Erroneous SSL certificate renewal email for the managed certificate

We received an email stating that one of our subdomains requires verification for the edge certificate renewal and suggesting to add a TXT record to verify the subdomain. It says the domain no longer resolves to the Cloudflare and says the certificate will expire in December.

The thing is our domain is using Cloudflare nameservers, and we use only Cloudflare-managed certificates, none of them is expiring in December. This subdomain is Proxied and falls under * certificate.

I’m very confused, it looks like it’s either a bug with Cloudflare renewal, or a phishing attempt?
The email notification came from Cloudflare [email protected] signed-by:

Certificate Renewal
Domain: ...(one of our subdomains)...

Organization: Cloudflare, Inc.
San Francisco, CA
Review Certificate Request

As part of the Cloudflare SSL certificate renewal process, we need you to re-approve the domain ... so that we can re-issue SSL certificates for use on our network.

If you previously validated this domain using the HTTP DCV method, you are receiving this email because:

- ... no longer resolves to Cloudflare's edge, and we cannot automatically complete the renewal process.
- Recent CA/B forum rule changes state that HTTP DCV is no longer permitted for wildcard certificates.
Add the DNS records shown below to avoid certificate expiration or remove the hostname if no longer in use. 

Your current certificate expires on Wed Dec 27 13:40:10 +0000 2023. If you are unable to complete validation by the expiration date, Cloudflare will remove this certificate from the edge. 

Add the following TXT entries to your authoritative DNS provider:
_acme-challenge....... TXT ...

Once records have been added, click this link to complete the renewal process: [legit cloudflare verification link with token]

The Cloudflare Team

Just to emphasize, we never had any dedicated edge certificate for that subdomain, we use a single wildcard cert, neither we changed NS settings, so subdomain never stopped to resolve to the Cloudflare. Additionally, we have other subdomains, but received no renewal email about them.

What is that?

Hello @arseniy,

It will be difficult to answer without knowing the actual domain, and digging information on the SSL certs deployed from Edge, but I have seen some of these emails sent out for Custom hostnames/managed hostnames - deployed/issued but not deleted/removed for some reason:

If your site is working as normal, then there is no need for concern, but if you do see issues, please open a ticket for us to investigate from our end.

Thank you.

1 Like

Thank you for the reply. I was really concerned about it because I suspected it’s some sort of phishing. Now I think I was able to dig to the bottom:

That subdomain previously was serving a Cloudflare Pages project and now that CNAME was replaced with a redirect rule pointing. So the project still remained and it had the domain in the list, most likely it issues a custom certificate under the hood.

The issue can be closed now.