Bug 21742

Summary: Fix acme to not require perl(Data::Dumper) and challenge pool in rare case where letsencrypt verification is delayed
Product: Mageia Reporter: Raphael Gertz <mageia>
Component: RPM PackagesAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: davidwhodgins, herman.viaene, lewyssmith, sysadmin-bugs
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: acme-0.9-4.mga6.src.rpm CVE:
Status comment:

Description Raphael Gertz 2017-09-19 16:25:20 CEST 
Description of problem:
In some case the authorize return from letsencrypt has not validated all challenges, and there is a need of pooling pending one until they fail or succeed.

I removed as well the useless need of perl(Data::Dumper) and added a nginx configuration template in this version.

Commits are here :
https://git.rapsys.eu/?p=acme;a=summary
https://git.rapsys.eu/?p=acme;a=commitdiff;h=2a10253aea57d1e25280392a4f9b4e9420ece1b8
https://git.rapsys.eu/?p=acme;a=commitdiff;h=d17b7963e424d3574a4673e26ebd9aab38b741e6
https://git.rapsys.eu/?p=acme;a=commitdiff;h=3a2fe09540218ac59a327071c04938d8ffe2282c

Version-Release number of selected component (if applicable):
acme-0.9-4

How reproducible:
Difficult, it happened here reliably only and on my dedicated server only one time.

Steps to Reproduce:
1. acmeconf -r example.com
2. drop http traffic from outside with firewall
3. acmecert or acmecron to generate a certificate
4. The script will exit directly while silently failing instead of pooling pending test until they fail.
Comment 1 Herman Viaene 2017-09-26 11:20:37 CEST 
MGA6-32 on Asus A6000VM MATE
Installed acme-0.9-4 first to see whether I can run those commands.
It is not clear from above whether these should be run as normal user or as root, but in either case I get an unexpected result.
at CLI:
# acmeconf -r example.com
{
   "thumbprint" : "/etc/acme/thumbprint",
   "term" : "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf",
   "pending" : "/tmp/acme.pending",
   "certificates" : [
      {
         "cert" : "/etc/pki/tls/certs/example.com.pem",
         "key" : "/etc/pki/tls/private/example.com.pem",
         "account" : "/etc/acme/account.pem",
         "mail" : "webmaster@example.com",
         "domain" : "example.com",
         "domains" : [],
         "prod" : 0
      }
   ]
}
then I launch a ping from another desktop, knowing it is rejected by this laptop, and then
# acmecert
Config file /etc/acme/config is not readable or invalid

Indeed, there is no such file. The acmeconf seems to have done nothing in the /etc/acme/ directory , the file /etc/acme/thumbprint is empty before and after the acmeconf.

CC: (none) => herman.viaene

Comment 2 Raphael Gertz 2017-09-26 11:29:54 CEST 
Hi, sorry, you should do a :
acmeconf -r example.com > /etc/acme/config

I didn't wanted to write with acmeconf the config file to avoid trashing a working config in case of mistakes.
(I will maybe add a renaming later)

If you have a fix public ip, I may point a valid test subdomain on it for your tests (or do a CNAME on a dyndns like domain).

Best regards
Comment 3 Raphael Gertz 2017-09-26 11:31:09 CEST 
It was in the man about acmeconf and in --help by the way :)
Comment 4 Lewis Smith 2017-09-26 13:56:06 CEST 
@Raphael
Admit to being puzzled by the 'steps to reproduce'.
Can you do this on a stand-alone machine?

1. # acmeconf -r example.com > /etc/acme/config      [OK]

2. drop http traffic from outside with firewall
Do you mean block incoming HTTP requests in the firewall? Just that, even if there are none?

3. # acmecert or # acmecron to generate a certificate
Just these raw commands?

4. The script will exit directly while silently failing instead of pooling pending test until they fail.
What script? The commands above? Does the fact of exiting directly indicate success? What would you expect *before* the update?

CC: (none) => lewyssmith

Comment 5 Herman Viaene 2017-09-26 14:13:15 CEST 
OK I went:
# acmeconf -r example.com > /etc/acme/config
no feedback, config file created
launch ping command from other desktop
# acmecert
Email::Valid->address failed at /usr/lib/perl5/vendor_perl/5.22.3/Acme.pm line 135.
	Acme::new("Acme", 0, HASH(0x9a94aa8), HASH(0x9a81a80)) called at /usr/bin/acmecert line 127
Comment 6 Raphael Gertz 2017-09-26 14:34:16 CEST 
The script will generate /etc/pki/tls/certs/example.com.pem if it succeed.

