Cert issued by 3rd party with no DNS entry


#1

Someone issued a LE cert for one of my personal domains, under a subdomain for which there are no DNS entries (CNAME, TXT, A/AAAA).

https://crt.sh/?q=parse.imperialus.house

My DNS zone is on Cloudflare.

I can’t seem to be able to track down who is issuing this cert or where, nor how it is being validated, as there are no DNS records for it.


#2

Anything stand out if you check Cloudflare’s audit logs?


#3

When did you first notice this started/happened?

[the CT logs show it like it’s been on a (normal) 60-day renewal cycle for the past year]


#4

Thank you.
Wasn’t aware of the audit logs.

It pointed me to 138.68.187.48, a DigitalOcean VM.

I’ve rotated my key just in case.


#5

I first saw it last year… first I ignored it… then tried to find what it was, but with no success.
Then I rotated my key, and it still happened.

So I’m a bit more worried now.


#6

Well the name doesn’t resolve to an IP, so it was most likely obtained via DNS auth.

That leaves only Cloudflare.
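
A defender-side check for exactly this situation, added here as an example and not code from anyone in the thread: it parses crt.sh-style JSON for a zone, flags every logged name you never provisioned, and reports the renewal cadence for each (a steady 60-day gap is what an automated ACME client produces). The zone name, the sample log entries and KNOWN_NAMES are constructed placeholders, not the real records from this thread.

```python
import json
from datetime import datetime
from typing import Dict, List, Set

# Constructed sample in the shape of crt.sh's JSON output
# (https://crt.sh/?q=<domain>&output=json); ids, dates and names are made up.
CRT_SH_SAMPLE = json.dumps([
    {"id": 101, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.house\nwww.example.house", "not_before": "2023-01-10T09:00:00"},
    {"id": 102, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "parse.example.house", "not_before": "2023-03-01T12:00:00"},
    {"id": 103, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "parse.example.house", "not_before": "2023-04-30T12:00:00"},
    {"id": 104, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "parse.example.house", "not_before": "2023-06-29T12:00:00"},
])

# Constructed: every name that exists in your zone or that you requested a cert for.
KNOWN_NAMES = {"example.house", "www.example.house"}

def ct_names(crtsh_json: str, zone: str) -> Dict[str, List[datetime]]:
    """Map each CT-logged name under `zone` to the not_before times of certs covering it."""
    seen: Dict[str, List[datetime]] = {}
    for entry in json.loads(crtsh_json):
        # crt.sh packs all SANs of one cert into name_value, newline-separated.
        for name in entry["name_value"].lower().splitlines():
            name = name.strip()
            if name == zone or name.endswith("." + zone):
                seen.setdefault(name, []).append(datetime.fromisoformat(entry["not_before"]))
    return seen

def renewal_gaps_days(times: List[datetime]) -> List[int]:
    """Days between consecutive issuances; a steady ~60 is the signature of an automated client."""
    ordered = sorted(times)
    return [(b - a).days for a, b in zip(ordered, ordered[1:])]

def unexpected_names(crtsh_json: str, zone: str, known: Set[str]) -> Dict[str, List[int]]:
    """Names in CT you never provisioned (wildcards count unless listed in `known`),
    each mapped to its renewal cadence in days."""
    return {name: renewal_gaps_days(times)
            for name, times in ct_names(crtsh_json, zone).items()
            if name not in known}

if __name__ == "__main__":
    for name, gaps in unexpected_names(CRT_SH_SAMPLE, "example.house", KNOWN_NAMES).items():
        print(f"unexpected: {name}  renewal gaps (days): {gaps}")
```

Run it against the live crt.sh output for your zone and a KNOWN_NAMES set exported from your DNS provider; anything it prints is a name that was validated with credentials you did not knowingly use.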


#7

$ dig +short -x 138.68.187.48
csgogems.com.

and http://138.68.187.48:4040/login is running https://github.com/parse-community/parse-dashboard (which explains parse.imperialus.house).

Sound familiar at all? CS skins/betting sites are all shady as shit, but I don’t know why anyone would hijack another user’s domain for this purpose.


#8

Not a single bit familiar with it.

Good find, especially on the port.

If they have my (now rotated, twice) Cloudflare API key, I’m more worried about how they are obtaining it.

One of the few places I use LE must be compromised.


#9

By the way, you should revoke that cert.


#10

I can’t revoke something I didn’t issue :slight_smile:


#11

Sure you can.


#12

Didn’t know that technique. Will give it a go later. Thanks.