acmesh-official / acme.sh

A pure Unix shell script implementing ACME client protocol
https://acme.sh
GNU General Public License v3.0

Edge case: _contains using grep with regex matches incorrectly for 'g.domain.com', at least for INWX api #5129

Open mandrakey opened 4 months ago

mandrakey commented 4 months ago

Hi team,

I just stumbled on this when trying to issue a certificate for 'g.berlight.de'. Took me a minute to debug.

Steps to reproduce

  1. Try to issue a certificate with --dns dns_inwx active and use a subdomain 'g', like -d g.berlight.de or -d g.domain.com, ...

Debug log

Traceable in the normal log, the following entries are of interest:

[Thu May  2 12:30:23 UTC 2024] h='g.berlight.de'
[Thu May  2 12:30:23 UTC 2024] _sub_domain='_acme-challenge'
[Thu May  2 12:30:23 UTC 2024] _domain='g.berlight.de'
[Thu May  2 12:30:23 UTC 2024] Adding record: domain=g.berlight.de sub=_acme-challenge

Notice how a -d g.berlight.de gets to be Adding record: domain=g.berlight.de sub=_acme-challenge - it should be Adding record: domain=berlight.de sub=_acme-challenge.g.

I traced it to the _contains function in acme.sh, which looks like this:

_contains() {
  _str="$1"
  _sub="$2"
  echo "$_str" | grep -- "$_sub" >/dev/null 2>&1
}

Now the INWX api returns XML by default and has type hints in it. In this particular case, you can find, among a lot of other stuff, the string <string>berlight.de</string> in it, on which _contains "...XML..." "g.berlight.de" returns a hit as it uses regular expressions: g>berlight.de matches (confirmed on Fedora and Alpine).

I was able to issue my certificate by altering _contains to use grep -F, though I am not sure if that would be a generally acceptable solution, or if that might break some feature I am not using.

Another idea might be to alter dns_inwx.sh to replace dots in its _get_root function with a \. so it will match actual dots, and not "any character".

It is an edge case and thus probably not very important, just wanted to point it out.

Thanks for all the work!
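The false positive described in this report, reproduced as an added example (this is not acme.sh's or the reporter's code). It assumes a constructed stand-in for the INWX XML response and a simplified suffix-walking loop, find_root, in place of the real _get_root helper; contains_regex mirrors the quoted _contains, contains_fixed is the grep -F variant.

```sh
#!/bin/sh
# Added example, not acme.sh's own code: shows why a regex needle like
# "g.berlight.de" matches "<string>berlight.de" and how grep -F avoids it.

# Constructed stand-in for an INWX XML-RPC response; only the <string>
# element containing the registered domain matters for this demonstration.
INWX_XML_SAMPLE='<methodResponse><params><param><value><struct><member><name>domain</name><value><string>berlight.de</string></value></member></struct></value></param></params></methodResponse>'

# Same shape as the _contains quoted in the issue: the needle is a basic
# regular expression, so each "." matches any single character ("g>berlight.de").
contains_regex() {
  echo "$1" | grep -- "$2" >/dev/null 2>&1
}

# Fixed-string variant: grep -F treats the needle literally, so the "."
# must really be a dot.
contains_fixed() {
  echo "$1" | grep -F -- "$2" >/dev/null 2>&1
}

# Returns 0 when the regex matcher hits but the literal matcher does not,
# i.e. the regex produced a false positive for this needle.
is_false_positive() {
  if contains_regex "$1" "$2" && ! contains_fixed "$1" "$2"; then
    return 0
  fi
  return 1
}

# Simplified stand-in (an assumption, not dns_inwx.sh's real _get_root):
# walk the hostname from the longest suffix to the shortest and report the
# first suffix the matcher finds in the API body.
find_root() {
  _matcher="$1"; _body="$2"; _h="$3"; _i=1
  while true; do
    _suffix=$(printf '%s\n' "$_h" | cut -d . -f "$_i"-100)
    [ -z "$_suffix" ] && return 1
    if "$_matcher" "$_body" "$_suffix"; then
      printf '%s\n' "$_suffix"
      return 0
    fi
    _i=$((_i + 1))
  done
}

# Stand-alone run: the regex matcher stops one label too early.
echo "regex root: $(find_root contains_regex "$INWX_XML_SAMPLE" g.berlight.de)"
echo "fixed root: $(find_root contains_fixed "$INWX_XML_SAMPLE" g.berlight.de)"
```

Any label whose name is a single character (or ends in one) followed by a dot is exposed to this, since the dot then matches the ">" that closes the XML tag name.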

github-actions[bot] commented 4 months ago

Please upgrade to the latest code and try again first. Maybe it's already fixed. acme.sh --upgrade If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.