Unknown certificate issued for my domain

Hello,

I received an email from Cloudflare telling me a Let's Encrypt certificate was issued for my domain (I do not use Let's Encrypt) and I'm not the one that asked for it.

What should I do?
Sorry if it's not the correct category

Thanks in advance for your help

1 Like

Welcome @Zarby

I would first check if a cert was actually issued. Are you sure that is a legit email?

Use the site crt.sh to look up your domain name and see if any certs show up. All Let's Encrypt certs appear in the Certificate Transparency list. It may take an hour though to appear in that list after the cert was issued (sometimes much longer but that is rare).

If there is a cert you can contact Cloudflare support at
https://support.cloudflare.com/hc/en-us

I would avoid clicking any links in the email until you confirm it's not spam.

Note: I recategorized your post as a Help topic

3 Likes

Thank you for your quick response.

I am 100% sure that it is a legitimate Cloudflare email (it is their new option that looks for certificates registered for your domain)

I checked on crt.sh and there are 3 certificates.

According to their webpage on that topic I could contact Let's Encrypt to suspend or revoke them but I couldn't find any contact for that.

Is there an email address for that?
Could that become a security issue?

Thank you for your help

2 Likes

Welcome to the Let's Encrypt Community 🙂

When were these certificates issued (what are their notBefore dates)?

3 Likes

One is 2022-02-02 and the two others 2021-12-05.

1 Like

If you use Cloudflare CDN they may issue Let's Encrypt certs on your behalf. LE is one of the providers of certs for them. Other hosting services also use Let's Encrypt on their customers' behalf.

Also, note on the crt.sh that you will see two entries for each cert - one is a precert and the other a leaf. Likely the one created on 12/05 was one cert and the one today is likely just the precert and the leaf appearing later.

The roughly 2 months between certs is pretty normal for renewal of Let's Encrypt certs.

It is not possible to get an LE cert without showing proof of control of your domain either through DNS or your web server.

Could Cloudflare CDN be issuing these on your behalf? Or your hosting service?

If you share the domain here we can use our expertise to maybe dig and provide further details. Otherwise we are stuck giving general advice.

7 Likes
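The precert/leaf pairing and renewal spacing described in the reply above, as an added example that is not part of the original posts: it collapses crt.sh results into one record per issued certificate by matching issuer and serial number. The field names follow crt.sh's JSON output; the records, serial numbers and `example.com` are constructed sample data.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample shaped like crt.sh JSON output (?q=example.com&output=json).
# A precertificate and its final (leaf) certificate share issuer and serial number.
LE = "C=US, O=Let's Encrypt, CN=R3"
NAMES = "example.com\nwww.example.com"
SAMPLE = json.dumps([
    {"id": 1001, "issuer_name": LE, "serial_number": "03aa00000000000000000000000000000001",
     "name_value": NAMES, "not_before": "2021-12-05T10:15:30", "not_after": "2022-03-05T10:15:29"},
    {"id": 1002, "issuer_name": LE, "serial_number": "03aa00000000000000000000000000000001",
     "name_value": NAMES, "not_before": "2021-12-05T10:15:30", "not_after": "2022-03-05T10:15:29"},
    {"id": 1003, "issuer_name": LE, "serial_number": "04bb00000000000000000000000000000002",
     "name_value": NAMES, "not_before": "2022-02-02T11:00:00", "not_after": "2022-05-03T10:59:59"},
])

def distinct_certs(crtsh_json):
    """Collapse precert/leaf log entries into one record per issued certificate."""
    groups = defaultdict(list)
    for entry in json.loads(crtsh_json):
        key = (entry["issuer_name"], entry["serial_number"].lower())
        groups[key].append(entry)
    certs = []
    for (issuer, serial), entries in groups.items():
        first = entries[0]
        certs.append({
            "issuer": issuer,
            "serial": serial,
            "not_before": datetime.fromisoformat(first["not_before"]),
            "not_after": datetime.fromisoformat(first["not_after"]),
            "names": sorted({n for e in entries for n in e["name_value"].split("\n")}),
            # 1 entry usually means only the precert has been indexed so far
            "log_entries": len(entries),
        })
    return sorted(certs, key=lambda c: c["not_before"])

def renewal_gaps_days(certs):
    """Days between consecutive issuances; about 60 is a typical renewal cadence."""
    return [(b["not_before"] - a["not_before"]).days for a, b in zip(certs, certs[1:])]

if __name__ == "__main__":
    certs = distinct_certs(SAMPLE)
    for c in certs:
        print(c["not_before"].date(), c["serial"], c["log_entries"], "entries", c["names"])
    print("gaps (days):", renewal_gaps_days(certs))
```

Three crt.sh rows here reduce to two certificates, which is the situation described in this thread; an issuer or hostname you do not recognise in the collapsed list is what warrants follow-up.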

Thank you for your help. I believe that it's indeed Cloudflare issuing those certificates (I thought that they issued their own).

2 Likes

Hi Zarby,

At the present time (February 2022), there are two reasons why you might have received an email from Cloudflare stating that Let's Encrypt has issued a certificate for your domain—

  1. You have configured an Email Notification for SSL events in your Cloudflare account for the SSL certificate products you're currently using (https://developers.cloudflare.com/ssl/notifications)
  2. Or you have signed up for our Certificate Transparency (CT) monitoring service (https://developers.cloudflare.com/ssl/edge-certificates/additional-options/certificate-transparency-monitoring). This service simply notifies the subscriber that a certificate for a hostname belonging to your domain was issued, but not who issued it or why (it can't know those details from CT logs).

Cloudflare is not a publicly-trusted certification authority (CA) and partners with existing CAs— including Let's Encrypt— to issue SSL certificates.

Let's Encrypt is an issuing CA for a handful of our products—

  • Universal SSL
  • Advanced Certificate Manager
  • Custom Hostnames

The first two— Universal SSL and Advanced Certificate Manager— would be issued as the result of some action that you (or another user who has been given access) took on your Cloudflare account and you should be able to identify that action in your Cloudflare audit logs (https://developers.cloudflare.com/logs/reference/log-fields/account/audit_logs).

Custom Hostnames is a product used by Cloudflare customers who are SaaS providers. If you have used DNS to delegate one or more hostnames belonging to your domain to a SaaS provider that uses Cloudflare and that SaaS provider has chosen to issue a certificate issued by Let's Encrypt, then this is one possible way Let's Encrypt could issue a certificate for a hostname belonging to your domain.

Of course, a SaaS provider may not be using Cloudflare at all and still choose to issue certificates via Let's Encrypt, which will have CT logs and you would still receive an email about it if you're subscribed to our CT monitoring service.

In another reply on this post, Mike gave good advice— checking CT logs using crt.sh or Censys is a good starting point, but might be insufficient to answer the question of "who" as there's little to differentiate (or brand) certs issued by Let's Encrypt. As a next step, I'd recommend you check the DNS entry for the hostname to see which servers or services (blog provider, storefront, help center, etc.) respond for that hostname and that might be more indicative as to who and why the certificate was issued.

Hope this helps!

5 Likes

Very glad to have you join the community @max-cloudflare

Thanks much for the added details. Hope to see you around more often 🙂

2 Likes