There is no way to validate without a valid subdomain + email.

My script validate there is a MX record for the configured email in /etc/acme/config.

By "drop http traffic from outside with firewall", I mean drop the incomming traffic on configured apache (or nginx) from internet.

So that the letsencrypt verification bot will fail after a tcp timeout and keep challenge pending for a long time before failure.

Acmecert force the generation of a certificate even if one exists.
(see man)

Acmecron do that only if it don't exists and certificate is older than 60 days.
(see man)

If you want to validate, you need :
- a valid mail configured in /etc/acme/config on a domain with MX record (any @yopmail.com will work for example)
- a valid subdomain name which point on current public ip
- a configured apache+php (should be automagic) or nginx+php (no magic here, only sample config provided)

The goal of acme toolset is to generate valid https letsencrypt certificate.

Sorry if it was not clear.
Comment 7 Lewis Smith 2017-10-08 13:01:09 CEST 
Trying M6/64 mainly for clean update

BEFORE: acme-0.9-4.mga6
 # acmeconf -r localdomain > /etc/acme/config

 # cat /etc/acme/config
{
   "thumbprint" : "/etc/acme/thumbprint",
   "term" : "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf",
   "pending" : "/tmp/acme.pending",
   "certificates" : [
      {
         "cert" : "/etc/pki/tls/certs/localdomain.pem",
         "key" : "/etc/pki/tls/private/localdomain.pem",
         "account" : "/etc/acme/account.pem",
         "mail" : "webmaster@localdomain",
         "domain" : "localdomain",
         "domains" : [],
         "prod" : 0
      }
   ]
}

 # acmecron
Email::Valid->address failed at /usr/lib/perl5/vendor_perl/5.22.3/Acme.pm line 135.
	Acme::new("Acme", 0, HASH(0x3197b18), HASH(0x1d76ad0)) called at /usr/bin/acmecron line 132

 # acmecert
Email::Valid->address failed at /usr/lib/perl5/vendor_perl/5.22.3/Acme.pm line 135.
	Acme::new("Acme", 0, HASH(0x29a3f90), HASH(0x299c3f0)) called at /usr/bin/acmecert line 127

Putting my own e-mail address in the config file yielded instead:
 # acmecron
localdomain's tld extraction failed at /usr/lib/perl5/vendor_perl/5.22.3/Acme.pm line 149.
	Acme::new("Acme", 0, HASH(0x63ead0), HASH(0x1a5fd50)) called at /usr/bin/acmecron line 132

 # acmecert
localdomain's tld extraction failed at /usr/lib/perl5/vendor_perl/5.22.3/Acme.pm line 149.
	Acme::new("Acme", 0, HASH(0x23e5b90), HASH(0x3807498)) called at /usr/bin/acmecert line 127

AFTER uneventful update: acme-1.1-1.mga6.noarch
 *** is this version number what is wanted? ***
and repeating all the previous steps gave identical output, even though that was probably meaningless.

@Raphael
Accepting that I have put my proper e-mail address in the config file, if there is anything else I can change in it for a single system with Ethernet gateway to Internet, I shall be happy to try. If you can point me what else to change, please do.
FWIW I have the following IP addresse: 192.168.0.10 (gateway 254). I should have an external one via the DSL box - if I can find it.
Comment 8 Lewis Smith 2017-10-12 21:41:30 CEST 
In consultation with QA team leaders, this is being validated as-is.
Not up to our normal standards; just a clean update.
Advisory devised from Description & bug RPM link.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 9 Raphael Gertz 2017-10-13 18:08:21 CEST 
Advisory :
type: bugfix
subject: Updated acme package fixes race condition while pooling letsencrypt check
src:
    6:
        core:
            - acme-1.1-1.mga6
description:
    Acmecron and acmecert was sometime broken while pooling letsencrypt check
    if it wasn't validated right away by their bot.
    The updated package fix this bug, remove an useless dependancy on
    perl(Data::Dumper) and add a nginx configuration template.
references:
    - https://bugs.mageia.org/show_bug.cgi?id=21742
ID: MGASA-2017-0369
Comment 10 Dave Hodgins 2017-10-14 01:10:46 CEST 
Closing as Mageia robot failed to do so due to lack of permissions, which has
now been fixed.

Status: NEW => RESOLVED
Resolution: (none) => FIXED
CC: (none) => davidwhodgins

Comment 11 Mageia Robot 2017-10-18 22:20:18 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGAA-2017-0095.html