As of about a week ago I started getting notifications for cert renewals for domains I don't know on the .ovh TLD (which I didn't even know existed). I get these multiple times a day.
Domains seem either auto-generated and/or spammy.
The only option seems to be to unsubscribe my email, but it says "Please note that this would also unsubscribe you from other Let's Encrypt service notices, including expiration reminders for any other certificates." I don't have any domains up now, but I did before and this seems like the nuclear option for a problem I didn't cause -- shouldn't these emails be validated first? Is there any other option to get my email out of these?
No, sadly, unless your email system allows flexible rules which could handle deletes automatically.
But, there may be an option after unsubscribing to still keep notifications for your future domains:
Also, there are only two emails per cert so they might just run their course. I checked the first 3 and they were well-behaved with certs until recently. They now all use a self-signed Traefik cert so are out of practical service. Depending on how many certs were connected to your email (wrongly), waiting it out is another option.
If you are in full control of the IP all those names resolve to, then you might not be the only one with such control.
I would suspect that someone has exploited your system and is using it to create secure SPAM/Malware sites.
Can assure you system wasn't compromised. It just seems in error. It's a common name and the Gmail associated with that has become spammed over the years from people mistyping the email. Which, again, some modicum of email validation would have prevented.
I don't see the direct relation between your email being randomly spammed and certificates having been created for that same domain and while using your email address or account.
You do realize that for someone trying to effectively use any of those certificates, they would have to use them at the IP the names resolve to: 184.108.40.206
And for the emails to reach you about such certificate expirations, they would have had to have used your IP, your email address, and/or your ACME account/client.
I don't think so. Their only complaint is receiving emails. The domains are not theirs.
Someone could use the wrong email when creating an ACME account such that expiry emails go to that wrong email. There is no validation of email address when registering to catch such mistakes. That appears to be what is happening here.
I see, you are wondering whether their server was compromised.
Their first post said they had no domains running which I took to mean they have no server running. And, those domains return a result now even on port 443 with a default Traefik cert so I figured they are some other server. But, maybe not and it's worth checking for a possible vulnerability.
No. Domains, sites, or anything hosted on those IPs is not mine. As mentioned above, this is more about people registering certs with the wrong, or mistyped, email and me getting loads of notifications. I did unsubscribe and if I make a cert in the future I'll just use a different email. Was just inquiring about alternative approaches. Feel free to close this thread.
If that IP is not yours, then has it ever been?
Why would someone at that IP start an ACME client and use your email address for it?
If you don't use that email address for LE certs, then I would unsubscribe it.
Just read that you did unsub it.
That said, there is no current way of reusing any email address, that has been unsubscribed, for LE notifications.
That said, you can use "Plus addressing" to make a new entry that looks different but ends up at the same mailbox.