Summary
It was discovered that the github.com/go-acme/lego/v4/acme/api package (thus the lego library and the lego cli as well) don't enforce HTTPS when talking to CAs as an ACME client.
Details
Unlike the http-01 challenge which solves an ACME challenge over unencrypted HTTP, the ACME protocol requires HTTPS when a client communicates with the CA to performs ACME functions. This is stated in 6.1 of RFC 8555: https://datatracker.ietf.org/doc/html/rfc8555#section-6.1
Each ACME function is accomplished by the client sending a sequence
of HTTPS requests to the server [RFC2818], carrying JSON messages
[RFC8259]. Use of HTTPS is REQUIRED. Each subsection of Section 7
below describes the message formats used by the function and the
order in which messages are sent.
However, the library fails to enforce HTTPS both in the original discover URL (configured by the library user) and in the subsequent addresses returned by the CAs in the directory and order objects.
If the library user accidentally inputs an HTTP URL, or the CA similarly misconfigures its endpoints, this will cause the relevant parts of the protocol to be performed over HTTP. This can result, at the very least, in a lost of privacy of the request/response details, such as account and request identifiers (which could be intercepted by an attacker in a privileged network position). We did not investigate whether other more serious threats could result from the ability to impersonate a CA for some of the protocol requests, but enforcing HTTPS usage is definitely the safe choice.
Reproducing
This is illustrated in the attached http_acme_test.go. Since it uses private field Core.directory, this test must be placed inside the source directory of https://github.com/go-acme/lego/v4/acme/api to run.
Please note that this only checks getting the directory and creating a new account, but other ACME functions are likely impacted as well, such as creating orders, getting and checking order authorizations.
package api
import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"fmt"
"net/http"
"strings"
"testing"
"time"
"github.com/go-acme/lego/v4/acme"
)
const letsEncryptURLHTTP = "http://acme-v02.api.letsencrypt.org/directory"
const letsEncryptURLHTTPS = "https://acme-v02.api.letsencrypt.org/directory"
func changeToHTTP(url *string) {
if strings.HasPrefix(*url, "https:") {
*url = "http" + (*url)[len("https"):]
}
}
func changeToHTTPS(url *string) {
if strings.HasPrefix(*url, "http:") {
*url = "https" + (*url)[len("http"):]
}
}
func TestHTTPURLs(t *testing.T) {
privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
t.Fatalf("error generating a private key: %v", err)
}
func() {
t.Log("testing that Discover enforces https")
_, err := New(&http.Client{
Transport: &httpsOnlyRoundTripper{inner: http.DefaultTransport},
Timeout: 20 * time.Second,
}, "", letsEncryptURLHTTP, "", privateKey)
if err != nil {
t.Errorf("New error: %v", err)
}
}()
core, err := New(&http.Client{
Transport: &httpsOnlyRoundTripper{inner: http.DefaultTransport},
Timeout: 20 * time.Second,
}, "", letsEncryptURLHTTPS, "", privateKey)
if err != nil {
t.Fatalf("New error: %v", err)
}
func() {
t.Log("testing that account creation enforces https")
// Simulate a misconfigured CA that gives out HTTP directory URLs and when
// we're done change it back to HTTPS to test the rest.
changeToHTTP(&core.directory.NewAccountURL)
defer changeToHTTPS(&core.directory.NewAccountURL)
_, err := core.Accounts.New(acme.Account{
TermsOfServiceAgreed: true,
Contact: []string{},
})
if err != nil {
t.Errorf("core.Accounts.New error: %v", err)
}
}()
_, err = core.Accounts.New(acme.Account{
TermsOfServiceAgreed: true,
Contact: []string{},
})
if err != nil {
t.Fatalf("core.Accounts.New error: %v", err)
}
}
type httpsOnlyRoundTripper struct {
inner http.RoundTripper
}
func (r *httpsOnlyRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
if req.URL.Scheme != "https" {
return nil, fmt.Errorf("non-https request is being sent")
}
return r.inner.RoundTrip(req)
}
_
References
songgao Reporter
chrisnojima Reporter
Summary
It was discovered that the github.com/go-acme/lego/v4/acme/api package (thus the lego library and the lego cli as well) don't enforce HTTPS when talking to CAs as an ACME client.
Details
Unlike the http-01 challenge which solves an ACME challenge over unencrypted HTTP, the ACME protocol requires HTTPS when a client communicates with the CA to performs ACME functions. This is stated in 6.1 of RFC 8555: https://datatracker.ietf.org/doc/html/rfc8555#section-6.1
However, the library fails to enforce HTTPS both in the original discover URL (configured by the library user) and in the subsequent addresses returned by the CAs in the directory and order objects.
If the library user accidentally inputs an HTTP URL, or the CA similarly misconfigures its endpoints, this will cause the relevant parts of the protocol to be performed over HTTP. This can result, at the very least, in a lost of privacy of the request/response details, such as account and request identifiers (which could be intercepted by an attacker in a privileged network position). We did not investigate whether other more serious threats could result from the ability to impersonate a CA for some of the protocol requests, but enforcing HTTPS usage is definitely the safe choice.
Reproducing
This is illustrated in the attached http_acme_test.go. Since it uses private field Core.directory, this test must be placed inside the source directory of https://github.com/go-acme/lego/v4/acme/api to run.
Please note that this only checks getting the directory and creating a new account, but other ACME functions are likely impacted as well, such as creating orders, getting and checking order authorizations.
_
References