Challenge success on VM clone without ownership of the website

Aplanos · May 9, 2020, 9:54pm

Hi

I am quite baffled as to how the challenge succeeded, with a fresh certificate in a cloned VM that is not accessible from internet. Or are tokens completely deterministic and thus the same on original and cloned VM ?

Here’s the situation :

let’s say website aaa.fr is running inside a VM, uses letsencrypt with apache auto renewal.
a month ago, this VM is cloned
the original VM runs 24/7, under aaa.fr while clone is shut down and does not respond to any URL.
3 days before renewal is due, I start the cloned VM (whose IP is not getting hit from aaa.fr, and is not even accessible from internet), and auto renewal is run and a new certificate magically appears on cloned VM.

Only explaination I can think of is maybe the same token was issued to the cloned VM than to the original one, and token file was still on the /.well-known/acme-challenge/ folder of the original website, thus validating the challenge.

It somewhat sounds like a vulnerability that a clone of a VM could still present a valid, renewed cert of the original website.

What am I missing ?

_az · May 9, 2020, 10:02pm

If you cloned the ACME account key onto the new machine as well, then this is not unexpected.

When you authorize a domain on an ACME account, that authorization remains valid for some time (currently ~30 days).

If you order a new certificate, and your account already has valid authorizations for all of the domains, you will get a new certificate without having to perform any challenges.

Aplanos · May 9, 2020, 10:05pm

Oh I see, thanks for your answer I understand now. I wasn’t aware the authorization remained valid for a while.

Mystery solved !

Osiris · May 9, 2020, 10:30pm

But @Aplanos said:

That would suggest the authorization is at least 57 days old, which is more than 30 obviously.

Unless the certificate of the cloned VM was older than a more recent (<30 days) authorization for the same domain which was used for a different certificate on a different VM.

_az · May 9, 2020, 10:42pm

The way I read it, the original VM was never stopped and would keep renewing its own copy of the certificate, so there would be an active authz on the account from (30-3)=27 days ago.

Edit: might also be subject to interpretation of what “renewal is due” means (30 day buffer, or actual expiry date?)

Aplanos · May 9, 2020, 10:55pm

Yes, it was 3 days before the actual expiry date, and yes the original VM was still actively renewing.
The VM clone is from only 20 days ago and not a month old as I said, so fits with your explanation : it was cloned after an authorization was made, and this authorization is not older than 30 days.

system · June 8, 2020, 10:55pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.