Score:13

Why does my Let's Encrypt certificate contain references to Cloudflare?


I own a website that uses a Let's Encrypt certificate. It's not behind Cloudflare, it's hosted at OVH and I'm accepting direct traffic from it.

Now, I set up an apache2 webserver and used certbot to automatically generate a certificate. The problem here is that when I look at the certificate information on Firefox, I can see at the bottom of the page that it contains references to "Cloudflare Nimbus2023", despite my not using their services.

The picture attached below is what it shows... Image here (for some reason it won't let me attach pictures)

Can anyone explain to me what this is? What is Cloudflare accessing here??

djdomi:
In this position it will not be easy to verify, without the full picture, what you mean. Moreover, if it's a private site then the whole question would be off-topic, since home and end-user questions should be asked on superuser.com.
lolc:
@djdomi well, if you're on Firefox, you can literally just check serverfault.com's certificate and scroll to the bottom once you've clicked on "View Certificate". And sure enough, you will see a reference to Cloudflare at the bottom. Odd.
lolc:
My goal here would be to generate a certificate that doesn't contain references to Cloudflare. So I DO think this post belongs on ServerFault.
vidarlo:
@lolc Why is the reference to CF important?
lolc:
@vidarlo because Cloudflare is a MITM. https://web.archive.org/web/20220403064007/https://git.redxen.eu/dCF/deCloudflare/src/branch/master/README.md
vidarlo:
Uhm, if you use CF as a proxy they are by *design* in the middle. But they are ***not*** malicious. Whoever uses their service *wants* them to be in the middle. However, using their CT Log ***does not*** enable them to MITM your traffic or decrypt it!
Score:22

Nimbus2023 is a certificate transparency log, hosted by Cloudflare. Basically CAB requires that all issued certificates are listed in transparency logs - and CF operates one such log. SCT is a Signed Certificate Timestamp - basically Cloudflare signs that they've seen your certificate at a particular point in time. This makes validation easier, and basically forms a promise from the log operator to include the certificate in the log within 24 hours.

The existence of SCTs keeps such log operators honest - they can't cheat, because they have publicly acknowledged being aware of the certificate, and promised to include it. It also reduces privacy concerns, as the browser won't have to look up the certificate in a CT log.

This is nothing to worry about. It's a property of how LE issues certificates. The key material never leaves your computer, so CF (nor LE) can't decrypt your traffic.

If you don't want your certificates to appear in CT logs, the best bet is not to use certificates. The better approach is to trust the guys running the CA/Browser Forum, and Let's Encrypt. They have a solid grasp of how TLS works and how to keep it secure.
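The embedded SCT list the answer describes, as an added example that is not from this thread: a Python decoder for the SignedCertificateTimestampList structure (RFC 6962) that certificates carry in the X.509 extension with OID 1.3.6.1.4.1.11129.2.4.2, which is what Firefox renders as the "Cloudflare Nimbus2023" entry. The sample list, log ids and signatures below are constructed dummies; the code decodes the fields but does not verify the signatures, and naming a real log's operator requires matching the decoded log_id against a published CT log list.

```python
import struct
from datetime import datetime, timezone

# X.509 extension OID that carries embedded SCTs (RFC 6962, section 3.3).
SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"

def parse_sct(sct: bytes) -> dict:
    """Decode one serialized SCT (RFC 6962, section 3.2). log_id is the SHA-256
    of the log's public key; look it up in a CT log list to name the operator."""
    if len(sct) < 43 or sct[0] != 0:
        raise ValueError("short SCT or unsupported version")
    log_id = sct[1:33]
    (timestamp_ms,) = struct.unpack(">Q", sct[33:41])
    (ext_len,) = struct.unpack(">H", sct[41:43])
    p = 43 + ext_len                      # extensions (normally empty) end here
    if p + 4 > len(sct):
        raise ValueError("truncated SCT")
    hash_alg, sig_alg = sct[p], sct[p + 1]
    (sig_len,) = struct.unpack(">H", sct[p + 2:p + 4])
    signature = sct[p + 4:p + 4 + sig_len]
    if len(sct) != p + 4 + sig_len:
        raise ValueError("truncated or trailing SCT bytes")
    return {"log_id": log_id.hex(),
            "timestamp": datetime.fromtimestamp(timestamp_ms / 1000, tz=timezone.utc),
            "hash_alg": hash_alg, "sig_alg": sig_alg, "signature": signature}

def parse_sct_list(data: bytes) -> list:
    """Decode a SignedCertificateTimestampList: 2-byte total length, then
    repeated (2-byte length, SCT) items."""
    (total,) = struct.unpack(">H", data[:2])
    body = data[2:2 + total]
    if len(body) != total:
        raise ValueError("truncated SCT list")
    scts, pos = [], 0
    while pos < len(body):
        (n,) = struct.unpack(">H", body[pos:pos + 2])
        scts.append(parse_sct(body[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return scts

def build_sct(log_id: bytes, timestamp_ms: int, signature: bytes) -> bytes:
    """Encode a v1 SCT with no extensions, SHA-256 (4) + ECDSA (3) per RFC 5246."""
    return (b"\x00" + log_id + struct.pack(">QH", timestamp_ms, 0)
            + b"\x04\x03" + struct.pack(">H", len(signature)) + signature)

# Constructed sample list of two SCTs; log ids and signatures are dummy bytes.
_items = [build_sct(bytes([0xAA] * 32), 1_700_000_000_000, b"\x30\x06\x02\x01\x01\x02\x01\x02"),
          build_sct(bytes([0xBB] * 32), 1_700_000_001_000, b"\x30\x06\x02\x01\x03\x02\x01\x04")]
_body = b"".join(struct.pack(">H", len(s)) + s for s in _items)
SAMPLE_LIST = struct.pack(">H", len(_body)) + _body
```

Feed it the OCTET STRING contents of that extension from a real certificate and each decoded timestamp is the moment the named log saw the pre-certificate, which is all the log ever receives.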

lolc:
Thank you so much for the answer. Is there a way to specify an alternative SCT? Or should I ask: is there a list of them out there?
vidarlo:
I'm at least aware of Digicert...
lolc:
Thank you.
RonJohn:
"so CF (nor LE) can decrypt your traffic". Can or can**not**?
vidarlo:
@RonJohn Nice catch. Can't.
@lolc https://certificate.transparency.dev/logs/ has a list of logs. I doubt that the user can choose though.
Patrick Mevzek:
Apple's own list used for Safari references far more logs: https://valid.apple.com/ct/log_list/current_log_list.json
Patrick Mevzek:
@lolc "Is there a way to specify an alternative SCT?". Why? Also, this is only under the control of the CA issuing the certificate: it decides to which logs it sends the pre-certificate and from which it gets back an SCT to embed in the final certificate, or to use during the TLS handshake or in OCSP.