Zoho is somehow able to obtain a certificate with my domain as a SAN

I use Zoho as my email hosting and it has a customized login feature where, if I CNAME a subdomain (mail.example.com in my case) to their server, they'd issue a certificate where my subdomain is a SAN (along with many other Zoho users) and use that as a login page.

I've since removed the CNAME record weeks ago and I'm still getting certificate transparency emails from Cloudflare that a Let's Encrypt certificate was issued on mail.example.com. I only have email-related DNS records (MX, SPF, DKIM) having any relation with Zoho. I'm wondering how Zoho is able to issue certificates on my subdomain?

Technically, authorizations for a given name remain valid for 30 days after the last valid challenge. So the account they had been using to get a cert could plausibly still get additional certs using the previous authorization if it has been less than 30 days since you removed the CNAME.

Are you also using Cloudflare for any other SSL stuff? They're known to issue Let's Encrypt certificates on your behalf as part of their automated Edge SSL stuff. They don't call out LE specifically, but I'm pretty sure it's part of their relatively recent Backup Certificates feature as described here:

And ironically, their Certificate Transparency monitoring feature does not recognize or ignore the certificates they generated. So the alerts you're getting might not be certs generated by Zoho, but from Cloudflare.
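One way to triage such CT alerts along the lines discussed in the replies above, as an added example that is not part of the original thread: it places each certificate naming the host relative to the 30-day authorization window mentioned above and counts SANs outside your own zone, which separates a shared multi-tenant certificate from one covering only your names. The field names, dates and sample entries are constructed for illustration.

```python
from datetime import datetime, timedelta

AUTHZ_REUSE = timedelta(days=30)  # reuse window as stated in the reply above

# Constructed sample CT entries (hypothetical field names and values).
SAMPLE_ENTRIES = [
    {"not_before": "2024-02-10",
     "sans": ["mail.example.com", "mail.example.net", "mail.example.org"]},
    {"not_before": "2024-03-20",
     "sans": ["mail.example.com", "mail.example.net", "mail.example.org"]},
    {"not_before": "2024-04-15",
     "sans": ["mail.example.com", "mail.example.org"]},
    {"not_before": "2024-03-10",
     "sans": ["example.com", "*.example.com"]},
]

def covers(sans, hostname):
    """True if the SAN list names hostname exactly or via a one-label wildcard."""
    parent = hostname.split(".", 1)[1]
    return hostname in sans or "*." + parent in sans

def classify(entries, hostname, zone, validation_removed):
    """Return (not_before, timing, foreign_san_count) per cert covering hostname.

    validation_removed is the date the validating record (here the CNAME) was
    deleted, i.e. the latest date a challenge could still have succeeded.
    """
    removed = datetime.strptime(validation_removed, "%Y-%m-%d")
    deadline = removed + AUTHZ_REUSE
    results = []
    for entry in entries:
        if not covers(entry["sans"], hostname):
            continue
        issued = datetime.strptime(entry["not_before"], "%Y-%m-%d")
        if issued <= removed:
            timing = "before-removal"        # record was still in place
        elif issued <= deadline:
            timing = "within-reuse-window"   # a cached authorization can explain it
        else:
            timing = "outside-window"        # needs another explanation
        # SANs outside your zone indicate a certificate shared with other tenants.
        foreign = [s for s in entry["sans"]
                   if s != zone and not s.endswith("." + zone)]
        results.append((entry["not_before"], timing, len(foreign)))
    return results

if __name__ == "__main__":
    for row in classify(SAMPLE_ENTRIES, "mail.example.com", "example.com", "2024-03-01"):
        print(row)
```
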


> Technically, authorizations for a given name remain valid for 30 days after the last valid challenge

This must be it, because it hasn't been 30 days.
I'm pretty sure it's Zoho and not Cloudflare since the cert contains lots of SANs of mail. domains of other people.

Thanks for answering and clearing this up!


