
I am using https://github.com/jhaals/yopass#docker-compose to configure the otm service, and I have some questions about nginx-proxy-letsencrypt and its logging. When I run docker logs -f otm-nginx-proxy-letsencrypt-1, I can see that the cert is logged:

2022/10/10 10:31:27 [notice] 59#59: signal process started
Creating/renewal otm.my.domain certificates... (otm.my.domain)
[Mon Oct 10 10:31:28 UTC 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Mon Oct 10 10:31:29 UTC 2022] Creating domain key
[Mon Oct 10 10:31:30 UTC 2022] The domain key is here: /etc/acme.sh/info@otm.my.domain/otm.my.domain/otm.my.domain.key
[Mon Oct 10 10:31:30 UTC 2022] Single domain='otm.my.domain'
[Mon Oct 10 10:31:30 UTC 2022] Getting domain auth token for each domain
[Mon Oct 10 10:31:32 UTC 2022] Getting webroot for domain='otm.my.domain'
[Mon Oct 10 10:31:32 UTC 2022] Verifying: otm.my.domain
[Mon Oct 10 10:31:36 UTC 2022] Success
[Mon Oct 10 10:31:36 UTC 2022] Verify finished, start to sign.
[Mon Oct 10 10:31:36 UTC 2022] Lets finalize the order.
[Mon Oct 10 10:31:36 UTC 2022] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/3***/1*********'
[Mon Oct 10 10:31:37 UTC 2022] Downloading cert.
[Mon Oct 10 10:31:37 UTC 2022] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/8...f'
[Mon Oct 10 10:31:37 UTC 2022] Cert success.
-----BEGIN CERTIFICATE-----
MIIGKzCCBROgAwIBAgISA9Y2oiyXcvf0rbdIWa6HeqdvMA0GCSqGSIb3DQEBCwUA
...
TwgOT5rz9z6bx9BVHsmKqw1uWwcA7ltIGWT6cJd5k8VIdnS59xfYJLiqNWNW+v0=
-----END CERTIFICATE-----
[Mon Oct 10 10:31:37 UTC 2022] Your cert is in  /etc/acme.sh/info@otm.my.domain/otm.my.domain/otm.my.domain.cer 
[Mon Oct 10 10:31:37 UTC 2022] Your cert key is in  /etc/acme.sh/info@otm.my.domain/otm.my.domain/otm.my.domain.key 
[Mon Oct 10 10:31:38 UTC 2022] The intermediate CA cert is in  /etc/acme.sh/info@otm.my.domain/otm.my.domain/ca.cer 
[Mon Oct 10 10:31:38 UTC 2022] And the full chain certs is there:  /etc/acme.sh/info@otm.my.domain/otm.my.domain/fullchain.cer 
[Mon Oct 10 10:31:38 UTC 2022] Installing cert to:/etc/nginx/certs/otm.my.domain/cert.pem
[Mon Oct 10 10:31:38 UTC 2022] Installing CA to:/etc/nginx/certs/otm.my.domain/chain.pem
[Mon Oct 10 10:31:38 UTC 2022] Installing key to:/etc/nginx/certs/otm.my.domain/key.pem
[Mon Oct 10 10:31:38 UTC 2022] Installing full chain to:/etc/nginx/certs/otm.my.domain/fullchain.pem
Reloading nginx proxy (7a...b2)...

Is it OK that -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- appears in the logs?

Eugen Konkov

1 Answer


If you are concerned about security, then there is nothing wrong with a certificate appearing in logs. This object contains only public certificate information, and if someone steals this string, an attacker cannot do anything with it, because the private key is not included in the logs. And the private key is the essential part an attacker would go for.

Crypt32
  • How can I know that this is public information? – Eugen Konkov Oct 10 '22 at 11:22
  • @EugenKonkov: They mean the *public key* component of the certificate is intended to be public/shared, not secret. – Greg Askew Oct 10 '22 at 12:37
  • The certificate itself is also publicly available and searchable from a number of Certificate Transparency aggregators such as crt.sh. For example, here's [Google's most recent wildcard cert](https://crt.sh/?id=3144337544). – Ryan Bolger Oct 10 '22 at 16:28
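As an added example (not code from the question, the answer, or the yopass/nginx-proxy projects), here is a small stdlib-only Python check that scans log output for PEM blocks, treats a CERTIFICATE block as public, and flags and redacts any private-key block. The sample log is constructed from the question's output (body elided as in the post); the private-key block is a placeholder, not a real key.

```python
import re
from typing import List, Tuple

# One PEM block: RFC 7468 boundaries whose BEGIN and END labels must match.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)
# Public by design: a certificate carries subject, issuer, validity and the
# public key, and Certificate Transparency logs publish all of that anyway.
PUBLIC_LABELS = {"CERTIFICATE", "CERTIFICATE REQUEST", "PUBLIC KEY", "X509 CRL"}

def classify_pem_blocks(log_text: str) -> List[Tuple[str, str]]:
    """Return (label, verdict) per PEM block: 'public', 'SECRET' or 'unknown'."""
    results = []
    for m in PEM_BLOCK.finditer(log_text):
        label = m.group("label")
        if "PRIVATE" in label:  # PRIVATE KEY, RSA/EC PRIVATE KEY, ENCRYPTED PRIVATE KEY
            results.append((label, "SECRET"))
        elif label in PUBLIC_LABELS:
            results.append((label, "public"))
        else:
            results.append((label, "unknown"))  # e.g. PGP blocks: review by hand
    return results

def log_leaks_private_key(log_text: str) -> bool:
    """True if any private-key block is present; that is the event worth alerting on."""
    return any(verdict == "SECRET" for _, verdict in classify_pem_blocks(log_text))

def redact_secret_blocks(log_text: str) -> str:
    """Blank the body of private-key blocks; public blocks pass through untouched."""
    def _sub(m):
        label = m.group("label")
        if "PRIVATE" in label:
            return f"-----BEGIN {label}-----\n[REDACTED]\n-----END {label}-----"
        return m.group(0)
    return PEM_BLOCK.sub(_sub, log_text)

# Constructed sample: the certificate lines from the question (body elided as in
# the post), then a placeholder private-key block that must never reach a log.
SAMPLE_LOG = """[Mon Oct 10 10:31:37 UTC 2022] Cert success.
-----BEGIN CERTIFICATE-----
MIIGKzCCBROgAwIBAgISA9Y2oiyXcvf0rbdIWa6HeqdvMA0GCSqGSIb3DQEBCwUA
...
TwgOT5rz9z6bx9BVHsmKqw1uWwcA7ltIGWT6cJd5k8VIdnS59xfYJLiqNWNW+v0=
-----END CERTIFICATE-----
[Mon Oct 10 10:31:37 UTC 2022] Your cert key is in  /etc/acme.sh/info@otm.my.domain/otm.my.domain/otm.my.domain.key
"""
LEAKY_LOG = SAMPLE_LOG + "-----BEGIN PRIVATE KEY-----\nNOT-A-REAL-KEY-placeholder\n-----END PRIVATE KEY-----\n"
```

Run against the real container output, the question's log yields only a public CERTIFICATE verdict; a private-key block would be the finding to act on.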