acmesh-official / acme.sh

A pure Unix shell script implementing ACME client protocol
https://acme.sh
GNU General Public License v3.0

Looks like it is not checked if LE_WORKING_DIR is NOT set... #4993

Closed RoyBellingan closed 8 months ago

RoyBellingan commented 8 months ago

While calling acme inside another process, if the ENV is not forwarded from the parent to the child, acme fails with something like

/home/user/.acme.sh/acme.sh: line 2312: /.acme.sh/site_ecc/site.it.conf: Permission denied

de facto trying, involuntarily, to write inside the root file system!

This is NOT enough

/usr/bin/printenv
LE_WORKING_DIR=/home/diter/.acme.sh
_=/usr/bin/printenv

This is what is needed (i.e. LE_WORKING_DIR is irrelevant)

/usr/bin/printenv
HOME=/home/diter
_=/usr/bin/printenv

So I suggest something like

if [ -z "$HOME" ]; then
    echo "The HOME variable is missing and is critical to be set."
fi

Around line https://github.com/acmesh-official/acme.sh/blob/master/acme.sh#L11

Should be enough?
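The failure described in this report is a fail-open default: with HOME unset, the script's working directory silently degrades to "/.acme.sh" and every later write lands under the filesystem root. The following function is an added example, not code from acme.sh, showing a fail-closed version of that resolution. The function name `resolve_working_dir`, the precedence order (an explicit home argument, then LE_WORKING_DIR, then HOME) and the refusal of single-component paths directly under "/" are all assumptions made for this example; they are modelled on the thread, not taken from the project's source.

```shell
#!/bin/sh
# Added example (not acme.sh's own code): resolve a working directory from
# an explicit home argument, LE_WORKING_DIR, or HOME, in that order, and
# refuse to run instead of silently falling back to "/.acme.sh".
#
# resolve_working_dir [explicit_home]
#   Prints the chosen directory on stdout and returns 0.
#   Returns 1 with a diagnostic on stderr when no usable source exists
#   or when the candidate looks like an accidental root-level path.
resolve_working_dir() {
  _explicit="$1"
  if [ -n "$_explicit" ]; then
    _dir="$_explicit"
  elif [ -n "$LE_WORKING_DIR" ]; then
    _dir="$LE_WORKING_DIR"
  elif [ -n "$HOME" ]; then
    _dir="$HOME/.acme.sh"
  else
    echo "error: none of --home, LE_WORKING_DIR or HOME is set; refusing to guess a working directory" >&2
    return 1
  fi

  # Heuristic (assumption for this example): accept only absolute paths with
  # at least two components. A relative path or a single component directly
  # under "/" (for instance "/.acme.sh", exactly what an empty HOME produces)
  # is almost certainly not what the operator meant.
  case "$_dir" in
    /*/*) ;;
    *)
      echo "error: working directory '$_dir' is not an absolute path below a top-level directory" >&2
      return 1
      ;;
  esac

  printf '%s\n' "$_dir"
}

# Reproduces the scenario from the report: a child process started with a
# scrubbed environment. Prints whether the guard refused, as intended.
demo_clean_env() {
  if ( unset HOME LE_WORKING_DIR; resolve_working_dir >/dev/null 2>&1 ); then
    echo "unexpected: a working directory was chosen with no HOME and no LE_WORKING_DIR"
    return 1
  fi
  echo "refused as intended: no HOME and no LE_WORKING_DIR"
  return 0
}
```

Call `resolve_working_dir` early, before any file is touched, and treat a non-zero return as fatal; `demo_clean_env` mirrors the `printenv` output above by clearing both variables in a subshell. The two-component rule is deliberately coarse: it exists to catch the empty-HOME case, and an operator who really wants a top-level directory can still pass it explicitly once the check is adjusted to their policy.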

github-actions[bot] commented 8 months ago

Please upgrade to the latest code and try again first. Maybe it's already fixed.

acme.sh --upgrade

If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.

RoyBellingan commented 8 months ago

This is the result with a CLEAN ENVIRONMENT (I tried to pass only LE_WORKING_DIR but it is not enough)

[Fri Feb  9 06:37:16 UTC 2024] _selectServer try snames='zerossl.com,zerossl'
[Fri Feb  9 06:37:16 UTC 2024] _selectServer try snames='letsencrypt.org,letsencrypt'
[Fri Feb  9 06:37:17 UTC 2024] _selectServer try snames='letsencrypt.org_test,letsencrypt_test,letsencrypttest'
[Fri Feb  9 06:37:17 UTC 2024] _selectServer try snames='buypass.com,buypass'
[Fri Feb  9 06:37:17 UTC 2024] _selectServer try snames='buypass.com_test,buypass_test,buypasstest'
[Fri Feb  9 06:37:17 UTC 2024] _selectServer try snames='ssl.com,sslcom'
[Fri Feb  9 06:37:17 UTC 2024] _selectServer try snames='google.com,google'
[Fri Feb  9 06:37:17 UTC 2024] _selectServer try snames='google.com_test,googletest,google_test'
[Fri Feb  9 06:37:17 UTC 2024] Lets find script dir.
[Fri Feb  9 06:37:17 UTC 2024] _SCRIPT_='/home/diter/.acme.sh/acme.sh'
[Fri Feb  9 06:37:17 UTC 2024] _script='/home/diter/.acme.sh/acme.sh'
[Fri Feb  9 06:37:17 UTC 2024] _script_home='/home/diter/.acme.sh'
[Fri Feb  9 06:37:17 UTC 2024] Using default home:/.acme.sh
[Fri Feb  9 06:37:17 UTC 2024] Using config home:/.acme.sh
[Fri Feb  9 06:37:17 UTC 2024] LE_WORKING_DIR='/.acme.sh'
https://github.com/acmesh-official/acme.sh
v3.0.8
[Fri Feb  9 06:37:17 UTC 2024] Using server: https://acme-v02.api.letsencrypt.org/directory
[Fri Feb  9 06:37:17 UTC 2024] Running cmd: issue
[Fri Feb  9 06:37:17 UTC 2024] _main_domain='mailserver.simonacanni.it'
[Fri Feb  9 06:37:17 UTC 2024] _alt_domains='www.mailserver.simonacanni.it'
[Fri Feb  9 06:37:17 UTC 2024] Using config home:/.acme.sh
[Fri Feb  9 06:37:17 UTC 2024] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Fri Feb  9 06:37:17 UTC 2024] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Fri Feb  9 06:37:17 UTC 2024] _ACME_SERVER_PATH='directory'
[Fri Feb  9 06:37:17 UTC 2024] DOMAIN_PATH='/.acme.sh/mailserver.simonacanni.it_ecc'
[Fri Feb  9 06:37:17 UTC 2024] '/srv/www/letssl/' does not contain 'dns'
[Fri Feb  9 06:37:17 UTC 2024] Le_NextRenewTime
[Fri Feb  9 06:37:17 UTC 2024] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
[Fri Feb  9 06:37:17 UTC 2024] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Fri Feb  9 06:37:17 UTC 2024] GET
[Fri Feb  9 06:37:17 UTC 2024] url='https://acme-v02.api.letsencrypt.org/directory'
[Fri Feb  9 06:37:17 UTC 2024] timeout=
touch: cannot touch '/.acme.sh/http.header': Permission denied
[Fri Feb  9 06:37:17 UTC 2024] HTTP_HEADER='/tmp/tmp.t9ItG7Wj9b'
[Fri Feb  9 06:37:17 UTC 2024] _CURL='curl --silent --dump-header /tmp/tmp.t9ItG7Wj9b  -L  --trace-ascii /tmp/tmp.wsVUBV9Qtc  -g '
[Fri Feb  9 06:37:17 UTC 2024] ret='0'
[Fri Feb  9 06:37:17 UTC 2024] response='{
  "1bJAIF6mLOc": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-02/renewalInfo/",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}'
[Fri Feb  9 06:37:17 UTC 2024] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
[Fri Feb  9 06:37:17 UTC 2024] ACME_NEW_AUTHZ
[Fri Feb  9 06:37:17 UTC 2024] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Fri Feb  9 06:37:17 UTC 2024] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Fri Feb  9 06:37:17 UTC 2024] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
[Fri Feb  9 06:37:17 UTC 2024] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf'
[Fri Feb  9 06:37:17 UTC 2024] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
/home/diter/.acme.sh/acme.sh: line 2312: /.acme.sh/mailserver.simonacanni.it_ecc/mailserver.simonacanni.it.conf: Permission denied
/home/diter/.acme.sh/acme.sh: line 2312: /.acme.sh/mailserver.simonacanni.it_ecc/mailserver.simonacanni.it.conf: Permission denied
/home/diter/.acme.sh/acme.sh: line 2312: /.acme.sh/mailserver.simonacanni.it_ecc/mailserver.simonacanni.it.conf: Permission denied
/home/diter/.acme.sh/acme.sh: line 2312: /.acme.sh/mailserver.simonacanni.it_ecc/mailserver.simonacanni.it.conf: Permission denied
/home/diter/.acme.sh/acme.sh: line 2312: /.acme.sh/mailserver.simonacanni.it_ecc/mailserver.simonacanni.it.conf: Permission denied
/home/diter/.acme.sh/acme.sh: line 2312: /.acme.sh/mailserver.simonacanni.it_ecc/mailserver.simonacanni.it.conf: Permission denied
/home/diter/.acme.sh/acme.sh: line 2354: /.acme.sh/mailserver.simonacanni.it_ecc/mailserver.simonacanni.it.conf: Permission denied
/home/diter/.acme.sh/acme.sh: line 2354: /.acme.sh/mailserver.simonacanni.it_ecc/mailserver.simonacanni.it.conf: Permission denied
/home/diter/.acme.sh/acme.sh: line 2354: /.acme.sh/mailserver.simonacanni.it_ecc/mailserver.simonacanni.it.conf: Permission denied
/home/diter/.acme.sh/acme.sh: line 2312: /.acme.sh/mailserver.simonacanni.it_ecc/mailserver.simonacanni.it.conf: Permission denied
[Fri Feb  9 06:37:17 UTC 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Fri Feb  9 06:37:17 UTC 2024] _on_before_issue
[Fri Feb  9 06:37:17 UTC 2024] _chk_main_domain='mailserver.simonacanni.it'
[Fri Feb  9 06:37:17 UTC 2024] _chk_alt_domains='www.mailserver.simonacanni.it'
[Fri Feb  9 06:37:17 UTC 2024] '/srv/www/letssl/' does not contain 'no'
[Fri Feb  9 06:37:17 UTC 2024] Le_LocalAddress
[Fri Feb  9 06:37:17 UTC 2024] d='mailserver.simonacanni.it'
[Fri Feb  9 06:37:17 UTC 2024] Check for domain='mailserver.simonacanni.it'
[Fri Feb  9 06:37:17 UTC 2024] _currentRoot='/srv/www/letssl/'
[Fri Feb  9 06:37:17 UTC 2024] d='www.mailserver.simonacanni.it'
[Fri Feb  9 06:37:17 UTC 2024] Check for domain='www.mailserver.simonacanni.it'
[Fri Feb  9 06:37:17 UTC 2024] _currentRoot='/srv/www/letssl/'
[Fri Feb  9 06:37:17 UTC 2024] d
[Fri Feb  9 06:37:17 UTC 2024] '/srv/www/letssl/' does not contain 'apache'
[Fri Feb  9 06:37:17 UTC 2024] _saved_account_key_hash='IJ3e6Y7lD0MCoJETXaSV6k3d63cW7dPv4Q+z62i4aHY='
/home/diter/.acme.sh/acme.sh: line 3656: /.acme.sh/ca/acme-v02.api.letsencrypt.org/directory/account.key: Permission denied
[Fri Feb  9 06:37:17 UTC 2024] Using config home:/.acme.sh
[Fri Feb  9 06:37:17 UTC 2024] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Fri Feb  9 06:37:17 UTC 2024] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Fri Feb  9 06:37:17 UTC 2024] _ACME_SERVER_PATH='directory'
[Fri Feb  9 06:37:17 UTC 2024] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Fri Feb  9 06:37:17 UTC 2024] Only RSA or EC key is supported. keyfile=/.acme.sh/ca/acme-v02.api.letsencrypt.org/directory/account.key
cat: /.acme.sh/ca/acme-v02.api.letsencrypt.org/directory/account.key: Permission denied
[Fri Feb  9 06:37:17 UTC 2024] 
[Fri Feb  9 06:37:17 UTC 2024] _on_issue_err
[Fri Feb  9 06:37:17 UTC 2024] Please add '--debug' or '--log' to check more details.
[Fri Feb  9 06:37:17 UTC 2024] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
[Fri Feb  9 06:37:17 UTC 2024] _chk_vlist
[Fri Feb  9 06:37:17 UTC 2024] Diagnosis versions: 
openssl:openssl
OpenSSL 1.1.1l-fips  24 Aug 2021 SUSE release 150500.17.22.1
apache:
apache doesn't exist.
nginx:
nginx doesn't exist.
socat:
socat by Gerhard Rieger and contributors - see www.dest-unreach.org
socat version 1.7.3.2 on Apr  3 2018 11:53:32
   running on Linux version #1 SMP PREEMPT_DYNAMIC Tue Dec 5 10:06:35 UTC 2023 (2e4092e), release 5.14.21-150500.55.39-default, machine x86_64
features:
  #define WITH_STDIO 1
  #define WITH_FDNUM 1
  #define WITH_FILE 1
  #define WITH_CREAT 1
  #define WITH_GOPEN 1
  #define WITH_TERMIOS 1
  #define WITH_PIPE 1
  #define WITH_UNIX 1
  #define WITH_ABSTRACT_UNIXSOCKET 1
  #define WITH_IP4 1
  #define WITH_IP6 1
  #define WITH_RAWIP 1
  #define WITH_GENERICSOCKET 1
  #define WITH_INTERFACE 1
  #define WITH_TCP 1
  #define WITH_UDP 1
  #define WITH_SCTP 1
  #define WITH_LISTEN 1
  #define WITH_SOCKS4 1
  #define WITH_SOCKS4A 1
  #define WITH_PROXY 1
  #define WITH_SYSTEM 1
  #define WITH_EXEC 1
  #define WITH_READLINE 1
  #define WITH_TUN 1
  #define WITH_PTY 1
  #define WITH_OPENSSL 1
  #undef WITH_FIPS
  #define WITH_LIBWRAP 1
  #define WITH_SYCLS 1
  #define WITH_FILAN 1
  #define WITH_RETRY 1
  #define WITH_MSGLEVEL 0 /*debug*/

Neilpang commented 8 months ago

You can use acme.sh --issue --home '/home/diter/.acme.sh' -d xxxxx ....... to specify the working dir.

RoyBellingan commented 8 months ago

Yes, the problem is that the program does not advertise that such an important parameter is missing and ends up failing as a side effect.