Using Lego with eab and security concerns #1752
Our SSL cert provider, Sectigo, uses EAB and pre-registered domains with its ACME SSL offering. This means we must provide the eab account id and hmac when we both generate SSL certs and renew and don't need to worry about domain validation. I'm a little concerned about exposing the HMAC and KID values on the command line when this occurs. While we aren't going to lose control of either the ability to pre-validate the domains, or of our DNS servers, I am worried about these being used to either revoke the existing certificate or cause disruption by generating a near-endless number of certs (albeit for a single CN) using this account. Is there any effective way of hiding this info, or parsing it via a config file or similar? Or would I be best to just do the cert requesting and renewal on a separate machine that only I can access (and view the process list on), or use a different ACME client? Thanks
Replies: 1 comment 3 replies
Hello,

FYI issuing or renewing a certificate, from the point of view of the ACME spec, is exactly the same thing. (technically, renewing is just issuing).

I don't know the implementation of the ACME server by Sectigo, but in theory, the HMAC and KID tuple can be a one-time use, and the scope of the tuple can be limited.

You want to hide the tuple from who exactly? Because even with a file the information will be in clear text.

For now, the CLI of lego only supports CLI flags for these parameters.
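As an added example (not lego's code and not from either post above): a small POSIX shell script that shows why values passed through lego's `--kid` and `--hmac` flags are readable by other local users via `/proc`, and gives an operator a check for that exposure. It assumes Linux with `/proc` mounted and simulates the lego process with a plain `sh` carrying the same argv instead of running lego.

```shell
#!/bin/sh
# Added example; not code from the lego project or from either post above.
# Shows why EAB credentials passed as lego flags (--kid / --hmac) are readable
# by other local users, and gives an operator a check for that exposure.
# Assumes Linux with /proc mounted. The lego run is simulated by a plain `sh`
# process carrying the same argv, so nothing contacts a CA and lego need not be
# installed; the KID and HMAC values below are constructed placeholders.

# Print "<pid> <argv>" for every process whose command line carries FLAG.
# /proc/<pid>/cmdline is readable by any user unless /proc is mounted with hidepid.
scan_cmdlines_for_flag() {
  flag="$1"
  for f in /proc/[0-9]*/cmdline; do
    pid=${f#/proc/}
    pid=${pid%/cmdline}
    # argv entries are NUL-separated; join them into one space-separated line
    args=$(tr '\000' ' ' 2>/dev/null < "$f") || continue
    case " $args " in
      *" $flag "*) printf '%s %s\n' "$pid" "$args" ;;
    esac
  done
}

# Number of processes currently exposing FLAG on their command line.
exposed_count() {
  scan_cmdlines_for_flag "$1" | wc -l | tr -d ' '
}

# Simulate a renewal run. The argv mirrors what `lego --eab --kid ... --hmac ...`
# leaves in the process table for as long as the client runs. `sleep 5; :` is two
# commands, so the shell does not exec sleep directly and the argv stays intact.
# The PID is left in SIM_PID for the caller.
start_simulated_lego() {
  sh -c 'sleep 5; :' lego --eab --kid PLACEHOLDER_KID --hmac PLACEHOLDER_HMAC &
  SIM_PID=$!
}

# Stand-alone demonstration: start the simulated run, list the leak, clean up.
if [ "${1:-}" = "demo" ]; then
  start_simulated_lego
  sleep 1
  echo "processes exposing --hmac: $(exposed_count --hmac)"
  scan_cmdlines_for_flag --hmac
  kill "$SIM_PID"
  wait "$SIM_PID" 2>/dev/null || true
fi
```

Run it as `sh script.sh demo` to see the listing. On Linux, mounting `/proc` with `hidepid=2` limits reading other users' cmdline to root, which narrows who can see the values while the client runs.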