ACME puts clear text certificate information in the logs



  • Just up front I really do not know a lot about certificates.

    I have the Acme working on my pfsense for quite a while now, since the acme service was added to pfsense.

    I use Cloudflare as my DNS.

    I have pfsense setup to send the logs to a remote logging server.

    this morning acme updated the certificate and I noticed in the logs that visible as clear text are:
    (not posting the actual data)

    [CF_Key] => MYKEYWASHEREincleartext
    [CF_Email] => MYEMAIL I use to login to Cloudflare
    

    It also listed a certificate also in clear text:

    -----BEGIN CERTIFICATE-----
    MIIFajCCBFKgAwIBAgISBBVveyVPncQPg6kx8XPHmw2UMA0GCSqGSIb3DQEBCwUA
    
    ....
    ...
    
    5l09PRljRedKQfA3KiV1ivRzQwlgC6tX03e+cpNAYH/FHRL0GhpI+/gv6M34JA==
    -----END CERTIFICATE-----
    

    You can see this by filtering the system log on process acme.

    Isn't this a security hole? I know posting my cloudflare Key and Email in cleartext anywhere is, because I can do anything to my DNS with those 2 values.


  • Rebel Alliance Developer Netgate

    The certificate itself is public knowledge and is not a secret. The ACME settings like the key are more sensitive, but helpful when diagnosing problems. If it's a concern, do not allow users in your GUI access to those pages or the ability to read the configuration, or files on the filesystem.



  • @jimp yeah my concern was I was sending the pfSense logs to a syslog server. I just unticked the system part going to the syslog.


Log in to reply