Open TheSecMaven opened 3 years ago
Worth noting: I tried the same thing with dehydrated, another ACME client. When it creates the challenges, they are readable by anyone.
```
[root@server dehydrated]# ls -lart acme-challenge/
total 24
-rw-r--r--. 1 root root 76 Nov 18 09:27 V7bPETOTOeZhJ2q9plJprtHUpiJW5bE8
-rw-r--r--. 1 root root 76 Nov 18 09:30 KwqsJVhIndp6fHmlk6dyGwVakGrIZOfv
-rw-r--r--. 1 root root 76 Nov 18 09:43 QR9f4i6yQEd4GDG7z4AseMWpOSoy4B5Z
-rw-r--r--. 1 root root 76 Nov 18 09:45 SBqKlmI8QZCPMATprXmXmPwIiLPNvgsh
drwxr-xr-x. 2 root root 4096 Nov 18 09:47 .
```
Upgraded to the latest version of step, same issue.
```
[root@server acme-challenge]# step --version
Smallstep CLI/0.15.3 (linux/amd64)
Release Date: 2020-10-21 23:46 UTC
[root@server acme-challenge]#
```
Ran command:
```
[root@server www]# step ca certificate server.domain.com foo.crt foo.key --provisioner=acme-provisioner-1week --webroot "/opt/rh/httpd24/root/var/www/html/" --ca-url https://smallstepca.domain.com:8443 --kty=RSA --root /etc/acme/root_ca.crt --console
✔ Provisioner: acme-provisioner-1week (ACME)
Using Webroot Mode HTTP challenge to validate server.domain.com ........... Error!
Unable to validate challenge: &{Type:http-01 Status:pending Token:7PP6rHRpW1Y13kKPt0JQZbZFAj38Cbbv Validated: URL:https://smallstepca.domain.com:8443/acme/acme-provisioner-1week/challenge/KdxrFm9uMn5TY0zDhGlwKzh4VQZMnnGn Error:error doing http GET for url http://server.domain.com/.well-known/acme-challenge/7PP6rHRpW1Y13kKPt0JQZbZFAj38Cbbv with status code 403 ID: AuthzID:}
```
Permissions of the challenge file while the command was running:
```
[root@server acme-challenge]# ls -lart
total 12
drwxr-xr-x. 3 root apache 4096 Nov 17 18:45 ..
-rw-------. 1 root root 76 Nov 18 09:54 7PP6rHRpW1Y13kKPt0JQZbZFAj38Cbbv
drwxr-xr-x. 2 root apache 4096 Nov 18 09:54 .
[root@server acme-challenge]#
```
@dopey Consider changing the permissions of the generated files. @mkkeffeler Alternatively, the user apache can be used to generate those files; I mean, run step as the apache user.
Yeah, I was thinking the same, but that user has no shell by default, and most people using it won't have root privileges to edit that and follow the suggestion. I think people generally use step without root access, only needing root to get it installed the first time.
Hey @mkkeffeler, before moving on this issue, we'd need to do (or have someone from the community do) some due diligence on the security risk of allowing global read on that file.
In the meantime we believe there is a workaround: https://serverfault.com/questions/351046/how-to-run-command-as-user-who-has-usr-sbin-nologin-as-shell
Yeah, agreed. I think you will find all other ACME clients doing this, as I provided at least one other client doing it. Definitely good to review.
Subject of the issue
Apache on our server is run by a user named apache. When we host a file on Apache, it has to either own the file or have read access to it. When we use the step CLI to host a challenge, the permissions don't allow that.
Your environment
Steps to reproduce
```
step ca certificate myserver.domain.com foo.crt foo.key --provisioner=acme-provisioner-1week --webroot "/opt/rh/httpd24/root/var/www/html/" --ca-url https://mysmallstepca.domain.com:--kty=RSA --root /etc/acme/root_ca.crt --console
```
Expected behaviour
Get a certificate using ACME for myserver.domain.com.
Actual behaviour
Additional context
When I
```
chmod a+rX -R .well-known/acme-challenge/
```
while it's hosting the challenge, it ends up working. When I
```
ls -lart
```
the directory where it hosts the challenge, I see it's only readable by the user, not group or all. See below. If that file was changed to be readable by all, this would work.
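The check and the narrow fix behind the reporter's `chmod` workaround, written out as an added POSIX shell example (not code from the issue or from the step project). It assumes GNU coreutils `stat` (`-c '%a'`), builds a throwaway webroot under `mktemp -d` with constructed token files, reports every challenge file whose "other" read bit is missing, and then applies `chmod -R a+rX` to the challenge directory only (the reporter's command with the option first, which also works on non-GNU chmod). The `demo` function, the file names `tokenA`/`tokenB` and their contents are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the issue or from the step project.
# Verifies that http-01 challenge files under a webroot carry the "other"
# read bit the httpd worker needs, and applies the reporter's fix to the
# challenge directory only. Assumes GNU coreutils stat (-c '%a').

# Octal mode of a file, e.g. 600 or 644.
file_mode() {
    stat -c '%a' "$1"
}

# Succeeds when the "other" read bit (4) is set in the last octal digit.
# A web server running as a different user than the one that ran `step`
# falls into the "other" class unless the file is group-owned by it.
world_readable() {
    mode=$(file_mode "$1")
    other=$(( $mode % 10 ))
    [ $(( $other & 4 )) -ne 0 ]
}

# Prints every regular file in WEBROOT/.well-known/acme-challenge that is
# not world-readable, one per line; returns 1 if any were found, else 0.
check_challenge_dir() {
    dir="$1/.well-known/acme-challenge"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if ! world_readable "$f"; then
            printf '%s\n' "$f"
            rc=1
        fi
    done
    return $rc
}

# Number of unreadable challenge files (wc output trimmed for portability).
count_unreadable() {
    check_challenge_dir "$1" | wc -l | tr -d ' '
}

# The reporter's workaround, limited to the challenge directory so the rest
# of the webroot keeps whatever permissions the site intends.
fix_challenge_dir() {
    chmod -R a+rX "$1/.well-known/acme-challenge"
}

# Demo on a constructed webroot: tokenA is written the way the reporter
# observed (mode 0600, via umask 077), tokenB with a normal umask (0644).
# Prints "<unreadable before fix> <unreadable after fix>", e.g. "1 0".
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/.well-known/acme-challenge"
    ( umask 077; printf 'tokenA.thumbprint\n' > "$root/.well-known/acme-challenge/tokenA" )
    ( umask 022; printf 'tokenB.thumbprint\n' > "$root/.well-known/acme-challenge/tokenB" )
    before=$(count_unreadable "$root")
    fix_challenge_dir "$root"
    after=$(count_unreadable "$root")
    rm -rf "$root"
    echo "$before $after"
}

demo
```

Run it against a real webroot with `check_challenge_dir /opt/rh/httpd24/root/var/www/html` while the client is waiting on validation; anything it prints is a file Apache's `apache` user (in the "other" class here, since the files are owned `root:root`) will answer 403 for. On the due-diligence question raised in the thread: the http-01 file holds only the token and the account-key thumbprint, which the CA fetches over unauthenticated HTTP by design (RFC 8555 section 8.3), so the read bit exposes nothing that is not already served publicly; granting read on this one directory is a smaller change than running the client as root or as the web server user. For the other workaround discussed above, a shell-less account such as `apache` can still run a single command with `su -s /bin/sh apache -c '...'`, which is what the linked Server Fault answer describes.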