I got an approveDomains for www.ggoogle.com which is not my site

I got an approveDomains for www.ggoogle.com which is not my site.

I am using node.js with letsencrypt-express module.

I got a request for /robots.txt, then a bunch of requests for my index page, then /nice%20ports%2C/Tri%6Eity.txt%ebak
Then I got a approveDomains call for the domain of my ip address
Then I got a approveDomains call for ‘www.ggoogle.com’ which is obviously a phishing misspelling of google.com

Is this normal? Does Let’s Encrypt want to blacklist www.ggoogle.com from ever registering?

What do you mean by “I got an approveDomains for” ? using letsencrypt-express? or where did you get this message ?

From the look of letsencrypt-express you call “approveDomains” with your website. Did you call it for ggoogle.com ? or what commands did you run ?

ggoogle.com seams owned by google (and the https version seams to use certificate valid only for google.com)

I’m similarly confused about the “approveDomains”.

@RefinedSoftwareLLC Can you be clearer on what you think the problem is here?

Based on the server side logs there are only failed authorizations for www.ggoogle.com. You haven’t issued a certificate for this site and we definitely wouldn’t approve a certificate issuance request for a site that isn’t yours and that you can’t prove control over.

I have never written any node.js code but it appears that approveDomains is a function/ method in the node-letsencrypt software. I think the idea is that you run this code on your servers, and then code can call into it and it’ll go get certificates issued for the names requested. Obviously this won’t actually work if you don’t own those names, and the author of the node.js code explicitly calls this out, but presumably @RefinedSoftwareLLC felt it was important we be told that some bad guys tried to abuse this feature on their site.

The “nice ports Trinity” (U+006E is a simple Latin ‘n’) line just means a scanner was used to identify what software was running on @RefinedSoftwareLLC’s system, it’s a cultural reference to a scene in The Matrix. Perhaps this letsencrypt-express module has some known vulnerability. Certainly people who install it should read the author’s cautionary notes and behave accordingly if using it on a site that’s accessible from the public Internet.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.