How to revoke an SSL cert that someone created for our domain

Hello,
We received a letter from Certificate Transparency Monitoring: "Cloudflare has observed issuance of the following certificate for liki24.com or one of its subdomains. DNS Names: company.liki24.com"
But no one from our team created it. And our existing certificate is valid until January 25th.

How can we revoke this new malicious certificate?


It looks like there was a certificate made on Oct. 27, and then another today Dec. 6. Are both incorrectly issued? It looks like the name does resolve to a site which is using the certificate issued today. If you are the owner of the name and this site isn't supposed to exist, then you may want to remove it from DNS entirely, but I suspect that the server running that site is just renewing certificates like it was told to.

If you do need to revoke it, if you don't have a computer running certbot or the like, it's a bit of a pain. One way would be to get a computer, install certbot, attempt to issue a certificate for the name (probably with a manual DNS challenge, if you control DNS but not the server) and probably also another fake name so that a certificate doesn't actually get issued. Then, once you've got the "authorizations" cached, you should be able to download the certificate to revoke to the system and issue the certbot revoke command. That's the basic overview, there are some slightly-more-detailed instructions in the documentation and perhaps someone else here more familiar with certbot than I am could give better step-by-step ones.


Your main site liki24.com is positioned behind Cloudflare's CDN. However, the hostname for which the Let's Encrypt certificate was issued has a non-Cloudflare IP address associated with it: 185.215.4.107.

Does that IP address look familiar? The hosting company associated with that IP address is "Tilda Publishing Ltd.", based in the United Kingdom.

Maybe someone from within your own company decided to set up a new webpage and didn't inform you? He/she/they would have had access to your Cloudflare account, as the IP address for company.liki24.com is added to the Cloudflare DNS zone.

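A way to check the point made in the answer above yourself, before deciding whether anything needs revoking: does the alerted name resolve to a Cloudflare edge address or to some other host, and what certificate does that host actually serve (issuer, names, expiry, serial)? This is an added example, not code from the thread, Cloudflare, Let's Encrypt or certbot. It uses only the Python standard library; the Cloudflare IPv4 ranges are copied from Cloudflare's published list and may be stale (assumption: re-check them against https://www.cloudflare.com/ips-v4), and the sample resolver and certificate at the bottom are constructed so the logic runs offline.

```python
"""Triage a Certificate Transparency alert: where does the name point, and
what certificate is served there?  Added example, not project code."""
import ipaddress
import socket
import ssl
from datetime import datetime, timezone

# Cloudflare's published IPv4 edge ranges (assumption: may be out of date,
# re-check https://www.cloudflare.com/ips-v4 before relying on this list).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare_ip(ip):
    """True if the address falls inside one of the Cloudflare edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def resolve(hostname):
    """All IPv4 addresses the name currently resolves to (live DNS lookup)."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def fetch_peer_cert(hostname, ip):
    """Connect to ip:443 with SNI=hostname and return the served certificate
    as the dict ssl decodes (live network call).  Verification stays on: a
    cert that does not chain to a trusted root raises SSLCertVerificationError,
    which triage() reports instead of crashing."""
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, 443), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def summarize_cert(cert):
    """Pull the fields an operator compares against their own inventory."""
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    sans = [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"]
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return {
        "issuer": issuer.get("organizationName", "?"),
        "dns_names": sans,
        "not_after": expiry.date().isoformat(),
        "serial": cert.get("serialNumber", "?"),
    }


def triage(hostname, known_serials=(), resolver=resolve, fetcher=fetch_peer_cert):
    """Report every address behind the name, whether it is a Cloudflare edge,
    and the certificate served there.  resolver/fetcher are injectable so the
    decision logic can be exercised without network access."""
    report = {"hostname": hostname, "addresses": [], "findings": []}
    for ip in resolver(hostname):
        entry = {"ip": ip, "cloudflare": is_cloudflare_ip(ip), "cert": None}
        try:
            entry["cert"] = summarize_cert(fetcher(hostname, ip))
        except (OSError, ssl.SSLError) as exc:
            entry["error"] = str(exc)
        report["addresses"].append(entry)
        if not entry["cloudflare"]:
            report["findings"].append(
                f"{ip} is not a Cloudflare edge address: a host outside the CDN serves {hostname} directly")
        cert = entry["cert"]
        if cert and cert["serial"] not in known_serials:
            report["findings"].append(
                f"{ip} serves certificate serial {cert['serial']} from {cert['issuer']} "
                f"(names {cert['dns_names']}, expires {cert['not_after']}) that is not in your inventory")
    return report


# --- constructed sample so the example runs offline -------------------------
def _sample_resolver(hostname):
    return ["185.215.4.107"]          # the non-Cloudflare address named in the thread


def _sample_fetcher(hostname, ip):
    # Constructed certificate dict in the shape ssl.getpeercert() returns.
    return {
        "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),),
                   (("commonName", "R3"),)),
        "subjectAltName": (("DNS", "company.liki24.com"),),
        "notAfter": "Mar 06 12:00:00 2024 GMT",
        "serialNumber": "0A1B",       # placeholder serial, not a real one
    }


def demo_report(known_serials=()):
    """Run triage against the constructed sample instead of the live network."""
    return triage("company.liki24.com", known_serials,
                  resolver=_sample_resolver, fetcher=_sample_fetcher)


if __name__ == "__main__":
    # Swap demo_report() for triage("company.liki24.com", {...your serials...})
    # to run the live check against DNS and the origin.
    for line in demo_report()["findings"]:
        print("-", line)
```

Two findings on the sample (origin outside the CDN, certificate not in inventory) mean the next step is the one the thread reaches: find out who in the organization runs that origin before touching revocation; a serial that is already in your inventory clears the second finding.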

Thanks for the answer. We will review the information.


It looks like you are right. Thanks for the help!

