Cloudflare's Certificate Transparency Monitoring

I received this notification email yesterday... and I'm confused and perplexed (I'm new to using Cloudflare for my domain).
Code:
Cloudflare has observed issuance of the following certificate for domain.com or one of its subdomains:

Log date: 2022-02-06 17:23:37 UTC
Issuer: CN=E1,O=Let's Encrypt,C=US
Validity: 2022-02-06 12:13:37 UTC - 2022-05-07 12:13:36 UTC
DNS Names: *.domain.com, domain.com

Most certificates are trustworthy. However, if the data above is surprising to you or incorrect, please visit https://support.cloudflare.com/hc/articles/360031379012.

This email was requested by one of your Cloudflare account administrators. If you would no longer like to receive it, please disable it under "Certificate Transparency Monitoring" at https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates#ct-alerting-card.

For starters... I'm not certain what this is telling me. I'm also confused with the "Validity" period.

In December, I purchased a domain from Namecheap and then registered it with Cloudflare. Using an nginx container, I acquired an LE wildcard cert for my domain. Nginx reports it valid through mid-March.

I haven't been on Cloudflare since December, so I'm unsure what triggered this transparency notification, and what it means (including its validity period).

I'm hoping that some of the more advanced users here can explain this simply for me. Thanks in advance.
The mail is most likely due to having the Certificate Transparency Monitoring option active in SSL/TLS - Edge Certificates:

[Screenshot: 1644302539219.png]
 
Thanks for the feedback.

The weird thing is that my certificate seems to have been renewed automagically.

I don't know if (or why) Cloudflare did that... or other (???).

I registered the cert using nginx in December, and my nginx cert manager still shows a March expiration. But my browser shows a May expiration matching the Cloudflare notification date.

Any ideas on how that came about (I'm just a noob with Cloudflare). @Robbie @leriak
 
@Telos I'm no expert either but it all looks like typical stuff from Cloudflare, especially with a 'new' or 'moved' domain. The certs should renew well-before the expiry date, automatically.

My main domain name is with dynadot and compared to Cloudflare you get zero feedback on anything and the responsibility flows to the end-user. Things can die without any fanfare. It is a bit unnerving and Cloudflare seems easier to work with and monitor.
 
I registered the cert using nginx in December, and my nginx cert manager still shows a March expiration. But my browser shows a May expiration matching the Cloudflare notification date.
I have a nginx proxy manager container and it gets and automatically renews a * certificate. I have not checked the expiration date shown in the container however... it's been working in the background and I haven't paid attention.

I don't know if (or why) Cloudflare did that... or other (???).
As far as I understand the certificate monitoring function just crawls through public databases to find out if certificates have been generated for your domain... My guess is that the container has renewed the certificate.

Are you using the cloudflare proxy (orange cloud on dns records)?

If you are proxied, on the browser you should see a cert by cloudflare, not your LE certificate (picture below).

If you are not proxied then you are connecting directly to your server so you see your cert from let's encrypt. In that case the cert is on your server.

Cloudflare actually allows uploading a custom cert so you don't see a cloudflare cert when proxied, but not on the free plan (I assume you are using the free one...)

[Screenshot attachment: 1644353257456.png]
I have a nginx proxy manager container and it gets and automatically renews a * certificate.
This is how I thought I had set things up. Nginx cert says March expiration... so it does not "see" the update which Cloudflare implemented.
Are you using the cloudflare proxy (orange cloud on dns records)?
Yes... on A and CNAME records
If you are proxied, on the browser you should see a cert by cloudflare, not your LE certificate (picture below).
I am set to "Full", not "Full (strict)" ... so, that is one difference, though I don't understand the difference between the two.

FWIW, I have the "Cloudflare Origin Certificate" loaded on the NAS, and it is with a CNAME that I connect to my NAS. For example...
NAS1.domain.com
When the NAS login screen appears, the cert is identified as from Let's Encrypt. Within that LE cert, there is a section "Embedded SCTs" in which there is a Cloudflare reference (I'm not sure what any of that means).

This is all on the free plan. Thanks for your help.
 
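The "Embedded SCTs" section the browser shows is the RFC 6962 SignedCertificateTimestampList that the CA embedded in the certificate: one SCT per CT log the precertificate was submitted to, each carrying the log's ID (the SHA-256 of the log's public key, which the browser maps to a name such as a Cloudflare "Nimbus" log) and the time the log accepted it. The following is an added example, not code from the thread; it encodes and parses that structure. The two log IDs and the signature bytes are constructed placeholders, and extracting the list from the X.509 extension (OID 1.3.6.1.4.1.11129.2.4.2) is assumed to be done beforehand with an ASN.1 library, which is not shown.

```python
import hashlib
import struct
from datetime import datetime, timezone
from typing import Dict, List

# Constructed placeholder log IDs. Real ones are SHA-256 of the log's DER public
# key; browsers resolve them to log names via a known-logs list.
FAKE_LOG_ID_A = hashlib.sha256(b"constructed log key A").digest()
FAKE_LOG_ID_B = hashlib.sha256(b"constructed log key B").digest()

# notBefore from the Cloudflare notification quoted at the top of the thread.
ISSUED_AT = datetime(2022, 2, 6, 12, 13, 37, tzinfo=timezone.utc)
ISSUED_AT_MS = int(ISSUED_AT.timestamp() * 1000)


def encode_sct(log_id: bytes, timestamp_ms: int, signature: bytes) -> bytes:
    """Encode one v1 SCT (RFC 6962 s3.2), length-prefixed as it sits in the list."""
    if len(log_id) != 32:
        raise ValueError("log_id must be 32 bytes")
    body = (
        b"\x00"                                    # sct_version: v1
        + log_id
        + struct.pack(">Q", timestamp_ms)          # milliseconds since the epoch
        + b"\x00\x00"                              # extensions: empty
        + b"\x04\x03"                              # SignatureAndHashAlgorithm: sha256, ecdsa
        + struct.pack(">H", len(signature)) + signature
    )
    return struct.pack(">H", len(body)) + body


def encode_sct_list(scts: List[bytes]) -> bytes:
    inner = b"".join(scts)
    return struct.pack(">H", len(inner)) + inner


def parse_sct_list(data: bytes) -> List[Dict]:
    """Parse a SignedCertificateTimestampList into one dict per SCT.
    Every length field is checked so a truncated list raises instead of
    silently yielding garbage."""
    if len(data) < 2:
        raise ValueError("SCT list shorter than its length prefix")
    (total,) = struct.unpack(">H", data[:2])
    if total != len(data) - 2:
        raise ValueError("list length %d != %d payload bytes" % (total, len(data) - 2))
    pos, end, out = 2, 2 + total, []
    while pos < end:
        if end - pos < 2:
            raise ValueError("dangling bytes after last SCT")
        (sct_len,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        sct = data[pos:pos + sct_len]
        pos += sct_len
        if len(sct) != sct_len or sct_len < 47:      # 1+32+8+2+2+2 minimum
            raise ValueError("truncated SCT")
        if sct[0] != 0:
            raise ValueError("unknown SCT version %d" % sct[0])
        (ts_ms,) = struct.unpack(">Q", sct[33:41])
        (ext_len,) = struct.unpack(">H", sct[41:43])
        p = 43 + ext_len
        if len(sct) < p + 4:
            raise ValueError("truncated SCT extensions")
        (sig_len,) = struct.unpack(">H", sct[p + 2:p + 4])
        signature = sct[p + 4:p + 4 + sig_len]
        if len(signature) != sig_len or p + 4 + sig_len != len(sct):
            raise ValueError("SCT signature length mismatch")
        out.append({
            "log_id": sct[1:33].hex(),
            "timestamp": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc),
            "extensions": sct[43:p],
            "hash_alg": sct[p],
            "sig_alg": sct[p + 1],
            "signature": signature,   # not verified here; that needs the log's key
        })
    return out


def is_well_formed(data: bytes) -> bool:
    try:
        parse_sct_list(data)
        return True
    except ValueError:
        return False


# Constructed sample: two SCTs, dummy DER-ish signature bytes.
SAMPLE_SCT_LIST = encode_sct_list([
    encode_sct(FAKE_LOG_ID_A, ISSUED_AT_MS, b"\x30\x06\x02\x01\x01\x02\x01\x02"),
    encode_sct(FAKE_LOG_ID_B, ISSUED_AT_MS + 250, b"\x30\x06\x02\x01\x03\x02\x01\x04"),
])

if __name__ == "__main__":
    for sct in parse_sct_list(SAMPLE_SCT_LIST):
        print(sct["log_id"][:16], sct["timestamp"].isoformat())
```

The timestamps inside the SCTs are when each log accepted the precertificate, which is why they sit a little after the certificate's notBefore and well before the "Log date" Cloudflare reported; the notification is driven by Cloudflare's own monitor reading the public logs, not by anything the certificate itself does.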
I am set to "Full", not "Full (strict)" ... so, that is one difference, though I don't understand the difference between the two.
In Full and Full (strict) modes the communication is encrypted between client and cloudflare through a cloudflare certificate and then between cloudflare and the server with another certificate (which the client does not see).
The difference is that in Full the certificate between cloudflare and server is a self signed certificate, and in Full (strict) the certificate is a valid certificate from a CA.

Side note in case you didn't know: this means that proxied traffic is decrypted at cloudflare and then reencrypted when sent to your server. This is necessary for cloudflare to provide its services.

FWIW, I have the "Cloudflare Origin Certificate" loaded on the NAS, and it is with a CNAME that I connect to my NAS. For example...
NAS1.domain.com
When the NAS login screen appears, the cert is identified as from Let's Encrypt. Within that LE cert, there is a section "Embedded SCTs" in which there is a Cloudflare reference (I'm not sure what any of that means).

The origin certificate that cloudflare offers they issue to your domain but is not a "valid" certificate from a CA. This is a certificate intended for encryption between cloudflare and the server, cloudflare trusts it because they have issued it. I guess this is an option for the Full mode, but I'm not sure as I went directly to Full strict with LE cert.

I'm not entirely sure I understand how you have set this up
  • If you have the cloudflare origin cert in the NAS and access through cloudflare proxy you should see cloudflare's cert on your browser, if you tried to access without the proxy active (grey cloud), you should see a similar warning on the browser as when using a self issued cert as the browser would see the cloudflare origin cert which is not trusted.
  • If you have the LE cert on your nas but also access through cloudflare you should see the same cloudflare cert, not the LE cert (just checked on my domain). But without proxy then you should see the LE cert on your browser -> this is what I use to be able to access from inside the lan with valid certs using an in lan dns server so transition between "on the road" and "at home" is seamless.
I know this is confusing, I'm not a web guy and when I started using all this a year and a half ago I couldn't understand most of it, I've been slowly learning mostly by reading the cloudflare doc, and through trial and error. But I'm definitely NOT an expert and you should take what I say with a healthy amount of salt...
 
Late to this party. I was doing some certificate stuff and reading on Let's Encrypt about their rate limits. Anyway, they say this...
You can get a list of certificates issued for your registered domain by searching on crt.sh, which uses the public Certificate Transparency logs.

I mention it because Certificate Transparency came up earlier. You can search for your domain and it will retrieve logs with it in.

Full text here.


From what it sounds like, Cloudflare have a reverse proxy. When some (all?) domains are resolved on the Internet, Cloudflare will respond with an IP to their r-proxy; a secure connection happens between client and r-proxy; then the r-proxy makes a connection to your [protected] web server, and this can be HTTP or HTTPS (looking at their info) and your server certificate can be self-signed, CF Origin, other CA (e.g. LE?).

This doesn't stop direct access to your web server. If someone tries to access using your real IP, or you have another domain/sub-domain that resolves via another way, then these connections won't use Cloudflare's r-proxy. For these connections the web server's certificate may or may not be setup to be trusted for the requested server name.

Then there's Synology DSM's many web and other services that each have their own certificate assigned in Control Panel. It would be a good idea to check that these are correctly assigned.

I wonder how Cloudflare's proxy features affects a router's ability to do local loopback?
 
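An added example (not from the thread) that ties the two points together: the notification the OP pasted and the crt.sh lookup suggested just above. It pulls the CT log entries for a zone into one record per certificate and answers the questions raised earlier: which issuers show up, whether any of them is unexpected, and whether the logs contain a certificate that outlives the one the local nginx reports (which is exactly the March-versus-May discrepancy in the thread and points at a second ACME client having renewed). The JSON below is constructed sample data in the shape of crt.sh's `?output=json` response, using the field names crt.sh uses; `LOCAL_NOT_AFTER` is a constructed stand-in for the "mid-March" expiry nginx showed, and the "Example Test CA" row exists only to exercise the allowlist check.

```python
import json
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List
from urllib.parse import quote

# Issuers you expect for your zone. Let's Encrypt's R3 (RSA) and E1 (ECDSA)
# intermediates; E1 is the one named in the notification quoted in the thread.
EXPECTED_ISSUERS = {"C=US, O=Let's Encrypt, CN=R3", "C=US, O=Let's Encrypt, CN=E1"}

# Constructed: the expiry the local nginx reported, and the mail's "Log date".
LOCAL_NOT_AFTER = datetime(2022, 3, 15, 9, 0, 0, tzinfo=timezone.utc)
NOTIFICATION_DATE = datetime(2022, 2, 6, 17, 23, 37, tzinfo=timezone.utc)


def crtsh_url(domain: str) -> str:
    """crt.sh query for a domain and all its subdomains, JSON output."""
    return "https://crt.sh/?q=%s&output=json" % quote("%." + domain)


def normalize_dn(dn: str) -> FrozenSet[str]:
    """Compare DNs regardless of RDN order: the Cloudflare mail prints
    'CN=E1,O=Let's Encrypt,C=US', crt.sh prints 'C=US, O=Let's Encrypt, CN=E1'.
    Naive split on ',', fine for CA names, not for values containing commas."""
    return frozenset(part.strip() for part in dn.split(","))


def _utc(s: str) -> datetime:
    return datetime.fromisoformat(s.split(".")[0]).replace(tzinfo=timezone.utc)


def parse_crtsh(json_text: str) -> List[Dict]:
    """One record per certificate. crt.sh lists the precertificate and the final
    certificate as separate rows with the same serial, so dedupe on serial."""
    certs: Dict[str, Dict] = {}
    for row in json.loads(json_text):
        serial = row["serial_number"]
        if serial in certs:
            continue
        certs[serial] = {
            "serial": serial,
            "issuer": row["issuer_name"],
            "names": frozenset(row["name_value"].split("\n")),
            "logged": _utc(row["entry_timestamp"]),
            "not_before": _utc(row["not_before"]),
            "not_after": _utc(row["not_after"]),
        }
    return list(certs.values())


def unexpected_issuers(certs: List[Dict], expected=EXPECTED_ISSUERS) -> List[Dict]:
    """Certificates whose issuer is not on the allowlist; these are the ones the
    'if the data above is surprising to you' sentence in the mail is about."""
    allowed = {normalize_dn(d) for d in expected}
    return [c for c in certs if normalize_dn(c["issuer"]) not in allowed]


def newer_than_local(certs: List[Dict], local_not_after: datetime) -> List[Dict]:
    """Logged certificates that outlive the one your own server shows. A non-empty
    result means something other than that server renewed (second ACME client,
    proxy-manager container, ...)."""
    return [c for c in certs if c["not_after"] > local_not_after]


def valid_at(certs: List[Dict], when: datetime) -> List[Dict]:
    return [c for c in certs if c["not_before"] <= when <= c["not_after"]]


# Constructed sample in the shape of a crt.sh JSON response; not real log data.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_ca_id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "domain.com", "name_value": "domain.com", "id": 5551001,
     "entry_timestamp": "2021-12-15T10:01:00.000", "not_before": "2021-12-15T09:00:00",
     "not_after": "2022-03-15T09:00:00", "serial_number": "03aa11"},
    {"issuer_ca_id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",   # precert row
     "common_name": "domain.com", "name_value": "domain.com", "id": 5551002,
     "entry_timestamp": "2021-12-15T10:00:00.000", "not_before": "2021-12-15T09:00:00",
     "not_after": "2022-03-15T09:00:00", "serial_number": "03aa11"},
    {"issuer_ca_id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=E1",
     "common_name": "domain.com", "name_value": "*.domain.com\ndomain.com", "id": 5552001,
     "entry_timestamp": "2022-02-06T17:23:37.000", "not_before": "2022-02-06T12:13:37",
     "not_after": "2022-05-07T12:13:36", "serial_number": "04bb22"},
    {"issuer_ca_id": 9, "issuer_name": "C=XX, O=Example Corp, CN=Example Test CA",  # constructed
     "common_name": "mail.domain.com", "name_value": "mail.domain.com", "id": 5553001,
     "entry_timestamp": "2022-01-20T08:00:00.000", "not_before": "2022-01-20T07:00:00",
     "not_after": "2022-03-01T07:00:00", "serial_number": "05cc33"},
])

if __name__ == "__main__":
    certs = parse_crtsh(SAMPLE_CRTSH_JSON)
    print("query:", crtsh_url("domain.com"))
    for c in unexpected_issuers(certs):
        print("UNEXPECTED issuer:", c["issuer"], sorted(c["names"]))
    for c in newer_than_local(certs, LOCAL_NOT_AFTER):
        print("renewed elsewhere:", sorted(c["names"]), "until", c["not_after"].isoformat())
```

Two things the sample makes visible: the same certificate appears twice in crt.sh (precertificate plus final certificate), so counting rows overstates issuance, and the "Validity" line in the notification is the certificate's notBefore/notAfter, not the date the log recorded it, which is why it starts a few hours before the "Log date".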
Thanks all. I have some homework here to complete. The "good news" is that Cloudflare seems to be managing my cert, however there is no means to download. So I will have nginx renewal manually run, in case I need a copy.

Fortunately, LE isn't overly restrictive in permitting cert updates. When I set this up initially, I did so without the wildcard, and then a week later, after figuring out that process, I re-requested a cert (with the wildcard added) and all happened without delay.
 