[GH-ISSUE #1024] Default host certificate leaks implementation information in organization subject #859

New issue

Closed

opened 2026-02-26 06:34:43 +03:00 by kerem · 7 comments

kerem commented 2026-02-26 06:34:43 +03:00

Owner

Copy link

Originally created by @qriff on GitHub (Apr 17, 2021).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/1024

Describe the bug
The generated default self signed host certificate leaks implementation name "Nginx Proxy Manager" in the "Organizational" (O) subject field.

To Reproduce
Steps to reproduce the behavior:

1. Browse to default https host
2. Review certificate details

Expected behavior
Field should be generic (not reference implementation), like localhost or empty, or definable.

In \docker\rootfs\etc\services.d\nginx\run
`

Generate dummy self-signed certificate.

if [ ! -f /data/nginx/dummycert.pem ] || [ ! -f /data/nginx/dummykey.pem ]
then
echo "Generating dummy SSL certificate..."
openssl req
-new
-newkey rsa:2048
-days 3650
-nodes
-x509
-subj '/O=Nginx Proxy Manager/OU=Dummy Certificate/CN=localhost'
-keyout /data/nginx/dummykey.pem
-out /data/nginx/dummycert.pem
echo "Complete"
fi
`

Originally created by @qriff on GitHub (Apr 17, 2021). Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/1024 **Describe the bug** The generated default self signed host certificate leaks implementation name "Nginx Proxy Manager" in the "Organizational" (O) subject field. **To Reproduce** Steps to reproduce the behavior: 1. Browse to default https host 2. Review certificate details **Expected behavior** Field should be generic (not reference implementation), like localhost or empty, or definable. In \docker\rootfs\etc\services.d\nginx\run ` # Generate dummy self-signed certificate. if [ ! -f /data/nginx/dummycert.pem ] || [ ! -f /data/nginx/dummykey.pem ] then echo "Generating dummy SSL certificate..." openssl req \ -new \ -newkey rsa:2048 \ -days 3650 \ -nodes \ -x509 \ -subj '/O=Nginx Proxy Manager/OU=Dummy Certificate/CN=localhost' \ -keyout /data/nginx/dummykey.pem \ -out /data/nginx/dummycert.pem echo "Complete" fi `

kerem 2026-02-26 06:34:43 +03:00

• closed this issue
• added the
  stale
  bug
  labels

kerem commented 2026-02-26 06:34:43 +03:00

Author

Owner

Copy link

@l4rm4nd commented on GitHub (Apr 17, 2021):

I mean it is called a dummy certificate for a reason. You can easily replace it with your own certificate.

Just replace /data/nginx/dummykey.pem and /data/nginx/dummycert.pem with your own SSL cert.

openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -subj '/O=localhost/OU=localhost/CN=localhost' -keyout /data/nginx/dummykey.pem -out /data/nginx/dummycert.pem

<!-- gh-comment-id:821867721 --> @l4rm4nd commented on GitHub (Apr 17, 2021): I mean it is called a dummy certificate for a reason. You can easily replace it with your own certificate. Just replace ``/data/nginx/dummykey.pem`` and ``/data/nginx/dummycert.pem`` with your own SSL cert. ```` openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -subj '/O=localhost/OU=localhost/CN=localhost' -keyout /data/nginx/dummykey.pem -out /data/nginx/dummycert.pem ````

kerem commented 2026-02-26 06:34:43 +03:00

Author

Owner

Copy link

@bmbvenom commented on GitHub (Aug 22, 2021):

I mean it is called a dummy certificate for a reason. You can easily replace it with your own certificate.

Just replace /data/nginx/dummykey.pem and /data/nginx/dummycert.pem with your own SSL cert.

openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -subj '/O=localhost/OU=localhost/CN=localhost' -keyout /data/nginx/dummykey.pem -out /data/nginx/dummycert.pem

I don't disagree with you, it is easy enough to replace with a new dummy cert. However, considering that ssllabs.com (and I can only assume similar tools) picks up this dummy cert in their "No SNI" scan I agree with @qriff that this could expose potential attack vectors and it should be fixed. As such I've submitted PR #1338

<!-- gh-comment-id:903216808 --> @bmbvenom commented on GitHub (Aug 22, 2021): > > > I mean it is called a dummy certificate for a reason. You can easily replace it with your own certificate. > > Just replace `/data/nginx/dummykey.pem` and `/data/nginx/dummycert.pem` with your own SSL cert. > > ``` > openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -subj '/O=localhost/OU=localhost/CN=localhost' -keyout /data/nginx/dummykey.pem -out /data/nginx/dummycert.pem > ``` I don't disagree with you, it is easy enough to replace with a new dummy cert. However, considering that ssllabs.com (and I can only assume similar tools) picks up this dummy cert in their "No SNI" scan I agree with @qriff that this could expose potential attack vectors and it should be fixed. As such I've submitted PR #1338

kerem commented 2026-02-26 06:34:43 +03:00

Author

Owner

Copy link

@jc21 commented on GitHub (Aug 22, 2021):

