Default host certificate leaks implementation information in organization subject

[qriff]

Describe the bug
The generated default self signed host certificate leaks implementation name "Nginx Proxy Manager" in the "Organizational" (O) subject field.

To Reproduce
Steps to reproduce the behavior:

1. Browse to default https host
2. Review certificate details

Expected behavior
Field should be generic (not reference implementation), like localhost or empty, or definable.

In \docker\rootfs\etc\services.d\nginx\run
`

Generate dummy self-signed certificate.

if [ ! -f /data/nginx/dummycert.pem ] || [ ! -f /data/nginx/dummykey.pem ]
then
echo "Generating dummy SSL certificate..."
openssl req
-new
-newkey rsa:2048
-days 3650
-nodes
-x509
-subj '/O=Nginx Proxy Manager/OU=Dummy Certificate/CN=localhost'
-keyout /data/nginx/dummykey.pem
-out /data/nginx/dummycert.pem
echo "Complete"
fi
`

[l4rm4nd]

I mean it is called a dummy certificate for a reason. You can easily replace it with your own certificate.

Just replace /data/nginx/dummykey.pem and /data/nginx/dummycert.pem with your own SSL cert.

openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -subj '/O=localhost/OU=localhost/CN=localhost' -keyout /data/nginx/dummykey.pem -out /data/nginx/dummycert.pem

[bmbvenom]

I mean it is called a dummy certificate for a reason. You can easily replace it with your own certificate.

Just replace /data/nginx/dummykey.pem and /data/nginx/dummycert.pem with your own SSL cert.

openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -subj '/O=localhost/OU=localhost/CN=localhost' -keyout /data/nginx/dummykey.pem -out /data/nginx/dummycert.pem

I don't disagree with you, it is easy enough to replace with a new dummy cert. However, considering that ssllabs.com (and I can only assume similar tools) picks up this dummy cert in their "No SNI" scan I agree with @qriff that this could expose potential attack vectors and it should be fixed. As such I've submitted PR #1338

[jc21]

Agreed :)

[jstrat31]

Hello all, Sorry to bring those old issue backup, but we're currently failing our pen test for this very thing. pen testers scan ip only and get the dummy localhost certs, which causes us to get a medium finding. Took me longer than it should have to realize its the dummycerts form Nginx Proxy Manager. sslchecker.com also flags it when entering our IP.
Is there anyway to have NPM just not advertise these certs? I've tried deleting them, but they still show when connecting, and when I delete them, they're recreated on next reboot.

Thanks!!

[l4rm4nd]

Hello all, Sorry to bring those old issue backup, but we're currently failing our pen test for this very thing. pen testers scan ip only and get the dummy localhost certs, which causes us to get a medium finding. Took me longer than it should have to realize its the dummycerts form Nginx Proxy Manager. sslchecker.com also flags it when entering our IP. Is there anyway to have NPM just not advertise these certs? I've tried deleting them, but they still show when connecting, and when I delete them, they're recreated on next reboot.

Thanks!!

Use internal risk management and lower the severity to informational.

Pentesters will just report anything they find and apply a risk rating. It's your job too, to also assess the risk. As outlined, there is no risk by using a self-signed certificate for the NPM network service reachable by IP. It's a reverse proxy, which proxies hostnames / subdomains. Therefore, accessing the IP directly is not the key aspect of the product and neglectable.

In the end, it's still a proper SSL certificate. It's just self-signed and therefore not in the regular root trust stores of end devices and browsers, which will lead to warning messages. As for any internal PKI, you can just put the cert into all trust stores of your clients and it will be trusted. Applying a medium risk rating due to self-signed certificates is kinda harsh. May talk to the pentesters and challenge them. Ask for a recommendation on how to resolve properly. They will likely just lower the risk.

Cheers from a pentester

[github-actions]

Issue is now considered stale. If you want to keep it open, please comment 👍

[qriff]

Seems fixed in merge for #1338