*) mod_ssl: reverting a 2.4.40 change where a superfluous SSLCertificateChainFile configuration

for a domain managed by mod_md caused a startup error. This happened when mod_md installed its fallback certificate, before it got the first real certificate from Lets Encrypt. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1864428 13f79535-47bb-0310-9956-ffa450edef68
2025-08-08 15:02:10 +03:00 · 2019-08-05 11:29:58 +00:00
parent 09b2410688
commit 61fdda63d3
2 changed files with 18 additions and 11 deletions
--- a/5
+++ b/5
@@ -1,6 +1,11 @@
                                                         -*- coding: utf-8 -*-
 Changes with Apache 2.5.1

+  *) mod_ssl: reverting a 2.4.40 change where a superfluous SSLCertificateChainFile configuration
+     for a domain managed by mod_md caused a startup error. This happened when mod_md installed 
+     its fallback certificate, before it got the first real certificate from Lets Encrypt.
+     [Stefan Eissing]
+
  *) core, mod_rewrite: Set PCRE_DOTALL by default. Revert via 
     RegexDefaultOptions -DOTALL [Yann Ylavic]

--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -1820,20 +1820,22 @@ static apr_status_t ssl_init_server_ctx(server_rec *s,
    n = pks->cert_files->nelts;
    ssl_run_add_cert_files(s, p, pks->cert_files, pks->key_files);

-    if (n < pks->cert_files->nelts) {
-        /* this overrides any old chain configuration */
-        sc->server->cert_chain = NULL;
-    }
-    
-    if (apr_is_empty_array(pks->cert_files) && !sc->server->cert_chain) {
+    if (apr_is_empty_array(pks->cert_files)) {
+        /* does someone propose a certiciate to fall back on here? */
        ssl_run_add_fallback_cert_files(s, p, pks->cert_files, pks->key_files);
-        
+        if (n < pks->cert_files->nelts) {
            pks->service_unavailable = 1;
            ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(10085)
                         "Init: %s will respond with '503 Service Unavailable' for now. There "
                         "are no SSL certificates configured and no other module contributed any.",
                         ssl_util_vhostid(p, s));
        }
+    }
+    
+    if (n < pks->cert_files->nelts) {
+        /* additionally installed certs overrides any old chain configuration */
+        sc->server->cert_chain = NULL;
+    }
    
    if ((rv = ssl_init_ctx(s, p, ptemp, sc->server)) != APR_SUCCESS) {
        return rv;