Finding certificates with my E-Mail address that I did not request

I received an E-Mail today saying that an older client library (identified as “Go-http-client”) has sent 115 requests to the Let’s Encrypt API and that I need to update my client.

Here is the problem - the IP address that this E-Mail says the requests came from is not an IP address that I use or have ever used. This E-Mail makes me think that an unknown person is attempting to request certificates with my E-Mail address as the identifier.

I have looked at crt.sh for the domains that I own or manage but I have not found any certificates I do not control. However, I do not know if the person using my E-Mail address is issuing certificates for my domains or other domains.

So, my questions are:

  1. Is there a way to locate certificates that Let’s Encrypt has issued based on the E-Mail address provided as contact information?
  2. Is there a way to prevent others from using my E-Mail address to request certificates? Possibly a security token, ID number, revocation list, etc… that could restrict certificates that are issued without authorization?

Thank you for any assistance you can provide.

 --David

Email addresses are linked to ACME accounts, rather than certificates.

There’s no way (currently) to prevent somebody from using your email address to register an ACME account. By itself, this does not generate any email messages, nor is any email address used for any certificate issuance decisions, but it also doesn’t require any verification/double-opt-in.

You can find an email address to write to on https://letsencrypt.org/privacy/ , under the “Subscriber” and GDPR sections.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.