Engine.
@jsamuel it might be polite to add something to the User Agent string used by ServerPilot to let people know who is really sending the requests. I appreciate that you want to be similar to the “real” User Agent to avoid situations where a remote server would have allowed the real Let’s Encrypt to verify, but not your test, but I think e.g. adding “ServerPilot” somewhere in the string wouldn’t go amiss ?
hat I’d guess that someone was matching the UA for some manual troubleshooting/testing.
hat I’d guess that someone was impersonating the validation server for less noble purposes.