Someone created a LE certificate for my domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: jon.irish
My hosting provider, if applicable, is: cloudflare
I can login to a root shell on my machine (yes or no, or I don't know): yes

So I received a notice from Cloudflare:
Cloudflare has observed issuance of the following certificate for jon.irish or one of its subdomains:

Log date: 2022-03-22 01:42:40 UTC
Issuer: CN=E1,O=Let's Encrypt,C=US
Validity: 2022-03-22 00:42:39 UTC - 2022-06-20 00:42:38 UTC
DNS Names: *.jon.irish, jon.irish

I did NOT request this, and want to revoke the cert ASAP. LE support sent me to: Revoking certificates - Let's Encrypt

I then created a txt record in the domain verifying that I do own it, and followed the Using a different authorized account step as I do not have the private cert since I didn't request it. When going to crt.sh, there are a lot of entries so I downloaded the cert from 03/22/22 which matches the cloudflare notice. I then ran:

sudo certbot revoke --cert-path /tmp/6388651673.crt (which is the cert I downloaded from crt.sh)

However, I get this error:

An unexpected error occurred:
The client lacks sufficient authorization :: The key ID specified in the revocation request does not hold valid authorizations for all names in the certificate to be revoked Please see the logfiles in /var/log/letsencrypt for more details.

How can I get this certificate revoked and how was someone able to create the certificate in the first place?

It's a wildcard. Someone needs access to your authoritative nameservers to do that (ie: your cloudflare account).

I would immediately change your cloudflare password. And check that your DNS records point where you intend to.

(Your A record points to an IP belonging to AT&T, it that supposed to be so?)

As for revocation, you need to be authorised for both domain.com and *.domain.com

Also: it's the only certificate for your domain that expires in more than a month, are you sure it's not an acme client you forgot about that's renewing it? (It's issued by E1, so it's unlikely you forgot about this acme account)

As 9peppe noted, a wildcard cert requires control of the DNS account.

But, I also see the same wildcard cert issued Jan2022 which is 60 days before this Mar2022 cert. That means it is likely some system was setup earlier and is now auto-renewing every 60 days.

In fact, that same wildcard cert was also issued in Jul2021, Sep2021, and Nov2021 every 60 days before that but with R3 as the intermediate. The two most recent certs were issued by E1 which is the ECDSA cert chain.

This "feels" to me like something was setup legitimately and is running on auto-pilot. Did you just recently setup Cloudflare alerting? Could the change be in the cert alerting rather than the cert issuance?

Update: Oh, and welcome to the community @servebeer

Did you also verify the wildcard hostname? Even though it uses the same _acme-challenge.jon.irish hostname, it needs to be a separate TXT value for the wildcard hostname.

Cloudflare sometimes uses Let's Encrypt certificates and will trigger these emails when they automatically renew.

It looks like the last certificate issued by the Cloudflare CA expired July 2021, then the LE cert issuances started

That's kinda incredible, to warn you about a certificate they obtained themselves.

I'd expect them not to warn you in that case, but I've seen more unreasonable things.

I can see how this can be scary and confusing.

It looks like Cloudflare is your registrar, but you're not using them for CDN right now and routing traffic into an AT&T owned IP.

Most likely, Cloudflare's systems grabbed the wildcard, so they can serve it instantly if you enable traffic through their network. They use a few techniques to aggressively order and cache SSL Certificates across their network.

It's odd their systems didn't mention THEY grabbed this cert.

If you want to do a test to ensure it's theirs - just create a new subdomain and have that one proxied through their network. You should be able to confirm the certificate they serve is the same one that appears on crt.sh and matches your email.

I have seen numerous people mention recieving these emails on the Cloudflare forums. Even for certificates issued by the Cloudflare CA, it looks like the transparency alert system informs you of all certificates regardless of where.

Yes, the only A record points to an IP owned by AT&T (I don't have a static IP address). I don't have a web server (I only use the domain for email), so I am pretty sure that I didn't setup an ACME client.

So the Cloudflare alerting is a new "beta" feature, so this could have been going on for awhile now. What's odd is that I don't recall ever setting this up.

Ahh, if that's the case, then I am not so worried. Its odd that they wouldn't tell me that though.

I agree... I don't have a problem with them doing this, but let me know, especially after I ask about it. I'll go ahead create the subdomain and see what happens.

Cloudflare have recently announced that they will create backup certs for all proxied domains, this is so they can switch certs instead of having to do mass renewals. Their CT log notifications do indeed warn you about cert they themselves have created (it's not optional).

Would you provide a link to the info? Please.

They have a lot of information in their blog, so it takes some digging to find stuff: https://blog.cloudflare.com/introducing-backup-certificates/

Thank you @webprofusion ....
It's nice to know they are hiring! (@griffin)! {joke}
ALL server admins should have their own backup plan. And implement it. EDIT: AND TEST IT!
If my hosting company were to automatically "manage or change" my configuration I would dump them in a millisecond. For Sure.(I am a small hosting company!!!!)

With a name like @servebeer, I just had to say hi!
[and welcome to the LE community forum]

This makes me feel a lot better! I was worried that someone had hijacked my domain. That being said, I am very disappointed in CloudFlare for A) Doing this without my knowledge B) Not telling me this when I brought the issue to their attention in the first place.

Thanks!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.