- Fixed TLS-ALPN-01 challenges when multiple `MDPrivateKeys` are specified
with EC keys before RSA ones. Fixes#377. [Stefan Eissing]
- Fixed missing newlines in the status page output. [Andreas Groth]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1925979 13f79535-47bb-0310-9956-ffa450edef68
- New directive `MDMatchNames all|servernames` to allow more control over how
MDomains are matched to VirtualHosts.
- New directive `MDChallengeDns01Version`. Setting this to `2` will provide
the command also with the challenge value on `teardown` invocation. In version
1, the default, only the `setup` invocation gets this parameter.
Refs #312. Thanks to @domrim for the idea.
- For Managed Domain in "manual" mode, the checks if all used ServerName and
ServerAlias are part of the MDomain now reports a warning instead of an error
(AH10040) when not all names are present.
- MDChallengeDns01 can now be configured for individual domains.
Using PR from Jérôme Billiras (@bilhackmac) and adding test case and fixing proper working
- Fixed a bug found by Jérôme Billiras (@bilhackmac) that caused the challenge
teardown not being invoked as it should.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1910996 13f79535-47bb-0310-9956-ffa450edef68
*) mod_md: a new directive `MDStoreLocks` can be used on cluster
setups with a shared file system for `MDStoreDir` to order
activation of renewed certificates when several cluster nodes are
restarted at the same time. Store locks are not enabled by default.
Restored curl_easy cleanup behaviour from v2.4.14 and refactored
the use of curl_multi for OCSP requests to work with that.
Fixes <https://github.com/icing/mod_md/issues/293>.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1903677 13f79535-47bb-0310-9956-ffa450edef68
an ACME CA. This gives a failover for renewals when several consecutive attempts
to get a certificate failed.
A new directive was added: `MDRetryDelay` sets the delay of retries.
A new directive was added: `MDRetryFailover` sets the number of errored
attempts before an alternate CA is selected for certificate renewals.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1900852 13f79535-47bb-0310-9956-ffa450edef68
- Added support for ACME External Account Binding (EAB).
Use the new directive `MDExternalAccountBinding` to provide the
server with the value for key identifier and hmac as provided by
your CA.
While working on some servers, EAB handling is not uniform
across CAs. First tests with a Sectigo Certificate Manager in
demo mode are successful. But ZeroSSL, for example, seems to
regard EAB values as a one-time-use-only thing, which makes them
fail if you create a seconde account or retry the creation of the
first account with the same EAB.
- The directive 'MDCertificateAuthority' now checks if its parameter
is a http/https url or one of a set of known names. Those are
'LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test'
for now and they are not case-sensitive.
The default of LetsEncrypt is unchanged.
- `MDContactEmail` can now be specified inside a `<MDomain dnsname>`
section.
- Treating 401 HTTP status codes for orders like 403, since some ACME
servers seem to prefer that for accessing oders from other accounts.
- When retrieving certificate chains, try to read the repsonse even
if the HTTP Content-Type is unrecognized.
- Fixed a bug that reset the error counter of a certificate renewal
and prevented the increasing delays in further attempts.
- Fixed the renewal process giving up every time on an already existing
order with some invalid domains. Now, if such are seen in a previous
order, a new order is created for a clean start over again.
See <https://github.com/icing/mod_md/issues/268>
- Fixed a mixup in md-status handler when static certificate files
and renewal was configured at the same time.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1894610 13f79535-47bb-0310-9956-ffa450edef68
fails (!= 0 exit), the renewal process is aborted and an error is
reported for the MDomain. This provides scripts that distribute
information in a cluster to abort early with bothering an ACME
server to validate a dns name that will not work. The common
retry logic will make another attempt in the future, as with
other failures.
Fixed a bug when adding private key specs to an already working
MDomain, see <https://github.com/icing/mod_md/issues/260>.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893399 13f79535-47bb-0310-9956-ffa450edef68
- Domain names in `<MDomain ...>` can now appear in quoted form.
- Fixed a failure in ACME challenge selection that aborted further searches
when the tls-alpn-01 method did not seem to be suitable.
- Changed the tls-alpn-01 setup to only become unsuitable when none of the
dns names showed support for a configured 'Protocols ... acme-tls/1'. This
allows use of tls-alpn-01 for dns names that are not mapped to a VirtualHost.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1891683 13f79535-47bb-0310-9956-ffa450edef68
allows modules to access and provide OCSP response data without being tied
of each other. The data is exchanged in standard, portable formats (PEM encoded
certificates and DER encoded responses), so that the actual SSL/crypto
implementations used by the modules are independant of each other.
Registration and retrieval happen in the context of a server (server_rec)
which modules may use to decide if they are configured for this or not.
The area of changes:
1. core: defines 2 functions in include/http_ssl.h, so that modules may
register a certificate, together with its issuer certificate for OCSP
response provisioning and ask for current response data (DER bytes) later.
