Who is trying to request a certificate for my domain?

jupy · November 3, 2018, 9:37pm

Is it possible to gain information about the entity trying to request a certificate for a domain from the HTTP request on the well-known URI?
On my server logs I see Let’s Encrypt HTTP validation requests as shown below and I would like to know who is doing them.

:80 174.138.54.72 - - “GET /.well-known/pki-validation/29432C7C737A4B77CCA80275CABF5CC7.txt HTTP/1.1” 301 648 “-” “COMODO DCV”
:443 174.138.54.72 - - “GET /.well-known/pki-validation/29432C7C737A4B77CCA80275CABF5CC7.txt HTTP/1.1” 404 3826 “-” “COMODO DCV”

P.S. I do have an idea on who it might be but want to make sure.

JuergenAuer · November 3, 2018, 9:53pm

Hi @jupy

Who is trying to request a certificate for my domain?

Nobody. Because the file Letsencrypt want's to check

has no file extension and a token like

_auTTDlrpaGVcbpT3zVaNa0w_v2_7YmcqygiHFCO9yw

with 43 characters.

PS: And the folder is

/.well-known/acme-challenge/

_az · November 3, 2018, 9:56pm

/.well-known/pki-validation/ is the generic path prefix that any CA may use.

In this case, you (or somebody) have your domain added on the cPanel server hosted at https://ghost.mxroute.com:2083 .

cPanel will automatically perform local DCV validation to see if it is able to issue a certificate. These requests are not coming from the CA, they are just preflight requests by cPanel to see whether it might be possible to pass domain validation.

jupy · November 3, 2018, 10:12pm

Thanks @JuergenAuer and @_az for the explanation.

This is what I was looking for, how did you get the information below?

_az · November 3, 2018, 10:15pm

I just tried to connect to the listed IP address over port 2083 to identify it as a cPanel server. I already knew that cPanel does preflights in this way and just used that to confirm my theory.

If the IP address instead pointed to Comodo’s servers, then the explanation would have been something else.

jupy · November 3, 2018, 10:27pm

I see!

Now to make this question useful, if it actually was a request from letsencrypt/comdo was there anything we could understand from the “29432C7C737A4B77CCA80275CABF5CC7.txt” part?

JuergenAuer · November 3, 2018, 10:35pm

That may be a hex coded value. But the result

29 43 2C 7C 73 7A 4B 77 CC A8 02 75 CA BF 5C C7

=

)C,|szKwÌ¨uÊ¿\Ç

isn't so really good

So it looks more like a random sequence.

Osiris · November 3, 2018, 10:37pm

It wouldn't have been a Let's Encrypt request. Let's Encrypt uses the ACME protocol which uses a different path, not pki-validation.

_az · November 3, 2018, 10:41pm

The value is opaque, it might be totally random or be a hash digest of some other set of values.

You can read https://github.com/cabforum/documents/blob/master/docs/BR.md#32246-agreed-upon-change-to-website to see what is acceptable.

jupy · November 3, 2018, 10:49pm

If I understand correctly, in the HTTP validation method, Let’s Encrypt checks for a unique random URL. Now the questions is, do they keep a publicly available log book that corresponds each generated URL to the requester?

Osiris · November 3, 2018, 11:07pm

Even if Let's Encrypt did such a thing, how would it help you? As said multiple times before, these requests aren't from Let's Encrypt..

JuergenAuer · November 3, 2018, 11:21pm

The unique random value is the token of the challenge.

There is no public token list.

jupy · November 3, 2018, 11:38pm

I understood that the log entries I provided are not from Let’s Encrypt but Let’s Encrypt does access URLs of the form /.well-known/acme-challenge/TOKEN.txt doesn’t it?
I wanted to know if I can figure out the entity making the request to Let’s Encrypt by knowing the token.
I wanted to know that because I wanted to make sure no malicious person is trying to get a certificate for my domain.

mnordhoff · November 4, 2018, 12:03am

More or less. Let's Encrypt URLs don't end in .txt.

Under similar circumstances, Let's Encrypt would be able to determine what's going on from their private logs. I'm not sure how much they could tell you about it, due to privacy concerns.

But Let's Encrypt isn't involved in this situation. The traffic seems to be coming from a cPanel installation using the AutoSSL feature configured to try to get a certificate from Sectigo (formerly known as Comodo). Not Let's Encrypt.

I don't know how cPanel AutoSSL works. cPanel or Sectigo might have logs, or the pre-validation check might happen before the cPanel installation actually makes any requests to any cPanel or Sectigo central servers.

You do have one lead -- the cPanel installation's IP address.

Maybe. It's more likely to be an accident than malicious. It could be a web hosting company you previously used, or someone who previously owned your domain used, or maybe someone misspelled their own domain as yours. And in any case validation shouldn't succeed.

JuergenAuer · November 4, 2018, 12:18am

Someone is able to create a certificate for your domain, if he is able to create a file under /.well-known/acme-challenge.

So if your server / website is hacked: Yes, then it's possible to create a certificate.

Same if your dns provider account is hacked.

But then the certificate is the smallest problem.

system · December 4, 2018, 12:19am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Is there a way to check who issued a request for a certificate? Help	6	3871	August 24, 2019
Trouble issues a certificate via cpanel Help	2	662	September 5, 2018
Is it possible to know what challenge was used to validate a domain before issuing a certificate? Issuance Tech	4	891	June 12, 2018
Let's Encrypt certificate Expired in cpanel Help	3	337	April 2, 2024
Invalid certificate Help	4	1091	November 26, 2021

Who is trying to request a certificate for my domain?

Related topics