Setup:
Apache 2.4
Webmin/Virtualmin

I'm getting my SSL certificate with Let's Encrypt, also using auto-renewal.
Several hosts with SSL certificates have been created but were deleted several months ago (~2-3 months ago).

I'm regularly getting this kind of log entry on my Apache, and while I understand what the COMODO company is, I don't understand what they are looking for when making this kind of request:

91.223.208.235 - - [25/Jan/2018:22:02:49 +0100] "GET /.well-known/pki-validation/C8B0D3450F449739414F4AFC99445CE0.txt HTTP/1.1" 404 507 "-" "COMODO DCV"
185.11.140.245 - - [25/Jan/2018:23:50:45 +0100] "GET /.well-known/pki-validation/91EFEA20C04648D1DCBAC8EC148139E9.txt HTTP/1.1" 404 508 "-" "COMODO DCV"
173.249.19.6 - - [26/Jan/2018:00:23:03 +0100] "GET /.well-known/pki-validation/6BD86D10F2521E557745374BD52D0FE1.txt HTTP/1.1" 404 507 "-" "COMODO DCV"
91.194.91.20 - - [26/Jan/2018:02:08:28 +0100] "GET /.well-known/pki-validation/433976FE01F657B35AB3741A3D45DA95.txt HTTP/1.1" 404 507 "-" "COMODO DCV"
91.223.208.235 - - [30/Jan/2018:22:01:58 +0100] "GET /.well-known/pki-validation/9384FA26D5870B61C1607459444BC511.txt HTTP/1.1" 404 507 "-" "COMODO DCV"
185.11.140.245 - - [30/Jan/2018:23:42:59 +0100] "GET /.well-known/pki-validation/FB18FD732A072BDF348EE478ADA6D0FE.txt HTTP/1.1" 404 508 "-" "COMODO DCV"
173.249.19.6 - - [31/Jan/2018:00:19:57 +0100] "GET /.well-known/pki-validation/4C5C6DB26E4D338B3DFA233355755FBF.txt HTTP/1.1" 404 507 "-" "COMODO DCV"
91.194.91.20 - - [31/Jan/2018:02:08:16 +0100] "GET /.well-known/pki-validation/9FEA6F6F824D4CA810A3796F68C8FADC.txt HTTP/1.1" 404 507 "-" "COMODO DCV"

From previous verification, those IPs belong to companies somehow dealing with domain management.

After some digging, I understand that's the way COMODO does the automatic (HTTP) domain validation to deliver the certificate; the other method is by e-mail. What I don't understand is that I've never dealt with this company. Are they in any way part of the Let's Encrypt effort? Why do they look on my server for DCV since I'm not using their services?

Any input would be much appreciated !

EDIT: based on comment I have added more information

Matth

1 Answer

These requests are for domain control validation, hence DCV. I assume you are using AutoSSL with a web control panel, which is worth specifying in your question. AutoSSL is validated by Comodo although I wasn't aware that it did the check so regularly - I would guess it's daily.

Simon Greenwood
  • It didn’t come to my mind that my control panel has responsibility here (using Virtualmin); also, I still don’t understand what it is checking, since all the requests are 404... – Matthieu Ducorps Jan 31 '18 at 13:36
  • Do you have AutoSSL set up? If not it could be that your IP address has been recycled or someone else has misconfigured something. The check would return a 404 as it's looking for a file that is usually only created to verify a domain and is then deleted once it's been verified. It could be some kind of probe test disguised as the Comodo DCV user agent, and checking the IP allocation would suggest that they aren't directly allocated to Comodo, but it's hard to say what the value of such a test would be except to verify that AutoSSL or possibly other free certificate services, had been used. – Simon Greenwood Jan 31 '18 at 13:46
  • I’m not sure if I’m using AutoSSL. I’m registering my certificate through Let’s Encrypt, but I don’t know the background mechanism. – Matthieu Ducorps Feb 01 '18 at 06:26
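
An added example, not part of the original question or answer: a small Python script that summarizes requests to /.well-known/pki-validation/ in an Apache access log per source IP and lists any that did not return 404, since a non-404 response means a validation file was actually served. It assumes the Apache "combined" log format and the 32-hex-character .txt path seen in the logs above; the sample lines, IPs and tokens are constructed.

```python
import re
from collections import defaultdict

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# File-based DCV path as it appears in the logs above: 32 hex characters + ".txt"
DCV_RE = re.compile(r'^/\.well-known/pki-validation/[0-9A-Fa-f]{32}\.txt$')

# Constructed sample lines (documentation IP ranges, made-up tokens), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Jan/2018:22:02:49 +0100] "GET /.well-known/pki-validation/0123456789ABCDEF0123456789ABCDEF.txt HTTP/1.1" 404 507 "-" "COMODO DCV"
198.51.100.7 - - [26/Jan/2018:00:23:03 +0100] "GET /.well-known/pki-validation/AAAABBBBCCCCDDDDEEEEFFFF00001111.txt HTTP/1.1" 200 64 "-" "COMODO DCV"
192.0.2.44 - - [26/Jan/2018:01:00:00 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.10 - - [30/Jan/2018:22:01:58 +0100] "GET /.well-known/pki-validation/FEDCBA9876543210FEDCBA9876543210.txt HTTP/1.1" 404 507 "-" "COMODO DCV"
"""

def summarize_dcv(lines):
    """Return (per-IP summary of DCV probes, list of probes that did not get a 404)."""
    per_ip = defaultdict(lambda: {"hits": 0, "agents": set(), "first": None, "last": None})
    served = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not DCV_RE.match(m["path"]):
            continue  # unparseable line, or not a DCV path
        # Select on the path, not the User-Agent: the agent string is client-supplied.
        entry = per_ip[m["ip"]]
        entry["hits"] += 1
        entry["agents"].add(m["ua"])
        # first/last rely on the log being in chronological order, as Apache writes it.
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
        if m["status"] != "404":
            # A validation file was served: check who placed it and for which CA order.
            served.append((m["ip"], m["ts"], m["path"], m["status"]))
    return dict(per_ip), served

if __name__ == "__main__":
    summary, served = summarize_dcv(SAMPLE_LOG.splitlines())
    for ip, e in sorted(summary.items()):
        print(f"{ip}: {e['hits']} probe(s), {e['first']} .. {e['last']}, "
              f"agents={sorted(e['agents'])}")
    for ip, ts, path, status in served:
        print(f"REVIEW: {status} for {path} from {ip} at {ts}")
```

To run it against a real log, pass the lines of the open access log file to summarize_dcv() instead of SAMPLE_LOG.splitlines().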