I'm trying to automatically update my Let's Encrypt certificates. For this I'm using certbot, which writes a TXT record in my DNS zone. Unfortunately this update stays in the PENDING state. If I manually update the TXT record while certbot is waiting, everything works fine.
What could be the cause of these updates remaining in the PENDING state?
Note: some sensitive data has been replaced by <placeholders>
{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "status": {},
    "authenticationInfo": {
      "principalEmail": "dns-service-account@dns-hosting-<projectnr>.iam.gserviceaccount.com",
      "serviceAccountKeyName": "//iam.googleapis.com/projects/dns-hosting-<projectnr>/serviceAccounts/dns-service-account@dns-hosting-<projectnr>.iam.gserviceaccount.com/keys/0437a910973f0bb3c13d95648ab0fc663aee9a63"
    },
    "requestMetadata": {
      "callerIp": "<my-ip>",
      "requestAttributes": {
        "time": "2022-01-10T06:19:39.948727Z",
        "auth": {}
      },
      "destinationAttributes": {}
    },
    "serviceName": "dns.googleapis.com",
    "methodName": "dns.changes.create",
    "authorizationInfo": [
      {
        "permission": "dns.resourceRecordSets.delete",
        "granted": true,
        "resourceAttributes": {}
      }
    ],
    "resourceName": "managedZones/<zone-nr>",
    "request": {
      "@type": "type.googleapis.com/cloud.dns.api.ChangesCreateRequest",
      "change": {
        "deletions": [
          {
            "rrdata": [
              "\"PjtQVEKDNS5158RoD_e6xZ18-U45o8SzIu9Y8E2OXpo\""
            ],
            "name": "_acme-challenge.<domain>.com.",
            "ttl": 60,
            "type": "TXT"
          }
        ]
      },
      "managedZone": "<zone-nr>",
      "project": "dns-hosting-<projectnr>"
    },
    "response": {
      "change": {
        "startTime": "2022-01-10T06:19:39.717Z",
        "deletions": [
          {
            "rrdata": [
              "\"PjtQVEKDNS5158RoD_e6xZ18-U45o8SzIu9Y8E2OXpo\""
            ],
            "ttl": 60,
            "name": "_acme-challenge.<domain>.com.",
            "type": "TXT"
          }
        ],
        "status": "PENDING",
        "id": "31"
      },
      "@type": "type.googleapis.com/cloud.dns.api.ChangesCreateResponse"
    }
  },
  "insertId": "-gct1lxe6d30o",
  "resource": {
    "type": "dns_managed_zone",
    "labels": {
      "location": "global",
      "project_id": "dns-hosting-<projectnr>",
      "zone_name": "<zone-nr>"
    }
  },
  "timestamp": "2022-01-10T06:19:39.711566Z",
  "severity": "NOTICE",
  "logName": "projects/dns-hosting-<projectnr>/logs/cloudaudit.googleapis.com%2Factivity",
  "receiveTimestamp": "2022-01-10T06:19:40.311274041Z"
}
I don't know the details behind the software; it's just a certbot command with the proper arguments to renew the certificate. For that, the software creates a TXT record in DNS and then validates that the TXT record exists. This proves I'm the owner with the right permissions. After that, the new certificates are released. Since the creation/update of the TXT records remains in the pending state, certbot cannot validate and fails. If I update the record manually via Google DNS while certbot is taking a nap for the propagation, it all works fine.
The only issue is that these actions are not executed but remain in status pending.
The command used is:
certbot certonly --dns-google --dns-google-propagation-seconds 120 --dns-google-credentials ~/bin/dns-hosting-331818-0437a910973f.json -d "*.famderidder.com"
My colleagues and I have been working to fix a reported issue on our Amazon Alexa CBT Test regarding the value “DeepQuery=true”.
Our code has been modified, so that every state change is reported automatically and all the used interfaces have the properties “proactivelyReported” and “retrievable” set to true.
As has been suggested by the WWA-Support we used the Smart Home Debugger of the Developer Console to validate the ReportEvents (e.g. Discovery or ChangeReport) and we checked the state of our device on the “View Device State” page (both pages are referenced on: https://developer.amazon.com/en-US/docs/alexa/smarthome/debug-your-smart-home-skill.html).
For debugging purposes we scaled our device capabilities down to just the PowerController. The AddOrUpdateReport of Alexa.Discovery looks to our eyes now exactly as expected/documented. Same goes for the ChangeReport, which we proactively send right after the AddOrUpdateReport (Two sample-Reports for both are provided at the end).
Unfortunately we are still faced with the issue that “DeepQuery=true” is shown on the “View Device State” page.
If we set the interface property “retrievable” to false, “DeepQuery=false”, but the Alexa app does not retain the current state of the device. In this configuration the Alexa app can only be used to send commands, which unfortunately causes other test cases to fail.
Does anyone know how to solve this issue?
How can we set “proactivelyReported” and “retrievable” to true and have “DeepQuery=false”?
Any help would be greatly appreciated, and I will gladly provide more information if needed.
Sample AddOrUpdateReport from Smart Home Debugger
{
  "header": {
    "namespace": "SkillDebugger",
    "name": "CaptureDebuggingInfo",
    "messageId": "05b030fb-6393-4ae0-80d0-47fc27876f0e"
  },
  "payload": {
    "skillId": "amzn1.ask.skill.055ca62d-3cf8-4f51-a683-9a98b36f4637",
    "timestamp": "2021-09-09T13:28:21.629Z",
    "dialogRequestId": null,
    "skillRequestId": null,
    "type": "SmartHomeAddOrUpdateReportSuccess",
    "content": {
      "addOrUpdateReport": {
        "event": {
          "header": {
            "namespace": "Alexa.Discovery",
            "name": "AddOrUpdateReport",
            "messageId": "2458b969-7c3e-47e2-ab0b-6e13a999be76",
            "payloadVersion": "3"
          },
          "payload": {
            "endpoints": [
              {
                "manufacturerName": "Our Company Name",
                "description": "Our Product Name",
                "endpointId": "device--cb12b420-1171-11ec-81f3-cb34e87ea438",
                "friendlyName": "Lampe 1",
                "capabilities": [
                  {
                    "type": "AlexaInterface",
                    "version": "3",
                    "interface": "Alexa.PowerController",
                    "properties": {
                      "supported": [
                        {
                          "name": "powerState"
                        }
                      ],
                      "proactivelyReported": true,
                      "retrievable": true
                    }
                  },
                  {
                    "type": "AlexaInterface",
                    "interface": "Alexa",
                    "version": "3"
                  }
                ],
                "displayCategories": [
                  "LIGHT"
                ],
                "connections": [],
                "relationships": {},
                "cookie": {}
              }
            ],
            "scope": null
          }
        }
      }
    }
  }
}
Sample ChangeReport from Smart Home Debugger
{
  "header": {
    "namespace": "SkillDebugger",
    "name": "CaptureDebuggingInfo",
    "messageId": "194a96a1-6747-46ba-8751-5c9ef715fd34"
  },
  "payload": {
    "skillId": "amzn1.ask.skill.055ca62d-3cf8-4f51-a683-9a98b36f4637",
    "timestamp": "2021-09-09T13:28:23.227Z",
    "dialogRequestId": null,
    "skillRequestId": null,
    "type": "SmartHomeChangeReportSuccess",
    "content": {
      "changeReport": {
        "event": {
          "header": {
            "namespace": "Alexa",
            "name": "ChangeReport",
            "messageId": "8972e386-9622-40e6-85e7-1a7d81c79c8a",
            "payloadVersion": "3"
          },
          "endpoint": {
            "scope": null,
            "endpointId": "device--cb12b420-1171-11ec-81f3-cb34e87ea438"
          },
          "payload": {
            "change": {
              "cause": {
                "type": "APP_INTERACTION"
              },
              "properties": [
                {
                  "namespace": "Alexa.PowerController",
                  "name": "powerState",
                  "value": "ON",
                  "timeOfSample": "2021-09-09T13:28:18.088Z",
                  "uncertaintyInMilliseconds": 500
                }
              ]
            }
          }
        },
        "context": {
          "properties": []
        }
      }
    }
  }
}
I am trying to create my own security scanner which will check dependencies. To test the functionality, I created a "mock scanner" which downloads a file from a webhook and saves it as an artifact to be uploaded to the server.
The artifact is uploaded successfully and in the CI output I can see the 201 code, but for some reason it is not presented in the security dashboard.
What am I doing wrong?
Thank you!
The CI job looks as follows:
mysec_dependency_scanning:
  stage: test
  script:
    - curl https://webhook.site/XXXX -o gl-dependency-scanning-report.json
    - sleep 3
  allow_failure: true
  artifacts:
    reports:
      dependency_scanning: gl-dependency-scanning-report.json
The content of the JSON file is from the example provided by GitLab and it is as follows:
{
  "version": "2.0",
  "vulnerabilities": [
    {
      "id": "51e83874-0ff6-4677-a4c5-249060554eae",
      "category": "dependency_scanning",
      "name": "alik alik",
      "message": "Regular Expression Denial of Service in debug",
      "description": "alik to regular expression denial of service when untrusted user input is passed into the `o` formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.",
      "severity": "Unknown",
      "solution": "Upgrade to latest versions.",
      "scanner": {
        "id": "dadada",
        "name": "dadada"
      },
      "location": {
        "file": "yarn.lock",
        "dependency": {
          "package": {
            "name": "debug"
          },
          "version": "1.0.5"
        }
      },
      "identifiers": [
        {
          "type": "gemnasium",
          "name": "Gemnasium-37283ed4-0380-40d7-ada7-2d994afcc62a",
          "value": "37283ed4-0380-40d7-ada7-2d994afcc62a",
          "url": "https://deps.sec.gitlab.com/packages/npm/debug/versions/1.0.5/advisories"
        }
      ],
      "links": [
        {
          "url": "https://nodesecurity.io/advisories/534"
        },
        {
          "url": "https://github.com/visionmedia/debug/issues/501"
        },
        {
          "url": "https://github.com/visionmedia/debug/pull/504"
        }
      ]
    },
    {
      "id": "5d681b13-e8fa-4668-957e-8d88f932ddc7",
      "category": "dependency_scanning",
      "name": "Authentication bypass via incorrect DOM traversal and canonicalization",
      "message": "Authentication bypass via incorrect DOM traversal and canonicalization in saml2-js",
      "description": "Some XML DOM traversal and canonicalization APIs may be inconsistent in handling of comments within XML nodes. Incorrect use of these APIs by some SAML libraries results in incorrect parsing of the inner text of XML nodes such that any inner text after the comment is lost prior to cryptographically signing the SAML message. Text after the comment, therefore, has no impact on the signature on the SAML message.\r\n\r\nA remote attacker can modify SAML content for a SAML service provider without invalidating the cryptographic signature, which may allow attackers to bypass primary authentication for the affected SAML service provider.",
      "severity": "Unknown",
      "solution": "Upgrade to fixed version.\r\n",
      "scanner": {
        "id": "dadada",
        "name": "dadada"
      },
      "location": {
        "file": "yarn.lock",
        "dependency": {
          "package": {
            "name": "saml2-js"
          },
          "version": "1.5.0"
        }
      },
      "identifiers": [
        {
          "type": "gemnasium",
          "name": "Gemnasium-9952e574-7b5b-46fa-a270-aeb694198a98",
          "value": "9952e574-7b5b-46fa-a270-aeb694198a98",
          "url": "https://deps.sec.gitlab.com/packages/npm/saml2-js/versions/1.5.0/advisories"
        },
        {
          "type": "cve",
          "name": "CVE-2017-11429",
          "value": "CVE-2017-11429",
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11429"
        }
      ],
      "links": [
        {
          "url": "https://github.com/Clever/saml2/commit/3546cb61fd541f219abda364c5b919633609ef3d#diff-af730f9f738de1c9ad87596df3f6de84R279"
        },
        {
          "url": "https://github.com/Clever/saml2/issues/127"
        },
        {
          "url": "https://www.kb.cert.org/vuls/id/475445"
        }
      ]
    }
  ],
  "remediations": [
    {
      "fixes": [
        {
          "id": "5d681b13-e8fa-4668-957e-8d88f932ddc7",
        }
      ],
      "summary": "Upgrade saml2-js",
      "diff": "ZGlmZiAtLWdpdCBhL...OR0d1ZUc2THh3UT09Cg==" // some content is omitted for brevity
    }
  ]
}
I was able to fix the problem; the issue was an invalid JSON format.
It took a lot of trial and error, but I was able to create a working template for a dependency scanning report.
{
  "version": "3.0.0",
  "vulnerabilities": [
    {
      "id": "dfa1f7f3d56db6e1c3451a232de42f153e0335611de6f0344443d84e448ee2cf",
      "category": "dddda",
      "name": "dddda",
      "message": "ddda",
      "description": "dddda lack of validation in `index.js`.",
      "cve": "dada",
      "severity": "Critical",
      "solution": "Upgrade to version 2.0.5 or above.",
      "scanner": {
        "id": "lalal",
        "name": "Code_Analyzer"
      },
      "location": {
        "file": "yarn.lock",
        "dependency": {
          "iid": 447,
          "package": {
            "name": "copy-props"
          },
          "version": "2.0.4"
        }
      },
      "identifiers": [
        {
          "type": "dada",
          "name": "dada-e9e12690-2e4d-4251-bef0-7357ddc05881",
          "value": "e9e57890-5e4d-4832-bef2-7337ddc05889",
          "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/npm/copy-props/CVE-2219-28503.yml"
        },
        {
          "type": "cve",
          "name": "CVE-2237-28503",
          "value": "CVE-2237-28503",
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2237-28503"
        }
      ],
      "links": [
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2237-28503"
        }
      ]
    }
  ],
  "remediations": [],
  "dependency_files": [
    {
      "path": "yarn.lock",
      "package_manager": "yarn",
      "dependencies": [
        {
          "iid": 447,
          "dependency_path": [
            {
              "iid": 708
            },
            {
              "iid": 707
            }
          ],
          "package": {
            "name": "copy-props"
          },
          "version": "2.0.4"
        }
      ]
    }
  ],
  "scan": {
    "scanner": {
      "id": "lalal",
      "name": "Code_Analyzer",
      "url": "https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium",
      "vendor": {
        "name": "lalal"
      },
      "version": "2.29.5"
    },
    "type": "dependency_scanning",
    "start_time": "2021-05-03T06:47:29",
    "end_time": "2021-05-03T06:47:30",
    "status": "success"
  }
}
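The failure mode in this thread (artifact accepted with a 201, report never shown) is worth catching in the job itself, before the artifact is uploaded. The following added example, which is not part of the question, the answer or GitLab's own tooling, does a strict JSON parse and then checks the keys that the working template above carries. The required-key list is derived from that template, not from GitLab's published report schema, so treat it as an assumption; the two embedded reports are constructed, abbreviated versions of the broken file and the working one, and the CVE identifier in the second is a placeholder.

```python
import json

# Constructed, abbreviated version of the first report from the thread. It keeps
# the two defects that made the original invalid JSON: the trailing comma after
# the fix "id" and the "// ..." note inside the document.
BROKEN_REPORT = """{
  "version": "2.0",
  "vulnerabilities": [],
  "remediations": [
    {
      "fixes": [
        {
          "id": "5d681b13-e8fa-4668-957e-8d88f932ddc7",
        }
      ],
      "summary": "Upgrade saml2-js",
      "diff": "ZGlmZiAtLWdpdCBhL..." // some content is omitted for brevity
    }
  ]
}"""

# Constructed report following the shape of the working template from the
# answer. "CVE-0000-EXAMPLE" is a placeholder identifier, not a real CVE.
WORKING_REPORT = """{
  "version": "3.0.0",
  "vulnerabilities": [
    {
      "id": "dfa1f7f3d56db6e1c3451a232de42f153e0335611de6f0344443d84e448ee2cf",
      "category": "dependency_scanning",
      "name": "Constructed finding in copy-props",
      "message": "Constructed finding in copy-props",
      "description": "Constructed description for the example.",
      "severity": "Critical",
      "solution": "Upgrade to version 2.0.5 or above.",
      "scanner": {"id": "lalal", "name": "Code_Analyzer"},
      "location": {
        "file": "yarn.lock",
        "dependency": {"package": {"name": "copy-props"}, "version": "2.0.4"}
      },
      "identifiers": [
        {"type": "cve", "name": "CVE-0000-EXAMPLE", "value": "CVE-0000-EXAMPLE"}
      ]
    }
  ],
  "remediations": [],
  "scan": {
    "scanner": {"id": "lalal", "name": "Code_Analyzer", "vendor": {"name": "lalal"}, "version": "2.29.5"},
    "type": "dependency_scanning",
    "start_time": "2021-05-03T06:47:29",
    "end_time": "2021-05-03T06:47:30",
    "status": "success"
  }
}"""

# Keys present in the working template on the page (assumption: these are the
# ones the dashboard needs; they are not copied from GitLab's schema).
REQUIRED_TOP_LEVEL = ("version", "vulnerabilities", "scan")
REQUIRED_VULN_KEYS = ("id", "category", "name", "message", "description",
                      "severity", "scanner", "location", "identifiers")
# Severity values GitLab accepts in security reports.
SEVERITIES = {"Info", "Unknown", "Low", "Medium", "High", "Critical"}


def check_report(text: str) -> list[str]:
    """Return the problems found in a report; an empty list means it passed."""
    try:
        report = json.loads(text)  # strict: rejects trailing commas and comments
    except json.JSONDecodeError as exc:
        # The thread's failure mode: the file uploads fine but cannot be parsed.
        return [f"invalid JSON at line {exc.lineno} column {exc.colno}: {exc.msg}"]

    problems = []
    for key in REQUIRED_TOP_LEVEL:
        if key not in report:
            problems.append(f"missing top-level key {key!r}")

    for i, vuln in enumerate(report.get("vulnerabilities", [])):
        missing = [k for k in REQUIRED_VULN_KEYS if k not in vuln]
        if missing:
            problems.append(f"vulnerabilities[{i}] missing {missing}")
        sev = vuln.get("severity")
        if sev is not None and sev not in SEVERITIES:
            problems.append(f"vulnerabilities[{i}] has unexpected severity {sev!r}")
        ids = vuln.get("identifiers") or []
        if not ids or not all({"type", "name", "value"} <= set(ident) for ident in ids):
            problems.append(f"vulnerabilities[{i}] needs identifiers with type, name and value")
        dep = (vuln.get("location") or {}).get("dependency") or {}
        if "version" not in dep or "name" not in (dep.get("package") or {}):
            problems.append(f"vulnerabilities[{i}] location.dependency needs package.name and version")
    return problems


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_REPORT), ("working", WORKING_REPORT)):
        print(label, check_report(text) or "OK")
```

Run as a step before the artifact is declared (for example `python3 check_report.py gl-dependency-scanning-report.json` with a file argument added) and fail the job on a non-empty result; a report that does not parse is then a visible pipeline failure instead of a silently empty dashboard.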
I'm deploying an application gateway with an ARM template and want to loop through the creation of listeners.
This is how far I got:
"copy": [
  {
    "name": "httpListeners",
    "count": "[length(parameters('APPLICATIONS'))]",
    "input": {
      "name": "[concat(parameters('APPLICATIONS')[copyIndex('httpListeners')].site,'-',parameters('APPLICATIONS')[copyIndex('httpListeners')].protocol,'listener')]",
      "properties": {
        "FrontendIPConfiguration": {
          "Id": "[concat(variables('applicationGatewayID'), '/frontendIPConfigurations/', variables('frontendIpConfigName'))]"
        },
        "FrontendPort": {
          "Id": "[concat(variables('applicationGatewayID'), '/frontendPorts/', variables('frontendPortName443'))]"
        },
        "Protocol": "[parameters('APPLICATIONS')[copyIndex('httpListeners')].protocol]",
        "SslCertificate": {
          "Id": "[parameters('APPLICATIONS')[copyIndex('httpListeners')].cert]"
        },
        "HostName": "[parameters('APPLICATIONS')[copyIndex('httpListeners')].site]",
        "RequireServerNameIndication": "[if(equals(parameters('APPLICATIONS')[copyIndex('httpListeners')].protocol, 'HTTPS'), json('true'), json('false'))]"
      }
    }
  }
]
It works well as long as I only create HTTPS listeners, but when I create an HTTP listener I want to get rid of this part:
"SslCertificate": {
  "Id": "[parameters('APPLICATIONS')[copyIndex('httpListeners')].cert]"
}
Just setting the parameter parameters('APPLICATIONS')[copyIndex('httpListeners')].cert to null doesn't help.
Any suggestions?
I'm trying to get familiar with HashiCorp Vault and I don't understand how to use its audit log.
For example, let's say one of the admins was compromised and somebody with a root token created another root token. I'm getting an audit log like this:
{
  "time": "2019-08-17T21:53:07.625384189Z",
  "type": "request",
  "auth": {
    "client_token": "hmac-sha256:0c97855631748ce0a775e3efc79fc607b0d2f61ddeb78b15e915a5087013fb5b",
    "accessor": "hmac-sha256:c081cc37603419f02e67fb93f2f1362aa0eb37fa42635606cc51b9b7ed1ed561",
    "display_name": "root",
    "policies": [
      "root"
    ],
    "token_policies": [
      "root"
    ],
    "token_type": "service"
  },
  "request": {
    "id": "f8b0f707-7e38-1410-4173-235ff9e250b6",
    "operation": "update",
    "client_token": "hmac-sha256:0c97855631748ce0a775e3efc79fc607b0d2f61ddeb78b15e915a5087013fb5b",
    "client_token_accessor": "hmac-sha256:c081cc37603419f02e67fb93f2f1362aa0eb37fa42635606cc51b9b7ed1ed561",
    "namespace": {
      "id": "root"
    },
    "path": "auth/token/create",
    "data": {
      "display_name": "hmac-sha256:0f235cb7061e26e25b346c787a036860e247e0e32181b8adf13850812a27a9f1",
      "entity_alias": "hmac-sha256:0f235cb7061e26e25b346c787a036860e247e0e32181b8adf13850812a27a9f1",
      "explicit_max_ttl": "hmac-sha256:3cf83aa363c8f73a7e23ccd56baa8f4e1119bc15800030f663f2d07c5420ce91",
      "num_uses": "hmac-sha256:943213e389eae841e8d03f94149bc8e564973fd4c6f0eabe76061dd4355b03b0",
      "period": "hmac-sha256:3cf83aa363c8f73a7e23ccd56baa8f4e1119bc15800030f663f2d07c5420ce91",
      "renewable": true,
      "ttl": "hmac-sha256:3cf83aa363c8f73a7e23ccd56baa8f4e1119bc15800030f663f2d07c5420ce91",
      "type": "hmac-sha256:792572c378bcb0b0400ad2033078e80334dfd06d76d948866960ad9b8547ba62"
    },
    "remote_address": "127.0.0.1"
  }
}
{
  "time": "2019-08-17T21:53:07.709275872Z",
  "type": "response",
  "auth": {
    "client_token": "hmac-sha256:0c97855631748ce0a775e3efc79fc607b0d2f61ddeb78b15e915a5087013fb5b",
    "accessor": "hmac-sha256:c081cc37603419f02e67fb93f2f1362aa0eb37fa42635606cc51b9b7ed1ed561",
    "display_name": "root",
    "policies": [
      "root"
    ],
    "token_policies": [
      "root"
    ],
    "token_type": "service"
  },
  "request": {
    "id": "f8b0f707-7e38-1410-4173-235ff9e250b6",
    "operation": "update",
    "client_token": "hmac-sha256:0c97855631748ce0a775e3efc79fc607b0d2f61ddeb78b15e915a5087013fb5b",
    "client_token_accessor": "hmac-sha256:c081cc37603419f02e67fb93f2f1362aa0eb37fa42635606cc51b9b7ed1ed561",
    "namespace": {
      "id": "root"
    },
    "path": "auth/token/create",
    "data": {
      "display_name": "hmac-sha256:0f235cb7061e26e25b346c787a036860e247e0e32181b8adf13850812a27a9f1",
      "entity_alias": "hmac-sha256:0f235cb7061e26e25b346c787a036860e247e0e32181b8adf13850812a27a9f1",
      "explicit_max_ttl": "hmac-sha256:3cf83aa363c8f73a7e23ccd56baa8f4e1119bc15800030f663f2d07c5420ce91",
      "num_uses": "hmac-sha256:943213e389eae841e8d03f94149bc8e564973fd4c6f0eabe76061dd4355b03b0",
      "period": "hmac-sha256:3cf83aa363c8f73a7e23ccd56baa8f4e1119bc15800030f663f2d07c5420ce91",
      "renewable": true,
      "ttl": "hmac-sha256:3cf83aa363c8f73a7e23ccd56baa8f4e1119bc15800030f663f2d07c5420ce91",
      "type": "hmac-sha256:792572c378bcb0b0400ad2033078e80334dfd06d76d948866960ad9b8547ba62"
    },
    "remote_address": "127.0.0.1"
  },
  "response": {
    "auth": {
      "client_token": "hmac-sha256:fdb305fbabaf0044fc6d696fb2d0ff3d96574ff4d7fab804e8d5d36b7f2ddd14",
      "accessor": "hmac-sha256:19f3a70ceea337f067c053249504fbf8e8c164304b66a8c97fad421d43b5e4af",
      "display_name": "token",
      "policies": [
        "root"
      ],
      "token_policies": [
        "root"
      ],
      "token_type": "service"
    }
  }
}
How can I find out who it was?
How can I get the accessor of the token that was compromised?
Where can I get an accessor of the just created token to revoke it?
Or maybe I didn't get purposes of the Vault audit right?
I've found a cool option that helped me: hmac_accessor = false. Here is the audit log with this option enabled:
{
  "time": "2019-08-27T07:55:57.888464574Z",
  "type": "response",
  "auth": {
    "client_token": "hmac-sha256:84c8887e815c04aeef145ebffa05f9ef6fde166d7645b5046416d76add283fef",
    "accessor": "y1lRcyzxkPgL0gmQ45WqliPy",
    "display_name": "root",
    ...
  },
  "request": {
    "id": "f4dc76af-b562-ae2c-8d6f-dd6a0d6f7ef6",
    "operation": "update",
    "client_token": "hmac-sha256:84c8887e815c04aeef145ebffa05f9ef6fde166d7645b5046416d76add283fef",
    "client_token_accessor": "y1lRcyzxkPgL0gmQ45WqliPy",
    ...
  },
  "response": {
    ...
  },
  "error": ""
}
UPD: list of current accessors:
$ vault list auth/token/accessors
Keys
----
MelMLthx4K4FznCbNIB8xbC6
bOnatDe7MXfdB9f3CRuGPo0h
y1lRcyzxkPgL0gmQ45WqliPy
VerAvaBln92HG38gKbKEcXOZ
Get info about token by the accessor:
$ vault write auth/token/lookup-accessor accessor=VerAvaBln92HG38gKbKEcXOZ
Key Value
--- -----
accessor VerAvaBln92HG38gKbKEcXOZ
creation_time 1566893336
creation_ttl 3m
display_name token
entity_id n/a
expire_time 2019-08-27T11:11:56.903211142+03:00
explicit_max_ttl 0s
id n/a
issue_time 2019-08-27T11:08:56.903210949+03:00
meta <nil>
num_uses 0
orphan false
path auth/token/create
period 3m
policies [root]
renewable true
ttl 2m55s
type service
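The update above answers the three questions in the post once `hmac_accessor = false` is set: the caller's accessor is in `auth.accessor` of the request and response entries, and the accessor of the newly minted token is in `response.auth.accessor` of the response entry for `auth/token/create`, which is what `vault token revoke -accessor` needs. The following is an added example, not code from the post or from HashiCorp: it walks a file-audit log, pairs each `auth/token/create` response with its caller, and flags the ones that handed out the `root` policy. The log entries are constructed in the shape of the entries shown above (two accessors reuse values from the post; everything else, including addresses and request ids, is made up).

```python
import json

# Constructed audit entries in the shape of Vault's file audit device output with
# hmac_accessor = false: tokens stay HMACed, accessors are written in the clear.
# The caller and created accessors reuse values from the post; all other values
# are made up for the example.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(entry) for entry in [
    {"time": "2019-08-27T07:55:57.80Z", "type": "request",
     "auth": {"accessor": "y1lRcyzxkPgL0gmQ45WqliPy", "display_name": "root", "policies": ["root"]},
     "request": {"id": "f4dc76af-b562-ae2c-8d6f-dd6a0d6f7ef6", "operation": "update",
                 "path": "auth/token/create", "remote_address": "127.0.0.1"}},
    {"time": "2019-08-27T07:55:57.88Z", "type": "response",
     "auth": {"accessor": "y1lRcyzxkPgL0gmQ45WqliPy", "display_name": "root", "policies": ["root"]},
     "request": {"id": "f4dc76af-b562-ae2c-8d6f-dd6a0d6f7ef6", "operation": "update",
                 "path": "auth/token/create", "remote_address": "127.0.0.1"},
     "response": {"auth": {"client_token": "hmac-sha256:0000constructed0000",
                           "accessor": "VerAvaBln92HG38gKbKEcXOZ",
                           "display_name": "token", "policies": ["root"]}},
     "error": ""},
    {"time": "2019-08-27T08:01:10.10Z", "type": "response",
     "auth": {"accessor": "MelMLthx4K4FznCbNIB8xbC6", "display_name": "token", "policies": ["default", "app"]},
     "request": {"id": "1d1d1d1d-0000-4000-8000-000000000002", "operation": "update",
                 "path": "auth/token/create", "remote_address": "10.0.0.5"},
     "response": {"auth": {"accessor": "bOnatDe7MXfdB9f3CRuGPo0h", "display_name": "token",
                           "policies": ["default"]}},
     "error": ""},
    # A denied creation attempt: Vault records it with a non-empty "error".
    {"time": "2019-08-27T08:02:00.00Z", "type": "response",
     "auth": {"accessor": "MelMLthx4K4FznCbNIB8xbC6", "display_name": "token", "policies": ["default"]},
     "request": {"id": "1d1d1d1d-0000-4000-8000-000000000003", "operation": "update",
                 "path": "auth/token/create", "remote_address": "10.0.0.5"},
     "response": {}, "error": "1 error occurred: permission denied"},
    # Unrelated read; must be ignored.
    {"time": "2019-08-27T08:03:00.00Z", "type": "response",
     "auth": {"accessor": "MelMLthx4K4FznCbNIB8xbC6", "display_name": "token", "policies": ["default"]},
     "request": {"id": "1d1d1d1d-0000-4000-8000-000000000004", "operation": "read",
                 "path": "secret/data/app", "remote_address": "10.0.0.5"},
     "response": {"data": {"password": "hmac-sha256:0000constructed0001"}}, "error": ""},
])


def token_creations(log_text):
    """Yield one record per successful auth/token/create response in the log."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        # Only response entries carry the new token; skip failed requests.
        if entry.get("type") != "response" or entry.get("error"):
            continue
        req = entry.get("request") or {}
        if req.get("path") != "auth/token/create":
            continue
        caller = entry.get("auth") or {}
        new = (entry.get("response") or {}).get("auth") or {}
        yield {
            "time": entry.get("time"),
            "request_id": req.get("id"),
            "caller_accessor": caller.get("accessor"),      # the token to investigate
            "caller_display_name": caller.get("display_name"),
            "remote_address": req.get("remote_address"),    # where the call came from
            "new_accessor": new.get("accessor"),            # the token to revoke
            "new_policies": new.get("policies") or [],
        }


def root_token_creations(log_text):
    """Creations that granted the root policy: the case described in the post."""
    return [rec for rec in token_creations(log_text) if "root" in rec["new_policies"]]


def revoke_command(accessor):
    """The CLI command that revokes a token given only its accessor."""
    return f"vault token revoke -accessor {accessor}"


if __name__ == "__main__":
    for rec in root_token_creations(SAMPLE_AUDIT_LOG):
        print(f"{rec['time']} root token created by accessor {rec['caller_accessor']} "
              f"from {rec['remote_address']}; new accessor {rec['new_accessor']}")
        print("  " + revoke_command(rec["new_accessor"]))
```

With the default `hmac_accessor = true` the accessors in the log are HMACs, but they are still stable per audit device, so a known accessor from `vault list auth/token/accessors` can be matched against log entries by hashing it through Vault's `sys/audit-hash/<device>` endpoint rather than by reading it in the clear.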
On my Sensu server (non-enterprise) I first installed the https://github.com/sensu-plugins/sensu-plugins-slack plugin via sudo sensu-install -p slack.
My configuration files located on my Sensu server are as follows.
/etc/sensu/conf.d/handler_config_slack.json:
{
  "handlers": {
    "slack": {
      "type": "pipe",
      "command": "/usr/local/bin/handler-slack.rb",
      "severites": ["critical", "unknown"]
    }
  },
  "slack": {
    "webhook_url": "https://hooks.slack.com/services/...",
    "username": "sensu",
    "channel": "#ops",
    "timeout": 10
  }
}
/etc/sensu/conf.d/client.json:
{
  "client": {
    "name": "sensu-server-client-test",
    "address": "x.x.x.x",
    "subscriptions": [
      "test"
    ],
    "keepalive": {
      "thresholds": {
        "warning": 30,
        "critical": 40
      },
      "handlers": ["slack"],
      "refresh": 300
    }
  }
}
And the Sensu remote client server's file /etc/sensu/conf.d/client.json:
{
  "client": {
    "name": "sensu-client-test",
    "address": "x.x.x.x",
    "subscriptions": [
      "test"
    ],
    "keepalive": {
      "thresholds": {
        "warning": 30,
        "critical": 40
      },
      "handlers": ["slack"],
      "refresh": 300
    }
  }
}
/var/log/sensu/sensu-server.log:
{"timestamp":"2016-02-21T15:04:59.771989+0000","level":"info","message":"handler output","handler":{"type":"pipe","command":"handler-slack.rb","severites":["critical","unknown"],"name":"slack"},"output":["only handling every 180 occurrences: sensu-server-client-test/disk\n"]}
I have a remote Sensu client running and connected, and I then deliberately stop the remote client server to produce warning and critical events from the keepalive checks. I would like a message to be sent to my Slack channel; however, nothing is being sent.
What am I doing wrong?
Simple error. I changed the following:
"command": "/usr/local/bin/handler-slack.rb",
To the following:
"command": "handler-slack.rb",