Plugin sends renewal notifications to ALL cert users on the same machine, regardless of separate customer accounts #91

Closed
Bitpalast opened this issue Mar 29, 2016 · 15 comments

@Bitpalast Bitpalast commented Mar 29, 2016

Let's Encrypt sends renewal messages for certificates when a cert comes close to its expiration date. In the Plesk environment these messages are distributed to all users who have installed a certificate using the Plesk plugin. Owners of domain A receive messages intended for domains B, C, D, E ..., owners of Domain B receive all messages intended for domains A, C, D, E ... and so on.

This behavior should be changed, because users only want to receive messages that were intended for their own certificate, not for the certificates that others are using.

We did try to blacklist the letsencrypt.org domain in the mail server, but this was not successful. It seems as if the plugin is mailing directly into the users' mailboxes on the machine.

@korsarnsk korsarnsk (Member) commented Mar 31, 2016

Thank you for the bug report. We will check and fix the issue.

@vlikhtanskiy vlikhtanskiy commented Mar 31, 2016

Could you please provide the following information:

  1. What is the version of the extension (you can see it on extensions list)?
  2. Who sends these emails (Plesk or Let's encrypt service)? Could you please post headers of the message?

@tyrann0us tyrann0us commented Mar 31, 2016

The emails are being sent from expiry@letsencrypt.org.
@Bitpalast do you have an example mail header to post? I can post one if you want.
(I reported Bugtracker ID 0005395.)

@xgin xgin (Member) commented Mar 31, 2016

Could you describe how the certificates were issued?
Did you create it with CLI?
Did the domain's owner create it by himself?
The email for the notification is specified during the certificate creation.

The notification is sent by Let's Encrypt CA server, not by Plesk or by the plugin.
That's why you could not blacklist it.

@Bitpalast Bitpalast (Author) commented Mar 31, 2016

Version of extension?
1.5, Plesk is set to auto-update the extension

Sender of mails?
expiry@letsencrypt.org

Method of certificate generation?
Using the Plesk extension only, not any console client. All settings are default.

Blacklist? Well, we have blacklisted the "letsencrypt.org" domain server-wide AND we have blacklisted the "expiry@letsencrypt.org" address in the server-wide anti-spam settings. Yet all mails go through.

Sample mail header? Did not save any, but when we did look at the header, it was only addressed to a single recipient. I'll watch out for a sample header and post it as it becomes available.

Who created the certs?
The domain owners from within their customer accounts in Plesk did. All domain owners have only entered their own e-mail address into the extension's e-mail field, we've checked that as we went through the list that the extension provides. We also have a domain with a cert on a host ourselves and we are also receiving the notifications that are sent to the other cert owners. However, our e-mail address is external to that host.

Preliminary conclusion: As we are receiving notifications on an external (OFF machine) address that are also being sent to other customers ON the machine in question, it seems likely that upon certificate creation request the plugin is sending a list of addresses for notification to the authority.

We are sure that there must be a bug, because when we asked in Plesk forum to find other users who experience the same issue we did get at least one confirmation from another provider that they are experiencing the same.

@tyrann0us tyrann0us commented Mar 31, 2016

Anonymized sample header posted in consultation with @Bitpalast:

Return-Path: bounce-md_30850198.56fac495.v1-10b185d06d2b45deb16b2aef14325245@mandrillapp.com
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on xy.xyz.net
X-Spam-Flag: YES
X-Spam-Level: **************************************************
X-Spam-Status: Yes, score=98.9 required=4.0 tests=DKIM_SIGNED,DKIM_VALID,
DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,RCVD_IN_MSPIKE_H2,RP_MATCHES_RCVD,
URIBL_BLOCKED,USER_IN_BLACKLIST autolearn=no autolearn_force=no version=3.4.0
X-Spam-Report:
* 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
* See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
* for more information.
* [URIs: letsencrypt.org]
* -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
* [198.2.180.5 listed in wl.mailspike.net]
* 100 USER_IN_BLACKLIST From: address is in the user's black-list
* 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
* domains are different
* -1.0 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
* domain
* 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
* valid
* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
X-Original-To: abc@abc.org
Delivered-To: abc@abc.org
Received: from mail180-5.suw31.mandrillapp.com (mail180-5.suw31.mandrillapp.com [198.2.180.5])
by xy.xyz.net (Postfix) with ESMTPS id 0459741406A7
for abc@abc.org; Tue, 29 Mar 2016 20:08:20 +0200 (CEST)
Received-SPF: pass (xy.xyz.net: domain of mandrillapp.com designates 198.2.180.5 as permitted sender) client-ip=198.2.180.5; envelope-from=bounce-md_30850198.56fac495.v1-10b185d06d2b45deb16b2aef14325245@mandrillapp.com; helo=mail180-5.suw31.mandrillapp.com;
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=mandrill; d=letsencrypt.org;
h=From:Subject:Message-Id:List-Unsubscribe:To:Date:MIME-Version:Content-Type:Content-Transfer-Encoding; i=expiry@letsencrypt.org;
bh=2vEvDoznhzpjATHTVHWN7QANLkE=;
b=ZbktJJhzIcJzpNss4+G9Hju55nPNugKC7muD9jpAehTW2VpLzuleAQK5xsXsVEG6S+LVRsjX4tg1
o1VTK7ePiH/+lFEZ8q4nQzYAZLZQA8fnHUXbqROCV+GWId+BIOj+MD8ZibQVkm2wbLU4C1oPQX5I
NcWTapAyEPx4Lj78Eqs=
Received: from pmta03.mandrill.prod.suw01.rsglab.com (127.0.0.1) by mail180-5.suw31.mandrillapp.com id hvb29g22sc0e for abc@abc.org; Tue, 29 Mar 2016 18:08:22 +0000 (envelope-from bounce-md_30850198.56fac495.v1-10b185d06d2b45deb16b2aef14325245@mandrillapp.com)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mandrillapp.com;
i=@mandrillapp.com; q=dns/txt; s=mandrill; t=1459274901; h=From :
Subject : Message-Id : List-Unsubscribe : To : Date : MIME-Version :
Content-Type : Content-Transfer-Encoding : From : Subject : Date :
X-Mandrill-User : List-Unsubscribe;
bh=R7i7GwodPBfVAsV0RVKurfMFuZxJpZzH7f8fFTrdWIw=;
b=N2EG2KdqPZCyjrFBP0eWYIrSKI/hemU9QA1BF5DVPCTQhLAsorclNH1PDdcrlwYiGEWDhu
s5awSmzKiBBDa4ZgBqeHGzn1f+92qrStWznPGsQkFZJjJm2XW2lWk2XkHpZtaI4muoqFjSps
OmVA1mFogdD1LyHuW0zmgXAnmVYfk=
From: expiry@letsencrypt.org
Subject: Let's Encrypt certificate expiration notice
Received: from [66.133.109.36] by mandrillapp.com id 10b185d06d2b45deb16b2aef14325245; Tue, 29 Mar 2016 18:08:21 +0000
Message-Id: 20160329T180821.3492917161615896397.expiry@letsencrypt.org
List-Unsubscribe: mailto:unsubscribe-md_30850198.56fac495.v1-10b185d06d2b45deb16b2aef14325245@mailin1.us2.mcsv.net?subject=unsub
To: abc@abc.org
X-Report-Abuse: Please forward a copy of this message, including all headers, to abuse@mandrill.com
X-Report-Abuse: You can also report abuse here: http://mandrillapp.com/contact/abuse?id=30850198.10b185d06d2b45deb16b2aef14325245
X-Mandrill-User: md_30850198
Date: Tue, 29 Mar 2016 18:08:21 +0000
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
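The header above already answers the blacklisting question, but it is easy to misread which sender identity each control keys on. The following is an added example, not code from the thread or from the Plesk extension: it parses a trimmed copy of the anonymized header (DKIM b= values cut short, since only the tags are inspected) and reports the envelope sender, the header From, the SPF domain and the DKIM signing domains, then checks which of those a per-domain block list would actually hit. Function names and the `blocked_domains` set are illustrative.

```python
"""Triage a Let's Encrypt expiry notice: who sent it, and which sender
identity a 'letsencrypt.org' block list would (or would not) match on."""
import re
from email.parser import HeaderParser

# Constructed sample: trimmed copy of the anonymized header posted in the
# thread. DKIM b= values are truncated; only tag names/values matter here.
SAMPLE_HEADERS = """\
Return-Path: bounce-md_30850198.56fac495.v1-10b185d06d2b45deb16b2aef14325245@mandrillapp.com
X-Spam-Flag: YES
X-Spam-Status: Yes, score=98.9 required=4.0 tests=DKIM_SIGNED,DKIM_VALID,
    DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,RCVD_IN_MSPIKE_H2,RP_MATCHES_RCVD,
    URIBL_BLOCKED,USER_IN_BLACKLIST autolearn=no autolearn_force=no version=3.4.0
Delivered-To: abc@abc.org
Received: from mail180-5.suw31.mandrillapp.com (mail180-5.suw31.mandrillapp.com [198.2.180.5])
    by xy.xyz.net (Postfix) with ESMTPS id 0459741406A7
    for abc@abc.org; Tue, 29 Mar 2016 20:08:20 +0200 (CEST)
Received-SPF: pass (xy.xyz.net: domain of mandrillapp.com designates 198.2.180.5 as permitted sender) client-ip=198.2.180.5; envelope-from=bounce-md_30850198.56fac495.v1-10b185d06d2b45deb16b2aef14325245@mandrillapp.com; helo=mail180-5.suw31.mandrillapp.com;
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=mandrill; d=letsencrypt.org;
    h=From:Subject:Message-Id:List-Unsubscribe:To:Date:MIME-Version:Content-Type:Content-Transfer-Encoding; i=expiry@letsencrypt.org;
    bh=2vEvDoznhzpjATHTVHWN7QANLkE=;
    b=ZbktJJhzIcJzpNss4+G9Hju55nPNugKC7muD9jpAehTW2VpLzuleAQK5xsXsVEG6S
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mandrillapp.com;
    i=@mandrillapp.com; q=dns/txt; s=mandrill; t=1459274901; h=From :
    Subject : Message-Id : List-Unsubscribe : To : Date : MIME-Version;
    bh=R7i7GwodPBfVAsV0RVKurfMFuZxJpZzH7f8fFTrdWIw=;
    b=N2EG2KdqPZCyjrFBP0eWYIrSKI/hemU9QA1BF5DVPCTQhLAsorclNH1PDdcrlwYi
From: expiry@letsencrypt.org
Subject: Let's Encrypt certificate expiration notice
To: abc@abc.org
X-Mandrill-User: md_30850198
"""


def _domain(addr):
    """Domain part of an address, with or without angle brackets."""
    m = re.search(r"@([A-Za-z0-9.-]+)", addr)
    return m.group(1).lower().rstrip(".") if m else ""


def _dkim_tags(sig):
    """Split a DKIM-Signature value into its tag=value pairs, dropping
    folding whitespace (no signature verification, tags only)."""
    tags = {}
    for part in sig.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags


def sender_identities(raw):
    """The four identities a receiver can key policy on."""
    msg = HeaderParser().parsestr(raw)
    spf = msg.get("Received-SPF", "")
    spf_domain = re.search(r"domain of (\S+) designates", spf)
    return {
        "envelope_from": _domain(msg.get("Return-Path", "")),   # SMTP MAIL FROM
        "header_from": _domain(msg.get("From", "")),            # what the user sees
        "spf_result": spf.split(None, 1)[0].lower() if spf else "none",
        "spf_domain": spf_domain.group(1).lower() if spf_domain else "",
        "dkim_domains": [_dkim_tags(s).get("d", "").lower()
                         for s in msg.get_all("DKIM-Signature", [])],
    }


def _num(status, key):
    m = re.search(key + r"=([\d.]+)", status)
    return float(m.group(1)) if m else 0.0


def spam_verdict(raw):
    """What the content filter decided, and whether the mail was still delivered."""
    msg = HeaderParser().parsestr(raw)
    status = msg.get("X-Spam-Status", "")
    tests = re.search(r"tests=(.*?)\s+autolearn", status, re.S)
    score, required = _num(status, "score"), _num(status, "required")
    return {
        "flagged": bool(status) and score >= required,
        "score": score,
        "required": required,
        "tests": [t.strip() for t in tests.group(1).split(",")] if tests else [],
        "delivered": msg.get("Delivered-To") is not None,
    }


def blacklist_hits(raw, blocked_domains):
    """Which identity a per-domain block list (hypothetical input) matches."""
    ids = sender_identities(raw)
    blocked = {d.lower() for d in blocked_domains}
    return {
        "envelope_from": ids["envelope_from"] in blocked,  # MTA sender checks see this
        "header_from": ids["header_from"] in blocked,      # From:-based filters see this
        "dkim": any(d in blocked for d in ids["dkim_domains"]),
    }


if __name__ == "__main__":
    print(sender_identities(SAMPLE_HEADERS))
    print(spam_verdict(SAMPLE_HEADERS))
    print(blacklist_hits(SAMPLE_HEADERS, {"letsencrypt.org"}))
```

What this shows on the posted header: the envelope sender is a mandrillapp.com bounce address (which is exactly what HEADER_FROM_DIFFERENT_DOMAINS reports), so an MTA-level block keyed on MAIL FROM, as Postfix check_sender_access is, never sees letsencrypt.org. The From:-based user blacklist did match (USER_IN_BLACKLIST, 100 points, X-Spam-Flag YES), yet Delivered-To is present, so the filter's configured action was to tag rather than reject. Blocking the sender is in any case the wrong fix: the notice is DKIM-signed by letsencrypt.org and is legitimate; the defect is which contact the CA was told to notify.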

@Brujo-oe Brujo-oe commented Apr 2, 2016

In my case the first letsencrypt certificate created via the Plesk panel (not CLI) was, for example, for domain1.de with the email hostmaster@domain1.de. Now this email address hostmaster@domain1.de also receives the Let's Encrypt certificate expiration notice for certs of domain2.de, domain3.de and so on that were created later, independent of whether the cert was issued as administrator or by the domain owner itself. The certs were mostly first issued in early February. I checked each domain with a letsencrypt cert and each of them has its own mail address filled in.

Actually the version is: plesk-letsencrypt-pre-1.0.0-centos6.16032214.x86_64, but I am sure the certs were issued before that version; there was an update in between.

The mail header looks similar to the one above (except the blacklist stuff) and comes from expiry@letsencrypt.org.

Also what led me to the conclusion that this is/was an issue within letsencrypt is:
On 14 March I received: Your certificate (or certificates) for the names listed below will expire in 19 days (on 03 Apr 16 13:43 +0000).

On March 23 I received: Your certificate (or certificates) for the names listed below will expire in 19 days (on 11 Apr 16 20:05 +0000).

On March 24 I received: Your certificate (or certificates) for the names listed below will expire in 9 days (on 03 Apr 16 13:43 +0000).

On March 26 I received: Your certificate (or certificates) for the names listed below will expire in 19 days (on 14 Apr 16 22:02 +0000).

and that for the same domains with different ending dates? And the best part: the cert is valid from 04.03.2016 - 02.06.2016?? So it looks like it is also triggered if the cert was automatically extended or manually by the user on the panel?

@pfigel pfigel commented Apr 2, 2016

> and that for the same domains with different ending dates? And the best part: the cert is valid from 04.03.2016 - 02.06.2016?? So it looks like it is also triggered if the cert was automatically extended or manually by the user on the panel?

Regarding this: Let's Encrypt made a change to their expiration mailer on March 17th. For any certificate issued after this date, you won't be receiving any expiration mails if you renew/extend them within 60 days. For certificates issued before this date, you will continue receiving notifications until those certificates expire (which, if my math is right, should be in about two weeks at the latest).

@Bitpalast Bitpalast (Author) commented Apr 2, 2016

Thank you for this info. It will help the expiration notice issue. However, the e-mail address associated with a cert could also be used for other notifications. We'd still prefer the issue itself to be solved, because else private messages from the cert authority could accidentally be distributed to users who are not entitled to read them.

@xgin xgin modified the milestone: 2.0 Mar 15, 2017

@bdaehlie bdaehlie commented Mar 27, 2017

Josh from Let's Encrypt here. We are starting to receive a higher volume of email from people confused about receiving expiration notices for domains they do not control. Would be great if this bug could be fixed so as to avoid that confusion which often results in reports to our security@ address.

@xgin xgin (Member) commented Mar 27, 2017

Since version 2.0 we create a new registration for each unique email (assumed to be the domain owner).
I consider the issue fixed now.

@xgin xgin closed this Mar 27, 2017

@h9k h9k commented Apr 4, 2017

I have v2.0.1, but customers are mailing me about the same issue: they get notifications for domains they do not own! Certificates were registered with pre-v2, though.
Does this mean I need to uninstall all the Let's Encrypt certificates and create new ones to fix the issue?

@rkosolapov rkosolapov (Member) commented Apr 12, 2017

@h9k , we have a plan to provide the solution soon.
Certificates reinstall will not help :(

@vvolodko vvolodko commented Apr 14, 2017

Reinstalling certificates in ext-letsencrypt-2.* will create a new LE.org account per subscription; this will prevent notifications for foreign domains in future.

In order to unsubscribe from notifications for the current LE.org account created by ext-letsencrypt-1.*, one could visit the link in the notification email (something like "If you are receiving this email in error, unsubscribe at ...").
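The mechanism the thread converges on, from xgin's "one registration per unique email" to the two answers above (reinstalling does not silence notices for certificates already issued, but does scope new ones), is easier to reason about as a small model. This is an added example, not the extension's or the CA's code: a stand-in CA that only knows which account requested each certificate and mails that account's contact. The "first e-mail wins" rule for the 1.x behaviour is an assumption drawn from the reports in this thread (the first-created cert's address receiving every later notice), and the tenants are constructed.

```python
"""Model: expiry notices go to the contact of the ACME account that issued
the certificate, so notification scope equals account scope."""
from dataclasses import dataclass, field
from itertools import count


@dataclass
class Registration:
    contact: str                        # the mailto: contact the CA notifies
    serials: list = field(default_factory=list)


class FakeCA:
    """Stand-in for the CA (constructed, not ACME): it records which
    *account* requested each certificate and knows nothing about the
    hosting tenant behind the request."""

    def __init__(self):
        self.accounts = {}              # account id -> Registration
        self.issued = {}                # serial -> (account id, domain)
        self._serial = count(1)

    def register(self, account_id, contact):
        # Idempotent: an existing account keeps its original contact.
        self.accounts.setdefault(account_id, Registration(contact))

    def issue(self, account_id, domain):
        serial = next(self._serial)
        self.accounts[account_id].serials.append(serial)
        self.issued[serial] = (account_id, domain)
        return serial

    def expiry_recipient(self, serial):
        account_id, _domain = self.issued[serial]
        return self.accounts[account_id].contact


def issue_shared(ca, email, domain):
    """Assumed ext-letsencrypt 1.x behaviour: the first request registers one
    server-wide account with that user's e-mail; later requests reuse it,
    whatever e-mail the other tenant typed into the extension."""
    ca.register("server", email)        # no-op once the account exists
    return ca.issue("server", domain)


def issue_per_contact(ca, email, domain):
    """2.0 behaviour as stated by xgin: one registration per contact e-mail."""
    ca.register("acct:" + email, email)
    return ca.issue("acct:" + email, domain)


# Constructed tenants; these are not the reporters' real domains.
REQUESTS = [
    ("hostmaster@domain1.de", "domain1.de"),
    ("owner@domain2.de", "domain2.de"),
    ("webmaster@domain3.de", "domain3.de"),
]


def notice_recipients(issue_fn):
    """Domain -> who the CA mails when that domain's certificate nears expiry."""
    ca = FakeCA()
    serials = {domain: issue_fn(ca, email, domain) for email, domain in REQUESTS}
    return {domain: ca.expiry_recipient(s) for domain, s in serials.items()}


def reissue_after_upgrade():
    """Certificates issued under 1.x stay on the shared account until they
    expire; only certificates (re)issued under 2.x land on the owner's
    account. Returns (old-cert recipients, new-cert recipients)."""
    ca = FakeCA()
    old = {d: issue_shared(ca, e, d) for e, d in REQUESTS}
    new = {d: issue_per_contact(ca, e, d) for e, d in REQUESTS}
    return ({d: ca.expiry_recipient(s) for d, s in old.items()},
            {d: ca.expiry_recipient(s) for d, s in new.items()})


if __name__ == "__main__":
    print("shared account :", notice_recipients(issue_shared))
    print("per contact    :", notice_recipients(issue_per_contact))
    print("after upgrade  :", reissue_after_upgrade())
```

The model makes the two answers consistent: a reinstall under 2.x gives the new certificate its own account and contact, while the still-valid 1.x certificate remains attached to the shared account, so its remaining notices keep going to the first tenant's address until it expires or is unsubscribed.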

@h9k h9k commented Apr 14, 2017

So this means every client has to fix the problem by themselves and I cannot fix it for them in any way?
