Rate limiting triggered by "malicious" precertificates


#1

My domain is: dyster.net

I ran this command: certbot certonly --webroot -w /path/to/dir --cert-name dyster.net -d dyster.net -d booksonic.flap.pro -d cloud.frag.farm -d duplicati.frag.farm -d flap.pro -d frag.farm -d gitlab.dyster.net -d plex.flap.pro -d rld.cc -d ttrss.dyster.net -d www.dyster.net -d syncthing.hesse.guru -d marianne.hesse.guru

It produced this output: There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for: dyster.net: see https://letsencrypt.org/docs/rate-limits/

My web server is (include version): nginx/1.14.0

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: /

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


Hello,

I just tried to add a domain name to my certificate, only to be denied by the rate limiting.

I did not do anything (except for certbot renew executions by cron) since 2018-Jun-11.
In fact, checking with lectl ignoring precertificates, it shows me:

I have found 60 non expired certificates (2 final certs and 58 pre certs) (max number of certs searched: 100) for domain dyster.net and its subdomains *.dyster.net

CRT ID CERT TYPE DOMAIN (CN) VALID FROM VALID TO EXPIRES IN
520278291 Final cert dyster.net 2018-Jun-11 21:35 CEST 2018-Sep-09 21:35 CEST 12 days
520273505 Final cert dyster.net 2018-Jun-11 21:31 CEST 2018-Sep-09 21:31 CEST 12 days

You have issued 0 certificates in last 7 days so you could issue 50 more certificates now.

Now, checking for all certificates (including precertificates) results in a rather strange list (list below).

So it seems someone included my domain name in their certificates and got issued precertificates (TBH I have no idea what the difference between a final and a pre certificate is). I have never seen the domain name 123.itdevs.tk.

Checking the certificates in question it seems someone just got a lot of precertificates for quite a bunch of (random) subdomains.

My DNS hoster account seems fine and the subdomain on my domain that was registered there does not even exist.

Now, this prevents me from actually using my domains with letsencrypt SSL as I want to and I have no idea how this happened.

Question now would be, is there anything I can do in terms of preventing this in the future, also in terms of maybe not being subject of the rate limiting anymore that was not even caused by me?

Thanks a bunch for your help!
Nils

List including precertificates:
2018/August/28 15:16:54 - Checking all certs for dyster.net

I have found 60 non expired certificates (2 final certs and 58 pre certs) (max number of certs searched: 100) for domain dyster.net and its subdomains *.dyster.net


Sorry, you can’t issue any certificate, you already issued 50 certificates on last 7 days
You could issue next certificate on Monday 2018-Sep-03 10:48:00 CEST


#2

Hi @irrenhaus

there are a lot more certificates: crt.sh is very slow. Use Google:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:true;domain:dyster.net&lu=cert_search

Searching dyster.net + subdomains:

A lot of certificates (100) with the name dyster.net.

It looks like you have a lot of certificates you don’t really use, but they are renewed.

So you hit the 50 certificates per domain limit.

PS: Looks like you have created 92 certificates yesterday. You should clean up your certificate list.


#3

I wonder if perhaps you have misunderstood what “private” means in the context of FreeDNS:

https://freedns.afraid.org/queue/explanation.php

2). Shared: Private - If you add your domain as private, this is the area you will screen your domains of which you decide to keep, or deny. While domains are in the queue they will function. By choosing this, you agree to only deny those that you deem offensive, or slanderous.

So, this allows other people to create subdomains of your domain, which in turn allows them to create certificates for those subdomains.


#4

Thanks a bunch to you both!

@JuergenAuer It's a good tip to use Google for that, thanks!
@jmorahan You are actually correct, I misunderstood that. I always thought that it would mean that no one is allowed to create subdomains. I will ASAP fix that, and I guess I will then have to wait until next week when my rate limits are lifted again.

Thank you very much!
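
Added example, not part of any post in this thread: a small audit over certificate transparency records that counts a precertificate and its final certificate as one issuance (they share issuer and serial number), compares the last 7 days against the 50-per-domain limit quoted above, and lists names under the domain that the owner did not request. The record layout, `example.net`, `thirdparty.example` and the sample rows are constructed assumptions, not real log data or any tool's actual output format.

```python
from datetime import datetime, timedelta, timezone

WEEKLY_LIMIT = 50            # certificates per registered domain, as quoted in the thread
WINDOW = timedelta(days=7)   # the window the lectl output above refers to


def audit(entries, registered_domain, expected_names, now):
    """Count issuances for a registered domain and list names the owner did not request."""
    suffix = "." + registered_domain
    issuances = {}
    for e in entries:
        names = {n.lower() for n in e["names"]}
        ours = {n for n in names if n == registered_domain or n.endswith(suffix)}
        if not ours:
            continue
        # A precertificate and its final certificate share issuer and serial,
        # so both log entries describe one issuance and are counted once.
        rec = issuances.setdefault((e["issuer"], e["serial"]),
                                   {"issued": e["issued"], "names": set()})
        rec["names"] |= ours
    recent = [r for r in issuances.values() if now - WINDOW <= r["issued"] <= now]
    unexpected = {}
    for r in recent:
        for n in r["names"] - expected_names:
            unexpected[n] = unexpected.get(n, 0) + 1
    return {"issuances_total": len(issuances), "issuances_in_window": len(recent),
            "remaining": max(0, WEEKLY_LIMIT - len(recent)), "unexpected": unexpected}


def sample_entries():
    """Constructed CT-style records (placeholder names, not real log data)."""
    june = datetime(2018, 6, 11, 19, 31, tzinfo=timezone.utc)
    aug = datetime(2018, 8, 27, 9, 0, tzinfo=timezone.utc)
    rows = [{"issuer": "Example CA", "serial": "a1", "kind": kind, "issued": june,
             "names": ["example.net", "www.example.net"]} for kind in ("precert", "final")]
    for i in range(50):
        rows.append({"issuer": "Example CA", "serial": f"b{i}", "kind": "precert",
                     "issued": aug + timedelta(minutes=i),
                     "names": ["host.thirdparty.example", f"sub{i}.example.net"]})
    return rows


if __name__ == "__main__":
    now = datetime(2018, 8, 28, 13, 0, tzinfo=timezone.utc)
    print(audit(sample_entries(), "example.net", {"example.net", "www.example.net"}, now))
```

Run on a schedule against whatever CT search export you use, a non-empty `unexpected` map is the early signal that someone else can create names under the domain.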

