Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: andrewingram.com
I ran this command: N/A
It produced this output: N/A
My web server is (include version):
The operating system my web server runs on is (include version): N/A
My hosting provider, if applicable, is: N/A
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
I'm getting emails about certificate expiration notices for subdomains of my domain which I have not asked for. I can't see any hijacking of my domain's DNS, but is there anything I should be doing to stop this? One example that I just got an expiration notice for, but have not requested or used, would be modena.andrewingram.com
Well, somebody has certificates for modena.andrewingram.com, and the name resolves for me. All public certificates are logged in Certificate Transparency, and sites like crt.sh allow searching through the logs. It looks like that name got a certificate on August 2 and October 1 this year, but hasn't been renewed since:
If you didn't request certificates for it, then somebody else who has control over that subdomain did. (Some servers know how to request certificates automatically, so maybe your system did request certificates but you just weren't aware of it?) But it looks like the current certificate does expire in 10 days, so presumably whatever or whoever requested the certificates has stopped.
The name (and all other names) resolve to the same IP:
So, the cert seems to have been issued at, and/or for, that IP.
But if you no longer even need to cover that name, then I would not concern myself too much about it.
Oh, it will resolve, because DNS has a wildcard for the domain. But it's not one of the domains requested for any site or anything that has existed there; that's my concern.
I'm just wondering what actions to take or what this might be indicative of
I'd review the root user history, LE folders, and LE logs for any trace of the word "modena".
As for indications...
There are more admins to the system than you might be aware of.
You are forgetful and had created that cert for some "project" that has long since been discarded.
Well, what server listens on that wildcard IP, and what does it do with unexpected names? I have a hunch that at least in some circumstances it may be requesting and using certificates automatically, or at least that it was doing so up through Nov. 29.
The crt.sh history for the apex name is even more interesting: crt.sh | andrewingram.com
Someone is creating a large number of subdomains with mostly common words
But, the IP for www.andrewingram.com is different than the others.
These 2 resolve to 22.214.171.124 but all the others are 126.96.36.199
Do you know who controls that other server?
188.8.131.52.in-addr.arpa domain name pointer bed-11.uk.clara.net.
184.108.40.206.in-addr.arpa domain name pointer cpc117830-heme13-2-0-cust185.9-1.cable.virginm.net.
Examples of these 'others':
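The crt.sh review suggested above can be done systematically rather than by eye. The script below is an added example, not code from anyone in this thread: it takes a crt.sh JSON export for a domain (crt.sh returns a list of records whose `name_value` field holds the newline-separated SANs, with `not_before`, `not_after` and `issuer_name` alongside), compares every certified name against the list of names you actually requested, and reports the unexpected ones with their issuance history and whether the newest certificate is still valid or about to expire. The records embedded here are constructed sample data for `example.com`, shaped like a real crt.sh response; replace `SAMPLE_CRTSH_JSON` with a saved response for your own domain.

```python
"""
Audit a crt.sh JSON export against the names you know you requested.

crt.sh JSON (https://crt.sh/?q=%25.example.com&output=json) is a list of
objects including "name_value" (newline-separated SANs), "not_before",
"not_after" and "issuer_name".  SAMPLE_CRTSH_JSON below is CONSTRUCTED
sample data with that shape, not a real export for any domain.
"""
import json
from datetime import datetime, timedelta

# Constructed sample export: two certificates for a subdomain the owner never
# requested, plus one certificate covering the names that were requested.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "modena.example.com",
     "not_before": "2021-08-02T10:00:00", "not_after": "2021-10-31T10:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "modena.example.com",
     "not_before": "2021-10-01T10:00:00", "not_after": "2021-12-30T10:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com\nwww.example.com",
     "not_before": "2021-11-15T10:00:00", "not_after": "2022-02-13T10:00:00"},
])


def parse_crtsh(raw):
    """Map each SAN (lower-cased) to a list of (not_before, not_after, issuer)."""
    certs = {}
    for rec in json.loads(raw):
        nb = datetime.fromisoformat(rec["not_before"])
        na = datetime.fromisoformat(rec["not_after"])
        for name in rec["name_value"].splitlines():
            name = name.strip().lower()
            if name:
                certs.setdefault(name, []).append((nb, na, rec["issuer_name"]))
    return certs


def audit(raw, expected, now, expiring_within_days=14):
    """
    Return {name: summary} for every certified name NOT in `expected`.

    `now` may be a datetime or an ISO-8601 string.  The summary gives the
    number of issuances, first and last issuance dates, whether the newest
    certificate is valid at `now`, and whether it expires within
    `expiring_within_days` of `now` (i.e. the window in which a CA would be
    sending expiry reminders).
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    expected = {n.lower() for n in expected}
    report = {}
    for name, entries in sorted(parse_crtsh(raw).items()):
        if name in expected:
            continue
        entries.sort()                      # oldest first, by not_before
        newest_nb, newest_na, _ = entries[-1]
        report[name] = {
            "issuances": len(entries),
            "first_issued": entries[0][0].date().isoformat(),
            "last_issued": newest_nb.date().isoformat(),
            "currently_valid": newest_nb <= now <= newest_na,
            "expires_soon": now <= newest_na <= now + timedelta(days=expiring_within_days),
        }
    return report


if __name__ == "__main__":
    # Constructed "today" chosen to fall inside the sample certificates' lifetime.
    findings = audit(SAMPLE_CRTSH_JSON, ["example.com", "www.example.com"], "2021-12-20")
    for name, summary in findings.items():
        print(f"{name}: {summary}")
```

A name that shows up here with `currently_valid` true is one somebody can still present a trusted certificate for, so it is worth chasing through the server logs even if you never configured it; a name whose last issuance is months old and whose certificate has lapsed is most likely an abandoned experiment, matching the reasoning in the replies above.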
Yes, it looks like someone has been creating a large number of common subdomains for the domain.
The 2 IPs you show above, they are known to me, nothing suspicious there.
Thanks to everyone who has responded so far, you've given me a few ideas of places to look
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.