Unexpected issuance of Let's Encrypt certificates by Cloudflare?

Could someone please explain why Cloudflare might suddenly start issuing Let’s Encrypt certificates for the domains, considering that those are configured in a “flexible” SSL/TLS mode and the DIgicert certificates are not yet expired? If it is a legitimate action (and looking at the topic at Does Cloudflare create Let's Encrypt certificates? it might be), then why would the option to watch Certificate Transparency logs be alerting about that in a rather alarming manner, leaving the impression that it was issued by “someone” rather than Cloudflare itself? Also it seems rather odd, that even after that issuance, the certificate shown when accessing the domain in question is still the one from Digicert (1 year one), rather than the issued 90-days Let’s Encrypt one.

On a side note, is there a chance to make those emails state more clearly that the issance was done by Cloudflare itself? That would be less alarming and confusing :slight_smile:

Thanks.

In that case your concern should not be the CA of your certificates but the fact that you still have an insecure site.

1 Like

@sandro , I would certainly appreciate if we stayed on topic of the conversation. Your reply has nothing to do with the question. If I wanted to issue a certificate locally and the content warranted that, I would do so. In the meantime the configuration where any connection NOT established by Cloudflare is rejected serves the purpose pretty well for me. Thanks.

Well, this is an open forum, not a personal support channel :wink: so you’ll natural get comments which might not necessarily fix your “issue” but address your overall security issues.

I am not quite sure what your concern about the CA is, but LE really is no issue at all. The real issue here is that your site is on HTTP. Would you be kind enough to share your domain?

@sandro , once again - I understand your position, but let’s not deviate from the topic. In this particular configuration “the site is on HTTP” only for Cloudflare. As I mentioned, this is sufficient now (though maybe not in the future), and all direct connections would not be served at all. Now to the subject - the issue as I see it is that the use of the Certificate Transparency alerting is good, but it is quite confusing for the scenario when the certificate is issued by Cloudflare itself. The impression upon reading the alert is that someone somewhere has issued a certificate for your domain (and considering the issuance for a wildcard, was able to modify the DNS records, as LE requires). Apart from that, it is unclear why such automatic issuance happened, considering that Digicert certificate has not yet expired, and why after the issuance it is still Digicert certificate that is being shown. I hope it makes the concerns a bit more clear.

Certificate transparency doesn’t matter who the provider is. If the email was for Digicert vs Let’s Encrypt it would have been formatted the same. If it matches the general parameters for your provider (Cloudflare) it is a NoOp.

Hi @cscharff ,

The question about emails is not about specific CAs - CAs are mentioned in the conext of 2 other questions (why LE certs were issued if Digicert was still good for a year, and why if LE was issued, Digicert was still shown - neither makes any sense there). With emails it is not about CA, but about Cloudflare’s knowledge whether the certificate was issued by Cloudflare or someone else, which is NOT reflected in the alerts - “Cloudflare has observed the issuance” sounds way more alarming that “Cloudflare has issued a certificate for your domain” for example, and makes you believe that the issuance is not legitimate and made without yours (or Cloudflare’s) knowledge. I also do not see how “If it matches the general parameters for your provider” fits here - could you elaborate?

Cloudflare’s certificate transparency monitoring doesn’t distinguish between itself requesting certificates and anyone else. There are multiple ways a cert could be issued which aren’t directly tied to the account monitoring certificate transparency for a particular domain within Cloudflare’s suite of products.

Without knowing anything about your zone it’s impossible to say more about how or where the certificate was issued or deployed. It’s likely the current cert is expiring soon(ish) so the system ordered a new one in advance of expiry.

That’s precisely my point - they have all the necessary information to correlate the fact of the issuance by them and the record popping up in the Transparency Logs. Doing that would remove the confusion from those alerts.

They might very well be pulling their data from crt.sh without any additional processing, other than the form letter. I think to confirm that the cert came from Cloudflare, and not some other host on the same day, it’d take a substantial amount of additional processing.

One option might be to use the SSL Notification option here that would let you know when Cloudflare updates your cert.

If I’m ever curious if the request came from Cloudflare, I go to SSL/TLS → Edge Certificates to see what’s actually there.

This will only show you what the currently active certificates are. As Cloudflare issue new certs before making them live, there will be a period of time when you cannot see valid but inactive certificates (either for the next certificate to be used, or for the old and unused but still valid certificate).

The Cloudflare CT alerts do not exclude Cloudflare issued certs. But this is actually a significant use case for CT log monitoring. All the certs I know about (including the Cloudflare managed certs) should be excluded from the alerts. It is when a cert is issued that I do not know about that I should be worried. If you have a lot of CF domains then you will not spot the one mis-issued cert in the noise. There are third party paid services that can do this, but you need to specify the certs that you don’t want to be alerted about. With CF managed certs you don’t know about them until after they have been issued, so you cannot exclude them from such alerting.

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.