Let's Encrypt Certificate Issuance for Subdomains

Started by Deepak1, Aug 08, 2022, 12:01 AM


Deepak1 (Topic starter)

While passing time one summer evening, I issued Let's Encrypt (LE) certificates in Kuber and was surprised when the limit on the number of certificates per week worked.

I later found out that a lot of unnecessary certificates were being issued for different subdomains through HTTP-01 verification. Letters were written to the DNS hosting provider, but no suspicious activity was identified in the response report. It was noted that no wildcard certificates were issued, indicating that DNS-01 verification was not used.

After investigating, other sites with wildcard records in DNS at 185.215.4.10 were discovered that issued rather suspicious certificates. Attempts to discuss the issue with Tilda support were unsuccessful. While issuing a handful of "bogus" LE certificates for subdomains is not a huge risk, it was frustrating that it took a week to issue the required certificate.

A recommendation was given to delete or change the A-records to previous Tilda IP addresses. Using wildcard entries is considered bad practice.

halley_pham

I don't believe there was any hacking involved in this situation.

Certain HTTPS servers can issue a Let's Encrypt certificate to themselves using the domain from the incoming Host header. If the IP address of the webserver is connected to a wildcard record in DNS, then subdomain enumeration can result in unnecessary certificates being issued. This is what happened to the author, who inadvertently triggered this process.
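The two checks a site owner would want after reading this explanation are (a) does my zone contain a wildcard A record, and (b) which of the certificates issued for my domain were never planned, and how close am I to the weekly limit. The script below is an added example, not code from this thread, from Tilda, or from Let's Encrypt; the zone lines and certificate list are constructed sample data (the IP is the one quoted in the first post), the `registered_domain` helper is a deliberate eTLD+1 approximation for plain TLDs, and the 50-per-week figure is Let's Encrypt's published per-registered-domain limit at the time of the thread.

```python
"""Audit helpers for the wildcard-DNS / HTTP-01 over-issuance scenario.

Added example; the zone text and certificate entries are constructed.
"""
from collections import Counter
from datetime import datetime

# Let's Encrypt limit per registered domain per week (2022 value).
CERTS_PER_REGISTERED_DOMAIN_PER_WEEK = 50

# Constructed zone excerpt: a wildcard A record pointing at a shared host
# means every label resolves there, so a Host-header-driven HTTPS server
# can request a certificate for any name a crawler or scanner tries.
SAMPLE_ZONE = [
    "; example zone (constructed)",
    "example.com.      IN A 185.215.4.10",
    "www      3600     IN A 185.215.4.10",
    "*.example.com.    IN A 185.215.4.10",
    "mail              IN MX 10 mail.example.com.",
]

# Constructed list shaped like CT-log hits: (name, issuance time).
SAMPLE_CERTS = [
    ("www.example.com", datetime(2022, 8, 1)),
    ("admin.example.com", datetime(2022, 8, 2)),
    ("dev.example.com", datetime(2022, 8, 3)),
    ("old.example.com", datetime(2022, 7, 20)),
]
EXPECTED_NAMES = ["example.com", "www.example.com"]


def find_wildcard_records(zone_lines):
    """Return (owner, ip) for every wildcard A record in simple zone text.

    Accepts '<owner> [ttl] IN A <ip>' lines; ';' starts a comment.
    """
    hits = []
    for raw in zone_lines:
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        upper = [p.upper() for p in parts]
        if "IN" not in upper:
            continue
        i = upper.index("IN")
        if len(parts) > i + 2 and upper[i + 1] == "A" and parts[0].startswith("*"):
            hits.append((parts[0], parts[i + 2]))
    return hits


def registered_domain(name):
    """Approximate eTLD+1: the last two labels (fine for .com-style TLDs)."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def unexpected_names(cert_entries, expected):
    """Issued names that are not on the owner's allowlist."""
    allow = {n.lower() for n in expected}
    return sorted({name.lower() for name, _ in cert_entries if name.lower() not in allow})


def weekly_issuance(cert_entries):
    """Certificates per (registered domain, ISO week)."""
    counts = Counter()
    for name, issued in cert_entries:
        year, week, _ = issued.isocalendar()
        counts[(registered_domain(name), f"{year}-W{week:02d}")] += 1
    return counts


def near_rate_limit(cert_entries, threshold=0.8):
    """(domain, week) keys that reached threshold * the weekly limit."""
    limit = CERTS_PER_REGISTERED_DOMAIN_PER_WEEK
    return [k for k, v in weekly_issuance(cert_entries).items() if v >= threshold * limit]


if __name__ == "__main__":
    print("wildcard A records:", find_wildcard_records(SAMPLE_ZONE))
    print("unplanned names:", unexpected_names(SAMPLE_CERTS, EXPECTED_NAMES))
    print("per-week counts:", dict(weekly_issuance(SAMPLE_CERTS)))
    print("near limit:", near_rate_limit(SAMPLE_CERTS))
```

Run it against a real zone export and a CT-log query for your domain; a non-empty result from the first check is the condition the reply above describes, and the second check shows whether issuance is already eating into the weekly budget.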

jameswilliam723

The text is accurate.

If wildcard entries are not specified, then there are no negative effects. However, Tilda's instructions for connecting a domain do not mention the use of wildcard records. The only valid suggestion in the post is to remove the wildcard entry to resolve the issue. Changing the IP address will not necessarily eliminate all potential side effects.