[SOLVED] Why is Cloudflare issuing a certificate for an FQDN that does not exist?

This morning, we received Certificate Transparency notifications that Cloudflare issued 2 new SSL/TLS certificates for service.<our-domain>. This FQDN does not exist, is not a subdomain we’ve configured anywhere in Cloudflare, we did not request the generation of the certificates, and they do not show up anywhere in the management UI. Why were they issued?

Checking the CT logs for our domain, it seems that Cloudflare also previously issued 2 certs for the exact same FQDN (service.<our-domain>) which expire on 2022-05-08 – exactly 30 days from the 2 certs that were issued today. Obviously, these certs are being automatically issued/renewed…but…WHY? What is service.<our-domain> used for internally for Cloudflare?

Hey! Could you please check the audit logs of your Cloudflare account? There should be an entry for the SSL certificate issuance. If you can share the log entry here, we can take a look at it :slightly_smiling_face:

Hi @albert. Thank you for the reply. Unfortunately, the audit log does not contain any entries for the SSL certificate issuance. We’re using a Business plan. Even with “Include user level activity” turned on, the only log entries around the time of the CT notifications are the following:

2022-04-06T07:24:20+00:00 Login ← my own account
2022-04-08T01:53:09+00:00 Login ← my own account
2022-04-08T01:53:18+00:00 Email verified success ← my own account
2022-04-08T05:51:54+00:00 Login ← my own account
2022-04-08T06:05:05+00:00 Login ← my own account

The log dates within the CT notifications were 2022-04-08T01:05:03+00:00 and 2022-04-08T01:05:04+00:00.

Just to make sure the dashboard UI isn’t playing any tricks, could you try exporting the audit log to CSV and searching for certificate_pack?

@albert Good suggestion. Unfortunately, still nothing :slightly_frowning_face:

Time Action
2022-04-08T06:05:05Z login
2022-04-08T05:51:54Z login
2022-04-08T01:53:18Z email_verified_success
2022-04-08T01:53:09Z login
2022-04-06T07:24:20Z login

Alright, thanks for confirming! This is interesting… :thinking: The fact that nothing shows up in your audit log makes it seem like the certificates may have been issued for another Cloudflare account, but that should only happen if they have your domain configured as a custom hostname - and that requires ownership verification. Would you be comfortable sharing the domain?

@albert I wouldn’t be able to share the domain name here in this thread, but I could in an official support ticket.

Update: I have found the root cause. The service.<our-domain> subdomain does indeed exist, but it’s a CNAME record which points to a third-party service that we have stopped using. That third-party service appears to also utilize Cloudflare. We stopped using that (quite large) third-party service more than a year ago and have not paid them any money, but their resource still seems to exist and is indeed serving the certificate in question (I matched the certificate serial number).

Interestingly, while we possibly verified our domain with the third-party service itself in the past, we have no record that our domain was verified by Cloudflare on behalf of that service. Although given the size of the service, perhaps the verification was obfuscated to some extent…interesting nonetheless.

@albert Thank you very much for your insight. Thanks to your help, I’ve got a clear path forward. Cheers!

Yeah, that makes sense :slightly_smiling_face: The third-party service is most likely using Cloudflare SSL for SaaS and custom hostnames. “Verification” in this context can be as simple as creating a CNAME and TXT record - it’s pretty much white-label.

I suggest you delete the DNS records pointing to the third-party service - this should prevent any new certificates from being issued. After that, you should contact the third-party service and ask them to remove your domain on their end. This will ensure there aren’t conflicting configurations in case you decide to use the domain with Cloudflare in the future.
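
The triage this thread went through can be scripted. The following is an added example, not part of the original thread and not Cloudflare tooling: it takes CT notifications that have no matching `certificate_pack` audit entry and lists the CNAME/TXT records in the zone that could explain them. The data layout, hostnames, the `certificate_pack_issue` action name, the `_validation` label and the 5-minute window are all assumptions made for illustration.

```python
from datetime import datetime

# Constructed sample data: every name and value below is a placeholder.
ZONE = [  # DNS export of the zone: (name, type, content)
    ("www.example.com", "CNAME", "app.current-host.example"),
    ("service.example.com", "CNAME", "tenant.old-saas.example"),
    ("_validation.service.example.com", "TXT", "constructed-token"),
    ("mail.example.com", "A", "192.0.2.10"),
]
CT_ENTRIES = [  # (hostname on the certificate, time it was logged)
    ("service.example.com", "2022-04-08T01:05:03+00:00"),
    ("www.example.com", "2022-04-08T02:00:00+00:00"),
]
AUDIT_LOG = [  # (time, action); the issuance action name is constructed
    ("2022-04-08T01:53:09+00:00", "login"),
    ("2022-04-08T02:00:01+00:00", "certificate_pack_issue"),
]
IN_USE = ("current-host.example",)  # targets of services still in use

def unexplained_certs(ct_entries, audit_log, window_s=300):
    """CT entries with no certificate_pack audit entry within window_s seconds."""
    issued = [datetime.fromisoformat(t) for t, action in audit_log
              if "certificate_pack" in action]
    return [host for host, t in ct_entries
            if not any(abs((datetime.fromisoformat(t) - i).total_seconds()) <= window_s
                       for i in issued)]

def stale_records(zone, host, in_use):
    """Records to review for host: a CNAME to a target not in use, plus
    TXT records at or under host that may be leftover validation records."""
    hits = []
    for name, rtype, content in zone:
        target = content.rstrip(".").lower()
        if rtype == "CNAME" and name == host and not any(
                target == s or target.endswith("." + s) for s in in_use):
            hits.append((name, rtype, content))
        elif rtype == "TXT" and (name == host or name.endswith("." + host)):
            hits.append((name, rtype, content))
    return hits

def triage(zone, ct_entries, audit_log, in_use):
    """Map each unexplained certificate hostname to the records to review."""
    return {host: stale_records(zone, host, in_use)
            for host in unexplained_certs(ct_entries, audit_log)}

if __name__ == "__main__":
    for host, records in triage(ZONE, CT_ENTRIES, AUDIT_LOG, IN_USE).items():
        print(host, "->", records or "no matching records in this zone")
```

An empty record list for a flagged hostname means the zone export does not explain the certificate, which is the case worth escalating to support.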