Unrecognized certificate issuance on Cloudflare controlled domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
something.limzykenneth.com

The subdomain above is reverse proxy through Cloudflare and has Cloudflare’s own SSL setup on it. I have certificate transparency report setup to monitor said domain and I’ve receive report that a certificate is issued for the above subdomain under let’s encrypt, which is not expected.

In other words, as far as I’m aware I’m not using let’s encrypt, just Cloudflare SSL, but a let’s encrypt cert was issued for my subdomain. Is there somewhere I can report this, check why and how the LE cert is issued, or ask for the cert to be revoked? Or is this not a concern for me?

I don’t have much experience handling TLS directly so would appreciate some advice here.

1 Like

I’m pretty sure certificates issued without the owner of the domain knowing about it is a pretty serious concern.

Unfortunately, as your hostname(s) point to CloudFlare IP addresses, anyone with access to CloudFlares systems could have issued such a certificate. This also includes the DNS system. Perhaps someone hacked your CloudFlare DNS credentials? Also, your server might have been hacked too. Many options for this to happen…

As far as I know, it should be possible to revoke the certificate by means of your Let’s Encrypt account. If this account has a valid validation of the hostname, it should be possible to revoke the certificates for which this validation is valid, even if this account wasn’t the originally used to issue the certificate.

By the way, back in June you also had a certificate issued for this hostname: https://crt.sh/?q=limzykenneth.com There is exactly two months in between: the recommended renewal interval of 60 days. Are you absolutely sure you don’t have an ACME client laying around yourself issuing this certificate for you? Because it sure looks like it.

1 Like

Well, if they have an acme client using http-01 on the server that’s behind cloudflare, the challenge will transparently traverse cloudflare and succeed without issue…

1 Like

I’m fairly certain my Cloudflare account hasn’t been compromised, at least all the DNS records hasn’t been changedm I have 2fa on the account, and there’s no other sign of unauthorised login to the Cloudflare portal.

By the way, back in June you also had a certificate issued for this hostname: https://crt.sh/?q=limzykenneth.com There is exactly two months in between: the recommended renewal interval of 60 days. Are you absolutely sure you don’t have an ACME client laying around yourself issuing this certificate for you? Because it sure looks like it.

That is unexpected as well, I definitely did not have LE setup on this domain and its subdomain. The server itself is on Heroku (the subdomain something.limzykenneth.com is also on Heroku but on a different dyno). As far as I can tell, there’s no breach in my account over at Heroku as well.

My only experience with LE certificate issuance is with another completely unrelated domain so I’m quite sure there isn’t anything setup on my end that requested these certificates.

1 Like

Actually, would it be the case that Heroku is requesting the certificate on my behalf as part of the SSL offering they have?

1 Like

It could be…

1 Like

Ok it made sense now. Also looking at https://crt.sh/?q=limzykenneth.com, the LE certs are only for the subdomain which has heroku SSL setup while the others are all Cloudflare certs.

Thanks for the help!

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.