I am quite baffled as to how the challenge succeeded, with a fresh certificate in a cloned VM that is not accessible from the internet. Or are tokens completely deterministic and thus the same on the original and cloned VM?
Here's the situation:
Let's say website aaa.fr is running inside a VM and uses Let's Encrypt with Apache auto-renewal.
A month ago, this VM was cloned.
The original VM runs 24/7 under aaa.fr, while the clone is shut down and does not respond to any URL.
Three days before renewal is due, I start the cloned VM (whose IP is not hit by aaa.fr and is not even accessible from the internet); auto-renewal runs and a new certificate magically appears on the cloned VM.
The only explanation I can think of is that maybe the same token was issued to the cloned VM as to the original one, and the token file was still in the /.well-known/acme-challenge/ folder of the original website, thus validating the challenge.
It somewhat sounds like a vulnerability that a clone of a VM could still present a valid, renewed cert for the original website.
If you cloned the ACME account key onto the new machine as well, then this is not unexpected.
When you authorize a domain on an ACME account, that authorization remains valid for some time (currently ~30 days).
If you order a new certificate, and your account already has valid authorizations for all of the domains, you will get a new certificate without having to perform any challenges.
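The account-level authorization reuse described in this answer, as an added example that is not part of the original thread and not the code of any real ACME client or CA: a small Python model of a CA that keys accounts by the RFC 7638 JWK thumbprint and reuses an account's valid authorizations when a new order comes in. The JWK values are constructed dummies (only the hash matters), the 30-day lifetime is the figure quoted in the thread rather than a spec value, and FakeCA and its methods are hypothetical names. It replays the timeline of this thread: day 0 the original VM answers a challenge, day 27 the clone boots with a byte-identical account key and gets an order that needs no challenge, while a freshly registered account on the same day does, and on day 31 even the clone would have to answer a challenge again.

```python
"""Model of ACME authorization reuse on a shared account (RFC 8555 section 7.1.4).

Constructed example for illustration; not a real ACME client or server.
"""
import base64
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Authorization lifetime quoted in the thread (~30 days at the time). Assumption, not a spec value.
AUTHZ_LIFETIME = timedelta(days=30)

# Constructed dummy JWKs: not real keys, any base64url text works because only the hash matters.
ORIGINAL_KEY = {"kty": "RSA", "e": "AQAB", "n": "dummy-modulus-of-the-original-vm-account-key"}
CLONED_KEY = dict(ORIGINAL_KEY)  # what a VM clone carries: a byte-identical copy of the account key
FRESH_KEY = {"kty": "RSA", "e": "AQAB", "n": "dummy-modulus-of-a-freshly-registered-account"}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required public members only, lexicographic order, no whitespace,
    SHA-256, base64url without padding. ACME identifies an account by its key, so two
    machines whose keys produce the same thumbprint are the same account."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


@dataclass
class Authorization:
    identifier: str
    validated_at: datetime

    def is_valid(self, now: datetime) -> bool:
        return now < self.validated_at + AUTHZ_LIFETIME


@dataclass
class Account:
    thumbprint: str
    authorizations: list = field(default_factory=list)


class FakeCA:
    """Hypothetical CA keeping one authorization cache per account (keyed by thumbprint)."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def account_for(self, jwk: dict) -> Account:
        tp = jwk_thumbprint(jwk)
        return self.accounts.setdefault(tp, Account(tp))

    def new_order(self, jwk: dict, identifiers: list, now: datetime) -> list:
        """Return the identifiers that still need a challenge for this order.
        An empty list means the order is immediately ready: every identifier is covered by
        a valid, unexpired authorization on the account, so the CA issues without a challenge."""
        account = self.account_for(jwk)
        return [
            ident
            for ident in identifiers
            if not any(a.identifier == ident and a.is_valid(now) for a in account.authorizations)
        ]

    def complete_challenge(self, jwk: dict, identifier: str, now: datetime) -> None:
        """The account answered e.g. http-01 for identifier; cache the resulting authorization."""
        self.account_for(jwk).authorizations.append(Authorization(identifier, now))


def replay_thread_timeline() -> dict:
    """Replay the situation from the thread; returns which orders needed a challenge."""
    ca = FakeCA()
    day0 = datetime(2024, 1, 1, tzinfo=timezone.utc)

    def day(n: int) -> datetime:
        return day0 + timedelta(days=n)

    # Day 0: the original VM renews; no authz exists yet, so it must answer a challenge.
    assert ca.new_order(ORIGINAL_KEY, ["aaa.fr"], day(0)) == ["aaa.fr"]
    ca.complete_challenge(ORIGINAL_KEY, "aaa.fr", day(0))

    return {
        # Day 27: the clone boots with the same account key; the 27-day-old authz is still valid.
        "clone_day27": ca.new_order(CLONED_KEY, ["aaa.fr"], day(27)),
        # Same day, a freshly registered account has no authz and must prove control.
        "fresh_account_day27": ca.new_order(FRESH_KEY, ["aaa.fr"], day(27)),
        # Day 31: the cached authz has expired, so even the clone must answer a challenge.
        "clone_day31": ca.new_order(CLONED_KEY, ["aaa.fr"], day(31)),
    }


if __name__ == "__main__":
    print("same account on both VMs:", jwk_thumbprint(ORIGINAL_KEY) == jwk_thumbprint(CLONED_KEY))
    for scenario, pending in replay_thread_timeline().items():
        print(f"{scenario}: {'no challenge needed' if not pending else 'challenge needed for ' + ', '.join(pending)}")
```

The practical check on the cloned VM is therefore the account key, not the challenge token: if the thumbprint of the clone's account key matches the original's, they are one ACME account and the clone inherits every authorization the original earned. To cut that link, register a fresh account on the clone (with certbot, the account key is kept under /etc/letsencrypt/accounts/ by default, so remove or replace that material before the clone's first renewal run) so that the clone has to pass its own challenge.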
That would suggest the authorization is at least 57 days old, which is more than 30 obviously.
Unless the certificate of the cloned VM was older than a more recent (<30 days) authorization for the same domain which was used for a different certificate on a different VM.
The way I read it, the original VM was never stopped and would keep renewing its own copy of the certificate, so there would be an active authz on the account from (30-3)=27 days ago.
Edit: might also be subject to interpretation of what “renewal is due” means (30 day buffer, or actual expiry date?)
Yes, it was 3 days before the actual expiry date, and yes the original VM was still actively renewing.
The VM clone is from only 20 days ago and not a month old as I said, so it fits with your explanation: it was cloned after an authorization was made, and this authorization is not older than 30 days.