Commit ad7310d

ACME: forbid specifying files in "acme_certificate key=...".
The ACME protocol assumes short-term certificates to ensure a regular revalidation of ownership and to limit consequences of key compromise. Allowing certificate renewals to be requested with the same key goes against the second goal and should not be supported without a good reason. This was an oversight inherited from the proof-of-concept code and was not supposed to be committed here.
1 parent af6fffb commit ad7310d

2 files changed

+4
-8
lines changed

README.md

Lines changed: 3 additions & 8 deletions
@@ -218,7 +218,7 @@ challenge data for all the configured certificate issuers.
218218

219219
### acme_certificate
220220

221-
**Syntax:** acme_certificate `issuer` [`identifier` ...] [ `key` = `alg[:size]` | `file` ]
221+
**Syntax:** acme_certificate `issuer` [`identifier` ...] [ `key` = `alg[:size]` ]
222222

223223
**Default:** -
224224
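Review bot: removing `file` from the documented syntax is a user-visible change for any configuration that already passes `key=/path/to/key`; if the `file` form ever shipped in a release, the removal should be called out in the changelog or release notes together with this README edit, and the error a user now gets should point them at the `alg[:size]` form that remains.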

@@ -234,17 +234,12 @@ regular expressions and wildcards are not supported.
234234

235235
[server_name]: https://nginx.org/en/docs/http/ngx_http_core_module.html#server_name
236236

237-
The `key` parameter sets the type of generated private key or a
238-
path to an existing file. Supported key algorithms and sizes:
237+
The `key` parameter sets the type of a generated private key. Supported key
238+
algorithms and sizes:
239239
`ecdsa:256` (default), `ecdsa:384`,
240240
`ecdsa:521`,
241241
`rsa:2048` .. `rsa:4096`.
242242

243-
> Since 1.27.2, the `key` parameter supports the additional schemes implemented in the
244-
> [ssl_certificate_key](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate_key)
245-
> directive: `data:` , `engine:` and more recently `store:` ,
246-
> with a caveat that password-protected keys are not supported.
247-
248243
## Embedded Variables
249244

250245
The `ngx_http_acme_module` module defines following embedded
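Review bot: the deleted block quote documented the `data:`, `engine:` and `store:` key schemes, but the accompanying src/conf.rs change only rejects `PrivateKey::File(_)`; if the parser still accepts those schemes the README now under-documents what `key=` takes, and if they are meant to go away with file paths (the commit message's reasoning about key reuse applies to them equally) the code does not reject them. Please state which is intended, and either keep a one-line mention of the still-accepted schemes or extend the rejection to match.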

src/conf.rs

Lines changed: 1 addition & 0 deletions
@@ -284,6 +284,7 @@ extern "C" fn cmd_add_certificate(
284284
for value in &args[2..] {
285285
if let Some(key) = value.strip_prefix(b"key=") {
286286
order.key = match PrivateKey::try_from(key) {
287+
Ok(PrivateKey::File(_)) => return c"invalid \"key\" value".as_ptr().cast_mut(),
287288
Ok(val) => val,
288289
Err(err) => return cf.error(args[0], &err),
289290
};
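Review bot: the new `Ok(PrivateKey::File(_))` arm returns the raw `c"invalid \"key\" value"` string via `.as_ptr().cast_mut()`, while the `Err(err)` arm two lines below reports through `cf.error(args[0], &err)`; routing the new rejection through the same `cf.error` path would keep the directive context in the log and let the message say why the value was rejected, e.g. that a file path is not accepted for `key` and an `alg[:size]` spec is expected. The rejection also happens only after `PrivateKey::try_from(key)` has fully parsed the value; if that parse touches the named file, rejecting the `file` form before parsing would avoid the unnecessary read.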
