Netgate Discussion Forum

    ACME puts clear text certificate information in the logs

    3 Posts 2 Posters 649 Views
    • IsaacFL

      Just up front, I really do not know a lot about certificates.

      I have had ACME working on my pfSense for quite a while now, since the ACME service was added to pfSense.

      I use Cloudflare as my DNS.

      I have pfSense set up to send the logs to a remote logging server.

      This morning ACME updated the certificate, and I noticed that the following are visible in the logs as clear text
      (not posting the actual data):

      [CF_Key] => MYKEYWASHEREincleartext
      [CF_Email] => MYEMAIL I use to login to Cloudflare
      

      It also listed a certificate in clear text:

      -----BEGIN CERTIFICATE-----
      MIIFajCCBFKgAwIBAgISBBVveyVPncQPg6kx8XPHmw2UMA0GCSqGSIb3DQEBCwUA
      
      ....
      ...
      
      5l09PRljRedKQfA3KiV1ivRzQwlgC6tX03e+cpNAYH/FHRL0GhpI+/gv6M34JA==
      -----END CERTIFICATE-----
      

      You can see this by filtering the system log on process acme.

      Isn't this a security hole? I know posting my Cloudflare key and email in clear text anywhere is, because I can do anything to my DNS with those 2 values.

      • jimp (Rebel Alliance Developer, Netgate)

        The certificate itself is public knowledge and is not a secret. The ACME settings like the key are more sensitive, but helpful when diagnosing problems. If it's a concern, do not allow users in your GUI access to those pages or the ability to read the configuration, or files on the filesystem.


        • IsaacFL @jimp

          @jimp Yeah, my concern was that I was sending the pfSense logs to a syslog server. I just unticked the system part going to the syslog.

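A defender-side alternative to switching off system log forwarding altogether, as an added example that is not part of this thread, of pfSense or of the acme package: a small Python filter that scrubs credential entries of the `[CF_Key] => ...` form from a syslog stream before it is forwarded, leaves the certificate alone (it is public, as jimp notes), and returns the names of the keys it found so a non-empty result can raise an alert. The sample log lines, the `acme[8123]` process tag and the list of words treated as sensitive are constructed assumptions.

```python
import re
from typing import List, Optional, Tuple
# Constructed sample of a forwarded pfSense syslog stream, mimicking the thread:
# the acme process dumps DNS API settings as "[NAME] => value" and then the
# certificate. The process tag and all values are made up.
SAMPLE_LOG = """\
Jan 12 04:00:01 pfsense acme[8123]: [CF_Key] => 0123456789abcdef0123456789abcdef01234567
Jan 12 04:00:01 pfsense acme[8123]: [CF_Email] => dns-admin@example.net
Jan 12 04:00:01 pfsense acme[8123]: [CF_Zone] => example.net
Jan 12 04:00:02 pfsense acme[8123]: -----BEGIN CERTIFICATE-----
Jan 12 04:00:02 pfsense acme[8123]: MIIFajCCBFKgAwIBAgISBBVveyVPncQPg6kx8XPHmw2UMA0GCSqGSIb3DQEBCwUA
Jan 12 04:00:02 pfsense acme[8123]: -----END CERTIFICATE-----
Jan 12 04:00:05 pfsense sshd[9001]: Accepted publickey for admin from 10.0.0.5
"""

# Assumption: a "[name] => value" entry whose name contains one of these words is
# a credential or account identifier (CF_Key and CF_Email are the thread's cases;
# the other words cover the naming other DNS API providers use).
SENSITIVE_ENTRY = re.compile(
    r"\[(?P<name>\w*(?:key|token|secret|password|email)\w*)\]\s*=>\s*(?P<value>\S.*)$",
    re.IGNORECASE,
)

def sensitive_key(line: str) -> Optional[str]:
    """Name of the leaked config key if the line contains one, else None."""
    m = SENSITIVE_ENTRY.search(line)
    return m.group("name") if m else None

def redact_line(line: str) -> str:
    """Blank the value of a sensitive entry; every other line (including the
    certificate, which is public) passes through unchanged."""
    m = SENSITIVE_ENTRY.search(line)
    return line[: m.start("value")] + "<REDACTED>" if m else line

def scrub_log(text: str) -> Tuple[str, List[str]]:
    """Scrub a log stream before it leaves the firewall. Returns the redacted
    text plus the key names found, so a non-empty list can raise an alert."""
    leaked: List[str] = []
    out: List[str] = []
    for line in text.splitlines():
        name = sensitive_key(line)
        if name:
            leaked.append(name)
        out.append(redact_line(line))
    return "\n".join(out) + "\n", leaked

if __name__ == "__main__":
    cleaned, keys = scrub_log(SAMPLE_LOG)
    print(cleaned, "credential keys found in log:", keys)
```

Run on the sample, the two Cloudflare entries come back as `<REDACTED>` while the `CF_Zone` line, the certificate and the unrelated sshd line are untouched.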
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.