DNS Made Easy: Plain text (http) API communication and InsecureSkipVerify

[vanbroup]

The DNS Made Easy API is redirecting traffic to plain text (http) communication and is also setting the InsecureSkipVerify setting to accept untrusted (and potentially MITM) certificates. While this is an issue with DNS Made Easy, I think go-acme/lego would benefit from stricter security policy and this should clearly not be permitted.

lego/providers/dns/dnsmadeeasy/dnsmadeeasy.go

Line 52 in 27bb3f2

TLSClientConfig: &tls.Config{InsecureSkipVerify: true},

curl -I https://api.dnsmadeeasy.com/V2.0
HTTP/1.1 302 Moved Temporarily
Date: Thu, 30 Dec 2021 15:38:28 GMT
Connection: keep-alive
Location: http://api.dnsmadeeasy.com/V2.0/
Server: DNSME API

[ldez]

Your curl illustrates the problem: DNS Made Easy redirect HTTPS to HTTP.

So the constraint seems coming from the API and not from lego.

[ldez]

curl -I https://api.dnsmadeeasy.com/V2.0/
HTTP/1.1 500 Internal Server Error
Date: Thu, 30 Dec 2021 16:58:08 GMT
Content-Type: text/html;charset=ISO-8859-1
Connection: keep-alive
x-dnsme-requestId: 0115763f-3b70-45b0-bc4e-988b701eb983
Set-Cookie: JSESSIONID=B628068707F35FB450E8278FD8F8DA03; Path=/V2.0; HttpOnly
Server: DNSME API

the redirection was related to a missing / in your curl command.

[vanbroup]

The certificate is used in the initial handshake as the https url is configured. But the API seems to redirect to the secure connection directly to an unsecure connection after it's established.

The result would be the same as connecting to an unsecure connection in the first place.

In the end Lego users are at risk by both issues, something that is probably not desired.

[ldez]

are you a DNS Made Easy customer?

if yes, are you are able to run the curl suggested here: https://api-docs.dnsmadeeasy.com/#ae20deac-3681-48fd-a8ee-aca15d0edafd

[vanbroup]

I'm not a customer, just identified the TLS config problem in Lego.

The redirect is a problem in their system and not in Lego, it might be that some URLs are not redirecting to http. Instead all http request should be redirect to http or not answered at all.

[ldez]

FYI, the problem with InsecureSkipVerify and DNS Made Easy was already known, and our linter can detect that but the detection of this problem is disabled.

The first implementation of the provider already contains that #238

As I'm not able to validate the change and you too, I will wait for someone with a DNS Made Easy account, that can validate a modification to avoid a regression.