Edge Certificate issued without my Authorization

Domain: rioco.com

I received a notification that Let's Encrypt issued a certificate for my domain.
As the owner and maintainer of this domain, I did not authorize the issuance of this certificate.
I suspect fraud or misrepresentation.

I need help finding out who did this and how. I already have certificates, and don't need/want this currently.

$ dig ns rioco.com +short
jonah.ns.cloudflare.com.
lorna.ns.cloudflare.com

It appears that you are using Cloudflare services, they are also able to issue certificates on behalf of your domain.

4 Likes

Cloudflare is the one that gave me the notice.

"Cloudflare has observed issuance of the following certificate for [rioco.com] or one of its subdomains"

Yes, as odd as it sounds Cloudflare may warn even when they acquired the cert for you. You might ask about this on the Cloudflare forum to see if a fix is planned.

You could also use a tool like https://crt.sh to look at cert history and see if all is in order. Just note sometimes there is as much as a 24H or more delay in crt.sh showing certs.

UPDATE: That said, I just looked at your cert history on crt.sh and don't see anything odd. I see a regularly issued cert for the www subdomain which I assume is your origin server. There are certs from Google and Sectigo which I assume is Cloudflare's CDN obtaining certs for itself.

8 Likes
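Added example, not part of any post in this thread: one way to triage a crt.sh history like the one reviewed above, by collapsing precertificate/leaf pairs and grouping entries by issuing organization so an unfamiliar CA stands out. The sample entries are constructed in the shape of crt.sh's JSON output, and the expected-issuer list is an assumption based on the CAs named in this thread.

```python
import json
import re
from collections import defaultdict

# Assumption: issuers this owner expects (origin server CA plus the CDN's CAs).
EXPECTED_PREFIXES = ("let's encrypt", "google trust services", "sectigo")

# Constructed sample shaped like https://crt.sh/?q=<domain>&output=json
SAMPLE = json.dumps([
    {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com", "serial_number": "03aa"},
    {"id": 1002, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com", "serial_number": "03aa"},  # precert + leaf
    {"id": 1003, "issuer_name": "C=US, O=Google Trust Services LLC, CN=GTS CA 1P5",
     "name_value": "example.com\n*.example.com", "serial_number": "7f01"},
    {"id": 1004, "issuer_name": "C=XX, O=Unfamiliar CA, CN=Unfamiliar Issuing CA",
     "name_value": "mail.example.com", "serial_number": "9c44"},
])

def issuer_org(issuer_name):
    """Pull the O= attribute out of an issuer DN; the value may be quoted."""
    m = re.search(r'(?:^|, )O=(?:"([^"]*)"|([^,]*))', issuer_name)
    return (m.group(1) or m.group(2)).strip() if m else "(no organization)"

def triage(raw_json, expected=EXPECTED_PREFIXES):
    """Group CT entries by issuer organization, counting each certificate once."""
    seen = set()
    report = defaultdict(lambda: {"expected": False, "certs": 0, "names": set()})
    for entry in json.loads(raw_json):
        # A precertificate and its final certificate share issuer and serial.
        key = (entry["issuer_name"], entry["serial_number"])
        if key in seen:
            continue
        seen.add(key)
        org = issuer_org(entry["issuer_name"])
        row = report[org]
        row["expected"] = org.lower().startswith(expected)
        row["certs"] += 1
        row["names"].update(entry["name_value"].split("\n"))
    return dict(report)

def unexpected_issuers(report):
    return sorted(org for org, row in report.items() if not row["expected"])

if __name__ == "__main__":
    for org, row in triage(SAMPLE).items():
        print(org, row["certs"], sorted(row["names"]), "ok" if row["expected"] else "REVIEW")
```

Because Cloudflare typically holds certificates from two different CAs, two expected issuers besides your own origin CA is the normal result; only an issuer outside the list needs a closer look.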

Yes, Cloudflare will issue certificates for itself (which since your DNS points to them is correct), and then alert you through its certificate transparency monitoring service that a new certificate has been issued, without telling you that it's one that they asked for themselves. Definitely a common source of confusion; you're not the first person to be asking about it here:

Would certainly be nice if Cloudflare made things clearer.

7 Likes

thank you

2 Likes

Adding:

To add to this confusion, Cloudflare will typically request TWO certificates per domain.

The First Certificate is used as the active certificate in their network and is signed by a First CA.

The Second Certificate is used as a backup certificate and is signed by a different Second CA. This Certificate is obtained in case there is an issue with the First CA's root, amongst several other reasons, so they can immediately update their entire network.

6 Likes
