Who is trying to request a certificate for my domain?


#1

Is it possible to gain information about the entity trying to request a certificate for a domain from the HTTP request on the well-known URI?
On my server logs I see Let’s Encrypt HTTP validation requests as shown below and I would like to know who is doing them.

:80 174.138.54.72 - - “GET /.well-known/pki-validation/29432C7C737A4B77CCA80275CABF5CC7.txt HTTP/1.1” 301 648 “-” “COMODO DCV”
:443 174.138.54.72 - - “GET /.well-known/pki-validation/29432C7C737A4B77CCA80275CABF5CC7.txt HTTP/1.1” 404 3826 “-” “COMODO DCV”

P.S. I do have an idea on who it might be but want to make sure.


#2

Hi @jupy

Who is trying to request a certificate for my domain?

Nobody. Because the file Let's Encrypt wants to check

has no file extension and a token like

_auTTDlrpaGVcbpT3zVaNa0w_v2_7YmcqygiHFCO9yw

with 43 characters.

PS: And the folder is

/.well-known/acme-challenge/

#3

/.well-known/pki-validation/ is the generic path prefix that any CA may use.

In this case, you (or somebody) have your domain added on the cPanel server hosted at https://ghost.mxroute.com:2083.

cPanel will automatically perform local DCV validation to see if it is able to issue a certificate. These requests are not coming from the CA, they are just preflight requests by cPanel to see whether it might be possible to pass domain validation.


#4

Thanks @JuergenAuer and @_az for the explanation.

This is what I was looking for. How did you get the information below?


#5

I just tried to connect to the listed IP address over port 2083 to identify it as a cPanel server. I already knew that cPanel does preflights in this way and just used that to confirm my theory.

If the IP address instead pointed to Comodo’s servers, then the explanation would have been something else.


#6

I see!

Now to make this question useful, if it actually was a request from Let's Encrypt/Comodo, was there anything we could understand from the “29432C7C737A4B77CCA80275CABF5CC7.txt” part?


#7

That may be a hex coded value. But the result

29 43 2C 7C 73 7A 4B 77 CC A8 02 75 CA BF 5C C7

=

)C,|szKw̨uÊ¿\Ç

isn’t really that good :wink:

So it looks more like a random sequence.


#8

It wouldn’t have been a Let’s Encrypt request. Let’s Encrypt uses the ACME protocol which uses a different path, not pki-validation.


#9

The value is opaque, it might be totally random or be a hash digest of some other set of values.

You can read https://github.com/cabforum/documents/blob/master/docs/BR.md#32246-agreed-upon-change-to-website to see what is acceptable.


#10

If I understand correctly, in the HTTP validation method, Let’s Encrypt checks for a unique random URL. Now the question is, do they keep a publicly available log book that maps each generated URL to the requester?


#11

Even if Let’s Encrypt did such a thing, how would it help you? As said multiple times before, these requests aren’t from Let’s Encrypt…


#12

The unique random value is the token of the challenge.

There is no public token list.


#13

I understood that the log entries I provided are not from Let’s Encrypt, but Let’s Encrypt does access URLs of the form /.well-known/acme-challenge/TOKEN.txt, doesn’t it?
I wanted to know if I can figure out the entity making the request to Let’s Encrypt by knowing the token.
I wanted to know that because I wanted to make sure no malicious person is trying to get a certificate for my domain.


#14

More or less. Let’s Encrypt URLs don’t end in .txt.

Under similar circumstances, Let’s Encrypt would be able to determine what’s going on from their private logs. I’m not sure how much they could tell you about it, due to privacy concerns.

But Let’s Encrypt isn’t involved in this situation. The traffic seems to be coming from a cPanel installation using the AutoSSL feature configured to try to get a certificate from Sectigo (formerly known as Comodo). Not Let’s Encrypt.

I don’t know how cPanel AutoSSL works. cPanel or Sectigo might have logs, or the pre-validation check might happen before the cPanel installation actually makes any requests to any cPanel or Sectigo central servers.

You do have one lead – the cPanel installation’s IP address.

Maybe. It’s more likely to be an accident than malicious. It could be a web hosting company you previously used, or someone who previously owned your domain, or maybe someone misspelled their own domain as yours. And in any case validation shouldn’t succeed.
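An added example, not from any post in this thread, that applies the distinction the replies draw: a small Python log triage that separates ACME http-01 requests (/.well-known/acme-challenge/, base64url token, no extension) from generic /.well-known/pki-validation/ DCV requests such as the cPanel preflights above, grouped by source address with the status codes seen. The sample log lines are constructed in the thread's log format; only 174.138.54.72 comes from the original post, the other addresses are RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict

# Constructed sample lines in the thread's log format (not real traffic); 174.138.54.72
# is the address from the original post, the others are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
:80 174.138.54.72 - - "GET /.well-known/pki-validation/29432C7C737A4B77CCA80275CABF5CC7.txt HTTP/1.1" 301 648 "-" "COMODO DCV"
:443 174.138.54.72 - - "GET /.well-known/pki-validation/29432C7C737A4B77CCA80275CABF5CC7.txt HTTP/1.1" 404 3826 "-" "COMODO DCV"
:80 198.51.100.7 - - "GET /.well-known/acme-challenge/_auTTDlrpaGVcbpT3zVaNa0w_v2_7YmcqygiHFCO9yw HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; ACME validation)"
:80 203.0.113.9 - - "GET /index.html HTTP/1.1" 200 512 "-" "curl/8.0"
"""

LINE_RE = re.compile(
    r'^:(?P<port>\d+) (?P<ip>\S+) \S+ \S+ "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# ACME http-01 (RFC 8555): /.well-known/acme-challenge/<base64url token>, no extension;
# Let's Encrypt tokens are 43 characters (32 random bytes), as post #2 notes.
ACME_RE = re.compile(r"^/\.well-known/acme-challenge/(?P<token>[A-Za-z0-9_-]+)$")
# Generic CA prefix (CA/B Forum BR 3.2.2.4.6) also used by cPanel's DCV preflight.
PKI_RE = re.compile(r"^/\.well-known/pki-validation/(?P<token>[^/]+)$")

def classify_request(path, user_agent):
    """Label the validation family a request belongs to, or None for ordinary traffic."""
    m = ACME_RE.match(path)
    if m:
        return "acme-http01" if len(m.group("token")) == 43 else "acme-http01-odd-token"
    if PKI_RE.match(path):
        return "pki-validation/comodo-dcv" if "COMODO DCV" in user_agent else "pki-validation/other"
    return None

def summarize(log_text):
    """Group validation-style requests by (source IP, family) with count and status codes."""
    seen = defaultdict(lambda: {"count": 0, "statuses": set()})
    for raw in log_text.splitlines():
        line = raw.replace("\u201c", '"').replace("\u201d", '"')  # curly quotes from copy/paste
        m = LINE_RE.match(line)
        if not m:
            continue
        kind = classify_request(m.group("path"), m.group("ua"))
        if kind is None:
            continue
        entry = seen[(m.group("ip"), kind)]
        entry["count"] += 1
        entry["statuses"].add(int(m.group("status")))
    return dict(seen)

if __name__ == "__main__":
    for (ip, kind), info in summarize(SAMPLE_LOG).items():
        print(f"{ip:16} {kind:28} n={info['count']} status={sorted(info['statuses'])}")
```

A 404 on every pki-validation hit from one address, as in the original post, is the signature of a preflight that could never have passed; a 200 on an acme-challenge path is the one worth checking against your own ACME client's activity.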


#15

Someone is able to create a certificate for your domain, if he is able to create a file under /.well-known/acme-challenge.

So if your server / website is hacked: Yes, then it’s possible to create a certificate.

Same if your dns provider account is hacked.

But then the certificate is the smallest problem.