globaleaks / whistleblowing-software

GlobaLeaks is free, open-source whistleblowing software enabling anyone to easily set up and maintain a secure reporting platform.
https://www.globaleaks.org

GlobaLeaks should prevent LetsEncrypt certificate activation on IP address #2403

Open fpietrosanti opened 6 years ago

fpietrosanti commented 6 years ago

**Current behavior**
Currently GlobaLeaks allows the end user to enter an IP address in the Let's Encrypt certificate activation procedure, which triggers an error in the backend.

**Expected behavior**
GlobaLeaks should strictly validate what is acceptable as a hostname for LE certificate enrollment.

Example error when activating over an IP address:

Platform: WB_PROVA_AMA#1
Host: 10.10.50.159
Version: 3.3.11

```text
acme.messages.Error ACME error.

https://tools.ietf.org/html/draft-ietf-appsawg-http-problem-00

:ivar unicode typ:
:ivar unicode title:
:ivar unicode detail:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/twisted/internet/defer.py", line 1384, in _inlineCallbacks
    result = result.throwExceptionIntoGenerator(g)
  File "/usr/lib/python3/dist-packages/twisted/python/failure.py", line 408, in throwExceptionIntoGenerator
    return g.throw(self.type, self.value, self.tb)
  File "/usr/lib/python3/dist-packages/globaleaks/handlers/admin/https.py", line 562, in put
    yield acme_cert_issuance(self.request.tid)
  File "/usr/lib/python3/dist-packages/twisted/python/threadpool.py", line 250, in inContext
    result = inContext.theWork()
  File "/usr/lib/python3/dist-packages/twisted/python/threadpool.py", line 266, in <lambda>
    inContext.theWork = lambda: context.call(ctx, func, *args, **kw)
  File "/usr/lib/python3/dist-packages/twisted/python/context.py", line 122, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
  File "/usr/lib/python3/dist-packages/twisted/python/context.py", line 85, in callWithContext
    return func(*args,**kw)
  File "/usr/lib/python3/dist-packages/globaleaks/orm.py", line 109, in _wrap
    result = function(session, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/globaleaks/handlers/admin/https.py", line 542, in acme_cert_issuance
    return db_acme_cert_issuance(session, tid)
  File "/usr/lib/python3/dist-packages/globaleaks/handlers/admin/https.py", line 532, in db_acme_cert_issuance
    Settings.acme_directory_url)
  File "/usr/lib/python3/dist-packages/globaleaks/utils/letsencrypt.py", line 66, in run_acme_reg_to_finish
    order = client.new_order(csr)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 608, in new_order
    response = self._post(self.directory['newOrder'], order)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 93, in _post
    return self.net.post(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1082, in post
    return self._post_once(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1096, in _post_once
    return self._check_response(response, content_type=content_type)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 956, in _check_response
    raise messages.Error.from_json(jobj)
acme.messages.Error: urn:ietf:params:acme:error:malformed :: The request message was malformed :: Error creating new order :: Issuance for IP addresses not supported
```

fpietrosanti commented 6 years ago

Reference for fix #2139

yogken commented 2 years ago

When is this Let's Encrypt script code executed? Is it done at the frontend level by the user, or is it a background process?

evilaliv3 commented 2 years ago

@yogken: Let's Encrypt is enabled by the user at the front end level and the code is executed synchronously on the backend.

I think a proper fix would be to prevent configuring an IP address in the hostname configuration.
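The strict hostname validation discussed in this thread, as an added example that is not part of GlobaLeaks' own code. It rejects IPv4 and IPv6 literals (bracketed or not), single-label names such as `localhost`, all-numeric top-level labels (which catch truncated dotted quads like `10.10.50`), and labels that are not RFC 1123 hostname labels, before anything reaches the ACME `new_order` call. The function names `check_acme_hostname` and `validate_acme_hostname` and the sample inputs are assumptions made for this example.

```python
import ipaddress
import re

# RFC 1123 hostname label: 1-63 alphanumerics or hyphens,
# not starting or ending with a hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Maximum length of a full hostname in characters (RFC 1035).
_MAX_HOSTNAME_LEN = 253


def is_ip_literal(value: str) -> bool:
    """True if value parses as an IPv4 or IPv6 address (IPv6 may be bracketed)."""
    candidate = value.strip()
    if candidate.startswith("[") and candidate.endswith("]"):
        candidate = candidate[1:-1]
    try:
        ipaddress.ip_address(candidate)
        return True
    except ValueError:
        return False


def check_acme_hostname(hostname: str):
    """Return (ok, detail). On success detail is the normalized hostname,
    on failure it is the reason the value was rejected."""
    if not isinstance(hostname, str):
        return False, "hostname must be a string"

    # Normalize: trim whitespace, drop a trailing root dot, lowercase.
    value = hostname.strip().rstrip(".").lower()
    if not value:
        return False, "hostname is empty"

    # The failure mode from this issue: an IP address sent to the CA.
    if is_ip_literal(value):
        return False, "IP addresses are not accepted for Let's Encrypt issuance"

    if len(value) > _MAX_HOSTNAME_LEN:
        return False, "hostname exceeds %d characters" % _MAX_HOSTNAME_LEN

    labels = value.split(".")
    if len(labels) < 2:
        return False, "hostname must be a fully qualified domain name"

    for label in labels:
        if not _LABEL_RE.match(label):
            return False, "invalid hostname label: %r" % label

    # An all-numeric top-level label is never a public TLD; this also rejects
    # partial dotted quads such as "10.10.50" that are not IP literals.
    if labels[-1].isdigit():
        return False, "top-level label must not be all numeric"

    return True, value


def validate_acme_hostname(hostname: str) -> str:
    """Raise ValueError on rejection, otherwise return the normalized hostname."""
    ok, detail = check_acme_hostname(hostname)
    if not ok:
        raise ValueError("refusing ACME enrollment for %r: %s" % (hostname, detail))
    return detail


if __name__ == "__main__":
    # Constructed sample inputs, including the IP address from this issue.
    for candidate in ["Whistle.Example.org.", "10.10.50.159", "[2001:db8::1]",
                      "10.10.50", "localhost", "-bad.example.org"]:
        print(candidate, "->", check_acme_hostname(candidate))
```

Calling `validate_acme_hostname` from the hostname configuration handler, before the value is persisted, fails the request with a clear message instead of letting the backend reach the CA and surface the `urn:ietf:params:acme:error:malformed` response seen in the traceback.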