Agreed :)

<!-- gh-comment-id:903342287 --> @jc21 commented on GitHub (Aug 22, 2021): Agreed :)

kerem commented 2026-02-26 06:34:43 +03:00

Author

Owner

Copy link

@jstrat31 commented on GitHub (Aug 8, 2023):

Hello all, Sorry to bring those old issue backup, but we're currently failing our pen test for this very thing. pen testers scan ip only and get the dummy localhost certs, which causes us to get a medium finding. Took me longer than it should have to realize its the dummycerts form Nginx Proxy Manager. sslchecker.com also flags it when entering our IP.
Is there anyway to have NPM just not advertise these certs? I've tried deleting them, but they still show when connecting, and when I delete them, they're recreated on next reboot.

Thanks!!

<!-- gh-comment-id:1670370302 --> @jstrat31 commented on GitHub (Aug 8, 2023): Hello all, Sorry to bring those old issue backup, but we're currently failing our pen test for this very thing. pen testers scan ip only and get the dummy localhost certs, which causes us to get a medium finding. Took me longer than it should have to realize its the dummycerts form Nginx Proxy Manager. sslchecker.com also flags it when entering our IP. Is there anyway to have NPM just not advertise these certs? I've tried deleting them, but they still show when connecting, and when I delete them, they're recreated on next reboot. Thanks!!

kerem commented 2026-02-26 06:34:43 +03:00

Author

Owner

Copy link

@l4rm4nd commented on GitHub (Aug 10, 2023):

Hello all, Sorry to bring those old issue backup, but we're currently failing our pen test for this very thing. pen testers scan ip only and get the dummy localhost certs, which causes us to get a medium finding. Took me longer than it should have to realize its the dummycerts form Nginx Proxy Manager. sslchecker.com also flags it when entering our IP. Is there anyway to have NPM just not advertise these certs? I've tried deleting them, but they still show when connecting, and when I delete them, they're recreated on next reboot.

Thanks!!

Use internal risk management and lower the severity to informational.

Pentesters will just report anything they find and apply a risk rating. It's your job too, to also assess the risk. As outlined, there is no risk by using a self-signed certificate for the NPM network service reachable by IP. It's a reverse proxy, which proxies hostnames / subdomains. Therefore, accessing the IP directly is not the key aspect of the product and neglectable.

In the end, it's still a proper SSL certificate. It's just self-signed and therefore not in the regular root trust stores of end devices and browsers, which will lead to warning messages. As for any internal PKI, you can just put the cert into all trust stores of your clients and it will be trusted. Applying a medium risk rating due to self-signed certificates is kinda harsh. May talk to the pentesters and challenge them. Ask for a recommendation on how to resolve properly. They will likely just lower the risk.

Cheers from a pentester

<!-- gh-comment-id:1672877889 --> @l4rm4nd commented on GitHub (Aug 10, 2023): > Hello all, Sorry to bring those old issue backup, but we're currently failing our pen test for this very thing. pen testers scan ip only and get the dummy localhost certs, which causes us to get a medium finding. Took me longer than it should have to realize its the dummycerts form Nginx Proxy Manager. sslchecker.com also flags it when entering our IP. Is there anyway to have NPM just not advertise these certs? I've tried deleting them, but they still show when connecting, and when I delete them, they're recreated on next reboot. > > Thanks!! Use internal risk management and lower the severity to informational. Pentesters will just report anything they find and apply a risk rating. It's your job too, to also assess the risk. As outlined, there is no risk by using a self-signed certificate for the NPM network service reachable by IP. It's a reverse proxy, which proxies hostnames / subdomains. Therefore, accessing the IP directly is not the key aspect of the product and neglectable. In the end, it's still a proper SSL certificate. It's just self-signed and therefore not in the regular root trust stores of end devices and browsers, which will lead to warning messages. As for any internal PKI, you can just put the cert into all trust stores of your clients and it will be trusted. Applying a medium risk rating due to self-signed certificates is kinda harsh. May talk to the pentesters and challenge them. Ask for a recommendation on how to resolve properly. They will likely just lower the risk. Cheers from a pentester

kerem commented 2026-02-26 06:34:43 +03:00

Author

Owner

Copy link

@github-actions[bot] commented on GitHub (Mar 13, 2024):

