Frequent Cloudflare Transparency Emails

I've received emails yesterday and today from Cloudflare saying...

Cloudflare has observed issuance of the following certificate for [my domain] or one of its subdomains:

Log date: 2022-02-19 19:01:08 UTC
Issuer: CN=R3,O=Let's Encrypt,C=US
Validity: 2022-02-19 18:01:07 UTC - 2022-05-20 18:01:06 UTC
DNS Names: *.mydomain.co, mydomain.co

Not sure why this has happened. My cert is good through May 7.

Two weeks ago I received such a notice, and I discovered my cert had been updated, only a month since I initially opened it.

What does this mean to me? The DNS names all look fine, and come back to my IP.

Since I'm not on a fixed IP, would an IP change by my ISP trigger this?

That sounds like an ACME client that is set up wrong and renewing too frequently.

You can view your cert history at a site like https://crt.sh

Your request is not a Feature Request. It is a better fit for the Help topic and I moved it there. If you had submitted as Help initially you would have been asked the questions below. If you answer them as best you can we can give more specific advice.


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

OK... here are responses the best I can do. As I don't have a "web server" most answers are "not applicable". I appreciate your help to clean up this mess.

My domain is:
jellonation.co

I ran this command:
No command. I frequently get transparency reports from Cloudflare, and also a cert update on 2/9/2022 that I did not request.

It produced this output:
Email content posted above.

I ran this command:
I did not run a command

It produced this output:
Not applicable

My web server is (include version):
I don't have a web server.

The operating system my web server runs on is (include version):
Not applicable

My hosting provider, if applicable, is:
Domain is registered with Cloudflare DNS (originally acquired through Namecheap)

I can login to a root shell on my machine (yes or no, or I don't know):
Not applicable

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
I don't manage a site. Only the domain name for access to my NAS.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
I originally used a nginx docker to request the cert (December 2021).

My web server is (include version):
No web server

The operating system my web server runs on is (include version):
No web server

My hosting provider, if applicable, is:
No web server

I can login to a root shell on my machine (yes or no, or I don't know):
On my NAS yes... but there is no web server

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No site. Only a domain to access my NAS.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Not applicable.

Was that a typo? I see a cert issued on Feb 19 but nothing on Feb 9. I'll assume Feb 19.

I see a variety of certificates issued for various names. Most importantly, your domain name DNS all point to Cloudflare's CDN. With a CDN, there is an HTTPS connection between the CDN edge and the client (browser, curl, ...). There is a certificate in the CDN edge for that. Cloudflare may use Let's Encrypt to create this certificate as LE is one of their providers. I see your domain's wildcard cert when connecting to the Cloudflare CDN which confirms it is used there. The puzzling thing is Cloudflare normally renews these on a set schedule yet the wildcard cert is renewed more frequently than that. Are you forcing it early?

See your full cert history here

If you no longer wish to use their CDN you can disable it. See Cloudflare docs.

You also have individual certs for names of:

abk.jellonation.co
alpha.jellonation.co

The most recent renewal for the abk name was exactly 60 days after the prior one for that name. That is a standard auto-renew period for an ACME client. Could this be related to the docker setup you describe from Dec? Do you remember which ACME client you used?

The alpha name showed up just once. It is still valid but will expire soon. Was this perhaps a one-time test you did?

What do you think ... does this help explain what is happening?

The Feb 9 was a typo. You are correct.

I created abk.jellonation.co and alpha.jellonation.co in December before I understood how to obtain a wildcard.

Later, I finally got the wildcard cert using nginx proxy manager (replacing the December 11 attempt).

nginx is a docker container. AFAIK, it only has a manual renew feature (I just rechecked that).

Since then (December 21) I have never knowingly requested a cert renewal (as the Dec 21 cert was good until March). My intent was to let the "abk" and "alpha" subdomain certs expire and cover those subdomains with the wildcard. But apparently they are auto-renewed somehow by Cloudflare???

I'm wondering if the 12/9, 12/11 and 12/21 wildcard certs are each being updated by Cloudflare. I assumed (oops) that when I created the 12/11 wildcard cert that it would replace the 12/9 wildcard cert (and that the 12/21 wildcard cert would replace the 12/11 wildcard cert). Maybe that's not how this cert thing works. Maybe Cloudflare sees 12/9, 12/11 and 12/21 as 3 individual certs and it is updating each of these after 2 months.

Is that possible? And how would I undo that?

On the Cloudflare site, only the wildcard cert is "managed" under "Edge Certificates" (does that mean autorenewed w/LE?). This is a "free" Cloudflare account.

Yes, Cloudflare normally auto-renews its edge certificate automatically. It only knows about certs it requested. If you also requested a wildcard it has no awareness of that.
Note that Let's Encrypt only issues certs when someone requests them. It takes no initiative on its own.

A key point is your abk cert was renewed recently after 60 days. You must have something on your system to have requested that. You have not explained what method you used but look for a cron job or a systemd timer that is renewing.

Focus on finding what on your system renewed abk after exactly 60 days and that may lead to answers to your other questions.

Thank you for your response. At this point I am bewildered. The abk cert is only tied to a nginx proxy manager docker. There is no cron job, and there is no GUI option to set an auto-renew (and I'm sure I wasn't on the CLI for this docker container).

I deleted the abk cert from nginx. The only other reference to abk is as a CNAME entry on Cloudflare. It's possible I don't even need that CNAME since a wildcard cert exists for this domain (that's something yet to sink into my understanding).

I would only start repeating my info from post #4

I think you should review Cloudflare CDN docs. See here

I also think you need to fully appreciate that there are two connections with the CDN. One is between the client (browser, curl, ...) and the CDN Edge. There is another from the Edge to your server. Both of these can be HTTPS and both the Edge and your Server will need a cert for that. You may be able to use a Cloudflare Origin CA cert on your server and not even need to request Let's Encrypt certs for it.

While the CDN Edge connection from a client is working, something is wrong with the connection between the Edge and your server. They fail with HTTP 503. Cloudflare has good help for such problems in their community and Help system.

curl -I https://jellonation.co

HTTP/2 503
date: Mon, 21 Feb 2022 23:12:08 GMT
content-type: text/html; charset=UTF-8
...
server: cloudflare
cf-ray: 6e13a8637f335814-IAD

I'm not running a web server. I primarily use sub-domains (such as the one mentioned earlier... abk.jellonation.co) to access docker containers running on a NAS, via reverse proxy. For example, jellyfin. I also have various software (piwigo, joplin, nextcloud...) which sync across my devices using various subdomains. There is no domain website.

The DNS records for your apex domain and subdomains all point to Cloudflare CDN. Shown below is the DNS just for abk subdomain but all are the same.

I do not understand what problem with Let's Encrypt you want help with. If you provide a sample URL that would clarify what exactly is working or not.

nslookup abk.jellonation.co

Address: 172.67.220.4
Address: 104.21.51.28
Address: 2606:4700:3031::ac43:dc04
Address: 2606:4700:3037::6815:331c

I think we've gotten off track. This thread is about LE cert renewals that I did not manually initiate. You've pointed out some places to check that might be a cause, which was helpful.

Otherwise my connectivity is fine. All domain and subdomains connect and authenticate securely. I have no problem with the LE cert itself. I'm only puzzling out what may be the cause of cert renewals. Thanks for your input

Is it possible cloudflare is initiating the issuances?

They generate certificates for the domains you point at them, using a few different CAs (at least three).

If you go there you'll see a cloudflare page with a Let's Encrypt certificate for *.jellonation.co

(Which is probably not the certificate you made, it's one cloudflare asked for -- check the serial number)

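The two checks suggested in this thread (reading the certificate history for a renewal pattern, and comparing the serial number of the certificate being served), written out as an added example that is not part of the original posts. The records are constructed, with field names modelled on crt.sh's JSON output (an assumption); `example.test`, the serials, the function names and the 2-day tolerance are all hypothetical.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records; field names follow crt.sh's JSON output (assumed).
# example.test stands in for the real domain. A precertificate and its final
# certificate are logged separately but share one serial number.
SAMPLE = [
    {"serial_number": "a1", "name_value": "abk.example.test", "not_before": "2021-12-09T10:00:00"},
    {"serial_number": "a2", "name_value": "abk.example.test", "not_before": "2022-02-07T10:00:00"},
    {"serial_number": "a2", "name_value": "abk.example.test", "not_before": "2022-02-07T10:00:00"},
    {"serial_number": "b1", "name_value": "alpha.example.test", "not_before": "2021-12-09T11:00:00"},
    {"serial_number": "c1", "name_value": "*.example.test\nexample.test", "not_before": "2021-12-11T09:00:00"},
    {"serial_number": "c2", "name_value": "example.test\n*.example.test", "not_before": "2021-12-21T09:00:00"},
    {"serial_number": "c3", "name_value": "*.example.test\nexample.test", "not_before": "2022-02-05T18:00:00"},
    {"serial_number": "c4", "name_value": "*.example.test\nexample.test", "not_before": "2022-02-19T18:01:07"},
]

def issuance_gaps(records):
    """Return {name set: [days between consecutive issuances]}."""
    by_serial = {r["serial_number"]: r for r in records}  # drop precert duplicates
    lineages = defaultdict(list)
    for r in by_serial.values():
        names = ", ".join(sorted(r["name_value"].split("\n")))
        lineages[names].append(datetime.fromisoformat(r["not_before"]).date())
    gaps = {}
    for names, dates in lineages.items():
        dates.sort()
        gaps[names] = [(b - a).days for a, b in zip(dates, dates[1:])]
    return gaps

def classify(gaps, period=60, tolerance=2):
    """Label each name set by how its issuance gaps compare to one renew period."""
    labels = {}
    for names, days in gaps.items():
        if not days:
            labels[names] = "single"      # issued once, never renewed
        elif all(abs(d - period) <= tolerance for d in days):
            labels[names] = "scheduled"   # looks like an automated renew timer
        else:
            labels[names] = "irregular"   # several requesters or manual requests
    return labels

def requested_elsewhere(served_serial, local_serials):
    """True when the certificate being served was not issued to the local client."""
    normalise = lambda s: s.lower().replace(":", "").lstrip("0")
    return normalise(served_serial) not in {normalise(s) for s in local_serials}

if __name__ == "__main__":
    for names, label in classify(issuance_gaps(SAMPLE)).items():
        print(f"{label:9}  {names}")
```

An "irregular" name set is where the serial comparison helps: certificate history groups by name only, so certificates requested by a CDN and by a local client for the same names appear as one lineage.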