My domain is on someone else's cert. Does that mean I'm compromised?

My domain is: leloctai.com. It, along with a suspicious collection of other domains, appears in the SAN field of these 2 certs:
https://crt.sh/?id=3820095561&opt=ocsp
https://crt.sh/?id=3820091357&opt=ocsp

How is this possible? Does that mean I'm compromised?

If so, how can I find out what exactly was compromised? My host is Google Firebase and DNS is Cloudflare. Both accounts use strong passwords, TOTP 2FA, and email notification when logged in from a new IP, so I don't think it is likely that either of these was compromised. Is there another attack vector I'm not aware of?

2 Likes

Welcome to the Let's Encrypt Community :slightly_smiling_face:

What you're seeing in the two certificates you've cited is a common practice of hosting providers when they need to get a large number of certificates issued for different clients at one time.

6 Likes

Thanks @griffin, that is good to hear.

Just curious: is there a way to distinguish such a certificate from a malicious one? I see no mention of Google or Firebase in these...

4 Likes

There's not, really. I've just seen this many times. :slightly_smiling_face:


If you don't want Google Firebase to acquire Let's Encrypt certificates for you in this fashion, I highly recommend using a Cloudflare Origin CA certificate instead on your hosted server. Those certificates last a lot longer and are usually easier to manage.

3 Likes

I do use a Cloudflare cert, but I don't think it is possible to make Firebase stop generating these certificates, at least on my free plan. Thanks a lot for the quick help!

3 Likes

You're very welcome! :blush:

2 Likes

You could develop a relatively simple script to read the SAN from the certs (here's an example in Python), use dnspython to resolve all the hostnames from the SAN and check if those IPs are Google IPs. Not watertight, of course.

1 Like

If the importance of solving this is in your opinion higher than the risk of something inconvenient happening, one trick you could try goes like this:

As I understand it, the certificates you actually use are from a different CA, while the Firebase certificates were issued by Let's Encrypt.

You may be able to tell your DNS provider (Cloudflare right?) to create a CAA record in DNS which says which Certificate Authorities are authorised to issue for your domain. This is effectively like a "No salesmen" sign on the property gate. It doesn't have force of law, but a legitimate outfit (such as Let's Encrypt) will obey it. You can write a CAA record that says your preferred issuer is allowed but Let's Encrypt is not.

When Firebase tries to get any new certificate, Let's Encrypt will tell them no, because it saw your CAA record when trying to issue.

Now, the risk is, I don't know what Firebase would do then. They might just not add your name to the certificate and not worry about it. But it might email you claiming there's a problem, it might even stop your service working. I guess hilariously (but still inconveniently) it might blow up service for all those other names listed with yours. None of this is your fault, you didn't want the certificate and are entitled to say so, but "I blew up my web site on a point of principle" isn't how most people want to spend the holiday season.

3 Likes
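To make the CAA trick above concrete, here is an added example (not code from the thread or from any CA) that evaluates CAA records the way RFC 8659 tells a CA to: find the closest ancestor-or-self name that has a CAA set, then allow issuance only if one of its `issue` (or `issuewild`, for wildcard requests) values names the requesting CA. The zone data is constructed; `preferred-ca.example` is a placeholder for whatever CAA identifier your chosen CA publishes, while `letsencrypt.org` is Let's Encrypt's real identifier.

```python
# Constructed zone data for the example: name -> list of (flags, tag, value).
# "preferred-ca.example" is a placeholder issuer; "issue ;" means "nobody".
CONSTRUCTED_CAA = {
    "leloctai.com": [(0, "issue", "preferred-ca.example")],
    "wild.example": [(0, "issue", ";"), (0, "issuewild", "letsencrypt.org")],
}


def relevant_caa(name, records):
    """RFC 8659 s.3: the CAA set of the closest ancestor-or-self that has one."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        found = records.get(".".join(labels[i:]))
        if found:
            return found
    return []  # no CAA anywhere up the tree


def issuance_allowed(name, ca_domain, records, wildcard=False):
    """True if a CA identified by ca_domain may issue for name.

    wildcard=True means the request is for *.name; it is governed by
    issuewild records, falling back to issue records when none exist.
    """
    rrset = relevant_caa(name, records)
    if not rrset:
        return True  # no CAA at all: any CA may issue
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"
    values = [v for _, t, v in rrset if t == tag]
    if not values:
        return True  # CAA present, but nothing restricts this request type
    for v in values:
        issuer = v.split(";", 1)[0].strip().lower()  # drop parameters after ';'
        if issuer == ca_domain.lower():
            return True
    return False  # no matching issuer; also covers the "issue ;" case


def zone_lines(name, rrset):
    """Render a CAA RRset in zone-file syntax for pasting into a DNS UI."""
    return [f'{name}. IN CAA {f} {t} "{v}"' for f, t, v in rrset]
```

Because subdomains inherit the closest ancestor's CAA set, a record at the apex also blocks `www` and other hostnames under it, so any CDN or host that still needs publicly trusted certificates for those names must be listed too or its renewals will fail, which is exactly the breakage risk described above.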

It's crafty and devious. We likes it...

:smiling_imp:

1 Like
