My domain unexpectedly on someone else's certificate


#1

Hi all,

I run an Apache 2.4.34 web server and a separate Postfix/Dovecot mail server, each with 3 domains at present. Both virtual machines run Arch Linux, share the same public IP and have been running for years and are frequently updated.

Using certbot, I have recently (and finally) replaced the self-signed certificates on the mail server with Let's Encrypt certificates. I’ve also implemented webmail on the web server, also secured the same way.

The domain I have the problem with is mail.malphite.com.au.

After trying to add another domain to my shared mail server certificate (https://crt.sh/?id=721261346), I was surprised that I’d hit the rate limit for malphite.com.au.

On further investigation, I found on crt.sh that the non-existent subdomain fzjm.malphite.com.au has been included on 75 certificates issued by Let’s Encrypt with the common name ajul.bellatori.co.uk (https://crt.sh/?q=%.malphite.com.au).

My first thought - had my web server been hacked? But I haven’t found any evidence in the logs of this. There has to be proof of domain ownership to add a domain as a SAN, right?

DNS is hosted on FreeDNS. There’s definitely no TXT record in there and I’ve never put one in either.

The symptoms are similar to "Unexpected certificate for my domain", except I’m hosting it myself. I can log in to a root shell on my machine.

I hope it’s not too dire…

Thanks for your support.


#2

I think your domain is set so that other FreeDNS users can create subdomains on your domain.

https://freedns.afraid.org/domain/registry/?sort=5&q=malphite.com.au&submit=SEARCH

https://freedns.afraid.org/faq/#3

The certificates were presumably legitimate, for some definition of the word.
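
The check the original poster did by hand on crt.sh, as an added example that is not code posted by anyone in this thread: pull the Certificate Transparency records for a domain, list every name under it that you never requested (together with the common name each certificate was issued under, which is how the foreign CN above stood out), and count how many certificates touched the domain in the trailing week, which is the figure Let's Encrypt's per-registered-domain limit is measured against. crt.sh can return query results as JSON (https://crt.sh/?q=%25.example.com.au&output=json); the records embedded below are constructed in that shape with placeholder names so the script runs offline.

```python
"""Spot certificates issued for names under your domain that you never requested.

Added example for this thread, not code posted by any participant. The records
below are constructed to mirror crt.sh's JSON fields (common_name, name_value,
issuer_name, not_before) and use placeholder names.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. The second and third entries model a certificate
# whose common name belongs to someone else but whose SAN list carries a
# subdomain of the monitored domain, exactly the pattern seen in the thread.
SAMPLE_CT_JSON = json.dumps([
    {"common_name": "mail.example.com.au",
     "name_value": "mail.example.com.au\nwebmail.example.com.au",
     "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
     "not_before": "2019-07-01T09:12:00"},
    {"common_name": "ajul.other.example",
     "name_value": "ajul.other.example\nfzjm.example.com.au\nqq.third.example",
     "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
     "not_before": "2019-06-20T14:03:00"},
    {"common_name": "ajul.other.example",
     "name_value": "fzjm.example.com.au\najul.other.example",
     "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
     "not_before": "2019-06-25T02:40:00"},
    {"common_name": "example.com.au",
     "name_value": "example.com.au",
     "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
     "not_before": "2019-06-28T11:00:00"},
])

# Names the operator actually requested certificates for (assumed allowlist).
EXPECTED_NAMES = {"example.com.au", "mail.example.com.au", "webmail.example.com.au"}


def names_under(domain, name_value):
    """Split crt.sh's newline-joined SAN list, keeping only names under `domain`.

    A wildcard such as *.example.com.au is kept literally, so an unrequested
    wildcard certificate is flagged rather than silently matched.
    """
    domain = domain.lower()
    found = set()
    for raw in name_value.split("\n"):
        name = raw.strip().lower()
        if name == domain or name.endswith("." + domain):
            found.add(name)
    return found


def unexpected_names(domain, ct_json, expected):
    """Map each unrequested name under `domain` to the certificates carrying it.

    Returns {name: {"count": n, "common_names": set, "first_seen": iso}} so the
    operator sees both how many certificates exist and whose CN they sit on.
    """
    report = defaultdict(lambda: {"count": 0, "common_names": set(), "first_seen": None})
    for rec in json.loads(ct_json):
        for name in names_under(domain, rec["name_value"]) - set(expected):
            entry = report[name]
            entry["count"] += 1
            entry["common_names"].add(rec["common_name"].lower())
            seen = rec["not_before"]  # ISO timestamps compare correctly as strings
            if entry["first_seen"] is None or seen < entry["first_seen"]:
                entry["first_seen"] = seen
    return dict(report)


def certificates_in_window(domain, ct_json, end, days=7):
    """Count records covering `domain` with not_before inside the trailing window.

    Let's Encrypt's per-registered-domain limit is counted over a rolling week,
    so this is the number to compare against it. crt.sh lists precertificate and
    leaf entries separately, so this can overcount; dedupe on serial number when
    the query includes it.
    """
    start = end - timedelta(days=days)
    count = 0
    for rec in json.loads(ct_json):
        issued = datetime.fromisoformat(rec["not_before"])
        if start <= issued <= end and names_under(domain, rec["name_value"]):
            count += 1
    return count


if __name__ == "__main__":
    findings = unexpected_names("example.com.au", SAMPLE_CT_JSON, EXPECTED_NAMES)
    for name, info in sorted(findings.items()):
        print(f"{name}: {info['count']} cert(s), first seen {info['first_seen']}, "
              f"CN(s): {', '.join(sorted(info['common_names']))}")
    week = certificates_in_window("example.com.au", SAMPLE_CT_JSON,
                                  datetime(2019, 7, 1, 12, 0, 0))
    print(f"certificates touching example.com.au in the last 7 days: {week}")
```

Run against the constructed data it reports fzjm.example.com.au on two certificates whose common name is ajul.other.example, and three certificates touching the domain in the week ending 1 July. Against a live crt.sh export the same allowlist comparison is what turns a one-off look into a routine check, and a name that resolves but that you never created is the cue to look at who can add records to the zone, as the reply above points out for FreeDNS.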


#3

That’s exactly what it is!
I totally misunderstood what public/private meant in FreeDNS.
Thanks immensely for your support, much appreciated.
