About Let's Encrypt & Tilda Certificates

Started by Deepak1, Aug 08, 2022, 12:01 AM

Previous topic - Next topic

Deepak1Topic starter

One summer evening, I whiled away the time by issuing Let's Encrypt (LE) certificates in the Kuber, and for a long time I could not understand why the limit on the number of certificates per week worked, i.e. 50 pieces.



A quick check on https://crt.sh/ showed that indeed a lot of unnecessary certificates were issued for completely different subdomains, and this, to put it mildly, surprised me.


Debriefing

Of course, letters were immediately written to the DNS hosting provider to audit the work with the zone through the personal account and API (well, the key suddenly leaked). No suspicious activity was identified in the response report, suggesting that HTTP-01 verification was used to issue the certificates.
This was also indirectly indicated by the fact that certificates were issued for the subdomain itself and additionally with "www.", no wildcard certificates were issued, and this requires DNS-01 verification.

It is important to note that for the original domain, let's call it example.com, the wildcard record *.example.com IN CNAME example.com is registered in DNS to the main site, which is hosted on the popular Tilda site builder. And the most interesting thing is that the issue of strange LE certificates began almost the next day, right away after changing the hosting IP address to 185.215.4.10, as it was insistently suggested in the control panel.

Half an hour of research along with HostHunter, iptodomain, bash and crt.sh also revealed the existence of other sites with wildcard records in DNS at 185.215.4.10, which issued rather suspicious certificates. I will not list the domains here, those who are interested can easily check for themselves.

Tilda

Regrettably, my 3-day email with Tilda support and attempt to push the issue to the next level was unsuccessful, and a request to check for suspicious software behind IP address 185.215.4.10 received a clear answer: "No malware."

I will not question the competence of the support team, but I got the impression that all my attempts to explain a possible scenario for issuing an LE certificate using HTTP-01 verification, with a wildcard record in DNS at 185.215.4.10, were, at a minimum, ignored.

I'm not a great computer security expert, so I don't see very huge risks in issuing a handful of "left" LE certificates for subdomains, but the precipitate of one week, when it was impossible to issue the required certificate, remained.


Conclusion

It is clear that a wildcard entry in DNS to a third-party hosting is in itself a rather attractive way to cheat with LE certificates, but if it already exists and leads to Tilda (185.215.4.10), then I recommend one of the options:

    Delete it

    Change A-records to previous Tilda IP addresses

P.S. By the way, it was after the return to the previous Tilda hosting IP that the issuance of such certificates has stopped for the time being.

UPD. After the publication, Tilda technical support quickly responded with a personal letter (I don't really understand why it was impossible to immediately clarify), where they promised to separately highlight in bold the inadmissibility of using wildcard records when using Tilda hosting for a reason similar to that indicated in the comment from AEP.
Apparently, using wildcard entries is considered bad practice.
  •  

halley_pham

I think there was no any hаck.

Some HTTPS servers (like Caddy with default settings, or Apache with mod_md) can issue a certificate to themselves on the fly via Let's Encrypt, using the domain from the incoming Host header.
If the IP address of such a webserver is tied to a wildcard record in DNS, then any dictionary enumeration of subdomains (and this is what, say, "security" services like Security Scorecard do) will lead to issuing a bunch of unnecessary certificates.

It seems that the author stepped exactly on that rake.
  •