Bug #12670
openACME package writes credentials to system log
Description
The acme renewal cron currently dumps the config into the system log:
<13>1 2022-01-09T03:57:32.299169+01:00 fw01.xxx.lan ACME 93105 - - ## Its time to renew ##
<13>1 2022-01-09T03:57:32.299183+01:00 fw01.xxx.lan ACME 93105 - - Renewing certificate
<13>1 2022-01-09T03:57:32.299198+01:00 fw01.xxx.lan ACME 93105 - - account: xxx
<13>1 2022-01-09T03:57:32.299212+01:00 fw01.xxx.lan ACME 93105 - - server: letsencrypt-production-2
<13>1 2022-01-09T03:57:32.300864+01:00 fw01.xxx.lan ACME 93105 - -
<13>1 2022-01-09T03:57:32.300896+01:00 fw01.xxx.lan ACME 93105 - - /usr/local/pkg/acme/acme.sh --issue --domain '*.infra.xxx.co.at' --dns 'dns_inwx' --home '/tmp/acme/infra.xxx.co.at/' --accountconf '/tmp/acme/infra.xxx.co.at/accountconf.conf' --force --reloadCmd '/tmp/acme/infra.xxx.co.at/reloadcmd.sh' --log-level 3 --log '/tmp/acme/infra.xxx.co.at/acme_issuecert.log'
<13>1 2022-01-09T03:57:32.300916+01:00 fw01.xxx.lan ACME 93105 - - Array
<13>1 2022-01-09T03:57:32.300931+01:00 fw01.xxx.lan ACME 93105 - - (
<13>1 2022-01-09T03:57:32.300945+01:00 fw01.xxx.lan ACME 93105 - - [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
<13>1 2022-01-09T03:57:32.300958+01:00 fw01.xxx.lan ACME 93105 - - [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
<13>1 2022-01-09T03:57:32.300972+01:00 fw01.xxx.lan ACME 93105 - - [INWX_User] => XXX
<13>1 2022-01-09T03:57:32.300985+01:00 fw01.xxx.lan ACME 93105 - - [INWX_Password] => YYY
<13>1 2022-01-09T03:57:32.300999+01:00 fw01.xxx.lan ACME 93105 - - [INWX_Shared_Secret] =>
<13>1 2022-01-09T03:57:32.301013+01:00 fw01.xxx.lan ACME 93105 - - )
<13>1 2022-01-09T03:57:38.616297+01:00 fw01.xxx.lan ACME 93105 - - [Sun Jan 9 03:57:33 CET 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
IMO this array shouldn't be spit out, as it leaks information.
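Two things a defender wants from a report like this: a check that tells whether credentials already reached the log, and a demonstration of what the package should do before logging its config. The following is an added example, written in Python rather than the package's own PHP and not part of the pfSense ACME code; the sample records are constructed from the masked syslog lines in the report, and the list of secret-looking key names, the function names and the RFC 5424 parsing are assumptions of this example.

```python
import re

# Constructed sample: the print_r() dump from the report, RFC 5424 framed,
# with the reporter's masked values (XXX / YYY) left as they were posted.
SAMPLE_SYSLOG = """\
<13>1 2022-01-09T03:57:32.300916+01:00 fw01.xxx.lan ACME 93105 - - Array
<13>1 2022-01-09T03:57:32.300931+01:00 fw01.xxx.lan ACME 93105 - - (
<13>1 2022-01-09T03:57:32.300945+01:00 fw01.xxx.lan ACME 93105 - - [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
<13>1 2022-01-09T03:57:32.300972+01:00 fw01.xxx.lan ACME 93105 - - [INWX_User] => XXX
<13>1 2022-01-09T03:57:32.300985+01:00 fw01.xxx.lan ACME 93105 - - [INWX_Password] => YYY
<13>1 2022-01-09T03:57:32.300999+01:00 fw01.xxx.lan ACME 93105 - - [INWX_Shared_Secret] =>
<13>1 2022-01-09T03:57:32.301013+01:00 fw01.xxx.lan ACME 93105 - - )
"""

# Key names that must never be logged in clear text. Case-insensitive substring
# match; this list is an assumption of the example, not taken from the package.
SECRET_KEY_PATTERN = re.compile(r"(pass(word)?|secret|token|api_?key|private_?key)", re.I)

# RFC 5424 header: PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<pid>\S+) (?P<msgid>\S+) (?P<sd>\S+) ?(?P<msg>.*)$"
)

# One entry of a print_r() array dump: "[KEY] => value"
PRINT_R_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*=>\s?(?P<value>.*)$")


def redact_config(config: dict) -> dict:
    """Return a copy of a config/environment mapping with secret-bearing values
    masked, which is what a debug dump should go through before any syslog call."""
    out = {}
    for key, value in config.items():
        if SECRET_KEY_PATTERN.search(key):
            out[key] = "***" if value else ""  # keep empty values visibly empty
        else:
            out[key] = value
    return out


def find_leaked_keys(syslog_text: str, app: str = "ACME") -> list:
    """Scan RFC 5424 records emitted by `app` for print_r-style entries whose key
    looks secret and whose value is non-empty. Returns (timestamp, key) tuples."""
    hits = []
    for line in syslog_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or m.group("app") != app:
            continue
        entry = PRINT_R_RE.match(m.group("msg").strip())
        if not entry:
            continue
        if SECRET_KEY_PATTERN.search(entry.group("key")) and entry.group("value").strip():
            hits.append((m.group("ts"), entry.group("key")))
    return hits


if __name__ == "__main__":
    for ts, key in find_leaked_keys(SAMPLE_SYSLOG):
        print(f"{ts}: credential key {key!r} written to syslog")
    # What the cron job should have logged instead (constructed config values):
    print(redact_config({"PATH": "/bin", "INWX_User": "XXX",
                         "INWX_Password": "YYY", "INWX_Shared_Secret": ""}))
```

Run against the sample, the scan reports only the INWX_Password record: the INWX_Shared_Secret entry has an empty value and INWX_User is not treated as a secret. The same scan can be pointed at a real /var/log/system.log export to confirm whether a rotation of the DNS API credentials is needed after this bug fires. Note that acme.sh itself can also write its environment at high log levels into the --log file shown in the report, so the log file path named there deserves the same check.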
Updated by Florian Apolloner over 3 years ago
It is probably due to https://github.com/pfsense/FreeBSD-ports/blob/94457075a991331b9c0bcee44ea7d4fd9427ab36/security/pfSense-pkg-acme/files/usr/local/pkg/acme/acme_sh.inc#L89-L91 -- but I do not see how debug could be turned off via the Web-UI
Updated by Viktor Gurov over 3 years ago
WebGUI debug option:
https://gitlab.netgate.com/pfSense/FreeBSD-ports/-/merge_requests/169
Updated by Jim Pingle over 3 years ago
- Status changed from New to Pull Request Review
- Assignee set to Viktor Gurov
Updated by Viktor Gurov over 3 years ago
- Status changed from Pull Request Review to Feedback
Updated by Danilo Zrenjanin about 3 years ago
- Status changed from Feedback to Resolved
Tested against:
2.6.0-RC (amd64) built on Mon Jan 24 18:44:12 UTC 2022 FreeBSD 12.3-STABLE
It looks fine now. Only two rows in the system log upon a cert renewal:
Feb 12 07:52:52 php-fpm 353 Acme, renewing certificate: pfTest2
Feb 12 07:52:58 php 56347 Acme, storing new certificate: pfTest2
I am marking this ticket resolved.
Updated by Jim Pingle about 3 years ago
- Status changed from Resolved to New
The debug option added broke several things. It broke the ability to create account keys, and it is breaking new ACME certificates. See #12912 for some details.
I'm backing out the changes made here; we can try to find a better way to handle this.
Updated by Jim Pingle about 3 years ago
If we try this again as a debug option we must test this better, at a minimum:
- Creating a new account key should have the key present and should not have any log messages included before the key.
- Creating a new certificate must fully succeed in the GUI without debug enabled (See #12912)
- Renewing an existing certificate must fully succeed in the GUI without debug enabled