I have a domain that I manage through Cloudflare, and I just got two certificate transparency notices about new certificates being issued by Let’s Encrypt one second apart. Both are wildcard certificates that include only *.mydomain.com and mydomain.com. I am using Let’s Encrypt for this domain and its subdomains, but I never issued a wildcard cert myself and there is no way my cronjobs could have done this. Let’s Encrypt requires a DNS challenge for wildcard certificates, so I checked the DNS records and there are no new entries, but I couldn’t find a log of changes, so it could have been deleted. Is there a log somewhere?
I immediately changed my Cloudflare password and activated 2FA (I don’t know why I hadn’t activated it before), but I am not convinced that someone gained access to my account. I usually get an email whenever I log in from a new IP and there was no such mail.
Has anyone dealt with something like this before? Is there a way to revoke the certificates? Or to see a log of DNS changes on Cloudflare? How is this possible? I’m worried and don’t know what to do.
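
A triage step for the situation described in the post, as an added example that is not part of the original post: compare the certificates that certificate transparency shows for the domain against the serial numbers of the certificates you issued yourself. It assumes log entries in the field layout of crt.sh's JSON output; the domain, serials and entries below are constructed sample data.

```python
# Constructed sample entries using crt.sh JSON field names (assumed input format).
SAMPLE_ENTRIES = [
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "serial_number": "03aa01",
     "name_value": "sub.example.com", "not_before": "2021-04-01T08:00:00"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "serial_number": "04bb02",
     "name_value": "*.example.com\nexample.com", "not_before": "2021-05-01T09:00:00"},
    # Same serial as id 2: a precertificate and its final certificate are logged separately.
    {"id": 3, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "serial_number": "04bb02",
     "name_value": "*.example.com\nexample.com", "not_before": "2021-05-01T09:00:00"},
    {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "serial_number": "04cc03",
     "name_value": "*.example.com\nexample.com", "not_before": "2021-05-01T09:00:01"},
    # Different registered domain that merely ends in the same characters.
    {"id": 5, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "serial_number": "05dd04",
     "name_value": "notexample.com", "not_before": "2021-05-02T09:00:00"},
]
# Constructed: serials of certificates your own jobs obtained, e.g. read from the
# certificate files on disk with `openssl x509 -noout -serial -in cert.pem`.
KNOWN_SERIALS = ["03AA01"]


def _norm(serial):
    """Compare serials case-insensitively and without leading zeros."""
    return serial.lower().lstrip("0")


def unexpected_certs(entries, domain, known_serials):
    """Return CT-logged certificates covering `domain` that are not in known_serials."""
    known = {_norm(s) for s in known_serials}
    findings = {}
    for entry in entries:
        names = set(entry["name_value"].lower().split("\n"))
        # Match the domain itself or a true subdomain, not a lookalike suffix.
        if not any(n == domain or n.endswith("." + domain) for n in names):
            continue
        key = _norm(entry["serial_number"])
        if key in known:
            continue
        # Merge precertificate and final certificate into one finding per serial.
        rec = findings.setdefault(key, {
            "serial": entry["serial_number"], "issuer": entry["issuer_name"],
            "not_before": entry["not_before"], "names": set(), "wildcard": False})
        rec["names"] |= names
        rec["wildcard"] = rec["wildcard"] or any(n.startswith("*.") for n in names)
    return sorted(findings.values(), key=lambda r: r["not_before"])


if __name__ == "__main__":
    for f in unexpected_certs(SAMPLE_ENTRIES, "example.com", KNOWN_SERIALS):
        print(f["serial"], f["not_before"], sorted(f["names"]), f["issuer"])
```

The serials it reports are the ones to identify when asking the issuing CA or the DNS provider about issuance and revocation.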