Wow! #1473 has been open almost FOUR years, and is still relevant. Wow! Just when you say "key material in there", which particular version / package / setting are you talking about? Maybe it is set better, as one of archive/domain/privkeyN.pem is set to 0644 instead of 0600 (or 0440) as the #1473 suggestions were talking about? On Ubuntu --help doesn't give me an arg to check certbot's version. What version are you talking about? How do I get certbot's actual code version? If this is an Ubuntu package issue, what should the package maintainer do? Where is a channel to tell 'em? What workaround can be used here? Some chmod with sticky bit? HELP!!! They have keys exposed. And when a correcting command is found, can we talk about it to a wider audience? I have seven installations, and ALL have world readable keys. Now I can say that most WordPress installations with LetsEncrypt have this. What is the chance that CentOS has this better? (#1473 (comment))

Ok, let's keep things rational, and analyze what the current situation is.

First, #1473 is closed for a reason, and what it was about is not a major security breach. We did not keep an issue about a major security breach open for more than 3 years, if that is what you are currently thinking.

As explained by, and this is what #1473 is about, prior to Certbot 0.29.0:

- Certbot was creating a directory /etc/letsencrypt/archive with permissions 0700.
- Each private key put in a subdirectory of /etc/letsencrypt/archive was assigned 0644 permissions.
- Effectively, private keys were not accessible by anyone except the user (usually root) because of the permissions on /etc/letsencrypt/archive.
- However, if someone changed the permissions of /etc/letsencrypt/archive, the accessibility of the private keys could change silently because of their relaxed permissions, and Certbot did not make any check on /etc/letsencrypt/archive permissions after its creation.
- And indeed the permissions on private keys were quite exotic, since one would expect 0700 for this kind of thing, as is usually seen in SSH installations.

So the standard situation was a secured set of paths to protect the keys, but an unusual pattern that could lead to a security breach if someone plays with /etc/letsencrypt.
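The layering described in the reply above (a 0700 archive directory shielding 0644 key files, so a later chmod on the directory silently exposes the keys) is easy to audit for. The script below is an added example, not code from the Certbot project or from anyone in this thread: it builds a constructed temporary tree under a throwaway `example.invalid` lineage (never the real /etc/letsencrypt), then classifies each `privkey*.pem` as OK (restrictive on its own), GUARDED (readable mode, shielded only by the archive directory) or EXPOSED (readable mode and an archive directory that no longer blocks traversal). It assumes GNU `stat -c '%a'`.

```shell
#!/bin/sh
# Added example, not code from the Certbot project or this issue thread.
# Models the pre-0.29.0 layout described in the thread: an archive directory
# at 0700 holding private keys at 0644, so the keys are protected only by
# the parent directory. Assumptions: GNU stat (-c '%a'); the tree audited
# here is a constructed temporary copy, never the real /etc/letsencrypt.

# Exit 0 if MODE grants nothing to group or other (e.g. 700 or 600).
mode_blocks_others() {
    # A leading 0 makes the shell arithmetic read the digits as octal.
    [ $(( 0$1 & 077 )) -eq 0 ]
}

# Exit 0 if MODE grants read to group or other (644, 640, 604, ...).
mode_readable_by_others() {
    [ $(( 0$1 & 044 )) -ne 0 ]
}

# audit_archive ARCHIVE_DIR
# Prints one verdict per ARCHIVE_DIR/<lineage>/privkey*.pem and sets
# AUDIT_EXPOSED to the number of keys that are readable by others and are
# not shielded by the archive directory's mode. Exit 0 if nothing is exposed.
audit_archive() {
    archive=$1
    AUDIT_EXPOSED=0
    archive_mode=$(stat -c '%a' "$archive") || return 1
    for key in "$archive"/*/privkey*.pem; do
        [ -f "$key" ] || continue
        key_mode=$(stat -c '%a' "$key")
        if ! mode_readable_by_others "$key_mode"; then
            echo "OK       $key (mode $key_mode is restrictive on its own)"
        elif mode_blocks_others "$archive_mode"; then
            echo "GUARDED  $key (mode $key_mode, shielded only by $archive at $archive_mode)"
        else
            echo "EXPOSED  $key (mode $key_mode and $archive at $archive_mode)"
            AUDIT_EXPOSED=$((AUDIT_EXPOSED + 1))
        fi
    done
    [ "$AUDIT_EXPOSED" -eq 0 ]
}

# make_demo_archive: build a constructed tree mimicking the old layout and
# print its archive path: one lineage, one 0644 key, archive directory 0700.
make_demo_archive() {
    base=$(mktemp -d)
    mkdir -p "$base/archive/example.invalid"
    printf 'constructed placeholder, not a real key\n' \
        > "$base/archive/example.invalid/privkey1.pem"
    chmod 0644 "$base/archive/example.invalid/privkey1.pem"
    chmod 0700 "$base/archive"
    echo "$base/archive"
}

# Demo run: start guarded, loosen the archive directory the way the reply
# above warns someone might, then tighten the key's own mode.
demo_archive=$(make_demo_archive)
audit_archive "$demo_archive"
chmod 0755 "$demo_archive"
audit_archive "$demo_archive" || echo "exposed keys: $AUDIT_EXPOSED"
chmod 0600 "$demo_archive"/*/privkey*.pem
audit_archive "$demo_archive"
rm -rf "$(dirname "$demo_archive")"
```

The check deliberately reads modes with `stat` rather than trying to open the files, so it gives the same verdict whether it is run as root or as an unprivileged user; a root shell would be able to read every key anyway and would mask the exposure it is looking for.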