About Let’s Encrypt and Tilda certificates

Background

One recent summer evening I whiled away the time issuing Let's Encrypt (LE) certificates in Kubernetes, and for a long time could not understand why on earth I kept hitting the limit on the number of certificates per week, i.e. 50.

A quick check on https://crt.sh/ showed that many unnecessary certificates had in fact been issued for completely unrelated subdomains, which, to put it mildly, was surprising.

Debriefing

Of course, letters were immediately written to the DNS hoster asking them to audit the work done on the zone through the personal account and the API (in case the key had leaked). No suspicious activity was identified in the response report, which suggested that HTTP-01 verification had been used to issue the certificates. This was also indirectly indicated by the fact that certificates were issued for each subdomain itself and additionally with "www."; no wildcard certificates were issued, and those require the DNS-01 check.

It is important to note that for the original domain, let's call it example.com, a wildcard record is registered in the DNS, `*.example.com IN CNAME example.com`, pointing to the main site hosted on the popular Tilda website builder. And the most interesting thing is that the issuance of strange LE certificates began almost the next day, immediately after changing the hosting IP address to 185.215.4.10, as the control panel strongly recommended.

Half an hour of research with HostHunter, iptodomain, bash and crt.sh also revealed the existence of other sites with wildcard DNS records pointing at 185.215.4.10 for which rather suspicious certificates had been issued. I will not list the domains here; those who are interested can easily check for themselves.
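The crt.sh check described above can be automated. The following script is an added example (not code from the original post or from Tilda); it parses records in the shape of crt.sh's JSON output (`https://crt.sh/?q=%25.example.com&output=json`), flags every SAN that was never meant to get a certificate, and counts how many Let's Encrypt certificates were issued in the last week against the limit of 50. The sample records are constructed, not real CT data.

```python
import json
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the shape of crt.sh's JSON output; the field names
# (issuer_name, name_value, not_before) are crt.sh's, the values are made up.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
     "common_name": "example.com", "name_value": "example.com\nwww.example.com",
     "not_before": "2020-07-01T09:00:00", "not_after": "2020-09-29T09:00:00"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
     "common_name": "shop-7781.example.com",
     "name_value": "shop-7781.example.com\nwww.shop-7781.example.com",
     "not_before": "2020-07-02T11:30:00", "not_after": "2020-09-30T11:30:00"},
    {"id": 3, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
     "common_name": "promo.example.com", "name_value": "promo.example.com",
     "not_before": "2020-07-03T08:15:00", "not_after": "2020-10-01T08:15:00"},
])

LE_WEEKLY_LIMIT = 50  # certificates per registered domain per week


def audit_ct_entries(raw_json, expected_names, now_iso, window_days=7):
    """Return (unexpected, recent_count).

    unexpected: Counter of SANs not in the allowlist, with how many
                certificates carried each name.
    recent_count: number of Let's Encrypt certificates whose not_before
                  falls within the last window_days before now_iso.
    """
    expected = {n.lower() for n in expected_names}
    now = datetime.fromisoformat(now_iso)
    cutoff = now - timedelta(days=window_days)
    unexpected = Counter()
    recent = 0
    for entry in json.loads(raw_json):
        if "Let's Encrypt" not in entry["issuer_name"]:
            continue  # only the CA whose per-domain rate limit is being used up
        if datetime.fromisoformat(entry["not_before"]) >= cutoff:
            recent += 1
        # name_value holds all SANs of the certificate, one per line
        for name in entry["name_value"].lower().splitlines():
            if name not in expected:
                unexpected[name] += 1
    return unexpected, recent


def quota_exhausted(recent, limit=LE_WEEKLY_LIMIT):
    """True when the week's issuance already reached the LE limit."""
    return recent >= limit
```

Run it against the real crt.sh output for your domain and an allowlist of the names you actually deploy; every flagged name is a certificate somebody else obtained for your subdomain.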

Tilda

Unfortunately, my three-day correspondence with Tilda support and my attempts to escalate the issue to the next level were unsuccessful, and when I asked them to check for suspicious software behind the IP address 185.215.4.10, the clear answer was: "No malware."

I will not question the competence of the support service, but I got the impression that all my attempts to explain a possible scenario for issuing an LE certificate via the HTTP-01 check, when a wildcard DNS entry points at 185.215.4.10, were ignored, to say the least.

I am not a big expert in computer security, so I don't see very big risks in a bunch of "stray" LE certificates being issued for subdomains, but there is still the unpleasant aftertaste of a week during which it was impossible to issue the certificate I needed.

Conclusion

It is clear that a wildcard DNS entry pointing at third-party hosting is in itself a pretty attractive way to cheat with LE certificates, but if you have one and it leads to Tilda (185.215.4.10), then I recommend one of the options:

  1. Delete it

  2. Change A-records to previous Tilda IPs

PS By the way, right after returning to the previous IP of Tilda hosting, the issuance of such certificates stopped.
