Role Allows Implicit Localhost Issuance
Perform the recommended actions to ensure that roles do not unintentionally allow certificates to be issued for localhost-based domains.
This health check ensures that roles do not unintentionally allow certificates to be issued for localhost-based domains. Allowing implicit localhost issuance (via allow_localhost=true) in combination with a non-empty allowed_domains may pose a security risk by enabling certificates for internal or unintended hostnames.
Health Check Name: role_allows_localhost
Accessed APIs
LIST /roles
Lists all defined roles
READ /roles/:name
Reads the configuration of a specific role
Configuration Parameters
None
Health Check Results
allow_localhost is set to true
The role permits implicit certificate issuance for localhost or localhost-like domains.
allowed_domains contains one or more entries
The role allows issuance for specific domains, which may unintentionally include localhost.
Both conditions (allow_localhost=true and non-empty allowed_domains) are true
A warning is issued, indicating a risk of unintended certificate issuance for localhost.
Recommended Actions
Set allow_localhost=false for all roles.
Update the allowed_domains field to include only explicitly approved domains, avoiding vague or wildcard domain entries that could inadvertently include localhost-style hostnames.
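The two conditions from the results table can be evaluated offline against exported role configurations, which also surfaces the wildcard entries the second action refers to. This is an added example, not the health check's own code; the sample roles, the input normalization and the "unknown" status for a missing field are assumptions.

```python
# Added example: offline evaluation of the role_allows_localhost conditions.
# SAMPLE_ROLES is constructed data shaped like the role configuration returned
# by READ /roles/:name; role names and domains are made up.
SAMPLE_ROLES = {
    "web-internal": {"allow_localhost": True, "allowed_domains": ["corp.example.com"]},
    "legacy-csv": {"allow_localhost": "true",
                   "allowed_domains": "a.example.com, *.example.net"},
    "any-local": {"allow_localhost": True, "allowed_domains": []},
    "hardened": {"allow_localhost": False, "allowed_domains": ["svc.example.org"]},
}


def _as_bool(value):
    """Accept booleans and the string forms found in exported configs."""
    if isinstance(value, str):
        return value.strip().lower() in ("true", "1", "yes")
    return bool(value)


def _as_list(value):
    """Normalize allowed_domains given as a list or a comma-separated string."""
    if isinstance(value, str):
        value = value.split(",")
    return [d.strip() for d in (value or []) if isinstance(d, str) and d.strip()]


def check_role(name, config):
    """Return one finding for a role: status plus any wildcard entries."""
    domains = _as_list(config.get("allowed_domains"))
    finding = {"role": name, "status": "ok",
               "wildcards": [d for d in domains if "*" in d]}
    if "allow_localhost" not in config:
        finding["status"] = "unknown"   # field missing: do not guess a default
    elif _as_bool(config["allow_localhost"]) and domains:
        finding["status"] = "warning"   # both conditions from the results table
    return finding


def audit(roles):
    """Evaluate every role and return findings sorted by role name."""
    return [check_role(name, roles[name]) for name in sorted(roles)]


if __name__ == "__main__":
    for f in audit(SAMPLE_ROLES):
        print(f"{f['role']:<14}{f['status']:<9}{', '.join(f['wildcards'])}")
```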