I know this is maybe a little bit off topic, but I think that the implications are interesting for this CA too.
I am neither the owner of the domain “rsajeey.info” nor do I have any contact with the owner.
What makes it interesting here are two things.
- CloudFlare built a certificate for that domain (CN=sni181034.cloudflaressl.com, Serial 00:83:7F:6C:15:31:6D:77:B1:98:26:15:54:3B:C1:98:61) even though the domain was misconfigured so that it pointed to my server.
-> This raises for me the question: how could the owner of this domain prove that he has control over that domain?
- I secured my site with a “Content-Security-Policy” that denies HTTP access, inline styles or scripts. Now CloudFlare translates the query into an HTTP request and modifies the page content.
-> This is a classical “Man in the Middle” use case.
Now the question:
Since I am neither the owner nor do I have access to the DNS server, it would be possible to get a Let's Encrypt certificate for this domain, because I can place the requested challenge on the server.
So what I think is that there should always be an email notification sent to the domain owner (based on the whois record). Since I know this is bad for dyndns, the mail should contain an option to disable the notification for that domain.
What are the opinions here about these points?
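To make the mechanism behind the post concrete, here is an added example (not code from the post, from Let's Encrypt or from CloudFlare) showing two things: how the HTTP-01 key authorization that a CA fetches from `/.well-known/acme-challenge/<token>` is built per RFC 8555 and RFC 7638, and a small defender-side check that flags DNS records resolving to addresses the owner does not control, which is exactly the mispointed-record situation described above. The JWK values, the token, the host names and the address ranges are constructed sample data, and the `unowned_targets` helper is a hypothetical name, not part of any ACME client.

```python
import base64
import hashlib
import ipaddress
import json

# Constructed sample ACME account key (public JWK). The x/y strings are
# arbitrary sample values, not a real key; the thumbprint only uses the
# public members, so this is enough to show the mechanism.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over canonical JSON of the required
    public members only (sorted keys, no whitespace). Private members or
    extra metadata such as 'kid' must not influence the result."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def http01_response(token: str, jwk: dict):
    """Return (URL path, body) the CA expects during HTTP-01 (RFC 8555 s8.3).
    Note what is NOT involved: the requester's identity or the whois contact.
    Whichever host the name's A/AAAA record resolves to can serve this body,
    which is the post's concern about a record pointing at the wrong server."""
    return ("/.well-known/acme-challenge/" + token,
            token + "." + jwk_thumbprint(jwk))


def unowned_targets(dns_records, owned_networks):
    """Flag A/AAAA records that resolve outside the networks the domain
    owner controls. A hit means the host at that address could answer
    HTTP-01 for the name; the remedy is to correct or remove the record."""
    owned = [ipaddress.ip_network(n) for n in owned_networks]
    return [(name, ip) for name, ip in dns_records
            if not any(ipaddress.ip_address(ip) in net for net in owned)]


# Constructed inputs: a zone's records and the owner's own address ranges.
SAMPLE_RECORDS = [
    ("www.example.org", "203.0.113.10"),
    ("old.example.org", "198.51.100.7"),   # stale: points at someone else's server
]
OWNED = ["203.0.113.0/24"]

if __name__ == "__main__":
    path, body = http01_response("evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA", SAMPLE_JWK)
    print(path, body)
    print(unowned_targets(SAMPLE_RECORDS, OWNED))
```

The point the check makes is that a zone audit of where each name resolves, run by the owner, catches the stale-record case before any CA does; the notification idea in the post would add a second, after-the-fact signal on top of that.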