Bug#981449: dehydrated: certificate specific settings may affect other certificates

2021-02-18 Thread Michel Lespinasse
Got the fix upstream as commit 527933db2434cc103428e04cf72fdd04c13a06a9

On Mon, Feb 1, 2021 at 6:27 AM Mattia Rizzolo wrote:
>
> Hi!
>
> On Sun, Jan 31, 2021 at 05:48:25AM -0800, Michel Lespinasse wrote:
> > Dehydrated supports two locations for config settings:
> > - The main config file, /etc/dehydrated/config by default
> > - Per-certificate config files, i.e. certs/*/config
> >
> > Settings defined in the per-certificate config files are expected to
> > only affect that particular certificate. But, this doesn't seem to be
> > the case - in particular, I noticed that PRIVATE_KEY_ROLLOVER was also
> > affecting certificates that are processed later in the run.
> >
> > Looking at the code, I think I found the root cause.
>
> Could I ask if you'd be willing to forward this issue directly upstream
> at https://github.com/dehydrated-io/dehydrated/issues ?
>
> > The store_configvars() and reset_configvars() are expected to save the
> > canonical (as per the global config file) settings and restore them
> > before processing each certificate. But, the set of variables that are
> > saved by these functions is only a subset of those that can be set in
> > per-certificate config files; in particular the OCSP_FETCH, OCSP_DAYS,
> > and PRIVATE_KEY_ROLLOVER settings are missing.
>
> So, only from reading your report, this might be as trivial as you say.
> If you tried to patch it and it works you might as well also propose
> this in the form of a merge request in the above github repository :)
>
> --
> regards,
> Mattia Rizzolo
>
> GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540  .''`.
> More about me:  https://mapreri.org : :'  :
> Launchpad user: https://launchpad.net/~mapreri  `. `'`
> Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-



Bug#981449: dehydrated: certificate specific settings may affect other certificates

2021-02-01 Thread Mattia Rizzolo
Hi!

On Sun, Jan 31, 2021 at 05:48:25AM -0800, Michel Lespinasse wrote:
> Dehydrated supports two locations for config settings:
> - The main config file, /etc/dehydrated/config by default
> - Per-certificate config files, i.e. certs/*/config
> 
> Settings defined in the per-certificate config files are expected to
> only affect that particular certificate. But, this doesn't seem to be
> the case - in particular, I noticed that PRIVATE_KEY_ROLLOVER was also
> affecting certificates that are processed later in the run.
> 
> Looking at the code, I think I found the root cause.

Could I ask if you'd be willing to forward this issue directly upstream
at https://github.com/dehydrated-io/dehydrated/issues ?

> The store_configvars() and reset_configvars() are expected to save the
> canonical (as per the global config file) settings and restore them
> before processing each certificate. But, the set of variables that are
> saved by these functions is only a subset of those that can be set in
> per-certificate config files; in particular the OCSP_FETCH, OCSP_DAYS,
> and PRIVATE_KEY_ROLLOVER settings are missing.

So, only from reading your report, this might be as trivial as you say.
If you tried to patch it and it works you might as well also propose
this in the form of a merge request in the above github repository :)

-- 
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540  .''`.
More about me:  https://mapreri.org : :'  :
Launchpad user: https://launchpad.net/~mapreri  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-




Bug#981449: dehydrated: certificate specific settings may affect other certificates

2021-01-31 Thread Michel Lespinasse
Package: dehydrated
Version: 0.7.0-1~bpo10+1
Severity: normal

Dear Maintainer,

Dehydrated supports two locations for config settings:
- The main config file, /etc/dehydrated/config by default
- Per-certificate config files, i.e. certs/*/config

Settings defined in the per-certificate config files are expected to
only affect that particular certificate. But, this doesn't seem to be
the case - in particular, I noticed that PRIVATE_KEY_ROLLOVER was also
affecting certificates that are processed later in the run.

Looking at the code, I think I found the root cause.

The per-certificate config files are loaded in command_sign_domains();
there is a case statement filtering the settings that are allowed in a
per-certificate config file and transferring those settings into global
shell variables. In my dehydrated installation, the supported
per-certificate config settings are:
  
KEY_ALGO|OCSP_MUST_STAPLE|OCSP_FETCH|OCSP_DAYS|PRIVATE_KEY_RENEW|PRIVATE_KEY_ROLLOVER|KEYSIZE|CHALLENGETYPE|HOOK|PREFERRED_CHAIN|WELLKNOWN|HOOK_CHAIN|OPENSSL_CNF|RENEW_DAYS)

The store_configvars() and reset_configvars() are expected to save the
canonical (as per the global config file) settings and restore them
before processing each certificate. But, the set of variables that are
saved by these functions is only a subset of those that can be set in
per-certificate config files; in particular the OCSP_FETCH, OCSP_DAYS,
and PRIVATE_KEY_ROLLOVER settings are missing.


-- System Information:
Debian Release: 10.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.9.0-0.bpo.2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dehydrated depends on:
ii  ca-certificates  20200601~deb10u2
ii  curl             7.64.0-4+deb10u1
ii  openssl          1.1.1d-0+deb10u4

dehydrated recommends no packages.

dehydrated suggests no packages.

-- no debconf information
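
The leak described in the report above, reproduced as an added example; it is not part of the original message and is not dehydrated's code. The function names and the `SAVED_BUGGY` list are assumptions, constructed by dropping the three settings the report names from the allowed list it quotes.

```shell
# Added illustration of the save/restore gap; helper names are hypothetical.
# Settings a per-certificate config may set (the list quoted in the report).
ALLOWED="KEY_ALGO OCSP_MUST_STAPLE OCSP_FETCH OCSP_DAYS PRIVATE_KEY_RENEW PRIVATE_KEY_ROLLOVER KEYSIZE CHALLENGETYPE HOOK PREFERRED_CHAIN WELLKNOWN HOOK_CHAIN OPENSSL_CNF RENEW_DAYS"
# Constructed model of the defect: the three settings named in the report are absent.
SAVED_BUGGY="KEY_ALGO OCSP_MUST_STAPLE PRIVATE_KEY_RENEW KEYSIZE CHALLENGETYPE HOOK PREFERRED_CHAIN WELLKNOWN HOOK_CHAIN OPENSSL_CNF RENEW_DAYS"

# Print every per-certificate setting that the save/restore list does not cover.
unsaved_settings() {  # $1 = allowed list, $2 = saved list
  missing=""
  for name in $1; do
    case " $2 " in
      *" $name "*) ;;                               # covered by save/restore
      *) missing="${missing:+$missing }$name" ;;    # would leak to later certs
    esac
  done
  printf '%s' "$missing"
}

# Save and restore the global values of the named variables.
# eval is safe here because the names come from the fixed lists above.
save_globals()    { for n in $1; do eval "__orig_$n=\${$n-}"; done; }
restore_globals() { for n in $1; do eval "$n=\${__orig_$n-}"; done; }

# Process two certificates in order. The first has a per-certificate override,
# the second has none. Prints the value the second certificate ends up using.
rollover_seen_by_second_cert() {  # $1 = list used for save/restore
  PRIVATE_KEY_ROLLOVER="no"       # global config value (constructed)
  save_globals "$1"

  restore_globals "$1"            # certificate 1
  PRIVATE_KEY_ROLLOVER="yes"      # its per-certificate config overrides the global

  restore_globals "$1"            # certificate 2, no per-certificate config
  printf '%s' "$PRIVATE_KEY_ROLLOVER"
}

echo "not restored between certificates: $(unsaved_settings "$ALLOWED" "$SAVED_BUGGY")"
echo "second cert, incomplete list: $(rollover_seen_by_second_cert "$SAVED_BUGGY")"
echo "second cert, complete list:   $(rollover_seen_by_second_cert "$ALLOWED")"
```

Running `unsaved_settings` against the two lists of an installed version is a quick way to check whether any per-certificate setting can still carry over to later certificates.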