Someone else issued wildcard certificates for my domain

Hi,

I have a domain that I manage through Cloudflare and I just got two certificate transparency notices about new certificates being issued by Let’s Encrypt one second apart. Both are wildcard certificates that include only *.mydomain.com and mydomain.com. I am using Let’s Encrypt for this domain and its subdomains, but I never issued a wildcard cert myself and there is no way my cronjobs could have done this. Let’s Encrypt requires a DNS challenge for wildcard certificates, so I checked the DNS records and there are no new entries, but I couldn’t find a log of changes, so it could have been deleted. Is there a log somewhere?

I immediately changed my Cloudflare password and activated 2FA (I don’t know why I hadn’t activated it before), but I am not convinced that someone gained access to my account. I usually get an email whenever I log in from a new IP and there was no such mail.

Has anyone dealt with something like this before? Is there a way to revoke the certificates? Or to see a log of DNS changes on Cloudflare? How is this possible? I’m worried and don’t know what to do.

Hi @Noodlewasser,

Have you checked SSL/TLS → Edge Certificates in your Cloudflare dashboard? Cloudflare uses various CAs for Universal Certificates, including Let’s Encrypt, and it may be that your universal cert was renewed with LE.

This would be in the Audit Log at the top of your account home page.


That’s it, thank you so much! I hadn’t thought of that and didn’t know that Cloudflare is using Let’s Encrypt.


No problem, the universal certs are usually issued by either DigiCert or Let’s Encrypt. Glad that cleared it up for you!
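The triage the replies describe, as an added example that is not part of the thread or of any Cloudflare or Let’s Encrypt tooling: given CT notices for one zone, separate the expected Cloudflare Universal shape (the bare domain plus its wildcard, from one of the CAs named above, on a proxied zone) from wildcard or out-of-scope issuances that need the DNS provider's audit log checked, and flag notices that land within seconds of each other for the same names. The CT entries, the `proxied` flag and the issuer strings are constructed assumptions.

```python
# Added example (not from the thread): triage CT notices for one domain.
# Constructed CT entries stand in for what a CT monitor would report.
from dataclasses import dataclass
from datetime import datetime

# Issuers the replies name as used for Cloudflare Universal certificates.
CLOUDFLARE_UNIVERSAL_ISSUERS = {"Let's Encrypt", "DigiCert"}

@dataclass(frozen=True)
class CtEntry:
    issuer: str            # CA organisation name from the certificate
    names: tuple           # subjectAltName dNSNames
    not_before: datetime   # start of validity, used as issuance time

def in_scope(name, domain):
    """True if name is the domain itself or a direct/wildcard subdomain."""
    return name == domain or name.endswith("." + domain)

def classify(entry, domain, proxied):
    """Verdict for one CT entry. proxied: zone is on Cloudflare with
    Universal SSL, so a {domain, *.domain} cert from a Cloudflare CA is
    expected there (assumption) and should be confirmed in Edge Certificates."""
    if not all(in_scope(n, domain) for n in entry.names):
        return "out-of-scope-name"
    wildcard = any(n.startswith("*.") for n in entry.names)
    universal_shape = set(entry.names) == {domain, "*." + domain}
    if proxied and universal_shape and entry.issuer in CLOUDFLARE_UNIVERSAL_ISSUERS:
        return "likely-cloudflare-universal"
    if wildcard:
        return "wildcard-not-ours"   # DNS-01 needed: check DNS provider audit log
    return "review"

def triage(entries, domain, proxied=True):
    """Classify each entry; also flag ones issued within 2 s of another
    entry covering exactly the same names (the thread's paired notices)."""
    ordered = sorted(entries, key=lambda e: e.not_before)
    out = []
    for i, e in enumerate(ordered):
        paired = any(abs((o.not_before - e.not_before).total_seconds()) <= 2
                     for j, o in enumerate(ordered) if j != i and o.names == e.names)
        out.append((e, classify(e, domain, proxied), paired))
    return out

SAMPLE = [  # constructed; the first two mirror the thread's notices one second apart
    CtEntry("Let's Encrypt", ("*.example.com", "example.com"), datetime(2021, 1, 1, 12, 0, 0)),
    CtEntry("Let's Encrypt", ("*.example.com", "example.com"), datetime(2021, 1, 1, 12, 0, 1)),
    CtEntry("Let's Encrypt", ("mail.example.com",), datetime(2021, 1, 2, 3, 0, 0)),
    CtEntry("Other CA", ("*.example.com", "example.com", "other.net"), datetime(2021, 1, 3, 0, 0, 0)),
]

if __name__ == "__main__":
    for e, verdict, paired in triage(SAMPLE, "example.com"):
        print(f"{e.not_before:%Y-%m-%d %H:%M:%S} {e.issuer:14} {verdict}{' (paired)' if paired else ''}")
```

With `proxied=False` the same bare-plus-wildcard pair is reported as `wildcard-not-ours`, which is the case where the DNS provider's change log is the thing to check.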

