Receiving Expiration Emails for Dozens of Domains

I am one of the co-founders of Cloudron. Thanks for reporting this issue @cdolson .

Just looking into the issue, I think the problem is that the DigitalOcean 1-click image of Cloudron is reusing the ACME account key. Looks like this regression was introduced in our previous release, which indeed happened a couple of months ago.

I am looking into a fix and will report back here. Sorry for the spam @cdolson !

8 Likes

@jsha thanks for investigating.

An update on what I found: Every Cloudron install gets its own account key. They all start with the same email id (webmaster@cloudron.io), but it then gets updated later to the email of the Cloudron admin. The issue only happens in the DO 1-click image because we have mistakenly taken the VM "snapshot" along with an account key.

We pushed a new image 2 weeks ago, so I think @cdolson should no longer be receiving any more mails. IIUC, @cdolson was probably the last person who used the last version of the 1-click image, and this is why he gets all the emails.

9 Likes

@girish: So, I think that one would consider the account key as being compromised (as many of your customers have access to it), so as @jsha said you should deactivate the ACME account. (Using certbot it's the unregister command, for example, but it looks like you're using your own client.)

Are these clients with a shared account key still likely running out "in the wild"? If so, I hope that they're configured so that if the account key they're trying to use gets deactivated, they'll try to create a new one. I think I've read somewhere that that was the recommended approach for people developing their own ACME clients, though I'm not sure where (as I don't see it in the Integration Guide).

7 Likes

@petercooperjr yes, the account key in the wild is already deactivated now (thanks to @JamesLE). I think there is another key in the wild but it's part of our old DO 1-click image. I am in touch with the DO team to get access to the older image, so I can revoke it as well (since they only make the latest image available even to the publisher).

We are pushing out an update later today that will automatically generate new ACME account keys for Cloudrons using the compromised keys.

6 Likes
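The rotation described in the update above, as an added example that is not Cloudron's own code: the image-shipped key is identified by its RFC 7638 JWK thumbprint (which exposes nothing private, so the list of affected thumbprints can be distributed safely), and a host whose account key matches generates a fresh one. The RSA key type, the `shipped` thumbprint list and the constructed scenario in `main` are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

// jwkThumbprint computes the RFC 7638 thumbprint of an RSA public key: SHA-256
// over the JWK's required members ("e", "kty", "n") in lexicographic order with
// no whitespace. It identifies an ACME account key without the private half.
func jwkThumbprint(pub *rsa.PublicKey) (string, error) {
	jwk := struct {
		E   string `json:"e"` // struct field order already matches RFC 7638
		Kty string `json:"kty"`
		N   string `json:"n"`
	}{
		E:   base64.RawURLEncoding.EncodeToString(big.NewInt(int64(pub.E)).Bytes()),
		Kty: "RSA",
		N:   base64.RawURLEncoding.EncodeToString(pub.N.Bytes()),
	}
	b, err := json.Marshal(jwk)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(b)
	return base64.RawURLEncoding.EncodeToString(sum[:]), nil
}

// ensureUniqueAccountKey keeps key unless its thumbprint is on the list of keys
// known to have shipped inside a snapshot (assumed list); then it generates a
// fresh key and reports the rotation so the caller can register a new account.
func ensureUniqueAccountKey(key *rsa.PrivateKey, shipped map[string]bool) (*rsa.PrivateKey, bool, error) {
	tp, err := jwkThumbprint(&key.PublicKey)
	if err != nil || !shipped[tp] {
		return key, false, err
	}
	fresh, err := rsa.GenerateKey(rand.Reader, 2048)
	return fresh, err == nil, err
}

func main() {
	// Constructed scenario: the key found on disk is the one the image shipped with.
	imageKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	tp, _ := jwkThumbprint(&imageKey.PublicKey)
	_, rotated, err := ensureUniqueAccountKey(imageKey, map[string]bool{tp: true})
	fmt.Println("shared key detected, rotated:", rotated, "err:", err)
}
```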
