getssl
http-01 files left behind with ftpes, ftps, ...
Code reading bug.
While debugging something else, I noticed that `fulfill_challenges` only knows how to remove tokens with (regular) FTP and SSH. But `copy_file_to_location` also knows how to place tokens with SFTP, DAVS, FTPES, and SFTP. `fulfill_challenges` will try to remove such tokens as local files (hopefully and usually failing), thus leaving them behind in `.well-known/acme-challenge`.

`fulfill_challenges` needs to learn how to remove files using these protocols - or at least not try to delete them as local files.

See curl `-Q` and `-X` for an approach. Something like `curl ... server/locn/token -Q "-DELE token" >/dev/null` should work for the FTP versions. (Yes, there's a '-' before DELE. And it will transfer the (small) file before deleting it.) SFTP would be similar, but `-Q "rm token"`. And DAVS would be `-X DELETE`.

I haven't coded and tested these - too busy working on something else, and not set up for the protocols. Treat them as clues.
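One way to carry out the removal for every location type mentioned above, written as an added example rather than code from getssl or from the issue author. The function name `delete_token` and the `DRY_RUN` switch are this example's own; it assumes the `proto:user:pass:host:path` location format (so passwords and paths cannot contain ':'), FTP paths relative to the login directory as in getssl's ftp code, absolute paths for SFTP, and follows the `-Q`/`-X` suggestions in the issue text.

```shell
#!/bin/sh
# Added example, not getssl's own code. Assumes the "proto:user:pass:host:path"
# location format (so neither password nor path may contain ':'), FTP paths
# relative to the login directory, and absolute paths for SFTP. With DRY_RUN set
# the command is printed instead of run. Credentials are handed to curl through
# --config on stdin, never on the command line, so they stay out of `ps` and
# shell history.
delete_token() {
  loc=$1 token=$2
  IFS=: read -r proto user pass host path <<EOF
$loc
EOF
  case $proto in
    ftp)   # "-DELE" runs after the transfer, i.e. after curl has CWD'd into $path
      set -- curl --silent --show-error --config - -o /dev/null \
        -Q "-DELE $token" "ftp://$host$path/$token" ;;
    ftpes) # explicit FTPS: ftp:// upgraded with AUTH TLS; --ssl-reqd makes TLS mandatory
      set -- curl --silent --show-error --config - -o /dev/null --ssl-reqd \
        -Q "-DELE $token" "ftp://$host$path/$token" ;;
    ftps)  # implicit FTPS: the ftps:// scheme, which defaults to port 990
      set -- curl --silent --show-error --config - -o /dev/null \
        -Q "-DELE $token" "ftps://$host$path/$token" ;;
    sftp)  # SFTP quote commands run before the transfer, so give rm the full path
      set -- curl --silent --show-error --config - -o /dev/null \
        -Q "rm $path/$token" "sftp://$host$path/" ;;
    davs)  # WebDAV over HTTPS: an HTTP DELETE on the token resource
      set -- curl --silent --show-error --config - --fail \
        -X DELETE "https://$host$path/$token" ;;
    *)     # no known scheme: treat the location as a local directory
      set -- rm -f "$loc/$token" ;;
  esac
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$@"; return 0; fi
  if [ "$1" = curl ]; then
    # curl config syntax: user = "name:password"
    printf 'user = "%s:%s"\n' "$user" "$pass" | "$@"
  else
    "$@"
  fi
}
```

With `DRY_RUN=1` the function prints the argument list one item per line, which makes the URL and quote command easy to check before letting it touch a server.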
@tlhackque thanks for pointing the issue out, I'd not noticed this when looking through the code but will fix.
Might want to have tests verify that `.well-known/acme-challenge` is empty after tests (or depending on your test setup, have the same contents as before each test). Same for DNS `_acme-challenge` TXT records - should be none (or same) after tests. Would have caught this issue.
I thought I was going to have to use FTP a while ago - but it turned out otherwise. However, below is (untested in getssl) code that should fix this. You'll need to adapt it a little since it seems that the FTP code has been fiddled with since I wrote the patch. But the `curl` commands work at the command line, and the bug is still present in getssl. Might consider using `curl` instead of running the `ftp` command in the nearby code as well. Simpler.

Also, with respect to left-over DNS records: see `acme_token_check` in https://github.com/tlhackque/certtools. It will report, and optionally remove these. There are other tools in that repo that getssl users may find useful.
diff --git a/getssl b/getssl
index 208ff22..30d0f80 100755
--- a/getssl
+++ b/getssl
@@ -1538,6 +1538,20 @@ for d in "${alldomains[@]}"; do
cd $ftplocn
delete ${token:?}
EOF
+ elif [[ "${t_loc:0:6}" == "ftpes:" ]] || [[ "${t_loc:0:5}" == "ftps:" ]] ; then
+ debug "using ftp to delete the file from $from"
+ ftpuser=$(echo "${t_loc}"| awk -F: '{print $2}')
+ ftppass=$(echo "${t_loc}"| awk -F: '{print $3}')
+ ftphost=$(echo "${t_loc}"| awk -F: '{print $4}')
+ ftplocn=$(echo "${t_loc}"| awk -F: '{print $5}')
+ debug "ftp user=$ftpuser - pass=$ftppass - host=$ftphost file=${ftplocnn/${token:?}"
+ if [[ "${to:0:5}" == "ftps:" ]] ; then
+ # shellcheck disable=SC2086
+ curl ${_NOMETER} $FTPS_OPTIONS --ftp-ssl --ftp-ssl-reqd -u "${ftpuser}:${ftppass}" --silent -Q "DELE ${token:?}}" "
ftp://${ftphost}${ftplocn}:990/"
+ else
+ # shellcheck disable=SC2086
+ curl ${_NOMETER} $FTPS_OPTIONS --ftp-ssl --ftp-ssl-reqd -u "${ftpuser}:${ftppass}" --silent -Q "DELE ${token:?}" "f
tp://${ftphost}${ftplocn}/"
+ fi
else
rm -f "${t_loc:?}/${token:?}"
fi
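Review bot: the new `elif` branch cannot run as written: in `debug "ftp user=$ftpuser - pass=$ftppass - host=$ftphost file=${ftplocnn/${token:?}"` the expansion is unterminated (and `ftplocnn` is misspelled), which bash rejects as a bad substitution; it should read `${ftplocn}/${token:?}`, and that line should not log the password at all. The inner `if [[ "${to:0:5}" == "ftps:" ]]` checks `to` while the `elif` split `t_loc`, so the ftps case is selected on the wrong variable; `"DELE ${token:?}}"` carries a stray `}`; and in `"ftp://${ftphost}${ftplocn}:990/"` the port is appended to the path rather than the host. Since `--ftp-ssl-reqd` on an `ftp://` URL is explicit FTPS (the ftpes case), the implicit-TLS ftps case wants `ftps://${ftphost}${ftplocn}/` with no hand-written port, otherwise both branches do the same thing. Both curl calls also drop the `-` prefix the issue text asks for: a plain `-Q "DELE ..."` is sent before curl changes into `${ftplocn}`, so the relative DELE runs in the login directory; use `-Q "-DELE ${token:?}"` (or give DELE the full path) and add `-o /dev/null` so the listing curl fetches does not land on stdout. Lastly, `$from` in the first `debug` line is not set anywhere in this branch; `$t_loc` looks intended.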