Let’s Encrypt Certificate Transparency Logs

For a new project, I was setting up a new website including a new certificate using Let’s Encrypt. For many years, getssl is the tool of choice for me. It is a is a complete bash script that fits my needs. When Let’s Encrypt started, the tools provided required compilers and other dependencies I didn’t want on a production server.

Getssl runs on an internal server and requires bash and ssh to push everything to my production servers. Twice a month it checks if the certificates need an update and an alerts is send when the script has not run.

While setting up the new server there is some bootstrapping needed and I was looking at the logs of my webserver. Looking for the requests to fetch the challenge to validate the ownership of the domain entry.

[20/Jan/2024:22:38:16 +0100] "GET /.well-known/acme-challenge/6CmjC41mfIT9ktRCAdd2JK_F0Y9eJW4d2A-_BHtAZgU HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
[20/Jan/2024:22:38:16 +0100] "GET /.well-known/acme-challenge/6CmjC41mfIT9ktRCAdd2JK_F0Y9eJW4d2A-_BHtAZgU HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
[20/Jan/2024:22:38:16 +0100] "GET /.well-known/acme-challenge/6CmjC41mfIT9ktRCAdd2JK_F0Y9eJW4d2A-_BHtAZgU HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

What I didn’t expect was that blast of request coming right after the validation. More than 800 request flooded my webservers log. Some were just for the root page others tried to discover the website further including admin pages and with some trying URLs for some known vulnerabilities in some CMS systems.

