Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
The operating system my web server runs on is (include version): N/A
My hosting provider, if applicable, is: N/A
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
I'm getting emails about certificate expiration notices for subdomains of my domain which I have not asked for. I can't see any hijacking of my domain's DNS, but is there anything I should be doing to stop this? One example that I just got an expiration notice for, but have not requested or used, would be modena.andrewingram.com
Well, somebody has certificates for modena.andrewingram.com, and the name resolves for me. All public certificates are logged in Certificate Transparency, and sites like crt.sh allow searching through the logs. It looks like that name got a certificate on August 2 and October 1 this year, but hasn't been renewed since:
If you didn't request certificates for it, then somebody else who has control over that subdomain did. (Some servers know how to request certificates automatically, so maybe your system did request certificates but you just weren't aware of it?) But it looks like the current certificate does expire in 10 days, so presumably whatever or whoever requested the certificates has stopped.
So, the cert seems to have been issued at, and/or for, that IP.
But if you no longer even need to cover that name, then I would not concern myself too much about it.
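Checking Certificate Transparency for names you never asked for, as the reply above describes, is easy to script. The block below is an added example written for this thread, not code from any of the posts. It uses crt.sh's JSON listing (https://crt.sh/?q=<pattern>&output=json) for the live fetch; the triage itself runs on a constructed sample in the same shape, with made-up ids, issuer and dates (the year is assumed), so it works offline. The expected-name list is the apex and www name from the thread.

```python
"""Triage crt.sh output for names you did not expect under a domain.

Added example for this thread, not code from the original posts.
crt.sh returns a JSON list whose entries carry name_value (newline
separated names), not_before, not_after and issuer_name; those are the
fields used here.  SAMPLE_ENTRIES is constructed for the demonstration.
"""
import json
import sys
import urllib.parse
import urllib.request
from datetime import datetime, timezone

CRTSH_URL = "https://crt.sh/?q={query}&output=json"


def fetch_crtsh(domain, timeout=30):
    """Fetch the CT listing for domain and every subdomain (needs network)."""
    url = CRTSH_URL.format(query=urllib.parse.quote(f"%.{domain}"))
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def _parse_ts(s):
    # crt.sh timestamps are ISO 8601 without a zone suffix and are UTC
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def triage(entries, expected_names, now=None):
    """Return {name: summary} for every logged name not in expected_names.

    One certificate (one CT entry) can cover several names, so name_value
    is split on newlines.  Comparison is case-insensitive; a wildcard cert
    shows up under its literal '*.zone' form so it is never hidden.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _parse_ts(now)
    expected = {n.lower().rstrip(".") for n in expected_names}
    found = {}
    for e in entries:
        issued = _parse_ts(e["not_before"])
        expires = _parse_ts(e["not_after"])
        for raw in e["name_value"].split("\n"):
            name = raw.strip().lower().rstrip(".")
            if not name or name in expected:
                continue
            s = found.setdefault(name, {"issuances": [], "issuers": set(),
                                         "latest_expiry": None})
            s["issuances"].append(issued.date().isoformat())
            s["issuers"].add(e["issuer_name"])
            if s["latest_expiry"] is None or expires > s["latest_expiry"]:
                s["latest_expiry"] = expires
    for s in found.values():
        s["issuances"] = sorted(set(s["issuances"]))
        s["issuers"] = sorted(s["issuers"])
        s["still_valid"] = s["latest_expiry"] > now   # a live cert means it matters now
        s["latest_expiry"] = s["latest_expiry"].date().isoformat()
    return found


# Constructed sample in crt.sh's JSON shape: ids, issuer and years are made up,
# the two issuance days mirror the ones mentioned in the thread.
ISSUER = "C=XX, O=Example CA, CN=Example CA (constructed)"
SAMPLE_ENTRIES = [
    {"id": 1, "issuer_name": ISSUER,
     "name_value": "andrewingram.com\nwww.andrewingram.com",
     "not_before": "2020-11-01T00:00:00", "not_after": "2021-01-30T00:00:00"},
    {"id": 2, "issuer_name": ISSUER, "name_value": "modena.andrewingram.com",
     "not_before": "2020-08-02T00:00:00", "not_after": "2020-10-31T00:00:00"},
    {"id": 3, "issuer_name": ISSUER, "name_value": "modena.andrewingram.com",
     "not_before": "2020-10-01T00:00:00", "not_after": "2020-12-30T00:00:00"},
]
EXPECTED = ["andrewingram.com", "www.andrewingram.com"]


if __name__ == "__main__":
    # usage: python ct_triage.py [domain expected-name ...]; no args runs the sample
    if len(sys.argv) > 2:
        entries, expected = fetch_crtsh(sys.argv[1]), sys.argv[2:]
    else:
        entries, expected = SAMPLE_ENTRIES, EXPECTED
    for name, s in sorted(triage(entries, expected).items()):
        flag = "STILL VALID" if s["still_valid"] else "expired"
        print(f"{name}: issued {', '.join(s['issuances'])}; "
              f"latest expiry {s['latest_expiry']} ({flag}); issuers {s['issuers']}")
```

Run it with a domain and the names you actually operate (`python ct_triage.py example.com example.com www.example.com`) and anything left in the output is a name someone obtained a certificate for; the `still_valid` flag separates old one-offs from something that is currently being renewed.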
Oh, it will resolve, because DNS has a wildcard for the domain. But it's not one of the domains requested for any site or anything that has existed there; that's my concern.
I'm just wondering what actions to take or what this might be indicative of.
I'd review the root user history, LE folders, and LE logs for any trace of the word "modena".
As for indications...
There are more admins to the system than you might be aware of.
OR
You are forgetful and had created that cert for some "project" that has long since been discarded.
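The review suggested above (root shell history, the Let's Encrypt directories and the client logs, all grepped for the unexpected label) can be done in one pass. The following is an added example written for this thread, not code from the original posts. The default roots are the paths certbot uses on most Linux installs (/etc/letsencrypt for lineages and renewal configs, /var/log/letsencrypt for logs) plus root's bash history; pass other roots if your layout differs. demo() builds a constructed certbot-like tree in a temp directory (file contents are made up, not real certbot output) so the scan runs offline.

```python
"""Look for traces of an unexpected hostname in certbot state, logs and history.

Added example for this thread, not code from the original posts.  Default
roots are certbot's usual locations; the tree built in demo() is constructed.
"""
import os
import re
import tempfile

DEFAULT_ROOTS = ("/etc/letsencrypt", "/var/log/letsencrypt", "/root/.bash_history")


def find_name_traces(name, roots=DEFAULT_ROOTS):
    """Return [(path, line_no, line)] for every mention of name.

    The label is matched case-insensitively at label boundaries, so 'modena'
    hits 'modena.example.com' and certbot's 'modena-0001' lineage suffix but
    not 'modenaville'.  A match in a file or directory name is reported with
    line number 0, because certbot names lineage directories and renewal
    configs after the first name on the certificate.
    """
    pat = re.compile(r"(?<![a-z0-9])" + re.escape(name.lower()) + r"(?![a-z0-9])")
    hits = []
    for root in roots:
        if os.path.isfile(root):
            files = [root]
        elif os.path.isdir(root):
            files = [os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs]
        else:
            continue  # path not present on this system; skip silently
        for path in sorted(files):
            if pat.search(path.lower()):
                hits.append((path, 0, "<matching file or directory name>"))
            try:
                # PEM and log files alike are scanned as text; undecodable bytes are replaced
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for n, line in enumerate(fh, 1):
                        if pat.search(line.lower()):
                            hits.append((path, n, line.rstrip("\n")))
            except OSError:
                continue
    return hits


def demo():
    """Build a constructed certbot-like tree and scan it for 'modena'."""
    base = tempfile.mkdtemp(prefix="ct-demo-")
    renewal = os.path.join(base, "etc", "letsencrypt", "renewal")
    logdir = os.path.join(base, "var", "log", "letsencrypt")
    os.makedirs(renewal)
    os.makedirs(logdir)
    with open(os.path.join(renewal, "modena.example.com.conf"), "w") as fh:
        fh.write("[renewalparams]\nauthenticator = webroot\n"
                 "[[webroot_map]]\nmodena.example.com = /var/www/html\n")
    with open(os.path.join(renewal, "www.example.com.conf"), "w") as fh:
        fh.write("[renewalparams]\nauthenticator = webroot\n")
    with open(os.path.join(logdir, "letsencrypt.log"), "w") as fh:   # constructed lines
        fh.write("2020-10-01 03:12:44,101:INFO:certbot.main:Obtaining a new certificate\n"
                 "2020-10-01 03:12:44,102:DEBUG:certbot.main:Requesting a certificate for modena.example.com\n")
    history = os.path.join(base, "bash_history")
    with open(history, "w") as fh:
        fh.write("ls\ncertbot certonly --webroot -w /var/www/html -d modena.example.com\n")
    return find_name_traces("modena", (os.path.join(base, "etc", "letsencrypt"), logdir, history))


if __name__ == "__main__":
    import sys
    label = sys.argv[1] if len(sys.argv) > 1 else None
    for path, n, line in (find_name_traces(label) if label else demo()):
        print(f"{path}:{n}: {line}")
```

A hit in a renewal config or a lineage directory means certbot on this host obtained the certificate and is keeping it on its renewal schedule; a hit only in the shell history or log shows who or what ran the client and when. No hits at all on the machine you administer points at the other possibility raised in the thread, another host or another person requesting the name.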
Well, what server listens on that wildcard IP, and what does it do with unexpected names? I have a hunch that at least in some circumstances it may be requesting and using certificates automatically, or at least that it was doing so up through Nov. 29.
Someone is creating a large number of subdomains with mostly common words
But, the IP for andrewingram.com and www.andrewingram.com is different than the others.
These 2 resolve to 195.8.66.1 but all the others are 82.8.185.186
Do you know who controls that other server?
host 195.8.66.1
1.66.8.195.in-addr.arpa domain name pointer bed-11.uk.clara.net.
host 82.8.185.186
186.185.8.82.in-addr.arpa domain name pointer cpc117830-heme13-2-0-cust185.9-1.cable.virginm.net.
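The comparison made above, resolving each logged name and noting that the apex and www point at one address while every other label lands on another, is the fastest way to tell wildcard artefacts from names that were deliberately set up. The block below is an added example written for this thread, not code from the original posts. It resolves with the standard library's socket.gethostbyname by default and probes a random, never-created label to see whether a wildcard answers; demo() swaps in a constructed fake resolver (the two addresses are the ones quoted in the thread) so the logic runs offline.

```python
"""Group names under a domain by resolved address and detect a DNS wildcard.

Added example for this thread, not code from the original posts.  The
resolver is injectable; demo() uses a constructed fake so no DNS is needed.
"""
import secrets
import socket
from collections import defaultdict


def resolve_all(names, resolver=socket.gethostbyname):
    """Return {name: address or None} using the given resolver callable."""
    out = {}
    for n in names:
        try:
            out[n] = resolver(n)
        except (socket.gaierror, OSError, KeyError):
            out[n] = None
    return out


def wildcard_target(domain, resolver=socket.gethostbyname):
    """Resolve a random label nobody ever created under domain.

    An answer means a wildcard record (or a catch-all resolver) is in play,
    so any made-up subdomain will look 'real' when it resolves.
    """
    probe = f"probe-{secrets.token_hex(6)}.{domain}"
    try:
        return resolver(probe)
    except (socket.gaierror, OSError, KeyError):
        return None


def group_by_address(names, domain, resolver=socket.gethostbyname):
    """Return (groups, wildcard_ip, suspects).

    groups maps address -> sorted names (None for names that do not resolve),
    wildcard_ip is what the random probe resolved to (None if nothing), and
    suspects are the names that merely fall through to the wildcard address.
    """
    wc = wildcard_target(domain, resolver)
    groups = defaultdict(list)
    for name, ip in resolve_all(names, resolver).items():
        groups[ip].append(name)
    groups = {ip: sorted(ns) for ip, ns in groups.items()}
    suspects = groups.get(wc, []) if wc is not None else []
    return groups, wc, suspects


def demo():
    # Constructed fake resolver: apex and www are explicit records, everything
    # else under the zone is answered by a wildcard pointing at a second host.
    explicit = {"andrewingram.com": "195.8.66.1", "www.andrewingram.com": "195.8.66.1"}

    def fake(name):
        if name in explicit:
            return explicit[name]
        if name.endswith(".andrewingram.com"):
            return "82.8.185.186"
        raise socket.gaierror(f"constructed NXDOMAIN for {name}")

    names = ["andrewingram.com", "www.andrewingram.com",
             "modena.andrewingram.com", "mail.example.net"]
    return group_by_address(names, "andrewingram.com", fake)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 2:
        groups, wc, suspects = group_by_address(sys.argv[2:], sys.argv[1])
    else:
        groups, wc, suspects = demo()
    print(f"wildcard answers with: {wc}")
    for ip, ns in sorted(groups.items(), key=lambda kv: str(kv[0])):
        print(f"{ip}: {', '.join(ns)}")
    print(f"names explained by the wildcard alone: {', '.join(suspects) or 'none'}")
```

Usage is `python group_names.py andrewingram.com name1 name2 ...`, typically fed the name list that came out of the CT search. Names in the wildcard group resolve only because of the wildcard record, so the question becomes what the host at that address does when it receives a request for a name it was never configured for; names in their own group were set up on purpose by whoever controls the zone.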