Issue is now considered stale. If you want to keep it open, please comment 👍

<!-- gh-comment-id:1993072631 --> @github-actions[bot] commented on GitHub (Mar 13, 2024): Issue is now considered stale. If you want to keep it open, please comment :+1:

kerem commented 2026-02-26 06:34:43 +03:00

Author

Owner

Copy link

@qriff commented on GitHub (Mar 14, 2024):

Seems fixed in merge for #1338

<!-- gh-comment-id:1996625250 --> @qriff commented on GitHub (Mar 14, 2024): Seems fixed in merge for #1338

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

develop

dependabot/npm_and_yarn/backend/liquidjs-10.25.7

dependabot/npm_and_yarn/frontend/prod-minor-updates-2a16bf3987

dependabot/npm_and_yarn/frontend/dev-patch-updates-754666cf41

dependabot/npm_and_yarn/backend/basic-ftp-5.3.0

dependabot/npm_and_yarn/test/follow-redirects-1.16.0

dependabot/npm_and_yarn/test/axios-1.15.0

dependabot/npm_and_yarn/frontend/lodash-4.18.1

dependabot/npm_and_yarn/backend/lodash-4.18.1

dependabot/npm_and_yarn/test/lodash-4.18.1

dependabot/npm_and_yarn/frontend/vite-7.3.2

dependabot/npm_and_yarn/backend/prod-minor-updates-5ec19a7f21

dependabot/npm_and_yarn/frontend/lodash-es-4.18.1

dependabot/npm_and_yarn/frontend/happy-dom-20.8.9

dependabot/npm_and_yarn/backend/path-to-regexp-8.4.0

dependabot/npm_and_yarn/frontend/picomatch-4.0.4

dependabot/npm_and_yarn/backend/picomatch-2.3.2

dependabot/npm_and_yarn/frontend/yaml-1.10.3

dependabot/npm_and_yarn/test/flatted-3.4.2

dependabot/npm_and_yarn/test/tar-7.5.11

dependabot/npm_and_yarn/frontend/immutable-5.1.5

master

dependabot/npm_and_yarn/test/glob-10.5.0

dependabot/npm_and_yarn/frontend/mdast-util-to-hast-13.2.1

dependabot/npm_and_yarn/test/form-data-4.0.4

v3-abandoned

bump-freedns

openidc

ssl-passthrough-hosts

static-content

v2.14.0

v2.13.7

v2.13.6

v2.13.5

v2.13.4

v2.13.3

v2.13.2

v2.13.1

v2.13.0

v2.12.6

v2.12.5

v2.12.4

v2.12.3

v2.12.2

v2.12.1

v2.12.0

v2.11.3

v2.11.2

v2.11.1

v2.11.0

v2.10.4

v2.10.3

v2.10.2

v2.10.1

v2.10.0

v2.9.22

v2.9.21

v2.9.20

v2.9.19

v2.9.18

v2.9.17

v2.9.16

v2.9.15

v2.9.14

v2.9.13

v2.9.12

v2.9.11

v2.9.10

v2.9.9

v2.9.8

v2.9.7

v2.9.6

v2.9.5

v2.9.4

v2.9.3

v2.9.2

v2.9.1

v2.9.0

v2.8.1

v2.8.0

v2.7.3

v2.7.2

v2.7.1

v2.7.0

v2.6.2

v2.6.1

v2.6.0

v2.5.0

v2.4.0

v2.3.1

v2.3.0

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.2

v2.1.1

v2.1.0

2.0.14

2.0.13

2.0.12

2.0.11

2.0.10

2.0.9

2.0.8

2.0.7

2.0.6

2.0.5

2.0.4

2.0.3

2.0.2

2.0.0

v2.0.0

1.1.2

1.1.1

1.0.1

Labels

Clear labels   

awaiting feedback

  

bug

  

cannot reproduce

  

dns provider request

  

duplicate

  

enhancement

  

enhancement

  

enhancement

  

good first issue

  

help wanted

  

invalid

  

need more info

  

no certbot plugin available

  

product-support

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

stale

  

troll

  

upstream issue

  

v2

  

v2

  

v2

  

v3

  

wontfix

No labels

awaiting feedback

bug

cannot reproduce

dns provider request

duplicate

enhancement

enhancement

enhancement

good first issue

help wanted

invalid

need more info

no certbot plugin available

product-support

pull-request

question

stale

troll

upstream issue

v2

v2

v2

v3

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/nginx-proxy-manager-NginxProxyManager#859

No description provided.