smallstep / cli

🧰 A zero trust swiss army knife for working with X509, OAuth, JWT, OATH OTP, etc.
https://smallstep.com/cli
Apache License 2.0

Apache Challenge File Permissions Cause ACME Validation Failure #388

Open TheSecMaven opened 3 years ago

TheSecMaven commented 3 years ago

Subject of the issue

Apache on our server is run by a user named apache. When we host a file on apache, it has to either own the file, or have read access to it. When we use step cli to host a challenge, the permissions don't allow that.

Your environment

Steps to reproduce

  1. Be sure Apache can host ACME challenges from a directory
  2. as root, run step ca certificate myserver.domain.com foo.crt foo.key --provisioner=acme-provisioner-1week --webroot "/opt/rh/httpd24/root/var/www/html/" --ca-url https://mysmallstepca.domain.com:--kty=RSA --root /etc/acme/root_ca.crt --console

Expected behaviour

Get a Certificate using ACME for myserver.domain.com

Actual behaviour

✔ Provisioner: acme-provisioner-1week (ACME)
Using Webroot Mode HTTP challenge to validate myserver.domain.com ........... Error!

Unable to validate challenge: &{Type:http-01 Status:pending Token:yJUHLDIUDNquZIzl8ahnXUaGsIDmHmSp Validated: URL:https://mysmallstepca.domain.com/acme/acme-provisioner-1week/challenge/g9HYOunqfTMnM7LwcjHlSyarfNraHTRD Error:error doing http GET for url http://server.domain.com/.well-known/acme-challenge/yJUHLDIUDNquZIzl8ahnXUaGsIDmHmSp with status code 403 ID: AuthzID:}

Additional context

When I `chmod a+rX -R .well-known/acme-challenge/` while it's hosting the challenge, it ends up working.

When I `ls -lart` the directory where it hosts the challenge, I see it's only readable by the user, not group or all. See below:

[root@server html]# ls -lart .well-known/acme-challenge/
total 12
drwxr-xr-x. 3 root apache 4096 Nov 17 18:45 ..
-rw-------. 1 root root     76 Nov 17 19:21 xW1gq0UiNMi5iXb9zdPL5LsX2FQYrE3E
drwxr-xr-x. 2 root apache 4096 Nov 17 19:21 .
[root@server html]# 

If that file was changed to read by all, this would work.

TheSecMaven commented 3 years ago

Worth noting: I tried the same thing with dehydrated, another ACME client. When it creates the challenges, they are readable by anyone.

[root@server dehydrated]# ls -lart acme-challenge/
total 24
-rw-r--r--. 1 root root   76 Nov 18 09:27 V7bPETOTOeZhJ2q9plJprtHUpiJW5bE8
-rw-r--r--. 1 root root   76 Nov 18 09:30 KwqsJVhIndp6fHmlk6dyGwVakGrIZOfv
-rw-r--r--. 1 root root   76 Nov 18 09:43 QR9f4i6yQEd4GDG7z4AseMWpOSoy4B5Z
-rw-r--r--. 1 root root   76 Nov 18 09:45 SBqKlmI8QZCPMATprXmXmPwIiLPNvgsh
drwxr-xr-x. 2 root root 4096 Nov 18 09:47 .

TheSecMaven commented 3 years ago

Upgraded to the latest version of step, same issue.

[root@server acme-challenge]# step --version
Smallstep CLI/0.15.3 (linux/amd64)
Release Date: 2020-10-21 23:46 UTC
[root@server acme-challenge]# 

Ran command

[root@server www]# step ca certificate server.domain.com foo.crt foo.key --provisioner=acme-provisioner-1week  --webroot "/opt/rh/httpd24/root/var/www/html/" --ca-url https://smallstepca.domain.com:8443 --kty=RSA --root /etc/acme/root_ca.crt --console
✔ Provisioner: acme-provisioner-1week (ACME)
Using Webroot Mode HTTP challenge to validate server.domain.com ........... Error!

Unable to validate challenge: &{Type:http-01 Status:pending Token:7PP6rHRpW1Y13kKPt0JQZbZFAj38Cbbv Validated: URL:https://smallstepca.domain.com:8443/acme/acme-provisioner-1week/challenge/KdxrFm9uMn5TY0zDhGlwKzh4VQZMnnGn Error:error doing http GET for url http://server.domain.com/.well-known/acme-challenge/7PP6rHRpW1Y13kKPt0JQZbZFAj38Cbbv with status code 403 ID: AuthzID:}

Permissions of the challenge file while command was running

[root@server acme-challenge]# ls -lart
total 12
drwxr-xr-x. 3 root apache 4096 Nov 17 18:45 ..
-rw-------. 1 root root     76 Nov 18 09:54 7PP6rHRpW1Y13kKPt0JQZbZFAj38Cbbv
drwxr-xr-x. 2 root apache 4096 Nov 18 09:54 .
[root@server acme-challenge]# 

maraino commented 3 years ago

@dopey Consider changing the permissions of the generated files. @mkkeffeler Alternatively, the apache user can be used to generate those files; I mean, run step as the apache user.

TheSecMaven commented 3 years ago

Yeah, I was thinking the same, but that user has no shell by default, and most people using it won't have root privileges to edit that and follow the suggestion. I think generally people use step without root access, only needing root to get it installed the first time.

dopey commented 3 years ago

Hey @mkkeffeler, before moving on this issue, we'd need to do (or have someone from the community do) some due diligence on the security risk of allowing global read on that file.

In the meantime we believe there is a workaround: https://serverfault.com/questions/351046/how-to-run-command-as-user-who-has-usr-sbin-nologin-as-shell

TheSecMaven commented 3 years ago

Yeah, agreed. I think you will find all other ACME clients doing this, as I provided at least one other client doing it. Definitely good to review.
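As an added example (not code from the step CLI project or from anyone in this thread), here is how a webroot-mode ACME client can write the http-01 challenge file so that a web server running as a different user, such as apache in the report above, can read it. The mode is set explicitly after the write, so the result does not depend on the caller's umask or on a pre-existing 0600 file of the same name, and the CA-supplied token is checked against the base64url alphabet before it becomes a path component. The function names, the temporary webroot and the thumbprint value are assumptions for illustration; the token is the one from the reporter's output.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
)

// tokenRE matches the base64url alphabet used by ACME http-01 tokens.
// Assumption for this example: anything else is rejected before the token
// is joined into a filesystem path, so a malformed token cannot escape
// the challenge directory.
var tokenRE = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

// WriteChallenge writes keyAuth into <webroot>/.well-known/acme-challenge/<token>
// and returns the path written. The file is created 0644 and then chmod'ed
// to 0644 again: os.WriteFile applies the umask on creation and leaves the
// mode of an existing file untouched, so the explicit Chmod is what makes
// the file readable by the web server user regardless of either.
func WriteChallenge(webroot, token, keyAuth string) (string, error) {
	if !tokenRE.MatchString(token) {
		return "", errors.New("invalid challenge token")
	}
	dir := filepath.Join(webroot, ".well-known", "acme-challenge")
	if err := os.MkdirAll(dir, 0o755); err != nil {
		return "", err
	}
	// The directory needs the "other" search (x) bit for the web server
	// to open files inside it.
	if err := os.Chmod(dir, 0o755); err != nil {
		return "", err
	}
	path := filepath.Join(dir, token)
	if err := os.WriteFile(path, []byte(keyAuth), 0o644); err != nil {
		return "", err
	}
	if err := os.Chmod(path, 0o644); err != nil {
		return "", err
	}
	return path, nil
}

// WorldReadable reports whether the "other" read bit is set on path,
// which is the check the reporter did by hand with ls -l.
func WorldReadable(path string) (bool, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return false, err
	}
	return fi.Mode().Perm()&0o004 != 0, nil
}

func main() {
	// Constructed sample: a temporary webroot, the token from the report,
	// and a made-up thumbprint in place of the account key's JWK thumbprint.
	webroot, err := os.MkdirTemp("", "webroot")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(webroot)

	token := "7PP6rHRpW1Y13kKPt0JQZbZFAj38Cbbv"
	keyAuth := token + ".EXAMPLE-JWK-THUMBPRINT"
	p, err := WriteChallenge(webroot, token, keyAuth)
	if err != nil {
		panic(err)
	}
	ok, err := WorldReadable(p)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s world-readable: %v\n", p, ok)
}
```

The key authorization written here is the same string the web server serves to the CA over plain HTTP, so a world-readable mode is consistent with how the file is consumed; the token check is what keeps a CA-supplied value from being used as a path outside the challenge directory.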