CF keeps sending emails to me about certificate transparency

I renewed my site’s certificate yesterday. My site was signed by Let’s Encrypt. I keep receiving 18 emails from CF like this:

Hello,

Cloudflare has observed issuance of the following certificate for mydomain or one of its subdomains:

Log date: 2023-12-14 06:05:14 UTC
Issuer: CN=GTS CA 2A1,O=Google Trust Services LLC,C=US
Validity: 2023-12-14 05:05:13 UTC - 2024-01-28 05:05:12 UTC
DNS Names: mydomain, *.mydomain

My SSL/TLS encryption mode is Full (strict), and I don’t use ‘Edge Certificates’ in the CF dashboard.
I noticed CF changes CA from DigiCert to Let’s Encrypt / Google trust service, so I added DNS CAA records:

mydomain 0 issuewild pki.goog DNS only Auto
mydomain 0 issue pki.goog DNS only Auto

but I still received many “Certificate Transparency Monitoring” emails from CF.

I don’t know what’s going on. This never happened before. Does anyone have any idea?

Can you by any chance share the exact domain(s) that this issue relates to?

Should I understand that Universal SSL is currently disabled, and that the option for Universal SSL, if you scroll down to the bottom of the following link, is saying “Enable Universal SSL”?

https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates

The typical issue with CAA records, and Cloudflare, is that Cloudflare will be overriding your CAA records, so they can issue certificates for you, if you have Universal SSL enabled.

hi,
‘Universal SSL’ currently is enabled. I mean I don’t upload any custom Universal SSL certificate to the dashboard. I manage my site’s certificate myself, but I use CF Universal SSL at the same time. ‘SSL/TLS encryption mode’ is Full (strict). Usually I only get 2 emails from CF when my site’s certificate is renewed through the Let’s Encrypt shell script. I noticed all 18 emails are reporting certificates signed by Google Trust Services LLC.

email log date:
2023-12-14 04:52:00 UTC
2023-12-14 04:59:01 UTC
2023-12-14 05:03:01 UTC
2023-12-14 05:07:55 UTC
2023-12-14 05:22:14 UTC
2023-12-14 05:43:51 UTC
2023-12-14 06:08:54 UTC
2023-12-14 06:13:01 UTC
2023-12-14 06:17:50 UTC
2023-12-14 06:32:17 UTC
2023-12-14 06:53:53 UTC
2023-12-14 07:26:34 UTC
2023-12-14 09:31:38 UTC
2023-12-14 14:20:30 UTC
2023-12-14 18:45:19 UTC
2023-12-15 01:27:38 UTC
2023-12-15 04:55:24 UTC
2023-12-15 06:05:14 UTC

Ah, I misunderstood the part about Edge Certificates / Universal SSL.

But no worries!

That does indeed sound to be the normal practice. :wink:

This part is indeed a bit strange, but I can confirm by checking your domain that multiple certificates seem to have been issued on 2023-12-14 and 2023-12-15.

If you, in accordance with your first message, want to remove the domain from public view, you can take it away now.

Thank you for the elaborative email log as well!

hi,

I received another two emails from CF.
email log date:
2023-12-14 08:16:14 UTC
2023-12-14 11:26:26 UTC

strange… why they are 12/14 not 12/15…

I noticed universal SSL certificate in my dashboard was issued by Let’s Encrypt. It seems OK.
The backup universal SSL certificate in my dashboard was issued by Google Trust Service.
All related certificates in these emails are issued by Google Trust Service.

Maybe there’s something wrong between CF and Google?

Hi,

I started receiving an unexpected amount of these notifications starting 2023-12-10. I have received about 30 such notification emails in the last 5 days.
For me it is also the certificates from Google Trust Services that notifications are sent for, which I assume to be intended to be the backup certificates as previously mentioned.

Other than being unreasonably frequent, the information that is sent out regarding observed issuance of certificates in the emails does not at all align with what’s available to search for in crt.sh.
In that certificate search, the last issued certificate from Google Trust Services took place on 2023-11-29.

> I started receiving an unexpected amount of these notifications starting 2023-12-10. I have received about 30 such notification emails in the last 5 days.

Looks like I’m not the only one who got these mad emails. My phone (with the Gmail app installed) rings several times every day. It drives me crazy :hear_no_evil:

I’m seeing more related threads on this, for example: Over 30 new backup certificates in 24h - #6 by user18060 in which @eportillo seems to be creating support tickets for this issue.

I completely understand the frustration from your point of view.

I have made a note about this thread, connecting it together with the couple of other threads there are.

One will likely also be created for this one at some point, too.

They’re looking into this, but as for

crt.sh has always been a bit unstable, and now it seems it’s just behind for a few CT Logs.
You should be able to see them all here: Entrust Certificate Search - Entrust, Inc.

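
A triage sketch for the notification emails discussed in this thread, added here as an example and not posted by any participant or taken from Cloudflare: it parses the alert layout quoted in the first post, counts alerts per issuer and name set, and flags issuers outside an allow list. The allow list contents, `example.com` and the "Unlisted CA Inc" alert are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Assumption: the CAs this thread names for the zone. Adjust to your own setup.
EXPECTED_ISSUER_ORGS = {"Let's Encrypt", "Google Trust Services LLC"}
FIELD = re.compile(r"^(Log date|Issuer|Validity|DNS Names):[ \t]*(.+?)[ \t]*$", re.M)

def _utc(text):
    return datetime.strptime(text.strip(), "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)

def parse_alert(body):
    """Parse one notification body in the layout quoted in the thread."""
    fields = dict(FIELD.findall(body))
    missing = {"Log date", "Issuer", "Validity", "DNS Names"} - fields.keys()
    if missing:
        raise ValueError(f"alert is missing fields: {sorted(missing)}")
    # Simple DN split; does not handle escaped commas inside attribute values.
    org = re.search(r"(?:^|,)O=([^,]+)", fields["Issuer"])
    not_before, not_after = fields["Validity"].split(" - ")
    return {
        "logged": _utc(fields["Log date"]),
        "issuer_org": org.group(1) if org else None,
        "not_before": _utc(not_before),
        "not_after": _utc(not_after),
        "names": sorted(n.strip().lower() for n in fields["DNS Names"].split(",")),
    }

def triage(bodies, expected=EXPECTED_ISSUER_ORGS):
    """Count alerts per (issuer, name set) and collect unexpected issuers."""
    counts, unexpected = Counter(), []
    for alert in map(parse_alert, bodies):
        counts[(alert["issuer_org"], tuple(alert["names"]))] += 1
        if alert["issuer_org"] not in expected:
            unexpected.append(alert)
    return counts, unexpected

# Constructed sample alerts; example.com stands in for the redacted domain.
_ALERT = ("Log date: {when}\nIssuer: {issuer}\n"
          "Validity: 2023-12-14 05:05:13 UTC - 2024-01-28 05:05:12 UTC\n"
          "DNS Names: example.com, *.example.com\n")
_GTS = "CN=GTS CA 2A1,O=Google Trust Services LLC,C=US"
SAMPLE = [_ALERT.format(when="2023-12-14 06:05:14 UTC", issuer=_GTS),
          _ALERT.format(when="2023-12-14 06:08:54 UTC", issuer=_GTS),
          _ALERT.format(when="2023-12-14 07:00:00 UTC", issuer="CN=X1,O=Unlisted CA Inc,C=US")]

if __name__ == "__main__":
    counts, unexpected = triage(SAMPLE)
    print(dict(counts), [a["issuer_org"] for a in unexpected])
```

Repeated alerts from an expected issuer collapse into one counted row, so only the `unexpected` list needs a person to look at it.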