2a03:b0c0:3:d0::dc2:2001 - - [20/Jan/2024:22:38:36 +0100] "GET / HTTP/1.1" 301 162 "-" "-"
2a03:b0c0:3:d0::dc2:2001 - - [20/Jan/2024:22:38:36 +0100] "GET / HTTP/1.1" 301 162 "-" "Mozilla/5.0 (Linux; Android 6.0; HTC One M9 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.98 Mobile Safari/537.3"
2a03:b0c0:3:d0::14a4:1001 - - [20/Jan/2024:22:38:36 +0100] "GET / HTTP/1.1" 403 146 "-" "-"
46.101.103.192 - - [20/Jan/2024:22:38:36 +0100] "GET / HTTP/1.1" 301 162 "-" "-"
46.101.103.192 - - [20/Jan/2024:22:38:36 +0100] "GET / HTTP/1.1" 301 162 "-" "Mozilla/5.0 (Linux; Android 6.0; HTC One M9 Build/MRA51840) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.8229.98 Mobile Safari/537.3"
46.101.103.192 - - [20/Jan/2024:22:38:36 +0100] "GET /.vscode/sftp.json HTTP/1.1" 301 162 "-" "Go-http-client/1.1"
46.101.103.192 - - [20/Jan/2024:22:38:36 +0100] "GET /about HTTP/1.1" 301 162 "-" "Go-http-client/1.1"
46.101.103.192 - - [20/Jan/2024:22:38:36 +0100] "GET /debug/default/view?panel=config HTTP/1.1" 301 162 "-" "Go-http-client/1.1"
161.35.27.144 - - [20/Jan/2024:22:38:36 +0100] "GET / HTTP/1.1" 403 146 "-" "-"
46.101.103.192 - - [20/Jan/2024:22:38:36 +0100] "GET /v2/_catalog HTTP/1.1" 301 162 "-" "Go-http-client/1.1"
46.101.103.192 - - [20/Jan/2024:22:38:36 +0100] "GET /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application HTTP/1.1" 301 162 "-" "Go-http-client/1.1"
46.101.103.192 - - [20/Jan/2024:22:38:36 +0100] "GET /server-status HTTP/1.1" 301 162 "-" "Go-http-client/1.1"
46.101.103.192 - - [20/Jan/2024:22:38:36 +0100] "GET /login.action HTTP/1.1" 301 162 "-" "Go-http-client/1.1"
46.101.103.192 - - [20/Jan/2024:22:38:36 +0100] "GET /_all_dbs HTTP/1.1" 301 162 "-" "Mozilla/5.0 (l9scan/2.0.4353e20353e23313e29343; +https://leakix.net)"
2a03:b0c0:3:d0::14a4:1001 - - [20/Jan/2024:22:38:36 +0100] "GET / HTTP/1.1" 403 548 "-" "Mozilla/5.0 (Linux; Android 6.0; HTC One M9 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.98 Mobile Safari/537.3"
46.101.103.192 - - [20/Jan/2024:22:38:36 +0100] "GET /.DS_Store HTTP/1.1" 301 162 "-" "Go-http-client/1.1"
46.101.103.192 - - [20/Jan/2024:22:38:36 +0100] "GET /.env HTTP/1.1" 301 162 "-" "Go-http-client/1.1"
46.101.103.192 - - [20/Jan/2024:22:38:36 +0100] "GET /.git/config HTTP/1.1" 301 162 "-" "Go-http-client/1.1"
46.101.103.192 - - [20/Jan/2024:22:38:36 +0100] "GET /s/4353e20353e23313e29343/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties HTTP/1.1" 301 162 "-" "Go-http-client/1.1"
46.101.103.192 - - [20/Jan/2024:22:38:36 +0100] "GET /config.json HTTP/1.1" 301 162 "-" "Go-http-client/1.1"
161.35.27.144 - - [20/Jan/2024:22:38:36 +0100] "GET / HTTP/1.1" 403 548 "-" "Mozilla/5.0 (Linux; Android 6.0; HTC One M9 Build/MRA51840) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.8229.98 Mobile Safari/537.3"
46.101.103.192 - - [20/Jan/2024:22:38:36 +0100] "GET /telescope/requests HTTP/1.1" 301 162 "-" "Go-http-client/1.1"
46.101.103.192 - - [20/Jan/2024:22:38:36 +0100] "GET /?rest_route=/wp/v2/users/ HTTP/1.1" 301 162 "-" "Go-http-client/1.1"
161.35.27.144 - - [20/Jan/2024:22:38:36 +0100] "GET /.vscode/sftp.json HTTP/1.1" 404 146 "-" "Go-http-client/1.1"
161.35.27.144 - - [20/Jan/2024:22:38:36 +0100] "GET /about HTTP/1.1" 404 146 "-" "Go-http-client/1.1"
161.35.27.144 - - [20/Jan/2024:22:38:36 +0100] "GET /debug/default/view?panel=config HTTP/1.1" 404 146 "-" "Go-http-client/1.1"
161.35.27.144 - - [20/Jan/2024:22:38:36 +0100] "GET /v2/_catalog HTTP/1.1" 404 146 "-" "Go-http-client/1.1"
161.35.27.144 - - [20/Jan/2024:22:38:36 +0100] "GET /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application HTTP/1.1" 404 146 "-" "Go-http-client/1.1"
161.35.27.144 - - [20/Jan/2024:22:38:36 +0100] "GET /server-status HTTP/1.1" 404 146 "-" "Go-http-client/1.1"
161.35.27.144 - - [20/Jan/2024:22:38:36 +0100] "GET /login.action HTTP/1.1" 404 146 "-" "Go-http-client/1.1"
161.35.27.144 - - [20/Jan/2024:22:38:36 +0100] "GET /_all_dbs HTTP/1.1" 404 146 "-" "Mozilla/5.0 (l9scan/2.0.4353e20353e23313e29343; +https://leakix.net)"
161.35.27.144 - - [20/Jan/2024:22:38:36 +0100] "GET /.DS_Store HTTP/1.1" 404 146 "-" "Go-http-client/1.1"
161.35.27.144 - - [20/Jan/2024:22:38:36 +0100] "GET /.env HTTP/1.1" 404 146 "-" "Go-http-client/1.1"

Intriguing! Why is that happening and why so fast? Let’s do a bit of research on this… Very quickly I discovered the following post on the Let’s Encrypt forum. Which explained that all new issued certificates are added into a “Certificate Transparency (CT) Logs”. There is even tools created to research the issuance of certificates.

At first, I was a bit hesitant and felt exposed. But thinking about it a little gave me the assurance this is a good thing. The IPv4 address space is scanned continuously. Any website you add to the will be discovered sooner than you think.

So, what can we do about this? Well make sure your website and hosting is secure by default by reducing your attack surface:

  • Harden your server with only the minimum of software needed
  • Only allow strong enough encryption
  • Remove any data, applications you don’t need anymore
  • Create an environment that is easy to upgrade and maintain
  • Once deployed, secure any (admin) pages with strong authentication
  • Regularly review your access and error logs. Tools can help to detect trends and outliers
  • Scan your website with a vulnerability scanner (not the end all be all but helps with low hanging fruit)

Mystery solved! Another day learning something new.

jvhoof Written by:

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.