Certificate expiration notice for subdomains I have never registered

I keep getting emails about expiring subdomains that I have not registered like postmaster, shop, cart etc. There does not seem to be a website at those sites (or any other ports open) but I don’t understand how, or why, someone is registering all these subdomains. You can see them all at crt.sh - I switched from jwilder’s reverse proxy to traefik recently and it looks like maybe the registrations have stopped but any help on why they were all being registered and how someone could do it would be helpful. I register the main domain and www and those never send emails because traefik renews them in time.

The emails look like: Let’s Encrypt certificate expiration notice for domain - Your certificate (or certificates) for the names listed below will expire in 19 days

My domain is: fincalamaroma.com

My web server is (include version): Wordpress 5.3.2 running behind Traefik 2.1.4

The operating system my web server runs on is (include version): Ubuntu 18.04 LTS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Traefik 2.1.4

Hi @dirls

crt.sh shows pre- and leaf-certificates, so every certificate has two entries.

Checking via https://check-your-website.server-daten.de/?q=fincalamaroma.com#ct-logs - that removes duplicated certificates:

A lot of magento subdomains.

Issuer                       not before   not after    Domain names                                Entries   LE-Duplicate      next LE
Let's Encrypt Authority X3   2020-02-14   2020-05-14   fincalamaroma.com, www.fincalamaroma.com    2         duplicate nr. 1
Let's Encrypt Authority X3   2019-12-16   2020-03-15   fincalamaroma.com, www.fincalamaroma.com    2
Let's Encrypt Authority X3   2019-12-16   2020-03-15   magento2.webmail.fincalamaroma.com          1
Let's Encrypt Authority X3   2019-12-16   2020-03-15   magento.cart.fincalamaroma.com              1
Let's Encrypt Authority X3   2019-12-16   2020-03-15   shop.cart.fincalamaroma.com                 1
Let's Encrypt Authority X3   2019-12-16   2020-03-15   store.cart.fincalamaroma.com                1
Let's Encrypt Authority X3   2019-12-16   2020-03-15   magento2.w.fincalamaroma.com                1
Let's Encrypt Authority X3   2019-12-16   2020-03-15   www.magento.crm.fincalamaroma.com           1
Let's Encrypt Authority X3   2019-12-15   2020-03-14   www.magento2.store.fincalamaroma.com        1
Let's Encrypt Authority X3   2019-12-15   2020-03-14   magento2.test.fincalamaroma.com             1
Let's Encrypt Authority X3   2019-12-15   2020-03-14   magento2.sql.fincalamaroma.com              1
Let's Encrypt Authority X3   2019-12-15   2020-03-14   store.catalog.fincalamaroma.com             1
Let's Encrypt Authority X3   2019-12-15   2020-03-14   magento.fincalamaroma.com                   1

Looks like someone has tested a magento solution.

And there is a wildcard defined:

DNS:

Name: *.fincalamaroma.com
Address: 176.9.56.115

Perhaps you have a "too open configuration" with a DNS wildcard and a vHost wildcard.
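The deduplication that check-your-website does above (one row per certificate instead of crt.sh's precertificate + leaf pair) is easy to reproduce yourself from crt.sh's JSON export, which is also the quickest way to spot names you never configured. The script below is an added example, not code from the thread or from crt.sh: it collapses pairs by serial number (a precertificate and its final certificate share the serial, RFC 6962), collects every SAN, and lists the ones missing from an allowlist. The embedded JSON sample is constructed for the example; the domain, serials and dates are invented and only the field layout mirrors crt.sh's `output=json` records.

```python
from __future__ import annotations

import json
from collections import OrderedDict

# Constructed sample in the shape of crt.sh's JSON export
# (https://crt.sh/?q=%25.example.com&output=json). Names, serials and dates
# are invented for this example. Records 1 and 2 are the precertificate and
# the final certificate of one issuance: same serial, two crt.sh entries.
SAMPLE_CRTSH_JSON = r"""
[
  {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
   "common_name": "example.com", "name_value": "example.com\nwww.example.com",
   "serial_number": "03aa11", "not_before": "2020-02-14T00:00:00", "not_after": "2020-05-14T00:00:00"},
  {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
   "common_name": "example.com", "name_value": "example.com\nwww.example.com",
   "serial_number": "03aa11", "not_before": "2020-02-14T00:00:00", "not_after": "2020-05-14T00:00:00"},
  {"id": 3, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
   "common_name": "magento.cart.example.com", "name_value": "magento.cart.example.com",
   "serial_number": "03bb22", "not_before": "2019-12-16T00:00:00", "not_after": "2020-03-15T00:00:00"},
  {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
   "common_name": "shop.cart.example.com", "name_value": "shop.cart.example.com",
   "serial_number": "03cc33", "not_before": "2019-12-16T00:00:00", "not_after": "2020-03-15T00:00:00"}
]
"""


def load_crtsh(text: str) -> list:
    """Parse the JSON array crt.sh returns for ?q=%25.<domain>&output=json."""
    return json.loads(text)


def dedupe_by_serial(entries: list) -> list:
    """Collapse precertificate + leaf pairs: both carry the same serial number
    under the same issuer (RFC 6962), so one row per (issuer, serial) is one cert."""
    seen = OrderedDict()
    for e in entries:
        key = (e["issuer_name"], e["serial_number"].lower())
        seen.setdefault(key, e)
    return list(seen.values())


def names_of(entry: dict) -> set:
    """crt.sh joins the SANs of one certificate with newlines in name_value."""
    return {n.strip().lower() for n in entry["name_value"].split("\n") if n.strip()}


def all_names(entries: list) -> set:
    names = set()
    for e in entries:
        names |= names_of(e)
    return names


def unexpected_names(entries: list, expected: set) -> list:
    """Names that appear in CT but that you never configured: the ones to investigate."""
    allowed = {n.lower() for n in expected}
    return sorted(all_names(entries) - allowed)


def report(entries: list, expected: set) -> list:
    """One summary row per distinct certificate, flagging names outside the allowlist."""
    allowed = {n.lower() for n in expected}
    rows = []
    for e in dedupe_by_serial(entries):
        names = sorted(names_of(e))
        rows.append({
            "not_before": e["not_before"][:10],
            "not_after": e["not_after"][:10],
            "names": names,
            "unexpected": [n for n in names if n not in allowed],
        })
    return rows


if __name__ == "__main__":
    import sys

    # Usage: python ct_audit.py crtsh.json   (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CRTSH_JSON
    allowlist = {"example.com", "www.example.com"}  # the names you actually serve
    for row in report(load_crtsh(text), allowlist):
        flag = "   <-- not in allowlist" if row["unexpected"] else ""
        print(row["not_before"], row["not_after"], ", ".join(row["names"]) + flag)
```

Feed it the real export (`curl 'https://crt.sh/?q=%25.yourdomain&output=json' > crtsh.json`) and replace the allowlist with the hostnames your proxy is meant to serve; everything it flags was validated by someone who could answer an ACME challenge for that name.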

I have a DNS wildcard and the reverse proxy (traefik) redirects anything that isn’t currently being used (any vhost I suppose) to a simple 404 page but what I don’t understand is how someone is requesting the certificates? And why?

Check your server. Looks like your server is hacked if someone is able to create certificates via http validation.

And change your "too open configuration".

Why? Phishing sites, sending mail spam, there are a lot of reasons.

There’s nothing in the logs to indicate anyone else has access. I can account for the time, IP, username and key of everyone who accessed the site. Traefik also does not list any of these certificate requests. Is there a way to see what IP address the requests came from and which validation method they used?

On your other point how does having wildcard DNS allow mail spam or phishing sites? It points to my server not to anything else, and then the reverse proxy serves up a blank page to any request without a valid domain. This Stack Overflow discussion seems to say the worst that can happen is you can have i-hate.company.com and suffer some SEO problems but as I serve a 404 that doesn’t seem like a major problem.

That's not what I have written.

The wildcard dns and the wildcard vHost allow someone who has server access to create certificates via http validation.

Without a wildcard dns that wouldn't work.

"Why" is answered by what can be done with these certificates. To use them to phish ...

Ok thanks for the explanation. I’ve asked the client to change the DNS setup with their registrar.

None of the domains have ever had any content on them so it doesn’t seem like phishing, or an early failed attempt at it. Is there a way to figure out who requested the certificates? Is there a way to find the IP address and validation method used to request them?

This information isn’t public, but you can write to security@letsencrypt.org describing your situation and see if the security team can help investigate the possible abuse or compromise related to these subdomains.

It's not your domain, it's the domain of a client?

Then first step: Ask the client if someone has tested with these magento-subdomains.

If traefik has “on demand” certificate issuance an attacker, or just a curious user, could trigger it to request a certificate for any subdomain they want just by accessing a subdomain (I don’t use this but remember reading about it before, so I may be incorrect)

If this is indeed the case it wouldn’t indicate any sort of compromise of your system, but could lead to rate limit problems and result in a form of denial of service.


Ah, thanks, good to know. In combination with a wildcard dns entry that's bad.

Checked - now that doesn't work. Only a

CN=TRAEFIK DEFAULT CERT

is returned, not a new certificate with the used subdomain.
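The check just described (present the server with a name that was never configured and see whether it answers with its default certificate or with one issued for that name) can be scripted so it is repeatable after every proxy change. The code below is an added example, not the thread's own commands or Traefik's: it connects straight to the server IP with a random SNI name via the `openssl` CLI (assumed to be installed), extracts the CN of the served leaf, and classifies the result; it also tests for a DNS wildcard by resolving a random label. `TRAEFIK DEFAULT CERT` is the string quoted in this post; the function names and the `probe-` label prefix are mine. Caveat: if the proxy does issue on demand, this probe itself triggers a real issuance and counts against rate limits, so run it only against hosts you operate.

```python
import re
import secrets
import socket
import subprocess
from typing import Optional

# What Traefik serves when it holds no certificate matching the SNI name
# (quoted in this thread as CN=TRAEFIK DEFAULT CERT).
DEFAULT_CERT_CNS = {"TRAEFIK DEFAULT CERT"}


def random_label() -> str:
    """A label nobody configured, so a certificate naming it can only be on-demand."""
    return "probe-" + secrets.token_hex(6)


def has_wildcard_dns(domain: str) -> bool:
    """True if an unconfigured random label under `domain` still resolves.
    Caveat: some resolvers synthesise answers for NXDOMAIN; confirm against
    the authoritative nameserver if this says True unexpectedly."""
    try:
        socket.gethostbyname(f"{random_label()}.{domain}")
        return True
    except socket.gaierror:
        return False


def served_subject(ip: str, sni: str, port: int = 443, timeout: int = 15) -> str:
    """Handshake with `ip` directly (no DNS needed) using `sni` as the server name
    and return the leaf subject as printed by `openssl x509 -subject`.
    Assumes the openssl command-line tool is available."""
    client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{ip}:{port}", "-servername", sni],
        input=b"", capture_output=True, timeout=timeout, check=False)
    x509 = subprocess.run(
        ["openssl", "x509", "-noout", "-subject"],
        input=client.stdout, capture_output=True, timeout=timeout, check=False)
    return x509.stdout.decode(errors="replace").strip()


def parse_cn(subject_line: str) -> Optional[str]:
    """Extract CN from 'subject=CN = x, O = y' (OpenSSL 1.1+) or the older
    'subject= /O=y/CN=x' form. Values containing ',' or '/' are not handled."""
    body = subject_line.partition("=")[2] if subject_line.startswith("subject") else subject_line
    for part in re.split(r"[,/]", body):
        key, _, value = part.partition("=")
        if key.strip() == "CN":
            return value.strip()
    return None


def classify(requested_host: str, served_cn: Optional[str]) -> str:
    """Decide what the served CN says about the proxy's issuance behaviour."""
    if served_cn is None:
        return "no-certificate"
    if served_cn in DEFAULT_CERT_CNS:
        return "default-cert"          # nothing was issued for the random name
    if served_cn.lower() == requested_host.lower():
        return "on-demand-issuance"    # a cert for a name we just invented
    if (served_cn.startswith("*.")
            and requested_host.lower().endswith(served_cn[1:].lower())
            and requested_host.count(".") == served_cn.count(".")):
        return "wildcard-cert"         # a pre-existing wildcard, not per-name issuance
    return "other-cert"


def probe(domain: str, ip: str) -> dict:
    name = f"{random_label()}.{domain}"
    cn = parse_cn(served_subject(ip, name))
    return {"probe_name": name, "wildcard_dns": has_wildcard_dns(domain),
            "served_cn": cn, "verdict": classify(name, cn)}


if __name__ == "__main__":
    import sys

    # Usage: python sni_probe.py example.com 192.0.2.10
    print(probe(sys.argv[1], sys.argv[2]))
```

A verdict of `default-cert` is the healthy result shown in this post. Because issuance is asynchronous on some setups, a second connection a few seconds later is worth checking before concluding that nothing was issued; the CT-log search in the earlier example is the definitive answer either way.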

Yes the client doesn’t know who those subdomains might be from. I’ve had it happen with several domains, some are wordpress, some not. The only thing in common is they are all using Traefik to get certificates from Let’s Encrypt.

Going to a subdomain doesn’t issue a certificate so that can’t be it.

I will contact the security team on Monday and see if I can get to the bottom of it that way.
