What are the requests to <domain>/.well-known/acme-challenge/sp_test


#1

At the company I work for we recently launched Let’s Encrypt integration for our customers so they can secure their sites. Part of the system includes centralized validation where customer sites forward requests for paths like /.well-known/acme-challenge/* to a central server that serves the DV file information.

In checking the logs I noticed requests, every hour, to a particular domain that a customer wants to secure but the path to the challenge is unusual: /.well-known/acme-challenge/sp_test

What is “sp_test?” Requests for that path appear many times in our logs however most of the requests are for a single domain (that eventually successfully got its certificate).

Thanks.


#2

It sounds as if there is an error in that user's config. As far as I'm aware there is no challenge for "sp_test".


#3

I checked the logs on the site that received the original request and it came in as sp_test. Does LE host any of its infrastructure on Google Cloud?


#4

We do not. Perhaps these requests were a user testing to make sure the .well-known/acme-challenge directory was working? Do you know the user agent that was used for the sp_test requests?


#5

Here is an example from the logs. I x’d out the customer’s domain

104.197.34.52 xxx.org - [11/Oct/2016:15:49:28 +0000] "GET /.well-known/acme-challenge/sp_test HTTP/1.0" 302 154 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

#6

While these “sp_test” requests do share the UA we use I can confirm they definitely didn’t originate from the Let’s Encrypt validation servers.

If I put on my :sunny: hat I’d guess that someone was matching the UA for some manual troubleshooting/testing.

If I put on my :thunder_cloud_rain: hat I’d guess that someone was impersonating the validation server for less noble purposes.

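The log line in #5 and the two readings in #6 (harmless manual test versus someone impersonating the validation server) suggest a simple defender-side check: does the token in an acme-challenge request look like one a CA would actually issue? The following is an added example, not code from the thread or from Let's Encrypt. It parses the log format quoted above (client IP, virtual host, a dash, timestamp, request line, status, size, referer, User-Agent; this layout is assumed from the single line shown), extracts the token after `/.well-known/acme-challenge/`, and flags requests that present the Let's Encrypt User-Agent while carrying a token that does not meet the HTTP-01 token shape from RFC 8555 section 8.3 (URL-safe base64 alphabet, at least 128 bits of entropy, which is at least 22 encoded characters). "sp_test" is entirely within the base64url alphabet, so the length check is what catches it. The second and third sample lines are constructed here to show a plausible token and an unrelated request.

```python
import re
from typing import Dict, List, Optional

# Regex for the log format quoted in the thread: client IP, virtual host,
# a "-" field, bracketed timestamp, request line, status, size, referer, UA.
# The field order is an assumption taken from the one line shown there.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<vhost>\S+) (?P<ident>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# RFC 8555 section 8.3: the token uses the URL-safe base64 alphabet without
# padding and carries at least 128 bits of entropy, i.e. at least 22
# characters once encoded. Anything shorter cannot be a conforming token.
TOKEN_ALPHABET_RE = re.compile(r"[A-Za-z0-9_-]+")
MIN_TOKEN_LEN = 22
# Substring of the Let's Encrypt validation User-Agent seen in the thread.
LE_UA_MARKER = "Let's Encrypt validation server"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_challenge_request(line: str) -> Optional[Dict[str, object]]:
    """Assess an acme-challenge request; return None for any other path.

    A request is flagged when it presents the Let's Encrypt User-Agent but
    the token in the path does not look like a CA-issued HTTP-01 token.
    """
    fields = parse_line(line)
    if fields is None or not fields["path"].startswith(CHALLENGE_PREFIX):
        return None
    token = fields["path"][len(CHALLENGE_PREFIX):]
    reasons: List[str] = []
    if not TOKEN_ALPHABET_RE.fullmatch(token):
        reasons.append("token_not_base64url")
    if len(token) < MIN_TOKEN_LEN:
        reasons.append("token_too_short")
    claims_le = LE_UA_MARKER in fields["ua"]
    return {
        "ip": fields["ip"],
        "vhost": fields["vhost"],
        "token": token,
        "claims_le_ua": claims_le,
        "reasons": reasons,
        # Only a UA claiming to be the CA combined with an implausible token
        # deserves a closer look; a browser poking at the path is just noise.
        "flagged": claims_le and bool(reasons),
    }


def suspicious_requests(lines: List[str]) -> List[Dict[str, object]]:
    """Run the classifier over many lines and keep only the flagged ones."""
    out = []
    for line in lines:
        result = classify_challenge_request(line)
        if result and result["flagged"]:
            out.append(result)
    return out


# Sample input: the first line is the one quoted in the thread (domain x'd
# out there); the other two are constructed here, showing a token of the
# expected shape and an unrelated request that the classifier ignores.
SAMPLE_LOG = [
    '104.197.34.52 xxx.org - [11/Oct/2016:15:49:28 +0000] "GET /.well-known/acme-challenge/sp_test HTTP/1.0" 302 154 "-" "Mozilla/5.0 (compatible; Let\'s Encrypt validation server; +https://www.letsencrypt.org)"',
    '198.51.100.7 xxx.org - [11/Oct/2016:16:02:11 +0000] "GET /.well-known/acme-challenge/0123456789abcdefghijklmnopqrstuvwxyzABCDEFG HTTP/1.1" 302 154 "-" "Mozilla/5.0 (compatible; Let\'s Encrypt validation server; +https://www.letsencrypt.org)"',
    '203.0.113.9 xxx.org - [11/Oct/2016:16:05:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(f"{hit['ip']} -> {hit['vhost']} token={hit['token']!r} reasons={hit['reasons']}")
```

The 302 in the quoted line is not treated as an anomaly, since #1 explains that customer sites forward challenge requests to a central validation server. A flagged hit is a prompt to look at the source, as happened in this thread, not proof of anything by itself: the classifier only says the token shape is wrong for a CA, which is exactly the signal that would have pointed at a third-party test probe here.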

#7

Hi Nick. Those requests are test requests from ServerPilot checking if a ServerPilot customer’s domains can be authorized by Let’s Encrypt. If you’re seeing those requests coming into your servers over at WP Engine, it means a customer at ServerPilot has DNS for their domain pointed to WP Engine either because they’ve messed something up with their DNS, they’re moving from WP Engine to ServerPilot, or they’re moving from ServerPilot to WP Engine.


#8

Thanks for the update @jsamuel! Great to know.


#9

Thank you Justin! Much appreciated.


#10

Thanks for looking into this with me everyone!


#11

@jsamuel it might be polite to add something to the User Agent string used by ServerPilot to let people know who is really sending the requests. I appreciate that you want to be similar to the “real” User Agent to avoid situations where a remote server would have allowed the real Let’s Encrypt to verify, but not your test, but I think e.g. adding “ServerPilot” somewhere in the string wouldn’t go amiss ?


#12

I think if the path had been "/.well-known/acme-challenge/serverpilot_test" I would have had an easier time figuring out what it was.


#13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.