I own a website that uses a Let's Encrypt certificate. It's not behind Cloudflare; it's hosted at OVH and I'm accepting direct traffic from it.
Now, I set up an apache2 webserver and used certbot to automatically generate a certificate. The problem here is that when I look at the certificate information on Firefox, I can see at the bottom of the page that it contains references to "Cloudflare Nimbus2023", despite my not using their services.
The picture attached below is what it shows... (for some reason it won't let me attach pictures)
Can anyone explain to me what this is? What is Cloudflare accessing here??
Nimbus2023 is a certificate transparency log, hosted by Cloudflare. Basically CAB requires that all issued certificates are listed in transparency logs - and CF operates one such. SCT is a Signed Certificate Timestamp - basically Cloudflare signs that they've seen your certificate at a particular point in time. This makes validation easier, and basically forms a promise from the log operator to include the certificate in the log, within 24 hours.
The existence of SCTs keeps such log operators honest - they can't cheat, because they have publicly acknowledged being aware of the certificate, and promised to include it. It also reduces privacy concerns, as the browser won't have to look up the certificate in a CT log.
This is nothing to worry about. It's a property of how LE issues certificates. The key material never leaves your computer, so neither CF nor LE can decrypt your traffic.
If you don't want your certificates to appear in CT logs, the best bet is not to use certificates. The better approach is to trust the guys running CA/Browser Forum, and Let's Encrypt. They have a solid grasp of how TLS works and how to keep it secure.
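To see what an SCT actually carries, here is an added example (not part of the original posts) that parses the RFC 6962 SCT list a certificate embeds in its extension 1.3.6.1.4.1.11129.2.4.2, after the DER OCTET STRING wrappers are removed. The log key, log name and sample bytes are constructed for illustration; a real check would look the log ID up in a browser's published log list.

```python
import hashlib
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
MMD = timedelta(hours=24)  # inclusion window mentioned in the answer above

# Constructed stand-in for a CT log's public key; a log ID is its SHA-256 hash.
SAMPLE_LOG_KEY = b"constructed log public key (not a real log)"
KNOWN_LOGS = {hashlib.sha256(SAMPLE_LOG_KEY).digest(): "example-log (constructed)"}

def parse_sct_list(data: bytes) -> list[dict]:
    """Parse a TLS-encoded SignedCertificateTimestampList (RFC 6962, 3.3)."""
    if len(data) < 2 or struct.unpack_from(">H", data)[0] != len(data) - 2:
        raise ValueError("SCT list length mismatch")
    scts, pos = [], 2
    while pos < len(data):
        (sct_len,) = struct.unpack_from(">H", data, pos)
        sct = data[pos + 2 : pos + 2 + sct_len]
        pos += 2 + sct_len
        if len(sct) != sct_len or sct_len < 47:
            raise ValueError("truncated SCT")
        # version(1) | log_id(32) | timestamp in ms(8) | extensions length(2)
        version, log_id, ts_ms, ext_len = struct.unpack_from(">B32sQH", sct)
        off = 43 + ext_len
        # hash algorithm(1) | signature algorithm(1) | signature length(2)
        hash_alg, sig_alg, sig_len = struct.unpack_from(">BBH", sct, off)
        if off + 4 + sig_len != sct_len:
            raise ValueError("SCT signature length mismatch")
        seen = EPOCH + timedelta(milliseconds=ts_ms)
        scts.append({
            "version": version,  # 0 means v1
            "log": KNOWN_LOGS.get(log_id, "unknown log " + log_id.hex()[:16]),
            "seen": seen,                     # when the log saw the certificate
            "must_be_logged_by": seen + MMD,  # the log's signed promise
            "signature_len": sig_len,         # log's signature, not your key
        })
    return scts

def build_sample() -> bytes:
    """Constructed one-entry SCT list with a dummy signature."""
    ts = int(datetime(2023, 3, 1, 12, 0, tzinfo=timezone.utc).timestamp() * 1000)
    sig = bytes(8)
    sct = struct.pack(">B32sQH", 0, hashlib.sha256(SAMPLE_LOG_KEY).digest(), ts, 0)
    sct += struct.pack(">BBH", 4, 3, len(sig)) + sig  # 4 = SHA-256, 3 = ECDSA
    inner = struct.pack(">H", len(sct)) + sct
    return struct.pack(">H", len(inner)) + inner

if __name__ == "__main__":
    for entry in parse_sct_list(build_sample()):
        print(entry)
```

Every field is something the log operator produced about the certificate: an identifier for the log, a timestamp and the log's own signature.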