by Vecr 1109 days ago
Even if this is just RCE in the script somehow (I doubt it, it can probably do anything the user running it can), it's horrifying. It means the certificate authority could just take your newly generated certificates and upload them anywhere they want. That's a catastrophic compromise in the TLS security model.

Somebody who cares about the acme.sh client specifically would be able to say, but in general it's not necessary that your ACME client has these keys.

What the ACME protocol wants to do is hand over a CSR (Certificate Signing Request), and get back a certificate, and to achieve that it has to explain how you'll prove you're entitled to such a certificate.

Most ACME clients will also make a suitable proof (in at least some cases), and also generate a suitable CSR from first principles, for which they will need to generate a new private key - but that's not a necessary part of the system, and it's certainly not rare to generate your own CSR, either because you must technically, or because your own security processes say strange women, lying in ponds, distributing swords is no basis for a system of government... sorry, I mean, that this key is private and shouldn't be on the host running ACME services.
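The separation described in that comment, as an added example that is not from the thread or from acme.sh: the private key and CSR are produced on a key-holding host, and the ACME host receives and checks only the CSR. It assumes the openssl CLI (1.1.1 or newer, for -addext) is installed; the domain name and file paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or from acme.sh: keep the certificate
# private key on a separate host and give the ACME client only the CSR.
# Assumes the openssl CLI (1.1.1 or newer, for -addext) is available.
set -eu

# Run on the key-holding host: generate an EC P-256 key and a CSR for it.
# The key file never has to leave this host; only the CSR does.
make_key_and_csr() {
    domain="$1"; keyfile="$2"; csrfile="$3"
    openssl ecparam -name prime256v1 -genkey -noout -out "$keyfile" 2>/dev/null
    chmod 600 "$keyfile"
    openssl req -new -key "$keyfile" -subj "/CN=$domain" \
        -addext "subjectAltName=DNS:$domain" -out "$csrfile" 2>/dev/null
}

# Run on the ACME host before handing the CSR to the client: the self-signature
# must verify, the expected name must be present, and no private key may have
# been copied along with it. Returns 0 on success, 1 otherwise.
check_csr() {
    csrfile="$1"; domain="$2"
    openssl req -in "$csrfile" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$csrfile" -noout -text 2>/dev/null | grep -q "DNS:$domain" || return 1
    if grep -q "PRIVATE KEY" "$csrfile"; then return 1; fi
    return 0
}

# Sanity check on the key-holding host: the CSR carries the public key derived
# from the private key, so the certificate the CA issues will match the key kept here.
pubkey_matches() {
    keyfile="$1"; csrfile="$2"
    from_key=$(openssl ec -in "$keyfile" -pubout 2>/dev/null)
    from_csr=$(openssl req -in "$csrfile" -noout -pubkey 2>/dev/null)
    [ -n "$from_key" ] && [ "$from_key" = "$from_csr" ]
}

# Demonstration with a constructed name in a temporary directory.
demo() {
    work=$(mktemp -d)
    make_key_and_csr example.test "$work/key.pem" "$work/request.csr"
    check_csr "$work/request.csr" example.test
    pubkey_matches "$work/key.pem" "$work/request.csr"
    echo "CSR ready to hand to the ACME client: $work/request.csr"
}
```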

I've looked at it more, it looks like this RCE could harvest the private key.
I have no idea, my point was that in general the ACME client can't necessarily give you the private key even if it wanted to, because if you provide a CSR the key needn't even be on the same machine, let alone accessible in its execution environment.
Why is distributing the certificate dangerous? It’s public knowledge anyway.
The private key I mean, it's really supposed to be secret on your computer and not even the certificate authority is supposed to have access to it.
If the CA is compromised, can’t they just bypass ACME verification and generate a cert for your domain anyway?
Yes, but with serious consequences (it would go into public transparency logs, at least for CAs in most public root stores).

If the CA can access your private key, then it can reuse (or worse, redistribute) it without anyone knowing.

The CA isn't directly compromised, so a third party couldn't generate any arbitrary certificate this way. Essentially though, assuming my understanding is correct, it would allow them to be a man-in-the-middle and take copies of the keys & certificates used by this tool, allowing them to use keys and certificates generated by that tool. Also, if such a tool is run by root (bad practice, but not uncommon practice) or another significantly privileged user, they potentially have access to far more.
Yeah, but that's more likely to be noticed in cert transparency and by the website operator, as there's either a duplicate cert in the log or the website server does not work.