security/acme-client: DOS line-endings in generated config lead to operational failure
Important notices Before you add a new report, we ask you kindly to acknowledge the following:
- [x] I have read the contributing guide lines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
- [x] I have searched the existing issues, open and closed, and I'm convinced that mine is new.
- [x] The title contains the plugin to which this issue belongs
Describe the bug A clear and concise description of what the bug is, including last known working version (if any).
Acme Client generates config files with DOS line endings, which results in settings gaining a carriage-return character when interpreted, resulting in things like new certificates being placed under `/var/etc/acme-client/home^M`, instead of `/var/etc/acme-client/home`, and parts of the activity being logged to `/var/log/acme.sh.log^M` instead of `/var/log/acme.sh.log`. Note: on the console, the `^M` is displayed as a `?`.
Tip: to validate your setup was working with the previous version, use opnsense-revert (https://docs.opnsense.org/manual/opnsense_tools.html#opnsense-revert)
To Reproduce Steps to reproduce the behavior:
Unclear, unfortunately. The specific setup was pushed through all updates from 19.x to 22.1.6 in quick succession via the Web GUI. I think the issue is in this line of code in the update migration path, but I also realize that the code is two years old, and so would've expected to find more people reporting this issue.
Expected behavior A clear and concise description of what you expected to happen.
Acme client would continue to function.
Screenshots If applicable, add screenshots to help explain your problem.
We are seeing `/var/etc/acme-client/accounts/.../account.conf` files generated that have DOS line-endings, reading like this:

```
CERT_HOME='/var/etc/acme-client/home'^M
LOG_FILE='/var/log/acme.sh.log'^M
ACCOUNT_KEY_PATH='/var/etc/acme-client/accounts/5d1c791e804ff9.78199304_prod/account.key'^M
ACCOUNT_JSON_PATH='/var/etc/acme-client/accounts/5d1c791e804ff9.78199304_prod/account.json'^M
CA_CONF='/var/etc/acme-client/accounts/5d1c791e804ff9.78199304_prod/ca.conf'^M
ACCOUNT_EMAIL='[email protected]'
LOG_LEVEL='1'
SYS_LOG='6'
USER_PATH='/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin'
```
Relevant log files If applicable, information from log files supporting your claim.
Happy to answer questions, but not providing acme.sh.log, as they're full of sensitive information. It is noteworthy that there exist both /var/log/acme.sh.log^M and /var/log/acme.sh.log files...
Additional context Add any other context about the problem here.
As a workaround, we edit the generated account.conf files manually.
Environment Software version used and hardware type if relevant. ~~e.g.:~~
OPNsense 22.1.6-amd64 FreeBSD 13.0-STABLE OpenSSL 1.1.1n 15 Mar 2022
Cannot find DOS line-endings on my firewalls. Even `account.conf` files created way back in 2017 are still OK. So whatever caused this is either extremely rare and/or already fixed.
@fraenki FWIW, the commit https://github.com/cluck/opnsense-plugins/commit/a56720447 looks correct
Hm, that commit fixes an almost 3-year-old migration. Not sure if this fix will ever affect any users. @cluck, if you submit a PR I'll merge it.
This issue has been automatically timed-out (after 180 days of inactivity).
For more information about the policies for this repository, please read https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md for further details.
If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.
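
An added example, not part of the original issue thread or the plugin's code: a POSIX sh check that flags an `account.conf` with carriage-return line endings, shows the value a shell sees when sourcing it, and writes a normalized copy. The function names, the `/tmp/demo` paths and the sample file are constructed for illustration, and it assumes the file is consumed by shell sourcing.

```shell
#!/bin/sh
# Added example: detect and normalize CR line endings in an
# acme.sh-style account.conf. Sample data and paths are constructed.

CR=$(printf '\r')

# Return 0 if any line of the file ends in a carriage return.
has_cr_endings() {
    grep -q "${CR}\$" "$1"
}

# Source the file in a subshell and print one variable, i.e. the value
# a shell consumer of the file actually ends up with.
sourced_value() {
    ( . "$1"; eval "printf '%s' \"\${$2}\"" )
}

# Write a copy with trailing CRs removed; the original is left untouched
# so the two can be compared before the original is replaced.
strip_cr_endings() {
    sed "s/${CR}\$//" "$1" > "$2"
}

# Constructed sample with the mixed line endings described in the report.
make_sample() {
    printf "CERT_HOME='/tmp/demo/home'\r\nLOG_FILE='/tmp/demo/acme.sh.log'\r\nLOG_LEVEL='1'\n" > "$1"
}

demo() {
    dir=$(mktemp -d) || return 1
    make_sample "$dir/account.conf"
    if has_cr_endings "$dir/account.conf"; then
        echo "CR line endings found; CERT_HOME as sourced:"
        sourced_value "$dir/account.conf" CERT_HOME | od -c | head -n 3
        strip_cr_endings "$dir/account.conf" "$dir/account.conf.fixed"
        echo "CERT_HOME after normalizing:"
        sourced_value "$dir/account.conf.fixed" CERT_HOME | od -c | head -n 3
    fi
    rm -rf "$dir"
}

demo
```

The `od -c` output makes the trailing `\r` visible, which a plain `echo` or `ls` would hide or render as `?`.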