Thread by Scott Helme, 21 tweets
So yesterday I went through a bit of an incident that appeared like it could be quite serious but turned out to be just fine. 😅 A thread:
1/x A certificate was issued for a subdomain on my blog and I was pretty sure I hadn't requested it, I was nowhere even near a computer when it was issued.
2/x I was able to know that this had happened because the cert was logged into CT logs. If you're not familiar with Certificate Transparency then you should check out my intro post: scotthelme.co.uk/certificate-tr…
3/x Searching for certs is great, but I got a notification that one was issued. More specifically I got a push notification to my devices thanks to Facebook. I cover their CT log monitoring service here. It's pretty awesome: scotthelme.co.uk/finding-phishi…
4/x So, I'm like huh, this is a subdomain that I use at home (resolves to my residential IP) for testing purposes. I use Cloudflare as a DDNS provider to do this so I go to check out the current IP. scotthelme.co.uk/replacing-dynd…
5/x Seems my public IP has rotated (happens somewhat often in the UK) but my DDNS hadn't picked it up. Cogs start turning... Could someone have possibly grabbed my public IP and got a cert?... Seems basically impossible, so I kept thinking.
6/x The CA that had issued the cert was @buypass and I don't use them for regular cert issuance, I've only really used them once when I blogged about having a backup CA for @letsencrypt and the importance of more ACME support across CAs. scotthelme.co.uk/having-a-backu…
7/x This means they were cleared for issuance in terms of CAA because I'd previously added them, but didn't really help much beyond that. scotthelme.co.uk/certificate-au…
8/x Here's the original cert I got back in Jan for testing crt.sh/?id=1078088529 and given the '30 day until expiry' window for the new one crt.sh/?id=1534410437, my next thought was perhaps some kind of 'courtesy' renewal. I thought I'd ask the CA to check.
9/x I reached out on Twitter and got a contact for someone at the CA who confirmed that they didn't initiate the renewal, an ACME client called in and triggered it.
10/x That kind of threw me again because I didn't automate any renewal with @buypass and remember, the subdomain doesn't resolve to my IP, so I couldn't pass the domain validation anyway. At least so I thought...
11/x Turns out that once a CA has validated your control of a domain they don't need to check that again for a period of up to 825 days! I knew CAs could re-use validation, I just didn't realise the period was quite so long. This means that if @buypass knew who I was, we're good.
12/x If you're interested, the 825 day period is outlined in section 4.2.1 of the CA/Browser Forum Baseline Requirements found here: cabforum.org/wp-content/upl…
13/x This means my client at home could renew the cert even though the domain doesn't resolve to it by re-using the previous validation. That said, I didn't create a cron job (my usual path for automation) so I'm still confused.
14/x I reached out to some friends in the PKI world to ask for their input because my only ideas so far were that someone grabbed my IP and got the cert, or, Buypass had done something funky. Neither of those seemed logical, I needed an outside opinion!
15/x Now, this is where the story starts to unfold... In my testing of Buypass back in Jan I'd used a few different ACME clients, including one I'm not familiar with, Certbot. As I said earlier, I didn't create a cron job to auto renew, but it turns out that's not the only way...
16/x It seems that Certbot creates a systemd Timer for automating renewal for you and I can see why they'd do that, it makes sense. I just wasn't expecting the one time use of the tool to result in an automated renewal attempt later on!
17/x 🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️
18/x Here's the little sucker, right there:
19/x So, now we have a logical explanation: user error! The client didn't need the domain to resolve, it used the previous validation. Certbot was super helpful, I just didn't know it was helping me. Everything in the world is good 🌍🔒💚
20/20 To wrap up, the following are awesome: @buypass, @letsencrypt and @EFF Certbot. The following are not awesome: Me with jet lag.
Stay safe people 👍
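The triage the thread walks through by hand (is the issuer one my CAA record allows? can the issuance be explained by a validation that CA performed within the last 825 days?) can be scripted. The block below is an added example and is not code from the thread, from Certbot, or from any CA; the CT entries, hostnames and validation dates in it are constructed, with field names modelled on the JSON crt.sh returns (issuer_name, name_value, not_before, not_after) but made-up values. The 825-day reuse window is the BR 4.2.1 figure the thread cites.

```python
"""Triage certificates seen in CT logs for a domain you control.

Added example, not from the thread. A new cert is treated as explained
only when (a) its issuer is in the set your CAA record authorises and
(b) that CA performed a validation for the hostname recently enough that
it could still be reused (CA/B Forum BR 4.2.1: up to 825 days).
All sample data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Maximum age of a domain validation a CA may reuse (BR section 4.2.1).
MAX_VALIDATION_REUSE_DAYS = 825


@dataclass(frozen=True)
class CtEntry:
    id: int
    issuer_name: str   # issuer DN, as crt.sh prints it
    name_value: str    # SAN list, newline separated, as crt.sh returns it
    not_before: str    # ISO 8601 timestamp
    not_after: str


@dataclass(frozen=True)
class Finding:
    entry_id: int
    verdict: str       # "ok" | "unexpected-issuer" | "no-explaining-validation"
    detail: str


def could_reuse_validation(validated_at: datetime, issued_at: datetime,
                           max_days: int = MAX_VALIDATION_REUSE_DAYS) -> bool:
    """True if a validation done at validated_at was still reusable at issued_at."""
    if issued_at < validated_at:
        return False
    return issued_at - validated_at <= timedelta(days=max_days)


def issuer_org(issuer_name: str) -> str:
    """Extract the O= component of a DN such as
    'C=NO, O=Buypass AS-983163327, CN=Buypass Class 2 CA 5'."""
    for part in issuer_name.split(","):
        key, _, value = part.strip().partition("=")
        if key == "O":
            return value
    return issuer_name


def triage(entries, allowed_issuers, validations):
    """allowed_issuers: issuer organisations your CAA record permits.
    validations: {(issuer_org, hostname): datetime of the last validation
    you know that CA performed for that hostname}."""
    findings = []
    for e in entries:
        org = issuer_org(e.issuer_name)
        issued = datetime.fromisoformat(e.not_before)
        if org not in allowed_issuers:
            findings.append(Finding(e.id, "unexpected-issuer",
                                    f"{org} is not in the CAA set"))
            continue
        for host in e.name_value.split("\n"):
            prev = validations.get((org, host))
            if prev is None or not could_reuse_validation(prev, issued):
                findings.append(Finding(e.id, "no-explaining-validation",
                                        f"{host} via {org}: no reusable validation on record"))
                break
        else:
            findings.append(Finding(e.id, "ok",
                                    f"{org} could reuse a prior validation"))
    return findings


# Constructed sample data: an original issuance in January, a renewal in
# June that reuses its validation, an allowed CA with no validation on
# record, and a CA that is not in the CAA set at all.
SAMPLE_ENTRIES = [
    CtEntry(1, "C=NO, O=Buypass AS-983163327, CN=Buypass Class 2 CA 5",
            "test.example.com", "2019-01-20T10:00:00", "2019-07-19T10:00:00"),
    CtEntry(2, "C=NO, O=Buypass AS-983163327, CN=Buypass Class 2 CA 5",
            "test.example.com", "2019-06-15T03:12:00", "2019-12-12T03:12:00"),
    CtEntry(3, "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
            "test.example.com\nwww.example.com", "2019-06-16T00:00:00", "2019-09-14T00:00:00"),
    CtEntry(4, "O=Some Other CA, CN=Some Other CA Issuing",
            "test.example.com", "2019-06-17T00:00:00", "2020-06-17T00:00:00"),
]
ALLOWED_ISSUERS = {"Buypass AS-983163327", "Let's Encrypt"}
KNOWN_VALIDATIONS = {("Buypass AS-983163327", "test.example.com"): datetime(2019, 1, 20, 10, 0)}


def demo():
    return triage(SAMPLE_ENTRIES, ALLOWED_ISSUERS, KNOWN_VALIDATIONS)


if __name__ == "__main__":
    for f in demo():
        print(f.entry_id, f.verdict, f.detail)
```

The "no-explaining-validation" verdict is the one worth acting on: it is what the June renewal in the thread would have produced before the Certbot timer was found, and it is also what a cert obtained by whoever inherited a rotated residential IP would produce. On Debian-based systems the packaged Certbot installs a `certbot.timer` unit, so `systemctl list-timers` is the quick way to confirm whether a one-off test run left a renewal scheduled.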