Tags: NeySlim/ultimate-ca-manager
release(v2.124): ACME proxy email fix — issue #68

Hotfix for GitHub issue #68: win-acme and other ACME clients going through the LE proxy failed with 'contact email has invalid domain: Domain name does not end with a valid public suffix'.

Root cause: proxy registered upstream account with a synthesized admin@<FQDN> address, ignoring the admin-configured email. On typical installs the FQDN resolves to a private TLD (.lan/.local/.internal) which LE rejects against the Public Suffix List.

Fixes (comprehensive ACME proxy review):
- _register_upstream_account now reads acme.proxy_email
- register_proxy_account actually registers upstream, validates format and PSL, clears stale account URL
- unregister_proxy_account cleans cached account URL too
- Timeouts on _get_nonce (15s) and _post_jws (30s)
- Wildcard lookup uses startswith slice instead of broken lstrip('*.')
- Upstream response body no longer leaked in RuntimeError messages

Testing:
- 1476 backend pass (+5 new), 450 frontend pass
- Functional against LE staging: good email registers real account, private TLD rejected, unregister cleans fully
release(v2.123): Phase 2 — unified SSRF + policy approval fix + error hygiene

Security
- Unified SSRF guard (validate_url_not_cloud_metadata): blocks cloud metadata IPs (AWS/GCP/Alibaba) + loopback only. RFC1918 remains allowed so internal AD/Keycloak/ACME CAs keep working.
- Applied to ACME directory_url + proxy_upstream_url, OAuth2 discovery, SAML metadata fetch (replacing literal-IP-only check).
- Removed str(e) leaks in MSCA, SSH CA KRL, webhook validation, DNS access test.

Fixed
- Policy approve_request self-check was permanently bypassed (read request.current_user which is always None; switched to g.current_user).
- Policy reject_request logged 'system' as actor — now logs real user.
- Policy create_policy set created_by=None — now records real user.
release(v2.122): Phase 1 security & bug hotfixes

Critical fixes from the comprehensive UCM app review:

Security:
- SAML auth bypass: removed unsigned-XML fallback in /api/v2/sso/saml/callback; any process_response() error now hard-rejects with saml_validation_failed.
- Webhook SSRF: /api/v2/settings/webhooks create + test now validate URL via validate_url_not_private() (parity with /api/v2/webhooks).
- P12 password leak: reject password= query params + PKCS12/PFX/JKS formats on GET export endpoints. Password-bearing exports must use POST JSON body.
- Brute-force protection: init_rate_limiter(app) is now actually called from create_app(); auth endpoints effectively rate-limited.
- Rate limiter: added /.well-known/est/ to the protocol bucket.

Bug fix:
- Auto-renewal crash: services/auto_renewal_service.py referenced nonexistent Certificate columns (not_before, not_after, ca_id, status, superseded_by). Rewrote against real schema (caref/valid_from/valid_to/revoked/archived).

Tests: 1471 backend tests pass.