GoDaddy keeps sending CSR requests

I have been getting emails with CSRs (certificate signing requests) ever since my client’s GoDaddy hosting contract finally came to an end. The site is now registered with Cloudflare and hosted at Cloudways, but GoDaddy keeps sending me these requests by using my information on the WHOIS record. When I open the requests there is no indication of who sent the request, so is this ‘someone’ trying to hijack the domain name or a certificate mismatch?

Now I’m not clear on the problem. You said GoDaddy is sending you those requests, then you say you don’t know who’s sending those requests.

Have you asked GoDaddy?

Sorry, that was poorly phrased.

Here is the complete email that would lead you to believe that the ‘entity’ would be identified when you click the link but that’s not the case. Maybe I just need to contact GoDaddy. (my last resort)

Dear Secure Certificate Customer,

We have received a Certificate Signing Request for the following domains:
xxxxi.com

Our query of the Whois database returned your name as the administrator for the domain in the certificate request.

In order to verify the validity of this request and that it was submitted by the entity to which the domain in the request is registered, please signify your final approval or disapproval of the certificate request by clicking the link below.

https://certs.godaddy.com/anonymous/domainapproval.pki?vk='key&locale=en-US

Approval of the request will enable us to continue processing your request. Failure to approve the certificate request will lead to denial of the request.

If the above address does not appear as a clickable link, cut/copy and paste it into your browser’s address bar.

If the Verification Page requests it, please use the following Verification Key: ‘key’
This part of our authentication process serves to ensure that only the entity/individual that controls the domain in the request can obtain a certificate for that domain.

If you have any trouble or questions, contact us and let us know. We are available to help around-the-clock, seven days a week.

Customer Support:
Phone: 480.463.8887

For further information, log in to your account at https://certs.godaddy.com.

If I were to guess, there’s a process running at GoDaddy that’s trying to issue a cert. A CSR is usually generated on the server itself. I don’t know why GoDaddy would receive a CSR for your domain if it’s coming from outside GoDaddy.

Again:

I will try calling them again. Got tired of waiting for them to answer last time around. I suspect your answer is correct, but it struck me as strange. I thought I’d ask the question in case someone had run into this scenario.


Because GoDaddy operate a CA that will sell anybody a certificate.

That’s the whole point of the verification email. If you don’t know where the request is coming from, don’t approve it. CAs must verify domain control to issue a certificate. Emailing one of a number of “standard” email addresses is one way this is done. Putting a particular file in a particular location, or a particular DNS record in place are other common ways of verifying domain control. The mechanisms that CAs use are defined by the CA/Browser Forum, and are intended to ensure certificates are not issued to random third parties.

The email should indicate the hostname that is being requested, which might give some indication about who is making the request. (It depends on how big your organisation is how complicated that could be.) If you don’t know anything about the request, don’t approve the request.


Thanks Michael, the link in the GoDaddy email did not indicate who initiated the request but I suspect I did not replace the certificate when I moved the site to Cloudflare which I have now rectified.

Had GoDaddy listed Cloudflare as the requestor then I would have got to this point sooner.

It will have indicated what the hostname was. That is pretty much all you ever get in a certificate verification email.

I don’t believe that Cloudflare use GoDaddy for certificates. They regularly use DigiCert and Let’s Encrypt, and Comodo/Sectigo is probably kept in reserve (at least from the set of CAA records that are added). GlobalSign was in the mix, but the intermediate that Cloudflare had never issued a single certificate to the CT Logs before it was revoked.
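
The CAA records mentioned above are how a domain owner tells CAs which of them may issue for a name, independently of any approval email. The following is an added example, not part of the thread: it evaluates a CAA record set the way RFC 8659 describes, over constructed zone data. The domain `example.com`, the records and the function names are assumptions made for illustration.

```python
# Added example: RFC 8659 CAA evaluation. All zone data below is constructed.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# owner name -> list of (flags, tag, value) CAA records (constructed sample)
SAMPLE_ZONE = {
    "example.com": [
        (0, "issue", "digicert.com; policy=constructed"),
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", "letsencrypt.org"),
        (0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com": [(0, "issue", ";")],  # empty issuer: no CA may issue
}

def relevant_rrset(zone, fqdn):
    """Climb from fqdn toward the root; return the first non-empty CAA RRset."""
    labels = fqdn.lower().rstrip(".").split(".")
    if labels[0] == "*":          # a wildcard request starts at its parent name
        labels = labels[1:]
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def issuer_domain(value):
    """Issuer domain from an issue/issuewild value, with parameters dropped."""
    return value.split(";", 1)[0].strip().lower()

def ca_may_issue(zone, fqdn, ca_domain):
    """True if CAA does not forbid ca_domain from issuing for fqdn."""
    rrset = relevant_rrset(zone, fqdn)
    # An unrecognised tag with the critical bit (128) set forbids issuance.
    if any(f & 128 and t.lower() not in KNOWN_TAGS for f, t, _ in rrset):
        return False
    issue = [issuer_domain(v) for _, t, v in rrset if t.lower() == "issue"]
    wild = [issuer_domain(v) for _, t, v in rrset if t.lower() == "issuewild"]
    # issuewild applies only to wildcard requests, and overrides issue there.
    props = wild if fqdn.startswith("*.") and wild else issue
    if not props:
        return True               # no restricting property: CAA is silent
    return ca_domain.lower() in props

if __name__ == "__main__":
    for ca in ("godaddy.com", "letsencrypt.org", "digicert.com"):
        print(ca, ca_may_issue(SAMPLE_ZONE, "www.example.com", ca))
```

With a record set like the sample one, a CA whose identifier is not listed has to refuse the request at issuance time, whatever happens to the verification email.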
