ACME puts clear text certificate information in the logs
-
Just up front: I really do not know a lot about certificates.
I have had ACME working on my pfSense for quite a while now, since the ACME service was added to pfSense.
I use Cloudflare as my DNS.
I have pfsense setup to send the logs to a remote logging server.
This morning ACME updated the certificate, and I noticed in the logs that the following are visible as clear text:
(not posting the actual data)
[CF_Key] => MYKEYWASHEREincleartext
[CF_Email] => MYEMAIL (the email I use to log in to Cloudflare)
It also listed a certificate in clear text:
-----BEGIN CERTIFICATE----- MIIFajCCBFKgAwIBAgISBBVveyVPncQPg6kx8XPHmw2UMA0GCSqGSIb3DQEBCwUA .... ... 5l09PRljRedKQfA3KiV1ivRzQwlgC6tX03e+cpNAYH/FHRL0GhpI+/gv6M34JA== -----END CERTIFICATE-----
You can see this by filtering the system log on process acme.
Isn't this a security hole? I know posting my Cloudflare key and email in clear text anywhere is, because I can do anything to my DNS with those 2 values.
-
The certificate itself is public knowledge and is not a secret. The ACME settings like the key are more sensitive, but helpful when diagnosing problems. If it's a concern, do not allow users in your GUI access to those pages or the ability to read the configuration, or files on the filesystem.
-
@jimp Yeah, my concern was that I was sending the pfSense logs to a syslog server. I just unticked the system part going to the syslog.
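A less drastic alternative to switching off system-log forwarding is to redact credential-style values before lines leave the box. The following is an added example written for this thread, not pfSense or acme.sh code: it matches the print_r-style "[CF_Key] => value" dumps the poster saw, replaces the values of secret-looking settings, and reports which keys were found. The sample log lines are constructed; CF_Key and CF_Email come from the post, the other matched substrings (token, secret, password) are an assumption about other DNS-API settings.

```python
import re

# print_r-style dump as seen in the pfSense acme log: "[CF_Key] => value"
KV_RE = re.compile(r"\[(?P<key>[A-Za-z0-9_]+)\]\s*=>\s*(?P<val>\S+)")

# Setting names whose values must not reach a remote syslog server.
# CF_Key / CF_Email are from the post; the generic substrings are an assumption.
SENSITIVE_KEY_RE = re.compile(r"(?i)(key|token|secret|password|email)")

REDACTED = "<REDACTED>"

# Constructed sample lines in the shape of forwarded pfSense syslog output.
SAMPLE_LOG = [
    "Jun 12 03:10:01 pfSense acme: [CF_Key] => 0123456789abcdef [CF_Email] => admin@example.org",
    "Jun 12 03:10:02 pfSense acme: [CF_Zone] => example.org",
    "Jun 12 03:10:05 pfSense sshd[1234]: Accepted publickey for admin",
]


def redact_line(line):
    """Replace the value of every sensitive key; return (new_line, [redacted keys])."""
    hits = []

    def repl(m):
        key = m.group("key")
        if SENSITIVE_KEY_RE.search(key):
            hits.append(key)
            return f"[{key}] => {REDACTED}"
        return m.group(0)  # non-sensitive setting, leave untouched

    return KV_RE.sub(repl, line), hits


def filter_for_forwarding(lines):
    """Redact a batch of lines before forwarding.

    Returns (forwarded_lines, findings) where findings maps each redacted
    key name to the number of lines it appeared in, so the leak itself can
    be alerted on even though the value never leaves the host.
    """
    forwarded, findings = [], {}
    for line in lines:
        clean, hits = redact_line(line)
        for key in hits:
            findings[key] = findings.get(key, 0) + 1
        forwarded.append(clean)
    return forwarded, findings


if __name__ == "__main__":
    out, found = filter_for_forwarding(SAMPLE_LOG)
    print("\n".join(out))
    print("redacted keys:", found)
```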