I receive notifications from Cloudflare regarding SSL certificates being issued. I had 11 hit my domain today, all using non-DNS-registered subdomains. I checked with my web developer and they did not do this. All of the subdomains are odd and would never be used - the one that concerned me has owa in it. I'm sure this is nothing new but wanted to hear input from the group.
Let's Encrypt only issues certificates that were explicitly requested by a subscriber who was able to validate control of the domain name. There's no hidden magic.
Cloudflare is known to issue various certificates for itself. These may not be actively used by CF, but are kept on standby. The Cloudflare CT monitoring tool still alerts you on these certificates. So if you have any subdomains in your Cloudflare DNS, it's likely that the issuance was made in the background by Cloudflare itself.
None of the issued subdomains are contained in my CF DNS, which is why this raised some red flags. I checked with our web developer and they did not do this either. I'm the only person who has the ability to validate control and I'm not aware of any of this. The attached image shows all of the subdomains issued certificates.
Are you using a system like Caddy or even Apache mod_md?
They will acquire certs for configured domains without you specifically asking for one.
You have a wildcard entry in your DNS for the A record so all those subdomains resolve to you. Actually, you have two A addresses for your registered name and three for the www subdomain. The wildcard DNS entry just has the one IP. So, it resolves to your openresty server but a "home" page request gets a 403.
I outline this only to help identify what could be requesting these certs. There are just the three challenge types - HTTP, TLS-ALPN, or DNS.
It looks like you have a wildcard DNS entry set up (anything I tried followed by .brayman.com resolved for me), so it might be that Cloudflare is creating certificates whenever anyone goes to a new name.
While Certificate Transparency may have helped you detect the issue, I don't think it's really a problem with certificates, just that your configuration is allowing for any subdomain to be used. If that's not what you intend, then you should probably work with your web developer and Cloudflare to change it.
Ah, the wildcard is interesting.
If one uses a wildcard DNS and combines that with, for example, Caddy's on-demand TLS feature, your webserver will acquire certificates for any random subdomain requested by a TLS client.
Meaning that if a random internet scanner probes common/random subdomains, your webserver will acquire certificates for those subdomains in order to provide HTTPS services for them.
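The usual guard for the on-demand scenario described above is Caddy's `ask` endpoint, which is consulted before any certificate is requested (GET with a `domain` query parameter; a 2xx answer permits issuance, anything else denies it). The block below is an added example, not code from the thread or from Caddy; the hostnames in its allowlist and the Caddyfile in the docstring are constructed for illustration.

```python
"""
Allowlist-backed `ask` endpoint for Caddy on-demand TLS (added example).

With a wildcard DNS record, on_demand alone would let any probed subdomain
trigger a certificate request; pointing on_demand_tls at this endpoint makes
issuance fail for every name that is not explicitly deployed.

Assumed (hypothetical) Caddyfile:

    {
        on_demand_tls {
            ask http://127.0.0.1:9123/check
        }
    }
    https:// {
        tls {
            on_demand
        }
        respond "ok"
    }
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed allowlist: only names that are actually deployed may get certificates.
ALLOWED_HOSTS = {"example.com", "www.example.com", "app.example.com"}


def is_allowed(domain: str) -> bool:
    """True only for an exact, normalised match against the allowlist."""
    name = domain.strip().rstrip(".").lower()
    # Reject empty input and anything that is not a plain hostname (e.g. wildcards).
    if not name or "*" in name or "/" in name:
        return False
    return name in ALLOWED_HOSTS


class AskHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        url = urlparse(self.path)
        domain = parse_qs(url.query).get("domain", [""])[0]
        # 200 tells Caddy to proceed with issuance; 403 makes it refuse the handshake.
        self.send_response(200 if url.path == "/check" and is_allowed(domain) else 403)
        self.end_headers()

    def log_message(self, fmt, *args):
        pass  # denied names are worth logging in production; kept quiet here


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 9123), AskHandler).serve_forever()
```

A denied name still shows up nowhere in Certificate Transparency, which is the point: the CT alerts in this thread stop because no certificate is ever requested for unlisted subdomains.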
Interesting - our Marketing Dept manages the websites/developers so all I know is they are using WebFlow. I know I have a wildcard SSL in Cloudflare so I'll reach out to them.