Edge Certificate issued without my Authorization

Domain: rioco.com

I received a notification that Let's Encrypt issued a certificate for my domain.
As the owner and maintainer of this domain, I did not authorize the issuance of this certificate.
I suspect fraud or misrepresentation.

I need help finding out who did this and how. I already have certificates, and don't need/want this currently.

$ dig ns rioco.com +short

It appears that you are using Cloudflare services; they are also able to issue certificates on behalf of your domain.


Cloudflare is the one that gave me the notice.

"Cloudflare has observed issuance of the following certificate for [rioco.com] or one of its subdomains"

Yes, as odd as it sounds, Cloudflare may warn even when they acquired the cert for you. You might ask about this on the Cloudflare forum to see if a fix is planned.

You could also use a tool like https://crt.sh to look at cert history and see if all is in order. Just note that sometimes there is a delay of 24 hours or more before crt.sh shows certs.

UPDATE: That said, I just looked at your cert history on crt.sh and don't see anything odd. I see a regularly issued cert for the www subdomain, which I assume is your origin server. There are certs from Google and Sectigo, which I assume are Cloudflare's CDN obtaining certs for itself.


Yes, Cloudflare will issue certificates for itself (which, since your DNS points to them, is correct), and then alert you through its certificate transparency monitoring service that a new certificate has been issued, without telling you that it's one that they asked for themselves. Definitely a common source of confusion; you're not the first person to be asking about it here:

Would certainly be nice if Cloudflare made things clearer.


Thank you.



To add to this confusion, Cloudflare will typically request TWO certificates per domain.

The First Certificate is used as the active certificate in their network and is signed by a First CA.

The Second Certificate is used as a backup certificate and is signed by a different Second CA. This certificate is obtained in case there is an issue with the First CA's root, amongst several other reasons, so that they can immediately update their entire network.
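The checks the replies above suggest (pulling the domain's history from crt.sh and confirming that the issuers seen, here Let's Encrypt for the origin plus two CDN-side CAs, are the ones you expect) can be scripted. The following is an added example, not code from the thread or from Cloudflare or crt.sh. It uses crt.sh's JSON output (`https://crt.sh/?q=%25.<domain>&output=json`, whose rows carry `id`, `issuer_name`, `name_value`, `not_before` and `not_after`); the `SAMPLE` rows are constructed to mirror the thread's description, and the `EXPECTED` allow-list of issuing organisations is an assumption you would adjust for your own setup.

```python
"""Added example: group a domain's crt.sh certificate history by issuing CA
and flag any issuer that is not on an allow-list.

Not part of the original thread, Cloudflare, or crt.sh. Field names follow
crt.sh's JSON output; SAMPLE is constructed data, EXPECTED is an assumption.
"""
import json
import sys
import urllib.parse
import urllib.request
from collections import defaultdict

# Assumption: the issuers that are normal for a Cloudflare-fronted site in the
# thread (origin cert from Let's Encrypt, two edge certs from two other CAs).
# Matched as substrings of the O= value, since the exact DN strings vary.
EXPECTED = {"Let's Encrypt", "Google Trust Services", "Sectigo Limited"}

# Constructed sample rows in crt.sh JSON shape. Row 4 repeats id 2 on purpose:
# crt.sh can return one row per name for the same certificate.
SAMPLE = [
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.rioco.com",
     "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T23:59:59"},
    {"id": 2, "issuer_name": "C=US, O=Google Trust Services, CN=WE1",
     "name_value": "rioco.com\n*.rioco.com",
     "not_before": "2024-01-12T00:00:00", "not_after": "2024-04-11T23:59:59"},
    {"id": 3, "issuer_name": "C=GB, ST=Greater Manchester, L=Salford, "
                             "O=Sectigo Limited, CN=Sectigo ECC Domain Validation Secure Server CA",
     "name_value": "rioco.com\n*.rioco.com",
     "not_before": "2024-01-12T00:00:00", "not_after": "2024-04-11T23:59:59"},
    {"id": 2, "issuer_name": "C=US, O=Google Trust Services, CN=WE1",
     "name_value": "*.rioco.com",
     "not_before": "2024-01-12T00:00:00", "not_after": "2024-04-11T23:59:59"},
]


def fetch_crtsh(domain, timeout=30):
    """Live lookup of every CT entry naming the domain or a subdomain."""
    url = "https://crt.sh/?q=" + urllib.parse.quote("%." + domain) + "&output=json"
    req = urllib.request.Request(url, headers={"User-Agent": "crtsh-issuer-check/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def issuer_org(issuer_name):
    """Return the O= value of a crt.sh issuer DN such as
    "C=US, O=Let's Encrypt, CN=R3"; fall back to the whole string."""
    for rdn in issuer_name.split(", "):
        if rdn.startswith("O="):
            return rdn[2:]
    return issuer_name


def summarize_by_issuer(entries):
    """Group entries by issuing organisation, de-duplicating by crt.sh id and
    merging the newline-separated SANs in name_value into one sorted list."""
    seen = set()
    by_org = defaultdict(list)
    for e in entries:
        if e["id"] in seen:
            continue
        seen.add(e["id"])
        by_org[issuer_org(e["issuer_name"])].append({
            "id": e["id"],
            "names": sorted(set(e["name_value"].splitlines())),
            "not_before": e["not_before"],
            "not_after": e["not_after"],
        })
    for certs in by_org.values():
        certs.sort(key=lambda c: c["not_before"])
    return dict(by_org)


def unexpected_issuers(entries, expected_orgs=EXPECTED):
    """Issuing organisations present in the history but matching nothing on
    the allow-list. Anything returned here deserves a closer look."""
    return sorted(org for org in summarize_by_issuer(entries)
                  if not any(exp in org for exp in expected_orgs))


if __name__ == "__main__":
    # Usage: python crtsh_check.py rioco.com   (no argument runs on SAMPLE)
    entries = fetch_crtsh(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for org, certs in summarize_by_issuer(entries).items():
        print(f"{org}: {len(certs)} cert(s)")
        for c in certs:
            print(f"  {c['not_before'][:10]} -> {c['not_after'][:10]}  {', '.join(c['names'])}")
    print("unexpected issuers:", unexpected_issuers(entries) or "none")
```

On the sample data this prints one Let's Encrypt cert for `www.rioco.com` and one each from the two CDN-side CAs for the apex and wildcard, with no unexpected issuers, which is the pattern the replies above describe as normal. Against a live domain, remember the indexing delay mentioned earlier: a certificate issued in the last day may not be in the output yet.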


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.