Is there a way to check who issued a request for a certificate?

My domain is: npi.pe (https://crt.sh/?q=npi.pe)

My hosting provider, if applicable, is: Cloudflare Proxy + Origin Server

I have this domain proxied via Cloudflare. I’m using Page Rules (https://1drv.ms/u/s!ArgTGsCWDVSnk25srVg9eTckQCnn) that I’m fairly sure will allow Let’s Encrypt challenges to bypass the proxy allowing the origin server to request certificates.

As you can see in the CT logs, there are a lot of requests for certificates recently. With Cloudflare, if you add a basic CAA record to DNS (ex: 0 iodef "mailto:caa@example.com") they’ll automatically add Let’s Encrypt for issue and issuewild, so it’s possible either Cloudflare or the origin server is making those certificate requests.

I emailed the provider for the origin server to ask if they’re making the requests. In the meantime, is there any way for me to discover which provider is requesting certificates for my domain?

Hi @ryanjaeb

crt.sh doesn’t show the domain names. Rechecked your domain - https://check-your-website.server-daten.de/?q=npi.pe

That looks wrong.

Issuer not before not after Domain names LE-Duplicate next LE
Let’s Encrypt Authority X3 2019-07-18 2019-10-16 npi.pe - 1 entries duplicate nr. 5 next Letsencrypt certificate: 2019-07-20 16:59:42
Let’s Encrypt Authority X3 2019-07-17 2019-10-15 npi.pe - 1 entries duplicate nr. 4
Let’s Encrypt Authority X3 2019-07-17 2019-10-15 npi.pe - 1 entries duplicate nr. 3
Let’s Encrypt Authority X3 2019-07-15 2019-10-13 npi.pe - 1 entries duplicate nr. 2
Let’s Encrypt Authority X3 2019-07-13 2019-10-11 npi.pe - 1 entries duplicate nr. 1
Let’s Encrypt Authority X3 2019-07-11 2019-10-09 npi.pe - 1 entries
Let’s Encrypt Authority X3 2019-07-10 2019-10-08 npi.pe - 1 entries
Let’s Encrypt Authority X3 2019-07-10 2019-10-08 npi.pe - 1 entries
Let’s Encrypt Authority X3 2019-07-08 2019-10-06 npi.pe - 1 entries next Letsencrypt certificate:
Let’s Encrypt Authority X3 2019-07-06 2019-10-04 npi.pe - 1 entries
Let’s Encrypt Authority X3 2019-07-02 2019-09-30 npi.pe - 1 entries
Let’s Encrypt Authority X3 2019-07-02 2019-09-30 npi.pe - 1 entries
Let’s Encrypt Authority X3 2019-06-30 2019-09-28 npi.pe - 1 entries
CloudFlare Inc ECC CA-2 2019-04-18 2020-04-18 *.npi.pe, npi.pe, sni.cloudflaressl.com - 3 entries

5 identical certificates in the last 7 days, that has hitted the limit. Same one week earlier.

Looks like you have a wrong configured cron job. Share your cronjob command.

And your configuration doesn’t work. Cloudflare sends an 526 “Origin SSL Certificate Error”. Deactivate Cloudflare, create a working vHost, then activate Cloudflare.

1 Like

Hey. Thanks for the response. I should have been clear, I don’t have any access to the origin server. It’s a link shortening service. Since it’s only a test domain for me, I purposely left things broken while I wait for the provider of the shortening service to reply.

I was hoping that since I control the domain there would be some way for me to query some more verbose logging info such as the IP address of the certificate requester. I can’t find anything like that in the docs, so I’m guessing there isn’t much chance of getting that info.

It feels like an issue on the origin server, so I might just have to wait for them to get back to me.

That’s correct, we don’t offer such a service.

However, the entries for npi.pe listed on crt.sh are not certificate requests, they are actually issued certificates. So that means whichever machine issued those certificates must have been able to successfully answer challenges. Almost certainly that means it’s one of the two IP addresses that npi.pe points to, using an HTTP-01 challenge. Do you have access to those IP addresses? If so you can check their cron jobs and systemd timers.

There’s a small chance that there is a machine with DNS credentials to update the npi.pe zone, and that machine is automatically issuing certificates over and over again. To rule out that possibility you’d need to get full control over the npi.pe zone and make sure no one else has credentials to update it.

1 Like

@jsha Thanks for the info. I’m the only one with access to update the zone. I’m fairly convinced it’ll end up being the link shortening provider that acts as the origin server. The config I’m using isn’t documented / supported by them, but should work. My best guess right now is that their automation process for requesting / installing certificates is probably getting tripped up by having Cloudflare acting as a proxy. I see they’ve started using a LE certificate from June 30th now, so there’s a good chance someone fixed it on their end and that I’ll get an email about it soon.

It might be a moot issue anyway. In the 3 months I left my test domain sit there, they’ve drastically improved their SSL configs which was the main reason I was using Cloudflare as a proxy (to avoid an F at https://www.ssllabs.com/ssltest/).

1 Like

If the domain is on your Cloudflare account, you can check Cloudflare’s Audit Logs to see if anything has been adding and removing DNS records.

If you make a lot of changes, it might be a little hard to find – a Let’s Encrypt ACME authorization is currently valid for 30 days, so you can issue excessive certificates while only modifying the DNS about once a month.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.