Let's Encrypt cert hacked. Redirects to spam site

My host went down and while I don’t use Let’s Encrypt, the ssl for some odd reason grabbed the cert from Let’s Encrypt and stored it on my computer. Now I cannot access my site. (https://cloud.carltonfamily.org) How do I purge the Let’s Encrypt cert from my computer (Win 8.2)? I’ve used the certification manager to delete the DST Root CA X3 cert, but it keeps getting rewritten to the computer. Checking my site via other computer or ssl checkers shows a valid ssl cert by cpanel. Now my site is being redirected to b-bam.com, which appears to be a spam site. I’m not impressed with Let’s Encrypt if you allow stuff like this to happen.

Why do you think this is a certificate problem? A certificate has absolutely nothing to do with your site redirecting you anywhere. In fact, it literally cannot have that effect, it’s just not possible. Either your web server is still serving redirects, or your browser has cached the redirect.

Also, what effect did you think deleting the root certificate would have?

Hi @dannycarlton1

then you should ask your hoster. If your site is hacked, your hoster should be able to reset your password.

It's also possible that your local pc has a virus / keylogger, so the hacker used this way to get your password.

But all that has nothing to do with a certificate.

The DST root certificate is stored on your computer because it's part of Microsoft's set of trusted root certificates. That's normal. You're seeing the Let's Encrypt certificate on b-bam.com because they obtained a certificate from Let's Encrypt, presumably legitimately because they control that domain. There has been plenty of discussion about a Certificate Authority's role in fighting phishing and malware on this forum already, see the topic linked below. If you believe b-bam.com to be malicious, please submit it to Google SafeBrowsing for inclusion on their blacklist. There's nothing Let's Encrypt or any other CA could reasonably do in this instance. It's up to your server and host to manage.

Because I cannot remove the cert. Every time I do, it reappears. When I go to the page it says the cert is for b-bam, and half the time redirects me there. The host says it’s not their problem.

The site’s not hacked, the cert is. I can’t delete it. Each time I do it reappears.

When I use browsers other than my main one it does the exact same thing, so it's not a browser cache thing. I've tried it in browsers I haven't used in months and I still get the cert error, but only on that computer. And I've never visited b-bam except when I was redirected the by the bad cert.

Your site doesn't have a redirect:

D:\temp>download https://cloud.carltonfamily.org/ -h
SSL-Zertifikat is valide
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Set-Cookie: oct8fj7o1f5j=dntnev1t5lj8udop9eb24jqbg1; path=/; secure; HttpOnly,oc_sessionPassphrase=1lfZBkvo6VNWVHpk%2FQRSSZrC1veKGwf3wPLibZ1syFEGJmfUZqx9pC5I7dao90I9taONSe8oV6v%2FkhFUPQpLYnxbCC9AaDPWGF78OsCAi1AczokZ9n0FgpBbDv3RYdaq; path=/; secure; httponly
X-Powered-By: PHP/5.6.38
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Location: https://cloud.carltonfamily.org/index.php/login
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Date: Tue, 25 Sep 2018 20:29:49 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Alt-Svc: quic=":443"; ma=2592000; v="35,39,43"
Connection: close

Status: 302 Redirect

1032,07 milliseconds
1,03 seconds

Your root redirects to /index.php/login. There you get

D:\temp>download https://cloud.carltonfamily.org/index.php/login -h
SSL-Zertifikat is valide
Pragma: no-cache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Set-Cookie: oct8fj7o1f5j=col35qt9sbifevrlgpo2me8i34; path=/; secure; HttpOnly,oc_sessionPassphrase=ahkyjJ97H36LTW5L%2BPmx2kquqZ5QVbQKEMpcVa4LraHw1JaW39bJ4SCtmR1rQRiG9d4gAzqifVh3KGWCemQjV9CwyuL5uuGT99wmC9IUzQs9rz2kYFoBVVm88lCS2nUA; path=/; secure; httponly
X-Powered-By: PHP/5.6.38
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Cache-Control: no-cache, must-revalidate
Content-Security-Policy: default-src 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'
Content-Type: text/html; charset=UTF-8
Content-Length: 10304
Date: Tue, 25 Sep 2018 20:30:04 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Alt-Svc: quic=":443"; ma=2592000; v="35,39,43"
Connection: close

Status: 200 OK

970,50 milliseconds
0,97 seconds

A normal HTTP status 200.

So it's not a problem of your website.

A certificate can't create a redirect.

Looks like you have only a local pc problem.

Ok let’s break this down a bit more. Microsoft controls their set of pre-installed trusted root certificates. I’m not sure if it’s designed to not let you delete stock trusted certs or not. However, if you do delete the DST root certificate successfully, you will start getting errors for a very, very large number of websites. You definitely don’t want to do this.

Your site has a certificate issued by Comodo, and it’s currently providing that certificate when I test connecting to the site. Your site is now serving me a 302 redirect to https://cloud.carltonfamily.org/index.php/login, which sounds like what you want. So, the website is working fine as far as I can tell.

The server hosting b-bam.com is serving a Let’s Encrypt certificate, and there’s no reason that’s a problem inherently. If the owner of b-bam.com successfully completed the authentication challenges to prove their control of that domain name, then they should have received a certificate. Unless, of course, they’re blacklisted on Google SafeBrowsing. When the certificate was issued, they were not. I haven’t bothered to check if they are currently.

I don’t know why you’re getting redirected, but it’s neither your site nor Let’s Encrypt doing it. You have a misunderstanding of the role certificates play in this whole scenario. At this point, it actually seems to be an issue with your computer, as two people have now verified that we are not seeing the redirects when accessing your site.

There is a www.carltonfamily.org, is this your website?

There is also no redirect. And there are the standard - cPanel - certificates:

DNS-Name: carltonfamily.org
DNS-Name: autodiscover.carltonfamily.org
DNS-Name: cpanel.carltonfamily.org
DNS-Name: mail.carltonfamily.org
DNS-Name: webdisk.carltonfamily.org
DNS-Name: webmail.carltonfamily.org
DNS-Name: www.carltonfamily.org

Again, to reiterate in the clearest possible terms, a certificate cannot, in any way, shape, or form, cause your browser to redirect to another page or website. That is literally impossible.

Technically, this is 100% off-topic for the forum. To give an analogy, if someone robs you and drives away in a white Toyota, then asking the manufacturer of Toyota’s white paint for help isn’t going to do any good. That’s about the same role that Let’s Encrypt plays in this situation.

I’m very convinced, given the evidence, that your issues are with your PC specifically.

Given the remarkably close addressing between the two domains, this smells more like a misconfiguration somewhere, perhaps stale DNS after a server migration or a local /etc/hosts entry.

$ dig +short b-bam.com
162.244.254.217
$ dig +short cloud.carltonfamily.org
162.244.254.216

b-bam.com also happens to be the default SNI site of .217. So a combination of wrong IP address and a stale 301/HSTS header could easily have caused this.


Believe what you want. It happened. I deleted the subdomain and will have to recreate the site. But I don’t trust Let’s Encrypt and I’m glad I never used it.

@dannycarlton1

As @_az wrote: Did you modify your hosts file?

c:\Windows\system32\drivers\etc\hosts

Perhaps there is the wrong ip.

Oh I definitely believe that it’s happening, I’m just narrowing down the list of possible causes given the fact that it’s not happening to us, and the cert has nothing to do with it.

You seem convinced it’s Let’s Encrypt’s fault, but you’d be wasting your time trying to solve the issue that way. It’s just not how this works. We all want to help, but going down the “certificate is hacked” road will not be productive.

I think @_az’s idea about the very, very similar IP addresses is an excellent one. (Good eye!) First, check your hosts file (C:\Windows\System32\drivers\etc\hosts, open it in notepad) to make sure you don’t have that IP hard-coded. Then, open a command prompt and run ipconfig /flushdns - this will clear any cached DNS lookups. From that command window, run ping cloud.carltonfamily.org and paste the results here.
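The two checks suggested above (a stale hosts entry pinning the name to the neighbouring IP, and a certificate whose SAN list does not cover the requested hostname) can be scripted. This is an added example, not code from the thread; the hosts file content is constructed, and the only network function, served_san_names, is an assumption about how one would inspect the certificate actually presented at a given IP:

```python
import socket
import ssl

# Constructed sample of a Windows hosts file with a stale entry that pins the
# cloud host to the neighbouring address (.217) instead of its real one (.216).
SAMPLE_HOSTS = """\
# constructed example, not a real hosts file
127.0.0.1       localhost
162.244.254.217 cloud.carltonfamily.org   # stale entry
"""

def hosts_overrides(hosts_text, hostname):
    """Return every IP the hosts file maps `hostname` to ([] if it is not pinned)."""
    hits = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments, then tokenize
        if len(fields) >= 2 and hostname.lower() in (f.lower() for f in fields[1:]):
            hits.append(fields[0])
    return hits

def cert_covers_host(san_dns_names, hostname):
    """RFC 6125-style match: exact name, or a wildcard on the leftmost label only."""
    host = hostname.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in san_dns_names):
        if name.startswith("*."):
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False

def served_san_names(hostname, ip, port=443, timeout=5.0):
    """Connect to `ip` with SNI=`hostname` and return the DNS SANs of the certificate
    the server really presents. The chain is still verified against system roots;
    only the hostname check is disabled so a mismatch can be inspected (network)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False               # verify_mode stays CERT_REQUIRED
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def diagnose(hostname, hosts_text, san_dns_names):
    """'ok' if the served cert covers the name; otherwise 'hosts-override' when the
    hosts file pins the name (the local cause seen in this thread), else 'cert-mismatch'."""
    if cert_covers_host(san_dns_names, hostname):
        return "ok"
    return "hosts-override" if hosts_overrides(hosts_text, hostname) else "cert-mismatch"
```

Run diagnose against the parsed contents of C:\Windows\System32\drivers\etc\hosts and the SANs returned by served_san_names for the address the name currently resolves to; a "hosts-override" result points at the local file rather than the CA or the web host.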

Yep - the wrong host entry produces exactly your problem.

Changed my local hosts file, added the wrong

162.244.254.217 cloud.carltonfamily.org

And now - Chrome:

This is exactly the problem.

With Opera (English):

Jumping to conclusions… Everything’s already been explained above; it’s actually quite funny how you blame Let’s Encrypt for a redirection issue.
It exactly matches the Toyota white paint example. Please be aware of how certificates work.

No offence, but this reaction is mostly an emotional one and, quite frankly, probably fuelled by a lack of knowledge and some degree of ignorance. Although it has been stated multiple times, Let's Encrypt does not and cannot be a cause of the problems you're having now.

Please read the posts here carefully, as there probably is a configuration issue on your PC as @JuergenAuer and @_az are explaining.

Hi @dannycarlton1

As mentioned by the helpful community forum members who have engaged in this thread so far, your problem is most definitely unrelated to a Let’s Encrypt certificate.

Since there has been some good advice given about how to track down the issue/misconfiguration with your PC that is the root of this problem, I’m going to close this thread for further discussion. Helping diagnose PC malware/misconfiguration issues is off-topic for the forum, and it seems like you’re unwilling to compromise on your belief that Let’s Encrypt is at fault here.

Thanks! Good luck!