Unrecognised LetsEncrypt ACME certificate issuance

I noticed a number of certificates issued in the caddy/certificates/acme-v02.api.letsencrypt.org-directory/ that I do not recognise.

Is that an indication the installation has been compromised?

How could these certificates be issued?

Just answered my own question.

The default docker-compose config for Caddy responds to any URL that hits the server. It will go through the process of issuing a certificate.

So if you have a wildcard DNS configured, any time a request to any URL under any subdomain comes through, a new certificate will get issued.

If you’re using LetsEncrypt, that’ll very quickly hit a rate limit and block your root domain from getting any more certificates.

Not sure if it helps but maybe tighten up the default Caddy config to only serve EXTERNAL_URL specified in .env.