Getting emails about a certificate I never ordered/created

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
26lqg24j2h15kcbv64edbpm4qyq4q9w7.ui.nabu.casa

I ran this command:
None (received email)

It produced this output:
your cert is about to expire

My web server is (include version):
Don’t have one

The operating system my web server runs on is (include version):
N/A

My hosting provider, if applicable, is:
N/A

I can login to a root shell on my machine (yes or no, or I don’t know):
N/A I do not host a site

Please help me understand whether my email is compromised, and how to redress the issue of someone else using my info to order certificates.

Looks like some sort of new kind of spam to me: https://crt.sh/?q=ui.nabu.casa

Perp. creates new ACME account with e-mail address he/she wants to spam. Perp. creates a single certificate with this account with a random hostname. After a day of 75 (I think Let’s Encrypt starts to e-mail reminders 15 days before expiry, but not sure) perp. sees the effect of its efforts when reminder e-mails are sent to the victims.

Not sure what the goal there is. I haven’t surfed nor will I surf to that link. Perhaps it’s just to try and see if the e-mail address of the victim is active: by surfing to the link, the perp. knows someone is active behind that e-mail address. He’d have to filter out webcrawler bots who might crawl the certificate logs and also crawl the hostnames in the certificates though, because otherwise the perp. has a 100 % rate of active victims with a lot of false positives :stuck_out_tongue:

Hi @andyzuzu

Why is this your domain?

Is this domain used internally? nabu.casa is something like a “Home Assistant Cloud”.

Maybe you use a service with a domain name, so every user has a certificate.

I’m pretty sure that’s not actually his domain, but the hostname copy/pasted from the expiry e-mail.

Extremely unlikely. When someone requests a certificate from Let’s Encrypt, they ask for an email address, but no validation at all is done on that address–anyone could attach your email address to a request without an account compromise.

You’ll get at most two or three of these expiration emails. If you want to change that number to zero in the future, click the unsubscribe link from that email–but only do that if you don’t ever expect to use the Let’s Encrypt services yourself, because that will permanently block that email address. IMO, both the “subscribe” and the “unsubscribe” features are badly broken, but that’s how they work.

Thanks guys. After some digging, I realized that a while back I had indeed signed up to begin an RPI-based smart home project, which apparently procures a certificate for the remote web interface it stands up for you. That wasn’t entirely clear at first, but at least their scripts go that far and attempt to secure your remote access with SSL/TLS, just wish it had been more transparent that it would be doing that with my email.

Thanks for your responses which put me at ease during a bit of a panic over thinking I’d been compromised somehow.
