Over 30 new backup certificates in 24h

Describe the issue you are having:
Cloudflare transparency monitoring has sent me over 30 emails over the past 24h regarding certificates being issued for this domain, by Google Trust Services. Weirdly, crt.sh does not list any certificates being issued since 2 weeks ago.

The audit log is filled with “Rec add” and “Rec del” from the user “Cloudflare” with interface “API” and “grpc_client_name” “bushbaby”. Over 400 entries for the last 24h.

What steps have you taken to resolve the issue?

  1. Disabling all SSL related options for that domain (in hope that it would stop trying to create new backup certificates)
  2. Pausing Cloudflare for that domain

The steps above did not help, the audit log is still filling up and I am still receiving emails from the transparency monitoring.

This only affects one domain that I have with Cloudflare, the rest is unaffected. I do not use the domain for anything currently. No API Tokens are enabled for that domain.

It looks to me like the backup certificate automation tool from Cloudflare is stuck in some sort of loop?

I am unsure what is causing this and how to solve it. I can’t send support tickets because that domain is on the free plan.

1 Like

crt.sh seems to be behind a bit. Do you see them here? Entrust Certificate Search - Entrust, Inc.
Also, what is the domain?

1 Like

The domain is xraven.org, from Cloudflare Registrar.

As of now, I still see new “Rec add” and “Rec del” audit logs from the Cloudflare user, but thankfully the frequency has at least slowed down.

Yes, the Entrust Search seems to find the certificates. As of now, there are 13 certificates issued by Google Trust Services in the past 24h.

1 Like

Thanks, escalated to CF. We’ll see what they say, you’re not the only one who got hit by this, 3 reports so far, and I’m guessing more instances but not everyone watches CT Logs.

2 Likes

Also having the same issue. 10+ certificate notifications also for Google Trust Services, and ~165 “rec add”, “rec del” and some “create” entries in the audit log in the past 24h.

It is logging as user Cloudflare through the API, with “grpc_client_name”: “bushbaby”

2 Likes

Hello,

I have created a ticket 3065631 for this issue while we investigate. We appreciate your patience.

6 Likes

Hello,

I have created you a ticket so we can investigate and track this issue 3065644. Please look to this ticket for updates.

4 Likes

If it’s of any value, I’m having this issue too

I am also having this issue.

More reports are helpful indeed. Including domain name(s) if you can :)

Same Issue,

domain: frenchpenguins.com

Sorry - forgot to specify the domain I’m having the issue with. Had a couple more instances of the issue today.

The domain is writingmeup.com

Similar issues here.
About ~10 or so emails over 2 days.
Domain is teararia.com

I have also noticed this, I received 14 emails yesterday, and 1 today. My main concern is that this is something malicious.

I normally see 2-4 alerts a month, and only occasionally on the same day

2 more emails today.
None of these certs are showing on crt.sh, only on Entrust Search.

Same issue
Domain is tenforums.com

Same issue, 15+ in the last 24h
Domain is easypoll.bot

There’s a status page incident open for this now:

4 Likes

According to the status page, this issue seems to have been resolved.
