Certificate issued by previous domain owner

Issuance Policy
1

We purchased a domain about 60 days ago, and were just notified, via Certificate Transparency Notification from Cloudflare, that a wildcard certificate was issued for our domain, using Let's encrypt.

Log date: 2022-04-23 14:13:17 UTC
Issuer: CN=E1,O=Let's Encrypt,C=US
Validity: 2022-04-23 13:13:17 UTC - 2022-07-22 13:13:16 UTC
DNS Names: *..com, .com

How can we prevent this from reoccurring?

2 Likes
2

This is probably cloudflare itself, not the previous owner.

Check if you have universal ssl active.

(In the cloudflare dashboard, SSL/TLS -> Edge Certificates)

4 Likes
3

Interesting, I didn't realize Cloudflare used Let's Encrypt for edge certificates. I got a CTR report from Google too, so if Cloudflare is using Let's Encrypt, then yeah, that makes sense. We do, in fact, have universal SSL active. Thank you for your help!

6 Likes
4

Cloudflare uses several CAs. They even add the appropriate CAA records to your domain, if needed.

6 Likes
5

As you can see from the following documentation, Cloudflare says they issue certificates from Comodo, Digicert, and Let's Encrypt:

https://support.cloudflare.com/hc/en-us/articles/115000310832-Certification-Authority-Authorization-CAA-FAQ#h_645975761191543365946939

They recently started issuing multiple certificates as a backup in event there's a problem with one of those CAs:

7 Likes
6

I don't see how that explains issuing a wildcard cert - very sus from my paranoid chair.

4 Likes
7

nborror mentioned having Cloudflare Universal SSL active, which can issue wildcard certificates.

5 Likes
8

Maybe I should rephrase:
I don't see how that explains WHY Cloudflare should issue a wildcard cert.
[very suspicious action]

3 Likes
9

Cloudflare's primary certificates for many years have been in this format:

  • Subject Common Name: sni.cloudflaressl.com
  • SubjectAltNames: example.com, *.example.com, sni.cloudflaressl.com

This allows them to simplify storage and deployment to (typically) a single certificate per domain, allowing traffic to be instantly routed onto their network as new sub-domains are added.

The backup certificates are issued from a second CA (never the first CA) to avoid timeouts from a dogpile effect if there is a mass revocation against the first CA.

They offer paid upgrades to have more control over the SSL certificates, such as dedicated domain certificates. As a free default option for all paid and free accounts, their current behavior is pretty spectacular.

5 Likes
10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.