Project

General

Profile

Actions

Bug #12670

open

ACME package writes credentials to system log

Added by Florian Apolloner 4 months ago. Updated 3 months ago.

Status:
New
Priority:
Normal
Assignee:
Category:
ACME
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
All
Affected Plus Version:
Affected Architecture:

Description

The acme renewal cron currently dumps the config into the system log:

<13>1 2022-01-09T03:57:32.299169+01:00 fw01.xxx.lan ACME 93105 - - ## Its time to renew ##
<13>1 2022-01-09T03:57:32.299183+01:00 fw01.xxx.lan ACME 93105 - - Renewing certificate 
<13>1 2022-01-09T03:57:32.299198+01:00 fw01.xxx.lan ACME 93105 - - account: xxx 
<13>1 2022-01-09T03:57:32.299212+01:00 fw01.xxx.lan ACME 93105 - - server: letsencrypt-production-2 
<13>1 2022-01-09T03:57:32.300864+01:00 fw01.xxx.lan ACME 93105 - - 
<13>1 2022-01-09T03:57:32.300896+01:00 fw01.xxx.lan ACME 93105 - - /usr/local/pkg/acme/acme.sh  --issue  --domain '*.infra.xxx.co.at' --dns 'dns_inwx'  --home '/tmp/acme/infra.xxx.co.at/' --accountconf '/tmp/acme/infra.xxx.co.at/accountconf.conf' --force --reloadCmd '/tmp/acme/infra.xxx.co.at/reloadcmd.sh' --log-level 3 --log '/tmp/acme/infra.xxx.co.at/acme_issuecert.log'
<13>1 2022-01-09T03:57:32.300916+01:00 fw01.xxx.lan ACME 93105 - - Array
<13>1 2022-01-09T03:57:32.300931+01:00 fw01.xxx.lan ACME 93105 - - (
<13>1 2022-01-09T03:57:32.300945+01:00 fw01.xxx.lan ACME 93105 - -     [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
<13>1 2022-01-09T03:57:32.300958+01:00 fw01.xxx.lan ACME 93105 - -     [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
<13>1 2022-01-09T03:57:32.300972+01:00 fw01.xxx.lan ACME 93105 - -     [INWX_User] => XXX
<13>1 2022-01-09T03:57:32.300985+01:00 fw01.xxx.lan ACME 93105 - -     [INWX_Password] => YYY
<13>1 2022-01-09T03:57:32.300999+01:00 fw01.xxx.lan ACME 93105 - -     [INWX_Shared_Secret] => 
<13>1 2022-01-09T03:57:32.301013+01:00 fw01.xxx.lan ACME 93105 - - )
<13>1 2022-01-09T03:57:38.616297+01:00 fw01.xxx.lan ACME 93105 - - [Sun Jan  9 03:57:33 CET 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory

Imo this array shouldn't be spit out as it leaks information.

Actions #3

Updated by Jim Pingle 4 months ago

  • Status changed from New to Pull Request Review
  • Assignee set to Viktor Gurov
Actions #4

Updated by Viktor Gurov 4 months ago

  • Status changed from Pull Request Review to Feedback
Actions #5

Updated by Danilo Zrenjanin 3 months ago

  • Status changed from Feedback to Resolved

Tested against:

2.6.0-RC (amd64)
built on Mon Jan 24 18:44:12 UTC 2022
FreeBSD 12.3-STABLE 

It looks fine now. Only two rows in the system log upon a cert renewal

Feb 12 07:52:52     php-fpm     353     Acme, renewing certificate: pfTest2
Feb 12 07:52:58     php     56347     Acme, storing new certificate: pfTest2 

I am marking this ticket resolved.

Actions #6

Updated by Jim Pingle 3 months ago

  • Status changed from Resolved to New

The debug option added broke several things. It broke the ability to create account keys, and it is breaking new ACME certificates. See #12912 for some details.

I'm backing out the changes made here, we can try to find a better way to handle this.

Actions #7

Updated by Jim Pingle 3 months ago

If we try this again as a debug option we must test this better, at a minimum:

  • Creating a new account key should have the key present and should not have any log messages included before the key.
  • Creating a new certificate must fully succeed in the GUI without debug enabled (See #12912)
  • Renewing an existing certificate must fully succeed in the GUI without debug enabled
Actions

Also available in: Atom PDF