Hey there,
When you open an issue on this project, a comment from GitHub actions tells you to provide logs with --debug 2 set. However, sometimes these logs contain private keys. This means that people occasionally post the private keys for their publicly trusted certificates.
Here are some instances where this has happened:
#6165
Certificate: https://crt.sh/?id=16142264126
#5004 (comment)
Certificate: https://crt.sh/?id=13108850004
#4788 (comment)
Certificate: https://crt.sh/?id=10532645172
None of these keys are currently being used. The certificates have either expired or been revoked. But this could definitely happen again in the future with valid certificates.
While it's up to each individual to make sure they're not sharing logs/files with important secrets, I think tools like acme.sh should also avoid logging this information, especially by default (e.g., it should require an opt-in flag like --output-insecure).
My suggestions:
- Don't log private keys without --output-insecure
  - haproxy.sh is affected CC: @wlallemand
  - synology_dsm.sh also appears to be affected because _post() logs the request body
  - Perhaps more?
- Include a warning in the GitHub actions comment telling the person to check logs for secrets before sharing them.
- Consider changing acme.sh's defaults, so it generates a new private key when renewing certificates.
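
One way to check a debug log for private keys before sharing it, as an added example that is not part of the original issue and not acme.sh code. The function names, the placeholder text and the sample log are assumptions made for illustration; the sample key bodies are constructed and are not real key material.

```shell
#!/bin/sh
# Added example (not acme.sh code): scrub PEM private keys from a debug log
# before it is pasted into an issue.

KEY_BEGIN='-----BEGIN [A-Z0-9 ]*PRIVATE KEY-----'

# count_key_lines: number of stdin lines that contain a private-key header.
count_key_lines() {
  grep -c -e "$KEY_BEGIN" || true
}

# redact_private_keys: copy stdin to stdout, replacing each PEM private-key
# block with a placeholder. Handles multi-line blocks and blocks flattened onto
# one line (for example a logged request body with "\n"-escaped newlines).
redact_private_keys() {
  awk '
    {
      line = $0; out = ""
      if (inkey) {                       # inside a multi-line block
        if (!match(line, /-----END [A-Z0-9 ]*PRIVATE KEY-----/)) next
        line = substr(line, RSTART + RLENGTH); inkey = 0
        if (line == "") next
      }
      while (match(line, /-----BEGIN [A-Z0-9 ]*PRIVATE KEY-----/)) {
        out = out substr(line, 1, RSTART - 1) "[REDACTED PRIVATE KEY]"
        line = substr(line, RSTART + RLENGTH)
        if (match(line, /-----END [A-Z0-9 ]*PRIVATE KEY-----/)) {
          line = substr(line, RSTART + RLENGTH)   # block closed on same line
        } else {
          inkey = 1; line = ""; break             # block continues below
        }
      }
      print out line
    }
  '
}

# Constructed sample log; the key bodies are placeholders, not real keys.
sample_log() {
  printf '%s\n' \
    '[debug] Reading key file' \
    '-----BEGIN EC PRIVATE KEY-----' \
    'CONSTRUCTEDPLACEHOLDERNOTAREALKEY0000000000000000000000000000' \
    '-----END EC PRIVATE KEY-----' \
    '[debug] body=cert\n-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\nend' \
    '[debug] done'
}

sample_log | redact_private_keys
```

Running `count_key_lines` on a log first gives a quick yes/no on whether it needs scrubbing. A key that was ever written to a shared log should still be treated as compromised and replaced.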