Also, 2 hooks are defined that allow modules to implement this OCSP
provisioning.
2. mod_ssl uses the new functions, in addition to what it did already, to
register its certificates this way. If no one is interested in providing
OCSP, it falls back to its own (if configured) stapling implementation.
3. mod_md registers itself at the core hooks for OCSP provisioning. Depending
on configuration, it will accept registrations of its own certificates only,
all certficates or none.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888723 13f79535-47bb-0310-9956-ffa450edef68
- MDCertificateFile and MDCertificateKeyFile can now be specified several
times to add multiple, static certificates to a MDomain.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887923 13f79535-47bb-0310-9956-ffa450edef68
- MDPrivateKeys allows the specification of several types. Beside "RSA" plus
optional key lengths elliptic curves can be configured. This means you can
have multiple certificates for a Managed Domain with different key types.
With ```MDPrivateKeys secp384r1 rsa2048``` you get one ECDSA and one RSA
certificate and all modern client will use the shorter ECDSA, while older
client will get the RSA certificate.
Many thanks to @tlhackque who pushed and helped on this.
- Support added for MDomains consisting of a wildcard. Configuring
```MDomain *.host.net``` will match all virtual hosts matching that pattern
and obtain one certificate for it (assuming you have 'dns-01' challenge
support configured). Addresses #239.
- Removed support for ACMEv1 servers. The only known installation used to
be Let's Encrypt which has disabled that version more than a year ago for
new accounts.
- Andreas Ulm (<https://github.com/root360-AndreasUlm>) implemented the
```renewing``` call to ```MDMessageCmd``` that can deny a certificate
renewal attempt. This is useful in clustered installations, as
discussed in #233).
- New event ```challenge-setup:<type>:<domain>```, triggered when the
challenge data for a domain has been created. This is invoked before the
ACME server is told to check for it. The type is one of the ACME challenge
types. This is invoked for every DNS name in a MDomain.
- The max delay for retries has been raised to daily (this is like all
retries jittered somewhat to avoid repeats at fixed time of day).
- Certain error codes reported by the ACME server that indicate a problem
with the configured data now immediately switch to daily retries. For
example: if the ACME server rejects a contact email or a domain name,
frequent retries will most likely not solve the problem. But daily retries
still make sense as there might be an error at the server and un-supervised
certificate renewal is the goal. Refs #222.
- Test case and work around for domain names > 64 octets. Fixes#227.
When the first DNS name of an MD is longer than 63 octets, the certificate
request will not contain a CN field, but leave it up to the CA to choose one.
Currently, Lets Encrypt looks for a shorter name in the SAN list given and
fails the request if none is found. But it is really up to the CA (and what
browsers/libs accept here) and may change over the years. That is why
the decision is best made at the CA.
- Retry delays now have a random +/-[0-50]% modification applied to let
retries from several servers spread out more, should they have been
restarted at the same time of day.
- Fixed several places where the 'badNonce' return code from an ACME server
was not handled correctly. The test server 'pebble' simulates this behaviour
by default and helps nicely in verifying this behaviour. Thanks, pebble!
- Set the default `MDActivationDelay` to 0. This was confusing to users that
new certificates were deemed not usably before a day of delay. When clocks are
correct, using a new certificate right away should not pose a problem.
- When handling ACME authorization resources, the module no longer requires
the server to return a "Location" header, as was necessary in ACMEv1.
Fixes#216.
- Fixed a theoretical uninitialized read when testing for JSON error responses
from the ACME CA. Reported at <https://bz.apache.org/bugzilla/show_bug.cgi?id=64297>.
- ACME problem reports from CAs that include parameters in the Content-Type
header are handled correctly. (Previously, the problem text would not be
reported and retries could exist CA limits.)
- Account Update transactions to V2 CAs now use the correct POST-AS-GET method.
Previously, an empty JSON object was sent - which apparently LE accepted,
but others reject.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887337 13f79535-47bb-0310-9956-ffa450edef68
- ap_ssl_add_cert_files() to enable other modules like mod_md to provide
certificate and keys for an SSL module like mod_ssl.
- ap_ssl_add_fallback_cert_files() to enable other modules like mod_md to
provide a fallback certificate in case no 'proper' certificate is
available for an SSL module like mod_ssl.
- ap_ssl_answer_challenge() to enable other modules like mod_md to
provide a certificate as used in the RFC 8555 'tls-alpn-01' challenge
for the ACME protocol for an SSL module like mod_ssl.
- Hooks for 'ssl_add_cert_files', 'ssl_add_fallback_cert_files' and
'ssl_answer_challenge' where modules like mod_md can provide providers
to the above mentioned functions.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887085 13f79535-47bb-0310-9956-ffa450edef68
- Prefer MDContactEmail directive to ServerAdmin for registration. New directive
thanks to Timothe Litt (@tlhackque).
- protocol check for pre-configured "tls-alpn-01" challenge has been improved. It will now
check all matching virtual hosts for protocol support. Thanks to @mkauf.
