If you like DNray Forum, you can support it by - BTC: bc1qppjcl3c2cyjazy6lepmrv3fh6ke9mxs7zpfky0 , TRC20 and more...


Let's Encrypt Certificate Issuance for Subdomains

Started by Deepak1, Aug 08, 2022, 12:01 AM


Deepak1 (Topic starter)

While passing time one summer evening, I was issuing Let's Encrypt (LE) certificates in Kubernetes and was surprised to hit the weekly limit on the number of certificates.

I later found out that a lot of unnecessary certificates were being issued for different subdomains through HTTP-01 validation. I wrote to the DNS hosting provider, but their report identified no suspicious activity. It was noted that no wildcard certificates had been issued, which indicates that DNS-01 validation was not used.

After investigating, I discovered other sites with wildcard records in DNS pointing at 185.215.4.10 that had issued rather suspicious certificates. Attempts to discuss the issue with Tilda support were unsuccessful. While issuing a handful of bogus LE certificates for subdomains is not a huge risk, it was frustrating that it took a week to issue the certificate I actually needed.

A recommendation was given to delete or change the A-records to previous Tilda IP addresses. Using wildcard entries is considered bad practice.


halley_pham

I don't believe there was any hacking involved in this situation.

Certain HTTPS servers can issue a Let's Encrypt certificate to themselves for the domain in the incoming Host header. If the IP address of the web server is pointed to by a wildcard record in DNS, then subdomain enumeration can result in unnecessary certificates being issued. This is what happened to the author, who inadvertently triggered this process.

jameswilliam723

The text is accurate.

If wildcard entries are not specified, then there are no negative effects. However, Tilda's instructions for connecting a domain do not mention the use of wildcard records. The only valid suggestion in the post is to remove the wildcard entry to resolve the issue. Changing the IP address will not necessarily eliminate all potential side effects.
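The mechanism halley_pham describes (a server that requests a certificate for whatever Host header arrives, reachable through a wildcard A record) and the fix jameswilliam723 recommends (remove the wildcard rather than move the IP) can both be shown in a small simulation. The code below is an added example, not code from the thread, from Tilda, or from Let's Encrypt; the zone contents, the server IP (a documentation address), the "enumeration" wordlist and the allowlist policy are all constructed for the demonstration. The only real-world figure it uses is the Let's Encrypt limit of 50 certificates per registered domain per rolling week that applied when the thread was written.

```python
"""Toy model of on-demand ACME issuance behind a wildcard DNS record.

Constructed example: it models a DNS zone with an optional wildcard,
a web server that issues a certificate for whatever Host header it sees,
and the Let's Encrypt per-registered-domain weekly budget. It does not
talk to any CA or resolver.
"""
from collections import deque
from datetime import datetime, timedelta

LE_CERTS_PER_DOMAIN_PER_WEEK = 50      # Let's Encrypt limit per registered domain (2022)
SERVER_IP = "203.0.113.10"              # assumption: documentation IP standing in for the shared host


def resolve(zone: dict, name: str):
    """Return the A record for `name`, honouring a `*.parent` wildcard entry."""
    if name in zone:
        return zone[name]
    if "." in name:
        parent = name.split(".", 1)[1]
        if "*." + parent in zone:
            return zone["*." + parent]
    return None


class IssuanceBudget:
    """Rolling-window counter approximating the LE per-domain weekly limit."""

    def __init__(self, limit=LE_CERTS_PER_DOMAIN_PER_WEEK, window=timedelta(days=7)):
        self.limit, self.window, self.issued = limit, window, deque()

    def try_issue(self, when: datetime) -> bool:
        while self.issued and when - self.issued[0] >= self.window:
            self.issued.popleft()           # drop issuances older than the window
        if len(self.issued) >= self.limit:
            return False                    # the real ACME request would be rate limited
        self.issued.append(when)
        return True


def naive_policy(host: str, allowlist: set) -> bool:
    """Issue for any Host header (what the thread says the shared server does)."""
    return True


def allowlist_policy(host: str, allowlist: set) -> bool:
    """Hardened: only request certificates for hostnames we actually serve."""
    return host in allowlist


def simulate(zone, hosts, policy, allowlist, budget):
    """Replay a list of Host headers against the server.

    A request only reaches the server if DNS points the name at SERVER_IP.
    Returns (certificates_issued, requests_rate_limited).
    """
    start = datetime(2022, 8, 1)
    issued = rate_limited = 0
    for i, host in enumerate(hosts):
        if resolve(zone, host) != SERVER_IP:
            continue                        # name does not resolve here: no request arrives
        if not policy(host, allowlist):
            continue                        # policy refuses to issue for this name
        if budget.try_issue(start + timedelta(minutes=i)):
            issued += 1
        else:
            rate_limited += 1
    return issued, rate_limited


def scenario(wildcard: bool, policy):
    """Run one configuration: 60 guessed names from an 'enumeration', then the
    one legitimate request for www.example.com made afterwards."""
    zone = {"example.com": SERVER_IP, "www.example.com": SERVER_IP}
    if wildcard:
        zone["*.example.com"] = SERVER_IP   # the record the thread advises removing
    allowlist = {"example.com", "www.example.com"}
    hosts = [f"host{n}.example.com" for n in range(60)] + ["www.example.com"]  # constructed
    return simulate(zone, hosts, policy, allowlist, IssuanceBudget())


if __name__ == "__main__":
    print("wildcard + issue-for-any-Host :", scenario(True, naive_policy))        # (50, 11)
    print("no wildcard + issue-for-any-Host:", scenario(False, naive_policy))      # (1, 0)
    print("wildcard + allowlist           :", scenario(True, allowlist_policy))    # (1, 0)
```

The first scenario reproduces the thread: the guessed names burn the weekly budget and the one certificate the owner actually wanted is refused. Either removing the wildcard record (the names no longer reach the server) or having the server issue only for an allowlist fixes it; changing the IP alone does not, because the wildcard still sends every guessed name to whichever host it points at. In practice you detect the wildcard by resolving a name you never created (for example `dig +short some-random-label.example.com A`) and seeing it answer with the shared address.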

hoahoa1909

It appears that someone has been abusing the Let's Encrypt (LE) certificate issuance system to obtain numerous certificates for subdomains associated with your DNS hosting provider, likely through the HTTP-01 validation method. This could be an attempt to conduct malicious activities such as phishing, man-in-the-middle attacks, or other forms of cyber threats.

The fact that no wildcard certificates were issued suggests that the DNS-01 validation method was not used, which is a relief as it would have granted the attacker broader control over your domain. However, the issuance of multiple subdomain certificates is still a cause for concern.

The lack of suspicious activity reported by your DNS hosting provider could be due to several reasons:

1. Insufficient logging or monitoring capabilities on their end.
2. The attacker may have used techniques to obfuscate their activities.
3. The attack may have originated from a compromised system within your infrastructure.

The recommendation to delete or change the A-records to previous Tilda IP addresses is a sound approach to mitigate the immediate risk. However, it's essential to conduct a thorough investigation and take additional steps to enhance your security posture.

Here are my recommendations:

1. Conduct a comprehensive audit of your DNS records, web server configurations, and network infrastructure to identify any potential vulnerabilities or compromised systems.

2. Implement strict access controls and monitoring mechanisms for your DNS management interface and web servers.

3. Consider implementing additional security measures like Web Application Firewalls (WAFs), IP whitelisting, and two-factor authentication for sensitive systems.

4. Review your Let's Encrypt account and revoke any unauthorized or suspicious certificates.

5. Engage with the Let's Encrypt team and report the potential abuse, providing them with relevant logs and evidence.

6. Collaborate with your DNS hosting provider and ensure they have robust logging and monitoring systems in place to detect and respond to such incidents promptly.

7. Educate your team on cybersecurity best practices, including the importance of secure DNS management, web server hardening, and incident response procedures.

8. Consider implementing a centralized logging and security information and event management (SIEM) solution to enhance your capability to detect and respond to security incidents more effectively.

9. Regularly review and update your security policies, procedures, and incident response plans to stay ahead of evolving cyber threats.

While the issuance of a handful of bogus LE certificates may not seem like a significant risk, it could be an indication of a larger, ongoing attack campaign. Proactive measures and a thorough investigation are crucial to safeguarding your organization's digital assets and reputation.