SSL cert: one user can kill all our certs

Discussion in 'ISPConfig 3 Priority Support' started by ledufakademy, Mar 2, 2021.

  1. ledufakademy

    ledufakademy Member HowtoForge Supporter

    https://www.ilinux.fr

    One of our clients can put his own SSL cert (not Let's Encrypt) and then he kills it for all the other clients (using Let's Encrypt SSL certs) that are hosted on this web server!
    So it kills all websites ... all using Let's Encrypt.
    I'm investigating why ...
    He put the key and cert in the SSL tab, then saved ... then all other SSL certs (LE) were killed; all other websites got his SSL cert.
    Edit: security tag removed
     
    Last edited: Mar 2, 2021
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    You should not post before you have investigated what happened on your system, and even more you should not claim that you found a security issue, as it's more likely that you are exposing a misconfiguration on your side than an issue in ISPConfig. Just a guess: did you mix * and an IP address in the websites' IPv4 field?
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Read my post again and check what I mentioned there.
     
  4. ledufakademy

    ledufakademy Member HowtoForge Supporter

    hello Till,
    Yes, the client put the internal web server IP address in the "IPv4-Address" field and not * like the other websites.
    But this is allowed!
    And the problem is, if one client is playing with his cert config (or anything else in his environment), he can kill the others ... that's not a good thing.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    It is allowed because you, the administrator who is responsible for that server, configured your server to allow it. An IP always has precedence over a wildcard. To fix your server configuration, go to System > Server IP and uncheck the namevirtualhost option in the settings of the IP address and click save.

    You meant to make this sentence bold, after I reminded you not to post such things before you even investigated the issue, really? Here is my reply: it's not a security issue, it's just an admin who did not know how to configure and maintain a web server. It is common knowledge among webmasters how Apache and nginx servers work and that an IP always has precedence over a wildcard, and when you decide to allow both options to your customers, then what you describe must happen when someone selects the IP while others use the wildcard.
     
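The precedence rule Till describes, as an added illustration that is not part of the thread and not ISPConfig's or Apache's code: a small Python model of Apache's vhost selection (best match on IP:port first, where an explicit IP beats `*`; then ServerName/ServerAlias against the SNI name; otherwise the first vhost bound to that IP:port is the default and its certificate is served). The config text, the hostnames, the TEST-NET address 192.0.2.10 and the certificate paths are constructed for the example. It also includes a check that flags ports where explicit-IP and wildcard vhosts are mixed, which is the condition that let one client's cert land on everyone else's sites.

```python
"""
Model of Apache virtual-host selection, showing why one vhost bound to the
server's IP takes over every wildcard (*) vhost on the same port.

Constructed example (not Apache's or ISPConfig's own code). The selection
logic follows Apache's documented rule: pick the vhosts whose address is
the best match for the connection's local IP:port (an explicit IP beats
'*'), then match ServerName/ServerAlias against the SNI host name, else
fall back to the first such vhost, whose certificate is what the client sees.
"""
import re
from dataclasses import dataclass, field


@dataclass
class VHost:
    addr: str                      # "*" or an explicit IPv4 address
    port: int
    server_name: str
    aliases: list = field(default_factory=list)
    cert: str = ""                 # SSLCertificateFile path


VHOST_RE = re.compile(
    r"<VirtualHost\s+([^:\s>]+):(\d+)>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(text):
    """Minimal parser for just the directives this example needs."""
    vhosts = []
    for addr, port, body in VHOST_RE.findall(text):
        def directive(name):
            m = re.search(rf"^\s*{name}\s+(.+?)\s*$", body, re.M | re.I)
            return m.group(1) if m else ""
        vhosts.append(VHost(
            addr=addr, port=int(port),
            server_name=directive("ServerName"),
            aliases=directive("ServerAlias").split(),
            cert=directive("SSLCertificateFile")))
    return vhosts


def select_vhost(vhosts, local_ip, port, sni):
    """Return the vhost Apache would use for a connection to local_ip:port
    carrying the given SNI name (None if nothing listens there)."""
    exact = [v for v in vhosts if v.port == port and v.addr == local_ip]
    wild = [v for v in vhosts if v.port == port and v.addr == "*"]
    candidates = exact or wild          # explicit IP wins over '*'
    if not candidates:
        return None
    for v in candidates:                # name-based match within the set
        if sni and (sni == v.server_name or sni in v.aliases):
            return v
    return candidates[0]                # default vhost for that IP:port


def mixed_bindings(vhosts):
    """Ports on which explicit-IP and '*' vhosts coexist. On such a port the
    '*' vhosts are never reached via that IP, so they serve nothing."""
    by_port = {}
    for v in vhosts:
        by_port.setdefault(v.port, set()).add(v.addr)
    return sorted(p for p, addrs in by_port.items()
                  if "*" in addrs and len(addrs) > 1)


# Constructed config: two Let's Encrypt sites on '*', one client (carol)
# who selected the server IP instead of '*' and uploaded her own cert.
SERVER_IP = "192.0.2.10"
CONFIG = """
<VirtualHost *:443>
    ServerName alice.example
    SSLCertificateFile /etc/letsencrypt/live/alice.example/fullchain.pem
</VirtualHost>
<VirtualHost *:443>
    ServerName bob.example
    ServerAlias www.bob.example
    SSLCertificateFile /etc/letsencrypt/live/bob.example/fullchain.pem
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName carol.example
    SSLCertificateFile /var/www/clients/client3/web3/ssl/carol.example.crt
</VirtualHost>
"""
# The fix the thread arrives at: every site bound to '*' again.
FIXED = CONFIG.replace("192.0.2.10:443", "*:443")


def served_cert(config_text, sni, local_ip=SERVER_IP, port=443):
    """Certificate a TLS client asking for `sni` would be shown."""
    v = select_vhost(parse_vhosts(config_text), local_ip, port, sni)
    return v.cert if v else None


if __name__ == "__main__":
    for cfg, label in ((CONFIG, "mixed"), (FIXED, "fixed")):
        print(label, "mixed ports:", mixed_bindings(parse_vhosts(cfg)))
        for host in ("alice.example", "www.bob.example", "carol.example"):
            print(f"  {label}: {host} -> {served_cert(cfg, host)}")
```

With the mixed config every name that resolves to 192.0.2.10 is answered by carol's vhost and her certificate, which is exactly the symptom in the first post; once all sites are back on `*`, name-based selection works again. On a real server the equivalent check is the vhost table printed by `apache2ctl -S` (or `apachectl -S`): a port that lists both an explicit IP and a wildcard entry has this problem.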
  6. ledufakademy

    ledufakademy Member HowtoForge Supporter

    It was the default option, I haven't touched anything.
    You mean this option: "HTTP NameVirtualHost"? If yes, by default it's checked.
    So I unchecked it (namevirtualhost - HTTP NameVirtualHost), as mentioned below, but ... when I go to the Sites > Websites tab (with the client interface), then choose, or add new, a site ... it's always possible to choose * or the web server IP address.
    What am I doing wrong?

    "An IP always has precedence over a wildcard and when you decide to allow both options to your customers": so how do we disable this possibility for our customers?

    Thank you for your answer, Till.
     
    Last edited: Mar 2, 2021
  7. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    It was, but it is not anymore when installing new systems.
    Uncheck HTTP NameVirtualHost for every IP.
    Then open the website, select *, and click save. Do this for every site.
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    I've just tested it here in ISPConfig 3.2.2 and the IP does not show up in the IPv4 selector of the website, neither for admin nor client, when you have unticked the namevirtualhost checkbox in the IP settings.
     
  9. ledufakademy

    ledufakademy Member HowtoForge Supporter

    I'm on "This Version: 3.1.15p3" ... :rolleyes:
    We are speaking of:
    System > Server IP Addresses > then uncheck "HTTP NameVirtualHost"
    Is that right?
     
  10. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    It should work fine for that as well, but you should update, as several security issues have been fixed in the last releases.
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Besides what @Th0m mentioned: if you do not use automatic network configuration (which is disabled by default), then you can even delete the IP address under System > Server IP.
     
  12. ledufakademy

    ledufakademy Member HowtoForge Supporter

    Ouhhh, delete, delete ... no, no! ;-)
    It works, in fact: the end user can see the local IP BUT cannot save!
    So it's working.

    But it was very strange to see all this server's sites having our client's cert!!!
    This is solved for me.
    Thanks to all of you.
    :D
     