I am quite baffled as to how the challenge succeeded, with a fresh certificate in a cloned VM that is not accessible from internet. Or are tokens completely deterministic and thus the same on original and cloned VM ?
Here’s the situation:
- let’s say website aaa.fr is running inside a VM, uses letsencrypt with apache auto renewal.
- a month ago, this VM is cloned
- the original VM runs 24/7, under aaa.fr while clone is shut down and does not respond to any URL.
- 3 days before renewal is due, I start the cloned VM (whose IP is not getting hit from aaa.fr, and is not even accessible from internet), and auto renewal is run and a new certificate magically appears on cloned VM.
The only explanation I can think of is that maybe the same token was issued to the cloned VM as to the original one, and the token file was still in the /.well-known/acme-challenge/ folder of the original website, thus validating the challenge.
It somewhat sounds like a vulnerability that a clone of a VM could still present a valid, renewed cert of the original website.
What am I missing?
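To make the question concrete, the following is an added example (not part of the original post, not certbot code) that reproduces the HTTP-01 arithmetic from RFC 8555 §8.1 and RFC 7638: the part a cloned VM shares with the original is the ACME account key, whose thumbprint is deterministic, while the token is a fresh random value the CA chooses per challenge. The JWK values below are constructed placeholders, not a real key.

```python
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JOSE/ACME require (RFC 7515 App. C)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required public members only, keys in
    lexicographic order, no whitespace. Same account key -> same thumbprint."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: body the client must serve for a challenge."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def new_challenge_token() -> str:
    """What the CA does for every new challenge (RFC 8555 section 8.3):
    a fresh random token with at least 128 bits of entropy."""
    return b64url(secrets.token_bytes(32))


def http01_response_matches(served_body: str, token: str, account_jwk: dict) -> bool:
    """The CA-side check: the body fetched from
    http://<domain>/.well-known/acme-challenge/<token> must equal the
    expected key authorization (trailing whitespace tolerated)."""
    return served_body.strip() == key_authorization(token, account_jwk)


# Constructed placeholder account key shared by the original VM and its clone
# (a clone copies /etc/letsencrypt, account key included). Not a real key.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-placeholder-modulus",
               "kid": "ignored-by-the-thumbprint"}


def clone_scenario() -> dict:
    """Old token still on the original's disk vs. a new token for the clone's run."""
    old_token, new_token = new_challenge_token(), new_challenge_token()
    stale_file_on_original = key_authorization(old_token, ACCOUNT_JWK)
    return {"same_thumbprint": jwk_thumbprint(ACCOUNT_JWK) == jwk_thumbprint(dict(ACCOUNT_JWK)),
            "stale_file_passes_new_challenge":
                http01_response_matches(stale_file_on_original, new_token, ACCOUNT_JWK)}
```

Running `clone_scenario()` shows the thumbprint half of the key authorization is identical on both VMs, while a leftover file for an earlier token does not satisfy a challenge issued with a new token.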