srvrco / getssl

Obtain free SSL certificates from letsencrypt ACME server. Suitable for automating the process on remote servers.
GNU General Public License v3.0

Too many server reloads; stale certificate exposed #842

Open tlhackque opened 4 months ago

tlhackque commented 4 months ago

If getssl detects that a remote certificate expires sooner than a saved local certificate, an upload is attempted. Then a server reload is performed.

Later in the same run, if getssl discovers that the remote certificate has a different domain list, a new CSR is created, the certificate is signed, and the server is reloaded again.

Besides being inefficient, this means that the initial local, stale certificate is used in the interval before the correct certificate is issued and installed. This just happened to me in real life.

A glance at the code indicates a similar scenario if the key type(s) change: the saved/stale local certificate is uploaded, then the new one is generated and uploaded.

  1. getssl should check the expiration date after verifying that the domain lists match.
  2. It should only upload the local certificate if it determines that it will not generate a new one (for any reason).

Bottom line: Only local certificates matching the current specification should be uploaded. The RELOAD_CMD should be invoked at most once per certificate. (Of course, RELOAD_CMD itself may reload more than one server if so configured.)
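The ordering requested in this issue can be written as a single decision made before anything is uploaded. The sketch below is an added example, not part of the issue and not getssl code: the function names, the `KEYTYPE:EXPIRY:domains` descriptor and the renewal window are assumptions made for illustration, with the renewal window standing in for one of the "any reason" cases.

```shell
#!/bin/sh
# Added illustration, not getssl code. A certificate is described by a
# constructed string "KEYTYPE:EXPIRY_EPOCH:dom1,dom2,..." (hypothetical format).

# Lowercase, split on commas/spaces and sort, so domain sets compare equal
# regardless of order or case.
norm_domains() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -s ', ' '\n\n' | sort -u
}

expiry_of() { rest=${1#*:}; printf '%s' "${rest%%:*}"; }

# matches_spec CERT SPEC_KEY SPEC_DOMAINS: true if key type and domain set agree.
matches_spec() {
  rest=${1#*:}
  [ "${1%%:*}" = "$2" ] &&
    [ "$(norm_domains "${rest#*:}")" = "$(norm_domains "$3")" ]
}

# plan SPEC_KEY SPEC_DOMAINS LOCAL_CERT REMOTE_CERT NOW RENEW_SECS
# Prints exactly one of: "issue reload", "upload reload", "none",
# so no path can trigger more than one reload.
plan() {
  spec_k=$1; spec_d=$2; local_c=$3; remote_c=$4; now=$5; renew=$6
  # 1. Specification first: a local certificate that is off-spec (domains or
  #    key type) or due for renewal is never uploaded; a new one is issued.
  if ! matches_spec "$local_c" "$spec_k" "$spec_d" ||
     [ $(( $(expiry_of "$local_c") - $now )) -le "$renew" ]; then
    echo "issue reload"; return 0
  fi
  # 2. Only now compare expiry: the local certificate is known to be current,
  #    so uploading it cannot expose a stale certificate.
  if ! matches_spec "$remote_c" "$spec_k" "$spec_d" ||
     [ "$(expiry_of "$remote_c")" -lt "$(expiry_of "$local_c")" ]; then
    echo "upload reload"; return 0
  fi
  echo "none"
}

# Constructed scenario from the report: the domain list grew, the saved local
# certificate is stale but outlives the remote one. Prints "issue reload".
plan rsa "a.example,b.example,c.example" \
  "rsa:2000:a.example,b.example" "rsa:1500:a.example,b.example" 1000 100
```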