Avoid showing Let's Encrypt private key when turning off the "pages_auto_ssl" feature
As part of https://gitlab.com/gitlab-org/gitlab-ce/issues/28996, we altered the Pages domain edit page (in https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/26438) to only show the "Key" field if Let's Encrypt isn't turned on.
When this feature is disabled (i.e. `Feature.enabled?(:pages_auto_ssl) == false`), both the "Certificate" and "Key" fields are always shown. This opens up the possibility for a user to access the private key of a certificate obtained through Let's Encrypt:
- Enable the `pages_auto_ssl` feature
- Turn on Let's Encrypt for a Pages domain
- Wait until the Let's Encrypt certificate fetching process completes successfully
- Disable the `pages_auto_ssl` feature
At this point in time, the user can navigate back to the Pages domain's edit page and view the private key of the Let's Encrypt certificate, since the `pages_auto_ssl` feature is off.
I don't think this is a security issue per se, but it's probably best practice to not expose the Let's Encrypt private key.
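The four steps above, replayed against a simplified model as an added example (not GitLab's code and not part of the original issue). Only the `:pages_auto_ssl` flag name comes from the issue; the `Flags` class, the `Domain` struct, its `key_source` field and both visibility checks are hypothetical, and the provenance-based check is one possible approach, not the project's fix.

```ruby
# Added illustration; simplified model, not GitLab's code.
# All names here are hypothetical except the :pages_auto_ssl flag name.

# Minimal stand-in for a feature-flag store.
class Flags
  def initialize; @on = {}; end
  def enable(name);  @on[name] = true;  end
  def disable(name); @on[name] = false; end
  def enabled?(name); @on.fetch(name, false); end
end

# Constructed Pages domain record. `key_source` records who supplied the
# private key (:user upload or :lets_encrypt); that field is an assumption.
Domain = Struct.new(:name, :auto_ssl, :certificate, :key, :key_source)

# Behaviour described in the issue: the "Key" field is hidden only while the
# flag is on and Let's Encrypt is turned on for the domain.
def key_visible_flag_gated?(flags, domain)
  !(flags.enabled?(:pages_auto_ssl) && domain.auto_ssl)
end

# Alternative: decide from the key's provenance, independent of the flag.
def key_visible_source_gated?(_flags, domain)
  domain.key_source != :lets_encrypt
end

# Replays the four steps from the issue and returns what each check decides.
def replay_issue_steps
  flags = Flags.new
  domain = Domain.new("pages.example.test", false, nil, nil, nil)

  flags.enable(:pages_auto_ssl)            # step 1
  domain.auto_ssl = true                   # step 2
  domain.certificate = "CONSTRUCTED-CERT"  # step 3: issuance completes
  domain.key = "CONSTRUCTED-KEY"
  domain.key_source = :lets_encrypt
  before = key_visible_flag_gated?(flags, domain)

  flags.disable(:pages_auto_ssl)           # step 4
  { before_disable: before,
    flag_gated: key_visible_flag_gated?(flags, domain),
    source_gated: key_visible_source_gated?(flags, domain) }
end

# A user-uploaded key stays editable under the provenance check.
def user_key_still_visible?
  d = Domain.new("custom.example.test", false, "CERT", "KEY", :user)
  key_visible_source_gated?(Flags.new, d)
end
```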