Certificate issued by previous domain owner

We purchased a domain about 60 days ago, and were just notified, via Certificate Transparency Notification from Cloudflare, that a wildcard certificate was issued for our domain, using Let's Encrypt.

Log date: 2022-04-23 14:13:17 UTC
Issuer: CN=E1,O=Let's Encrypt,C=US
Validity: 2022-04-23 13:13:17 UTC - 2022-07-22 13:13:16 UTC
DNS Names: *..com, .com

How can we prevent this from reoccurring?

This is probably Cloudflare itself, not the previous owner.

Check if you have Universal SSL active.

(In the Cloudflare dashboard, SSL/TLS -> Edge Certificates)

Interesting, I didn't realize Cloudflare used Let's Encrypt for edge certificates. I got a CTR report from Google too, so if Cloudflare is using Let's Encrypt, then yeah, that makes sense. We do, in fact, have universal SSL active. Thank you for your help!

Cloudflare uses several CAs. They even add the appropriate CAA records to your domain, if needed.

As you can see from the following documentation, Cloudflare says they issue certificates from Comodo, DigiCert, and Let's Encrypt:

https://support.cloudflare.com/hc/en-us/articles/115000310832-Certification-Authority-Authorization-CAA-FAQ#h_645975761191543365946939

They recently started issuing multiple certificates as a backup in the event there's a problem with one of those CAs:

I don't see how that explains issuing a wildcard cert - very sus from my paranoid chair.

nborror mentioned having Cloudflare Universal SSL active, which can issue wildcard certificates.

Maybe I should rephrase:
I don't see how that explains WHY Cloudflare should issue a wildcard cert.
[very suspicious action]

Cloudflare's primary certificates for many years have been in this format:

  • Subject Common Name: sni.cloudflaressl.com
  • SubjectAltNames: example.com, *.example.com, sni.cloudflaressl.com

This allows them to simplify storage and deployment to (typically) a single certificate per domain, allowing traffic to be instantly routed onto their network as new sub-domains are added.

The backup certificates are issued from a second CA (never the first CA) to avoid timeouts from a dogpile effect if there is a mass revocation against the first CA.

They offer paid upgrades to have more control over the SSL certificates, such as dedicated domain certificates. As a free default option for all paid and free accounts, their current behavior is pretty spectacular.
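Putting the two technical points of this thread together (the CAA records Cloudflare adds to the zone, and the shape of a Universal SSL certificate with the apex plus its wildcard as SANs), here is an added example of how to triage a CT notification like the one in the question. It is not code from Cloudflare or from any poster. It walks the CAA tree per RFC 8659 (closest label with CAA records wins; issuewild overrides issue for wildcard names; an empty issuer-domain-name denies everyone) and checks that every SAN belongs to the monitored domain. The zone data, the KNOWN_CAS mapping of issuer O= values to CAA issuer domains, and the sample notification are constructed for the example; example.com stands in for the redacted domain, and the CAA values are illustrative, not a statement of what Cloudflare publishes.

```python
"""Triage a Certificate Transparency notification: does the certificate look
like a Cloudflare Universal SSL issuance, and was the CA permitted by CAA?

Added example for this thread, not code from Cloudflare or the posters.
Zone data and the sample notification are constructed; example.com stands
in for the redacted domain in the question."""

# Issuer O= values as they appear in the issuer DN, mapped to the CAA
# issuer-domain-name each CA honours. Limited to the CAs the thread names;
# the mapping itself is an assumption of this example.
KNOWN_CAS = {
    "Let's Encrypt": "letsencrypt.org",
    "DigiCert Inc": "digicert.com",
    "Sectigo Limited": "comodoca.com",   # Comodo CA, now Sectigo
}

# Shared name the last answer says Cloudflare has placed in its edge certs.
CLOUDFLARE_SHARED_SAN = "sni.cloudflaressl.com"


def parse_dn(dn):
    """Parse a simple DN such as 'CN=E1,O=Let's Encrypt,C=US' into a dict.
    Enough for issuer names that contain no escaped commas."""
    attrs = {}
    for rdn in dn.split(","):
        key, _, value = rdn.partition("=")
        attrs[key.strip().upper()] = value.strip()
    return attrs


def base_name(name):
    """Drop a leading wildcard label: '*.example.com' -> 'example.com'."""
    name = name.lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name


def within(name, domain):
    """True if name is domain itself or a (wildcard) name under it."""
    base, domain = base_name(name), domain.lower()
    return base == domain or base.endswith("." + domain)


def relevant_caa(zone, name):
    """RFC 8659 section 3: the Relevant RRset is the CAA RRset of the closest
    label, walking from the name towards the root. zone maps an FQDN to a
    list of (tag, value) tuples."""
    labels = base_name(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return zone[candidate]
    return []


def caa_permits(zone, name, issuer_domain):
    """Apply RFC 8659 issue/issuewild processing for one SAN."""
    rrset = relevant_caa(zone, name)
    issue = [v for tag, v in rrset if tag == "issue"]
    issuewild = [v for tag, v in rrset if tag == "issuewild"]
    # Wildcard names use issuewild when present, otherwise fall back to issue.
    applicable = issuewild if (name.startswith("*.") and issuewild) else issue
    if not applicable:
        return True  # no restriction recorded: any CA may issue
    for value in applicable:
        # Parameters follow ';' and do not affect the match; an empty
        # issuer-domain-name ('0 issue ";"') forbids every CA.
        allowed = value.split(";", 1)[0].strip().lower()
        if allowed and allowed == issuer_domain.lower():
            return True
    return False


def triage(notification, our_domain, zone):
    """Explain why an issuance is, or is not, the expected Universal SSL one."""
    org = parse_dn(notification["issuer"]).get("O", "")
    issuer_domain = KNOWN_CAS.get(org)
    names = [n.lower() for n in notification["dns_names"]]
    ours = sorted(n for n in names if n != CLOUDFLARE_SHARED_SAN)
    foreign = [n for n in ours if not within(n, our_domain)]
    caa_denied = [n for n in ours if issuer_domain is not None
                  and not caa_permits(zone, n, issuer_domain)]
    shape = ours == sorted([our_domain.lower(), "*." + our_domain.lower()])
    return {
        "issuer_known": issuer_domain is not None,
        "universal_ssl_shape": shape,
        "foreign_names": foreign,
        "caa_denied": caa_denied,
        "expected": issuer_domain is not None and shape
                    and not foreign and not caa_denied,
    }


# Constructed CAA data: the apex authorises several CAs but only one for
# wildcards; a subdomain hosted elsewhere forbids all issuance.
ZONE = {
    "example.com": [
        ("issue", "letsencrypt.org"),
        ("issuewild", "letsencrypt.org"),
        ("issue", "digicert.com; cansignhttpexchanges=yes"),
        ("issue", "comodoca.com"),
    ],
    "legacy.example.com": [("issue", ";")],
}

# The notification from the question, with the redacted domain replaced.
NOTIFICATION = {
    "issuer": "CN=E1,O=Let's Encrypt,C=US",
    "dns_names": ["*.example.com", "example.com"],
}

if __name__ == "__main__":
    print(triage(NOTIFICATION, "example.com", ZONE))
```

With the constructed zone the question's certificate comes back as expected: a known CA, exactly the apex plus its wildcard, and both names permitted by CAA. The same function flags the cases worth investigating, namely an unknown issuer, a SAN outside your domain, or a wildcard from a CA the issuewild records do not list.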