Package: dehydrated
Version: 0.7.0-1~bpo10+1
Severity: normal

Dear Maintainer,

Dehydrated supports two locations for config settings:
- The main config file, /etc/dehydrated/config by default
- Per-certificate config files, i.e. certs/*/config

Settings defined in the per-certificate config files are expected to
only affect that particular certificate. But, this doesn't seem to be
the case - in particular, I noticed that PRIVATE_KEY_ROLLOVER was also
affecting certificates that are processed later in the run.

Looking at the code, I think I found the root cause.

The per-certificate config files are loaded in command_sign_domains();
there is a case statement filtering the settings that are allowed in a
per-certificate config file and transferring those settings into global
shell variables. In my dehydrated installation, the supported
per-certificate config settings are:

KEY_ALGO|OCSP_MUST_STAPLE|OCSP_FETCH|OCSP_DAYS|PRIVATE_KEY_RENEW|PRIVATE_KEY_ROLLOVER|KEYSIZE|CHALLENGETYPE|HOOK|PREFERRED_CHAIN|WELLKNOWN|HOOK_CHAIN|OPENSSL_CNF|RENEW_DAYS)

The store_configvars() and reset_configvars() are expected to save the
canonical (as per the global config file) settings and restore them
before processing each certificate. But, the set of variables that are
saved by these functions is only a subset of those that can be set in
per-certificate config files; in particular the OCSP_FETCH, OCSP_DAYS,
and PRIVATE_KEY_ROLLOVER settings are missing.


-- System Information:
Debian Release: 10.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.9.0-0.bpo.2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dehydrated depends on:
ii  ca-certificates  20200601~deb10u2
ii  curl             7.64.0-4+deb10u1
ii  openssl          1.1.1d-0+deb10u4

dehydrated recommends no packages.

dehydrated suggests no packages.

-- no debconf information
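The leak described in the report, reduced to a small POSIX sh model. This is an added example, not dehydrated's own code: the function names store_configvars/reset_configvars mirror the report, but the allow-list, the two constructed certificate configs (example-one, example-two) and the helper names (apply_global_config, cert_config, load_cert_config, run_demo) are assumptions made for the demonstration. It shows that when the save/restore pair covers only a subset of the keys a per-certificate config may set, a setting such as PRIVATE_KEY_ROLLOVER from the first certificate is still in effect when the second one is processed, and that driving the save/restore from the same allow-list the loader uses closes the gap.

```shell
#!/bin/sh
# Added example, not dehydrated's own code. Models the per-certificate
# config loading and the store/reset of "canonical" settings that the
# report describes, using constructed configs.

# Keys a per-certificate config may override (a subset of the report's
# list, kept short; assumption for this example).
ALLOWED_KEYS="KEY_ALGO OCSP_FETCH OCSP_DAYS PRIVATE_KEY_ROLLOVER KEYSIZE"

# Constructed stand-in for the global config (/etc/dehydrated/config).
apply_global_config() {
  KEY_ALGO="rsa"
  OCSP_FETCH="no"
  OCSP_DAYS="5"
  PRIVATE_KEY_ROLLOVER="no"
  KEYSIZE="4096"
}

# Constructed per-certificate configs, one KEY=value line each.
cert_config() {
  case "$1" in
    example-one) printf '%s\n' 'PRIVATE_KEY_ROLLOVER=yes' 'KEYSIZE=2048' ;;
    example-two) : ;;   # no per-certificate overrides
  esac
}

# Load one per-certificate config into the global shell variables.
# Only allow-listed keys are assigned; the value is passed to eval through
# a variable so it is never re-parsed as shell code.
load_cert_config() {
  tmp=$(cert_config "$1")
  while IFS='=' read -r key value; do
    [ -n "$key" ] || continue
    case " $ALLOWED_KEYS " in
      *" $key "*) eval "$key=\$value" ;;
      *) printf 'ignoring key not allowed per-certificate: %s\n' "$key" >&2 ;;
    esac
  done <<EOF
$tmp
EOF
}

# Subset variant (the defect from the report): only some of the keys that a
# per-certificate config may set are saved and restored.
store_configvars_subset() {
  SAVED_KEY_ALGO="$KEY_ALGO"
  SAVED_KEYSIZE="$KEYSIZE"
}
reset_configvars_subset() {
  KEY_ALGO="$SAVED_KEY_ALGO"
  KEYSIZE="$SAVED_KEYSIZE"
}

# Complete variant: every allow-listed key is saved and restored, driven by
# the same list the loader filters on, so the two sets cannot drift apart.
store_configvars_all() {
  for key in $ALLOWED_KEYS; do
    eval "SAVED_$key=\$$key"
  done
}
reset_configvars_all() {
  for key in $ALLOWED_KEYS; do
    eval "$key=\$SAVED_$key"
  done
}

# Process both certificates in order with the chosen variant ("subset" or
# "all") and print, on stdout, the settings the second certificate ends up
# being processed with.
run_demo() {
  variant="$1"
  apply_global_config
  "store_configvars_$variant"
  for domain in example-one example-two; do
    "reset_configvars_$variant"
    load_cert_config "$domain"
    printf '%s: PRIVATE_KEY_ROLLOVER=%s KEYSIZE=%s\n' \
      "$domain" "$PRIVATE_KEY_ROLLOVER" "$KEYSIZE" >&2
  done
  printf 'rollover=%s keysize=%s\n' "$PRIVATE_KEY_ROLLOVER" "$KEYSIZE"
}

# KEYSIZE is restored in both variants because both save it; the rollover
# setting leaks in the subset variant only.
printf 'subset save/restore   -> %s\n' "$(run_demo subset)"  # rollover=yes keysize=4096
printf 'complete save/restore -> %s\n' "$(run_demo all)"     # rollover=no keysize=4096
```

Each run_demo call happens in a command substitution, so the global variables of one variant do not carry over into the other. The per-certificate diagnostics go to stderr so that stdout carries only the final state, which is what a check in a test or a cron wrapper would want to compare.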