- Corrected a check when OCSP stapling was configured for hosts
where the responsible MDomain is not clear, by Michal Karm Babacek (@Karm).
- Softening the restrictions where mod_md configuration directives may appear. This should
allow for use in <If> and <Macro> sections. If all possible variations lead to the configuration
you wanted in the first place, is another matter.
[Michael Kaufmann <mail michael-kaufmann.ch>, Timothe Litt (@tlhackque),
Michal Karm Babacek (@Karm), Stefan Eissing (@icing)]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1874132 13f79535-47bb-0310-9956-ffa450edef68
the new OCSP code. Skips port checks for domain server_rec selection when "tls-alpn-01"
is configured explicitly (related to #133). [@mkauf, Stefan Eissing]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1870020 13f79535-47bb-0310-9956-ffa450edef68
The module offers an implementation of OCSP Stapling that can replace fully or
for a limited set of domains the existing one from mod_ssl. OCSP handling
is part of mod_md's monitoring and message notifications. If can be used
for sites that do not have ACME certificates.
The url for a CTLog Monitor can be configured. It is used in the server-status
to link to the external status page of a certicate.
The MDMessageCmd is called with argument "installed" when a new certificate
has been activated on server restart/reload. This allows for processing of
the new certificate, for example to applications that require it in different
locations or formats.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1868506 13f79535-47bb-0310-9956-ffa450edef68
mpm_common defines it later anyway:
In file included from mod_md.c:25:
In file included from /Users/covener/SRC/httpd-trunk/include/mpm_common.h:40:
In file included from /Users/covener/SRC/httpd-trunk/include/ap_config.h:184:
/Users/covener/SRC/httpd-trunk/include/ap_config_auto.h:11:9: error: 'AP_ENABLE_EXCEPTION_HOOK' macro redefined [-Werror,-Wmacro-redefined]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1864153 13f79535-47bb-0310-9956-ffa450edef68
adding certificates and keys to a virtual host. An additional hook allows
answering special TLS connections as used in ACME challenges.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1862075 13f79535-47bb-0310-9956-ffa450edef68
- supports the ACMEv2 protocol
- supports the new challenge method 'tls-alpn-01'
- supports command configuration to setup/teardown 'dns-01' challenges
- supports wildcard certificates when dns challenges are configured
- ACMEv2 is the new default and will be used on the next certificate renewal,
unless another MDCertificateAuthority is configured
- challenge type 'tls-sni-01' has been removed as CAs do not offer this any longer
- a domain exposes its status at https://<domain>/.httpd/certificate-status
- Managed Domains are now in Apache's 'server-status' page
- A new handler 'md-status' exposes verbose status information in JSON format
- new directives "MDCertificateFile" and "MDCertificateKeyFile" to configure a
Managed Domain that uses static files. Auto-renewal is turned off for those.
- new MDMessageCmd that is invoked on several events: 'renewed', 'expiring' and
'errored'. New 'MDWarnWindow' directive to configure when expiration warnings
shall be issued.
- ACMEv2 endpoints use the GET via empty POST way of accessing resources, see
announcement by Let's Encrypt:
https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets/74380
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1862013 13f79535-47bb-0310-9956-ffa450edef68
mod_md: eliminating compiler warnings re signedness and unused. Adding a APLOG_WARNING
when the only available ACME challenge is "tls-sni-01" since Let's Encrypt will
disable that completely beginning of 2019.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1843543 13f79535-47bb-0310-9956-ffa450edef68
outside the configured MDs are free to be answered by other handlers. This allows
co-existance between mod_md and other ACME clients on the same server (implements PR62189).
[Stefan Eissing, Arkadiusz Miskiewicz <arekm@maven.pl>]
Fixes PR62189.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1827175 13f79535-47bb-0310-9956-ffa450edef68
mod_md: removing comments that documented that greenbytes has untransferable copyright to the sources. The rights, of course, remain unaffected, but maybe some people can sleep better.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1821374 13f79535-47bb-0310-9956-ffa450edef68
mod_md v1.1.8: new configuration directive "MDBaseServer on|off" to allow/inhibit
management of the base server domains outside VirtualHosts. By default, this is "off",
e.g. mod_md will not manage certificates or perform https: redirections on the
base server.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1820310 13f79535-47bb-0310-9956-ffa450edef68
mod_md: fixed mem pool usage for auto-added server names. Added
error logging of exact ACME response when challenges failed.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1818849 13f79535-47bb-0310-9956-ffa450edef68
mod_md: reverses most of v1.0.5 optimization of post_config init, so that
mod_ssl can ask for certiticates without crashing.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1818792 13f79535-47bb-0310-9956-ffa450edef68
mod_md: v1.0.5, restricting post_config dry run to be more silent and performing
only necessary work for mod_ssl to be also happy with the configuration.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1816552 13f79535-47bb-0310-9956-ffa450edef68
