Naked domain edge certificate not validating flooding logs

Hello everyone,
We have a WordPress Multisite setup with a lot of domains bound to it.
We recently enabled CloudFlare on all of them and it works great! (through www, just like we want it)

Our issue is that non-www edge certificates are polling our servers constantly for a very long time (trying to validate the SSL certificate) before they timeout. Our error logs are unusable due to the high amount of “openat()” errors generated by this process.

For example, it’s poking us with GET requests like these: http://ramonagebsl.ca/.well-known/pki-validation/ca3-c0a40cd347d041328fc05350c4005f29.txt
(which naturally gives a 404 since SiteGround doesn’t manage naked domains for CloudFlare’s integration)

Is there a way (through the API or other means) to keep the www edge certificate, but cancel/remove the non-www one? We don’t need it and it’s flooding our logs. :slight_smile:

Cloudflare shouldn’t be hitting your website for certificate validation. Especially considering that Cloudflare has no access to the files on your server.

Have you traced the IP address that’s making these requests?

Yes, I checked again and there are many CloudFlare IPs. Not sure if it’s CloudFlare directly, or bad bots going through a CloudFlare server. Here’s one for example: 172.69.27.10

By checking, I noticed that many of these IPs are not “well-identified” and could be anybody (another lead that I’ll follow).

Are you sure your server is configured to restore visitor IP addresses using the X-Forwarded-For or CF-Connecting-IP headers?


I’m not sure, probably not. Assuming no; does that mean those IPs are most likely CloudFlare users poking those URLs? (not CloudFlare itself?)

For reference, here is a censored log. We have a lot of these in our logs constantly. That IP also identifies as CloudFlare.

2020-09-21 10:24:18 UTC [nginx][error] 38091#0: *139783 openat() "/home/path/fake/public_html/.well-known/pki-validation/ca3-300646c67bdd489e8843983b353ad9cd.txt" failed (2: No such file or directory), client: 172.69.26.15, server: rossboudreaultnotaires.com, request: "GET /.well-known/pki-validation/ca3-300646c67bdd489e8843983b353ad9cd.txt HTTP/1.1", host: "rossboudreaultnotaires.com"

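To answer the "have you traced the IP" question from the log alone, here is an added example (not code from the thread) that parses error lines in the format shown above, keeps only the pki-validation probes, and classifies each client address against Cloudflare's published edge ranges. The log lines are constructed to mirror the poster's format with example.com and example.net standing in for real hosts; the Cloudflare IPv4 list is a hand-copied snapshot (an assumption that may be stale) of the ranges published at https://www.cloudflare.com/ips-v4. The point it makes: if the origin does not restore the visitor address from CF-Connecting-IP, every proxied request logs an edge IP, so "all of them are Cloudflare IPs" only tells you the traffic passed through Cloudflare, not who originated it.

```python
"""Triage nginx error-log noise from Cloudflare pki-validation probes.

Added example, not from the thread. Log lines are constructed; the range
list is a snapshot (assumption) of https://www.cloudflare.com/ips-v4.
"""
import ipaddress
import re
from collections import Counter

# Snapshot of Cloudflare's published IPv4 edge ranges (assumption: refresh it).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Fields of an nginx "openat() ... failed" error line, as in the post above.
LOG_RE = re.compile(
    r'openat\(\) "(?P<path>[^"]+)" failed .*?client: (?P<client>[\d.]+), '
    r'server: (?P<server>[^,]+), request: "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*", '
    r'host: "(?P<host>[^"]+)"'
)
# Only the CA-validation path, not every other 404 in the log.
PKI_RE = re.compile(r"^/\.well-known/pki-validation/[A-Za-z0-9._-]+\.txt$")

# Constructed sample: two probes via Cloudflare edges, one from a non-Cloudflare
# address, one unrelated 404, and one line that does not parse at all.
LOG_LINES = [
    '2020-09-21 10:24:18 UTC [nginx][error] 38091#0: *139783 openat() '
    '"/home/site/public_html/.well-known/pki-validation/ca3-300646c67bdd489e8843983b353ad9cd.txt" '
    'failed (2: No such file or directory), client: 172.69.26.15, server: example.com, '
    'request: "GET /.well-known/pki-validation/ca3-300646c67bdd489e8843983b353ad9cd.txt HTTP/1.1", '
    'host: "example.com"',
    '2020-09-21 10:24:19 UTC [nginx][error] 38091#0: *139784 openat() '
    '"/home/site/public_html/.well-known/pki-validation/ca3-0123456789abcdef0123456789abcdef.txt" '
    'failed (2: No such file or directory), client: 162.158.90.3, server: example.net, '
    'request: "GET /.well-known/pki-validation/ca3-0123456789abcdef0123456789abcdef.txt HTTP/1.1", '
    'host: "example.net"',
    '2020-09-21 10:24:20 UTC [nginx][error] 38091#0: *139785 openat() '
    '"/home/site/public_html/.well-known/pki-validation/ca3-ffffffffffffffffffffffffffffffff.txt" '
    'failed (2: No such file or directory), client: 203.0.113.5, server: example.com, '
    'request: "GET /.well-known/pki-validation/ca3-ffffffffffffffffffffffffffffffff.txt HTTP/1.1", '
    'host: "example.com"',
    '2020-09-21 10:24:21 UTC [nginx][error] 38091#0: *139786 openat() '
    '"/home/site/public_html/xmlrpc.php" failed (2: No such file or directory), '
    'client: 172.69.26.15, server: example.com, request: "GET /xmlrpc.php HTTP/1.1", '
    'host: "example.com"',
    '2020-09-21 10:24:22 UTC [nginx][error] 38091#0: *139787 upstream timed out',
]


def is_cloudflare(ip: str) -> bool:
    """True if the address falls inside a published Cloudflare edge range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CLOUDFLARE_V4)


def parse_line(line: str):
    """Extract client, server, method, uri and host from one error line."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def summarise(lines):
    """Count pki-validation probes per Host header and split them by whether
    the logged client address is a Cloudflare edge or something else."""
    by_host = Counter()
    from_cf = from_other = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or not PKI_RE.match(rec["uri"]):
            continue
        by_host[rec["host"]] += 1
        if is_cloudflare(rec["client"]):
            from_cf += 1
        else:
            from_other += 1
    return {"by_host": dict(by_host), "from_cloudflare": from_cf, "from_other": from_other}


if __name__ == "__main__":
    print(summarise(LOG_LINES))
```

Run it against the real error log by swapping `LOG_LINES` for the file's lines. A non-zero `from_other` count is the interesting case: probes arriving without passing through Cloudflare at all. If every probe is `from_cloudflare`, enable real-IP restoration from CF-Connecting-IP on the origin (as the reply above suggests) before drawing conclusions, since until then the log cannot distinguish Cloudflare's own certificate validation from third parties reaching the site through the proxy.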

Change the :orange: for the root domain in Cloudflare to :grey: for the zones/records in question or remove the record from Cloudflare DNS entirely since it isn’t being served by Cloudflare.

It’s a partner plan (SiteGround); the whole DNS section of CloudFlare is not available.

Then you’ll want to ask Siteground to do the same. They are the ones requesting the cert issuance for the root domain.


Yeah, that’s where I started from. You’re correct in the sense that it would be the cleanest option, but it doesn’t seem possible to them (?).

I also thought about exploring the API to see if we can access the API validation request and automate the file ourselves through a PHP snippet. We wanted to check here if there was a cleaner option.

Well that’s fun… technically the file exists at root.domain.cdn.cloudflare.net/.well-known/pki-validation/ca3-some-guid.txt (whatever the path being called on the well-known PKI is), so if it’s possible to just proxy that request to Cloudflare, I guess it would validate, or you could call out to the path being requested and then create the file locally.

That helps me understand it better. Maybe I can rewrite the URL for that!
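The "call out to the path and create the file locally" idea from the reply above, as an added example that is not code from the thread, from Cloudflare or from SiteGround. It assumes, as that reply does, that the token is served at <host>.cdn.cloudflare.net under the same path; whether that holds for a given partner setup is an assumption to confirm. The security point it adds is scoping: only a request whose Host is a zone you actually serve and whose path is exactly a pki-validation token file gets forwarded, so the origin cannot be turned into a relay for arbitrary hosts or paths, and the fetched body is size-capped before it is written into the document root. Only the URL and path mapping runs offline; `fetch_and_store` touches the network.

```python
"""Materialise a Cloudflare pki-validation token on the origin by fetching it
from the partner CDN hostname, with the request strictly scoped.

Added example, not from the thread. Assumption: the token is reachable at
http://<host>.cdn.cloudflare.net/<same path>, as the reply above claims.
"""
import re
import urllib.error
import urllib.request
from pathlib import Path

# The exact shape of a validation probe. Anything else is refused, which is
# what keeps this from being an open relay or a path-traversal primitive.
TOKEN_RE = re.compile(
    r"^/\.well-known/pki-validation/(?P<name>[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.txt)$"
)
HOST_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
MAX_TOKEN_BYTES = 4096  # a validation token is tiny; refuse anything larger


def normalise_host(host: str) -> str:
    """Lower-case the Host header and drop any :port suffix."""
    return host.strip().lower().split(":", 1)[0]


def upstream_url(host: str, uri: str, allowed_hosts=None):
    """Map (Host header, request path) to the cdn.cloudflare.net URL that should
    hold the token, or None if the request is not a well-formed validation probe
    for a host this origin is willing to serve."""
    host = normalise_host(host)
    if not HOST_RE.match(host):
        return None
    if allowed_hosts is not None and host not in allowed_hosts:
        return None
    m = TOKEN_RE.match(uri)
    if not m:
        return None
    return f"http://{host}.cdn.cloudflare.net/.well-known/pki-validation/{m['name']}"


def local_path(docroot, uri: str):
    """Where the token must live under the site's document root, or None if
    the path is not a validation token (so no write ever leaves that folder)."""
    m = TOKEN_RE.match(uri)
    if not m:
        return None
    return Path(docroot) / ".well-known" / "pki-validation" / m["name"]


def fetch_and_store(docroot, host: str, uri: str, allowed_hosts=None, timeout=5):
    """Fetch the token from the CDN hostname and write it locally.
    Returns the written path, or None if the request was refused, the fetch
    failed, or the body was larger than a token should be."""
    url = upstream_url(host, uri, allowed_hosts)
    dest = local_path(docroot, uri)
    if url is None or dest is None:
        return None
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read(MAX_TOKEN_BYTES + 1)
    except (urllib.error.URLError, OSError):
        return None
    if len(body) > MAX_TOKEN_BYTES:
        return None
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(body)
    return dest


if __name__ == "__main__":
    # Hypothetical invocation; example.com is a placeholder, not a real zone.
    print(upstream_url("example.com",
                       "/.well-known/pki-validation/ca3-300646c67bdd489e8843983b353ad9cd.txt",
                       allowed_hosts={"example.com"}))
```

If you take the "rewrite the URL" route in nginx instead, the same two checks belong in that `location` block: match only the `/.well-known/pki-validation/` prefix with a single safe filename component, and only for server names you own. The tokens seen in the thread all have the shape `ca3-<32 hex digits>.txt`, so `TOKEN_RE` can be tightened to that if you prefer a narrower allowlist. Note that neither approach changes the underlying situation: the partner is still requesting a certificate for a hostname it does not serve, and the cleaner fix remains the one given earlier in the thread.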
