Expiration notifications for domains I don't own

shawnonthenet · March 1, 2019, 11:06pm

My domain is:
www.xn–h9tq4m26w4jw.top
www.toppageagency.com

The above two domains appear to be hosted on a digitalocean ip I had last year. I’ve just started getting certificate expiring messages for them but they aren’t my domains and I’ve never requested certificates for them. I’m assuming the person getting the ip after me from digitalocean wouldn’t know the email address of the previous owner of that ip so it appears LE is automatically assigning my email address to domains from an ip address I’ve previously used. Is this how it works or is there something else going on here?

schoen · March 2, 2019, 7:08am

@lestaff, could there be any sort of bug that would account for this? It seems like a pretty mysterious problem to me.

JamesLE · March 2, 2019, 8:05am

Is it possible that what those domains have in common with yours isn't a DigitalOcean IP, but a current or past Plesk installation? It's a long shot, but that's a surprising issue that we've encountered before with expiration e-mails:

shawnonthenet · March 2, 2019, 9:38am

Hi James,

No, not in this case the machines would have been standard Ubuntu 18.04 images. Only thing on them would be nginx(possibly openresty).

JamesLE · March 3, 2019, 4:02am

This is quite bizarre, then. Expiration e-mails are tied to your ACME registration (account), never based on IP addresses or any kind of auto-discovery. Could you please post one of your own domains? We won’t be able to disclose account information, but that might help us look into the cause.

shawnonthenet · March 3, 2019, 4:39am

Hi James,

Thanks for jumping in to try and figure this out.

northandsouthnomads.com is mine. Do you need all the domains on that certificate or just the one?

rg305 · March 3, 2019, 4:14pm

If you indeed used that system to get any LE certs…
It sounds like the system was reused without a complete wipe (extremely bad practice).
[leaving some cert settings behind - like your email address]

mnordhoff · March 3, 2019, 4:22pm

Even if the VPS company has an extremely bad security problem and is unexpectedly failing to wipe disks

(even worse than that other incident)

it would be a large coincidence for a new VPS to get some of the same disk blocks and the same IP address as a previous one.

rg305 · March 3, 2019, 4:36pm

It would be much more likely if it was the exact same physical system [and drive and IP].
But who are we to know what they do or how they do it.

shawnonthenet · March 3, 2019, 7:36pm

I’ve opened a support ticket with Digital Ocean to investigate but in a few years of using them and a few hundred servers created I’ve never gotten a server that wasn’t freshly imaged.

JamesLE · March 4, 2019, 7:50am

I’ve confirmed that this doesn’t look like a bug on our end. I’ll be very curious to hear what, if anything, you find out; please follow up if you can. Thanks for bringing this to our attention!

shawnonthenet · March 5, 2019, 8:04pm

Hi James,

Thank you for your time looking into it. Digitalocean has said there is no way it could be on their side as all servers are given freshly wiped disks when imaged.

So unfortunately I don’t think this will be solved. Is it possible to see all the certificates linked to my email address somehow and invalidate/block the ones that aren’t mine?

JamesLE · March 5, 2019, 8:25pm

This is very odd. Thanks for the update!

Unfortunately, we don’t have ways to unsubscribe from some expiration e-mails and not others, or to remove your e-mail address from an ACME account for which you don’t control the key. Unsubscribing from all expiration e-mails, or manually filtering ones that mention unwanted domains, may be your best bet.

I’m sorry about that, and thanks again for bringing this up. We try to keep these corner cases in mind for future improvements.

system · April 4, 2019, 8:39pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.