ACME puts clear text certificate information in the logs

  • Just up front I really do not know a lot about certificates.

I have had ACME working on my pfSense for quite a while now, since the ACME service was added to pfSense.

    I use Cloudflare as my DNS.

I have pfSense set up to send the logs to a remote logging server.

    This morning ACME updated the certificate and I noticed in the logs that visible as clear text are:
    (not posting the actual data)

    [CF_Key] => MYKEYWASHEREincleartext
    [CF_Email] => MYEMAIL I use to login to Cloudflare

It also listed a certificate, also in clear text:

    -----END CERTIFICATE-----

    You can see this by filtering the system log on process acme.

Isn't this a security hole? I know posting my Cloudflare key and email in clear text anywhere is, because I can do anything to my DNS with those two values.
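A defender-side filter for the leak described in this post, as an added example that is not from the thread, from pfSense, or from acme.sh: it flags `[CF_Key] => …` / `[CF_Email] => …` dumps in syslog lines and redacts them, and collapses PEM certificate blocks, before the lines are forwarded to a remote syslog server. The log lines and the key names list are constructed for the example.

```python
import re

# Keys the post saw dumped in clear text (constructed list; extend for other DNS API secrets).
SENSITIVE_KEYS = ("CF_Key", "CF_Email")

# Array-dump format seen in the post: "[CF_Key] => value" (possibly after a syslog prefix).
_KV_RE = re.compile(r"\[(?P<key>[A-Za-z0-9_]+)\]\s*=>\s*(?P<value>.*)$")
_PEM_BEGIN = re.compile(r"-+BEGIN [A-Z ]+-+")
_PEM_END = re.compile(r"-+END [A-Z ]+-+")

# Constructed sample of what a forwarded pfSense syslog stream might contain.
SAMPLE_LOG = [
    "Oct  1 06:10:01 pfsense acme: [CF_Key] => 0123456789abcdefCONSTRUCTED",
    "Oct  1 06:10:01 pfsense acme: [CF_Email] => admin@example.invalid",
    "Oct  1 06:10:02 pfsense acme: -----BEGIN CERTIFICATE-----",
    "Oct  1 06:10:02 pfsense acme: MIIBconstructedbase64body",
    "Oct  1 06:10:02 pfsense acme: -----END CERTIFICATE-----",
    "Oct  1 06:10:03 pfsense acme: renewal finished (constructed line)",
]


def find_exposed_keys(lines):
    """Return the sensitive keys that appear with a non-empty value, for alerting."""
    found = []
    for line in lines:
        m = _KV_RE.search(line)
        if m and m.group("key") in SENSITIVE_KEYS and m.group("value").strip():
            found.append(m.group("key"))
    return found


def redact_acme_log(lines):
    """Redact sensitive key/value dumps and collapse PEM blocks into one marker line."""
    out = []
    in_pem = False
    for line in lines:
        if in_pem:
            # Drop body lines until the END marker closes the block.
            if _PEM_END.search(line):
                in_pem = False
            continue
        begin = _PEM_BEGIN.search(line)
        if begin:
            in_pem = True
            out.append(line[: begin.start()] + "<PEM block redacted>")
            continue
        m = _KV_RE.search(line)
        if m and m.group("key") in SENSITIVE_KEYS:
            out.append(line[: m.start("value")] + "[REDACTED]")
        else:
            out.append(line)
    return out
```

Running `redact_acme_log(SAMPLE_LOG)` keeps the timestamps and process names so the events remain searchable, while the key, email and certificate body never leave the box; this complements, rather than replaces, not forwarding the system log at all.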

  • Rebel Alliance Developer Netgate

    The certificate itself is public knowledge and is not a secret. The ACME settings like the key are more sensitive, but helpful when diagnosing problems. If it's a concern, do not allow users in your GUI access to those pages or the ability to read the configuration, or files on the filesystem.

• @jimp Yeah, my concern was that I was sending the pfSense logs to a syslog server. I just unticked the system part going to the syslog.
