Someone issued a LE cert for one of my personal domains, under a subdomain for which there is no DNS entries (cname, TXT, A/AAAA)
https://crt.sh/?q=parse.imperialus.house
my DNS zone is on cloudflare.
I can’t seem to be able to track down who or where this cert is being issued, not how it is being validated as there is not DNS records for it.
Anything stand out if you check Cloudflare’s audit logs?
When did you first notice this started/happened?
[the CT logs shows it like its’ been on a (normal) 60 day renewal cycle for the past year]
thank you.
wasnt aware of the audit logs.
it pointed me to 138.68.187.48, a digital ocean VM
i’ve rotated my key just in case
i first saw it last year… first i ignored it… then tried to find what it was but with no success.
then i rotated my key, and it still happened.
so i’m a bit more worried now
Well the name doesn’t resolve to an IP, so it was most likely obtained via DNS auth.
That leaves only CloudFlare.
$ dig +short -x 138.68.187.48
csgogems.com.
and http://138.68.187.48:4040/login is running GitHub - parse-community/parse-dashboard: A dashboard for managing Parse Server (which explains parse.imperialus.house).
Sound familiar at all? CS skins/betting sites are all shady as shit, but I don't know why anyone would hijack another user's domain for this purpose.
Not the single bit familiar with it
Good find, especially on the port.
If they have my (now rotated, twice) cloudflare api key, I’m more worried how they are obtaining it
One of the few places I use LE must be compromised
by the way You should revoke that cert.
i cant revoke something i didnt issue 
didn’t know that technique. will give it a go later. thanks
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.