Indicate known certificates in sent mails #88

Open
stoecker opened this issue May 14, 2024 · 5 comments · May be fixed by #90

stoecker commented May 14, 2024

I have about 50 entries in my watchlist (heavily using subdomains) and separating mails for legitimate use and fraud is hard.

Please add a check whether the certificate matches a known private key
I.e. by adding the modulus of the private key: "openssl rsa -in private.key -modulus -noout" in a knownkeyslist and checking the certificates against this: "openssl x509 -in cert.pem -modulus --noout" [editor's note: comparing by modulus only is not correct]. When it matches, the mail subject could then include a "known" or another keyword.

This way it would be much easier to find bad certificates.


stoecker commented May 14, 2024

This could also solve #13, #74 and #76.

@AGWA AGWA added this to the Less noise milestone May 14, 2024
@AGWA AGWA added the feature label May 14, 2024
stoecker (Author) commented

@AGWA: If you modify my text please also explain why. The two components to identify a private key are modulus and exponent. Modulus alone should be enough to identify a matching private key for the given purpose. If you want to be 100% exact it's modulus and exponent (Can be output with -text).
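
As an added example (not code from this issue or from certspotter itself), here is a Go sketch of the check requested above: instead of comparing the bare modulus, the known list is keyed by a SHA-256 of the DER-encoded SubjectPublicKeyInfo, which binds modulus and exponent together for RSA and works unchanged for EC or Ed25519 keys. The KnownKeys type, the selfSigned helper and the generated keys are constructed for the example and are not certspotter's own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// spkiFingerprint hashes the DER SubjectPublicKeyInfo, which for RSA binds modulus and exponent together.
func spkiFingerprint(pub any) ([32]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return [32]byte{}, err
	}
	return sha256.Sum256(der), nil
}

// KnownKeys is the issue's "knownkeyslist", keyed by SPKI fingerprint instead of bare modulus (constructed type).
type KnownKeys map[[32]byte]bool

// Add registers the public half of one of the operator's own private keys.
func (kk KnownKeys) Add(key *rsa.PrivateKey) error {
	fp, err := spkiFingerprint(&key.PublicKey)
	if err == nil {
		kk[fp] = true
	}
	return err
}

// Matches is the check a mail hook would run before adding "known" to the subject.
func (kk KnownKeys) Matches(cert *x509.Certificate) (bool, error) {
	fp, err := spkiFingerprint(cert.PublicKey)
	return kk[fp], err
}

// selfSigned builds a constructed test certificate for key; a real hook would load the certificate certspotter reports.
func selfSigned(key *rsa.PrivateKey, cn string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

A certificate issued for one of the operator's keys matches; one issued for any other key, even for the same domain name, does not.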

@stoecker stoecker linked a pull request May 23, 2024 that will close this issue

Blason commented Jun 27, 2024

@stoecker I am keen to know about the email notifications you configured. Did you use sendmail or any other MTA to send emails? Would you mind sharing your email settings, of course with masking all your private information? And how are you monitoring certspotter continuously? Have you created a service for it?

stoecker (Author) commented

In /etc/systemd/system/certspotter.service

[Unit]
Description=Certificate Transparency Log Monitor
Documentation=man:certspotter(8)
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=certspotter
Environment=CERTSPOTTER_CONFIG_DIR=/etc/certspotter CERTSPOTTER_STATE_DIR=/var/cache/certspotter EMAIL=...mymail...
ExecStart=/home/euronav/certspotter/certspotter -verbose -start_at_end
ConfigurationDirectory=certspotter
CacheDirectory=certspotter
# not strict, because we want to allow some flexibility to hooks
ProtectSystem=full

[Install]
WantedBy=multi-user.target

in /etc/certspotter email_recipients, keylist, watchlist

The file needs a modification with the email address. I was too lazy yet to move that into a config file ;-)

I use a locally running postfix with opendkim as signature service. If wanted I can describe that setup here, but that's a bit harder to describe and set up, and it needs a bit of knowledge about mail server setup to do it right. Operating a proper mail server is no easy task nowadays.

On the mail receiving server side, dovecot is used with server-side filtering with sieve to sort mails into the corresponding mail folders.

Due to the amount of domains I monitor, getting the mails is enough to see if the service is running. Usually there are Let's Encrypt renewals every week, so there is no special monitor service beside systemd daemon handling.

stoecker (Author) commented

If mail server knowledge is missing, something like this can help: https://phoenixnap.com/kb/postfix-smtp - Configure postfix to relay any mail to the submission port of another server with username/password. Here it's not so important to set up all details right, as the target server has to do all the proper email stuff; the local postfix acts as MDA.
