Excessive cert renew notifications for domains I don't know

As of about a week ago I started getting notifications for cert renewals for domains I don't know on the .ovh TLD (which I didn't even know existed). I get these multiple times a day.

Domains seem either auto-generated and/or spammy.

The only option seems to be to unsubscribe my email, but it says "Please note that this would also unsubscribe you from other Let's Encrypt service notices, including expiration reminders for any other certificates." I don't have any domains up now, but I did before, and this seems like the nuclear option for a problem I didn't cause -- shouldn't these emails be validated first? Is there any other option to get my email out of these?

No, sadly, unless your email system allows flexible rules which could handle deletes automatically.

But, there may be an option after unsubscribing to still keep notifications for your future domains:

Also, there are only two emails per cert so they might just run their course. I checked the first 3 and they were well-behaved with certs until recently. They now all use a self-signed Traefik cert so are out of practical service. Depending how many certs were connected to your email (wrongly) waiting it out is another option.

3 Likes

If you are in full control of the IP all those names resolve to, then you might not be the only one with such control.
I would suspect that someone has exploited your system and is using it to create secure SPAM/Malware sites.

3 Likes

I can assure you the system wasn't compromised. It just seems in error. It's a common name and the gmail associated with that has become spammed over the years from people mistyping the email. Which, again, some modicum of email validation would have prevented.

2 Likes

Are you in full control of that IP?

I don't see the direct relation between your email being randomly spammed and certificates having been created for that same domain and while using your email address or account.

You do realize that for someone trying to effectively use any of those certificates, they would have to use them at the IP the names resolve to: 168.119.35.184
And for the emails to reach you about such certificate expirations, they would have had to have used your IP, your email address, and/or your ACME account/client.

So, I restate my assumption:

2 Likes

I don't think so. Their only complaint is receiving emails. The domains are not theirs.

Someone could use the wrong email when creating an ACME account such that expiry emails go to that wrong email. There is no validation of email address when registering to catch such mistakes. That appears to be what is happening here.

3 Likes

Then they missed that part where I specifically tied the two together:

If they are not, then you may be right.
But I've made the IP clear here too:

So, my question becomes [now more clearly]:

@nulls, do you control the IP: 168.119.35.184 ?

[that is the IP all those names resolve to]

3 Likes

I see, you are wondering whether their server was compromised.

Their first post said they had no domains running which I took to mean they have no server running. And, those domains return a result now even on port 443 with a default Traefik cert so I figured they are some other server. But, maybe not and it's worth checking for a possible vulnerability.

3 Likes

They said they have none on that TLD:

So, I took that in the other direction.

I reckon the names were disposable and they have moved on to other names from that same TLD, pointing to that same server IP.
[if that is the case, then they are still being used and abused]

A quick cert check will show if there are any such named certs still being issued today.

2 Likes

Well, they said they didn't know that TLD existed. Later, they said:

I already did and noted it earlier that they were not renewed and https requests to those domains respond with a default Traefik cert.

The expiry emails are an offshoot of the certs not being renewed.

2 Likes

crt.sh is having difficulty with that domain.
More suspicion, on my part, that it has very many certs issued.
Which leads me to believe the server has been compromised.

2 Likes

Are you focused on the names shown above?
'cuz I'm not.
I'm looking for new similar names that are still being issued.
But crt.sh isn't working for me on that domain.

2 Likes

Maybe. And worth checking if that IP belongs to OP. But, it could belong to someone else.

Yes. The stated domains were "well behaved" issuing certs for about a year and recently stopped.

I see a cert issued Mar 6 for sweet-mayer.ktm.ovh (using Censys) which points to the same IP. So, someone has a server handling many domain names. (This domain also now returns a default Traefik cert)

@nulls It's worth checking that 168.119.35.184 is not yours (as Rudy previously noted)

2 Likes

No. Domains, sites, or anything hosted on those IPs is not mine. As mentioned above, this is more about people registering certs with the wrong, or mistyped, email and me getting loads of notifications. I did unsubscribe and if I make a cert in the future I'll just use a different email. Was just inquiring about alternative approaches. Feel free to close this thread.

2 Likes

If that IP is not yours, then has it ever been?
Why would someone at that IP start an ACME client and use your email address for it?

If you don't use that email address for LE certs, then I would unsubscribe it.
Just read that you did unsub it.
That said, there is no current way of reusing any email address, that has been unsubscribed, for LE notifications.
That said, you can use "Plus addressing" to make a new entry that looks different but ends up at the same mailbox.
Like:

your+abc@addre.ss      => your@addre.ss
your+123@addre.ss      => your@addre.ss
your+whatever@addre.ss => your@addre.ss

The simplest and preferred way to close a topic is for a solution to be chosen.
If no solution has been provided, then maybe some more discussion is required.

3 Likes
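The two ideas above (a mail rule that handles the misdirected notices automatically, and a plus-addressed tag that only your own ACME client knows) can be combined into one filter. This is an added example, not code from anyone in the thread: the subject line format and the sample notices are constructed, and `MY_DOMAINS` / `MY_TAG` are placeholders for your own values.

```python
import re
from email.utils import parseaddr

# Placeholders: the domains you actually run and the plus-tag you gave
# your own ACME client (your+le@addre.ss). Both are assumptions.
MY_DOMAINS = {"shop.example.net"}
MY_TAG = "le"

# Constructed sample notices, not real mail from the thread. The subject
# shape is assumed to resemble Let's Encrypt's expiry reminder subjects.
SAMPLE_NOTICES = [
    {"to": "your+le@addre.ss",
     "subject": 'Let\'s Encrypt certificate expiration notice for domain "sweet-mayer.ktm.ovh"'},
    {"to": "your@addre.ss",
     "subject": 'Let\'s Encrypt certificate expiration notice for domain "shop.example.net"'},
    {"to": "Your+LE@Addre.ss",
     "subject": 'Let\'s Encrypt certificate expiration notice for domain "www.shop.example.net"'},
]

DOMAIN_RE = re.compile(r'for domain "([^"]+)"')


def canonical_mailbox(addr):
    """Split a plus address: 'your+abc@addre.ss' -> ('your@addre.ss', 'abc').
    Local part and tag are lower-cased because most providers treat them so."""
    _, email = parseaddr(addr)
    local, _, domain = email.partition("@")
    base, _, tag = local.partition("+")
    return base.lower() + "@" + domain.lower(), tag.lower()


def owns_domain(domain):
    """True if the domain is one of MY_DOMAINS or a subdomain of one."""
    d = domain.lower().rstrip(".")
    return any(d == mine or d.endswith("." + mine) for mine in MY_DOMAINS)


def triage(notice):
    """Classify one notice: 'keep' only when BOTH signals agree, i.e. it was
    sent to your tagged address AND names a domain you control. A notice
    created by someone else mistyping your address fails both checks."""
    _, tag = canonical_mailbox(notice["to"])
    match = DOMAIN_RE.search(notice["subject"])
    domain = match.group(1) if match else ""
    if tag == MY_TAG and owns_domain(domain):
        return "keep"
    return "misdirected"


def triage_all(notices):
    """Return {'keep': n, 'misdirected': m} over a batch of notices."""
    counts = {"keep": 0, "misdirected": 0}
    for n in notices:
        counts[triage(n)] += 1
    return counts
```

Requiring both the tag and an owned domain means a stray notice for one of your own domains created under a mistyped address is still filtered out, so the allowlist is what stops you being forced to unsubscribe entirely.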

The IP appears to be assigned to Hetzner. Another option is to contact Hetzner and complain that IP was using your email address by mistake.

Maybe Hetzner could contact the server subscriber to get it fixed.

4 Likes

Those are randomly generated Docker container names.

So I would not be alarmed about them, although that also doesn't help with the underlying problem of the misdirected renewal notices.

I found a company and person's name in whois which might be the name of the owner of these hosts; I'll send it in a PM to @nulls.

5 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.