SSL certificate initial issue error
IISometric opened this issue · 1 comment
Interactsh version:
1.1.0
Current Behavior:
SSL certificate initial issue error.
The problem is that certmagic stores SSL certificates with the wildcard_ prefix, while interactsh tries to use certificates without that prefix.
Expected Behavior:
When the SSL certificate is first issued, it is written to the path [user_home_dir]/.local/share/certmagic/certificates/acme-v02.api.letsencrypt.org-directory/wildcard_.[domain]/wildcard_.[domain].crt
while interactsh tries to load the certificate from [user_home_dir]/.local/share/certmagic/certificates/acme-v02.api.letsencrypt.org-directory/[domain]/[domain].crt, which causes an error: file not found.
Application log:
interactsh_server | [INF] Requesting SSL Certificate for: [*.<domain.com>, <domain.com>]
interactsh_server | <time>+09 info obtain acquiring lock {"identifier": "*.<domain.com>"}
interactsh_server | <time>+09 info obtain lock acquired {"identifier": "*.<domain.com>"}
interactsh_server | <time>+09 info obtain obtaining certificate {"identifier": "*.<domain.com>"}
interactsh_server | <time>+09 info maintenance started background certificate maintenance {"cache": "0xc00041e380"}
interactsh_server | <time>+09 info waiting on internal rate limiter {"identifiers": ["*.<domain.com>"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "admin@<domain.com>"}
interactsh_server | <time>+09 info done waiting on internal rate limiter {"identifiers": ["*.<domain.com>"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "admin@<domain.com>"}
interactsh_server | <time>+09 info acme_client trying to solve challenge {"identifier": "*.<domain.com>", "challenge_type": "dns-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
interactsh_server | <time>+09 error acme_client cleaning up solver {"identifier": "*.<domain.com>", "challenge_type": "dns-01", "error": "no memory of presenting a DNS record for \"_acme-challenge.<domain.com>\" (usually OK if presenting also failed)"}
interactsh_server | <time>+09 info acme_client authorization finalized {"identifier": "*.<domain.com>", "authz_status": "valid"}
interactsh_server | <time>+09 info acme_client validations succeeded; finalizing order {"order": "https://acme-v02.api.letsencrypt.org/acme/order/<int>/<int>"}
interactsh_server | <time>+09 info acme_client successfully downloaded available certificate chains {"count": 2, "first_url": "https://acme-v02.api.letsencrypt.org/acme/cert/<string>"}
interactsh_server | <time>+09 info obtain certificate obtained successfully {"identifier": "*.<domain.com>"}
interactsh_server | <time>+09 info obtain releasing lock {"identifier": "*.<domain.com>"}
interactsh_server | <time>+09 info obtain acquiring lock {"identifier": "<domain.com>"}
interactsh_server | <time>+09 info obtain lock acquired {"identifier": "<domain.com>"}
interactsh_server | <time>+09 info obtain obtaining certificate {"identifier": "<domain.com>"}
interactsh_server | <time>+09 info waiting on internal rate limiter {"identifiers": ["<domain.com>"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "admin@<domain.com>"}
interactsh_server | <time>+09 info done waiting on internal rate limiter {"identifiers": ["<domain.com>"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "admin@<domain.com>"}
interactsh_server | <time>+09 info acme_client trying to solve challenge {"identifier": "<domain.com>", "challenge_type": "dns-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
interactsh_server | <time>+09 error acme_client cleaning up solver {"identifier": "<domain.com>", "challenge_type": "dns-01", "error": "no memory of presenting a DNS record for \"_acme-challenge.<domain.com>\" (usually OK if presenting also failed)"}
interactsh_server | <time>+09 error obtain could not get certificate from issuer {"identifier": "<domain.com>", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "[<domain.com>] solving challenges: presenting for challenge: expected one record, got 2: [{ TXT <TXT1> 0s 0} { TXT <TXT2>-<string> 0s 0}] (order=https://acme-v02.api.letsencrypt.org/acme/order/<int>/<int>) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
interactsh_server | <time>+09 info obtain releasing lock {"identifier": "<domain.com>"}
interactsh_server | [ERR] Could not manage certmagic certs: <domain.com>: obtaining certificate: [<domain.com>] Obtain: [<domain.com>] solving challenges: presenting for challenge: expected one record, got 2: [{ TXT <TXT1> 0s 0} { TXT <TXT2>-<string> 0s 0}] (order=https://acme-v02.api.letsencrypt.org/acme/order/<int>/<int>) (ca=https://acme-v02.api.letsencrypt.org/directory)
interactsh_server | [INF] Successfully Created SSL Certificate at: <user_home_dir>/.local/share/certmagic
interactsh_server | [ERR] An error occurred while applying for a certificate, error: open <user_home_dir>/.local/share/certmagic/certificates/acme-v02.api.letsencrypt.org-directory/<domain.com>/<domain.com>.crt: no such file or directory
interactsh_server | [ERR] Could not generate certs for auto TLS, https will be disabled
Steps To Reproduce:
Run interactsh-server -config ./config.yaml
Content of config.yaml:
# interactsh-server config file
# generated by https://github.com/projectdiscovery/goflags
# single/multiple configured domain to use for server
domain: <domain>
# public ip address to use for interactsh server
ip: <my_public_ipv4_address>
# public ip address to listen on
listen-ip: 0.0.0.0
# number of days to persist interaction data in memory
#eviction: 30
# disable periodic data eviction from memory
no-eviction: true
# enable authentication to server using random generated token
#auth: false
# enable authentication to server using given token
token: <my_token>
# origin url to send in acao header to use web-client)
#acao-url: *
# skip acme registration (certificate checks/handshake + tls protocols will be disabled)
#skip-acme: false
# scan canary token everywhere
scan-everywhere: true
# length of the correlation id preamble
correlation-id-length: 5
# length of the correlation id nonce
correlation-id-nonce-length: 4
# custom certificate path
#cert:
# custom private key path
#privkey:
# http header containing origin ip (interactsh behind a reverse proxy)
#origin-ip-header:
# flag configuration file
#config:
# enable setting up arbitrary response data
dynamic-resp: true
# custom dns records yaml file for dns server
#custom-records:
# custom index file for http server
#http-index:
# directory with files to serve with http server
#http-directory:
# disk based storage
#disk: false
# disk storage path
#disk-path:
# port to use for dns service
#dns-port: 53
# port to use for http service
#http-port: 80
# port to use for https service
#https-port: 443
# port to use for smtp service
#smtp-port: 25
# port to use for smtps service
#smtps-port: 587
# port to use for smtps autotls service
#smtp-autotls-port: 465
# port to use for ldap service
#ldap-port: 389
# enable ldap server with full logging (authenticated)
ldap: true
# enable wildcard interaction for interactsh domain (authenticated)
#wildcard: false
# start smb agent - impacket and python 3 must be installed (authenticated)
smb: true
# start responder agent - docker must be installed (authenticated)
#responder: false
# start ftp agent (authenticated)
ftp: true
# port to use for smb service
#smb-port: 445
# port to use for ftp service
#ftp-port: 21
# ftp directory - temporary if not specified
#ftp-dir:
# show version of the project
#version: false
# start interactsh server in debug mode
#debug: false
# enable pprof debugging server
#enable-pprof: false
# run diagnostic check up
#hc: false
# enable metrics endpoint
A similar error occurred before with Docker: #453
I also launch the application in Docker with my custom Dockerfile, because Docker Hub has no version 1.1.0.
My Dockerfile:
FROM ubuntu:22.04
ARG UID=10000
ARG GID=10000
ARG UNAME=user
ARG interactsh_version=1.1.0
RUN groupadd -g "${GID}" $UNAME \
    && useradd --create-home --no-log-init -d /app/ -u "${UID}" -g "${GID}" $UNAME
RUN mkdir -p /app/tmp/ /app/.local/share/certmagic/
WORKDIR /app/
RUN apt-get update && \
    apt-get -y upgrade && \
    apt-get -y install wget nano unzip libcap2-bin tmux net-tools python3 python3-impacket
RUN wget https://github.com/projectdiscovery/interactsh/releases/download/v${interactsh_version}/interactsh-server_${interactsh_version}_linux_amd64.zip -O /app/tmp/interactsh.zip
RUN unzip /app/tmp/interactsh.zip interactsh-server -d /app/
RUN rm -rf /app/tmp/
RUN setcap CAP_NET_BIND_SERVICE=+eip /app/interactsh-server
RUN chown ${UID}:${GID} -R /app/
VOLUME /app/.local/share/certmagic/
USER $UNAME
CMD /app/interactsh-server -config /app/config/config.yaml
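To check which file certmagic actually wrote for each identifier in the log above, here is an added Go example (not code from the issue, interactsh or certmagic): it computes the certmagic storage path for an identifier, using the `*` to `wildcard_` substitution that certmagic's key sanitizer applies as I understand it, and then looks for a certificate for a domain, falling back to the wildcard certificate that covers it. The data directory, the issuer key from the log and the `example.com` domain are placeholders.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// Characters certmagic strips from a storage key (assumed to mirror certmagic's sanitizer).
var unsafeKeyChars = regexp.MustCompile(`[^\w@.-]`)

// safeKey turns an identifier into a single storage key: "*.example.com" -> "wildcard_.example.com".
func safeKey(id string) string {
	id = strings.ToLower(strings.TrimSpace(id))
	id = strings.NewReplacer(" ", "_", "+", "_plus_", "*", "wildcard_", ":", "-", "..", "").Replace(id)
	return unsafeKeyChars.ReplaceAllLiteralString(id, "")
}

// siteCertPath is <dataDir>/certificates/<issuerKey>/<key>/<key>.crt, the layout seen in the log.
func siteCertPath(dataDir, issuerKey, id string) string {
	k := safeKey(id)
	return filepath.Join(dataDir, "certificates", issuerKey, k, k+".crt")
}

// resolveCert returns the first certificate file on disk for domain: the exact name,
// then "*.<domain>" (interactsh requests both), then "*.<parent>" for a hostname under
// the domain. Note that in TLS a "*.example.com" certificate does not cover the apex
// "example.com"; this only locates the file certmagic wrote, it does not validate coverage.
// exists is injected so the check can run against a real data dir or a constructed set.
func resolveCert(dataDir, issuerKey, domain string, exists func(string) bool) (string, bool) {
	candidates := []string{domain, "*." + domain}
	if i := strings.Index(domain, "."); i > 0 && strings.Contains(domain[i+1:], ".") {
		candidates = append(candidates, "*."+domain[i+1:])
	}
	for _, c := range candidates {
		if p := siteCertPath(dataDir, issuerKey, c); exists(p) {
			return p, true
		}
	}
	return "", false
}

func main() {
	dataDir := filepath.Join(os.Getenv("HOME"), ".local", "share", "certmagic")
	issuer := "acme-v02.api.letsencrypt.org-directory" // issuer key as it appears in the log
	onDisk := func(p string) bool { _, err := os.Stat(p); return err == nil }
	for _, id := range []string{"*.example.com", "example.com"} { // placeholder domain
		fmt.Println(id, "->", siteCertPath(dataDir, issuer, id))
	}
	if p, ok := resolveCert(dataDir, issuer, "example.com", onDisk); ok {
		fmt.Println("certificate file found:", p)
	} else {
		fmt.Println("no certificate file for example.com under", dataDir)
	}
}
```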