apache/modules/md/md_acme_acct.h
Stefan Eissing 51a214821c *) mod_md: adding v2.4.8 with the following changes
- Added support for ACME External Account Binding (EAB).
      Use the new directive `MDExternalAccountBinding` to provide the
      server with the value for key identifier and hmac as provided by
      your CA.
      While working on some servers, EAB handling is not uniform
      across CAs. First tests with a Sectigo Certificate Manager in
      demo mode are successful. But ZeroSSL, for example, seems to
      regard EAB values as a one-time-use-only thing, which makes them
      fail if you create a second account or retry the creation of the
      first account with the same EAB.
    - The directive 'MDCertificateAuthority' now checks if its parameter
      is a http/https url or one of a set of known names. Those are
      'LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test'
      for now and they are not case-sensitive.
      The default of LetsEncrypt is unchanged.
    - `MDContactEmail` can now be specified inside a `<MDomain dnsname>`
      section.
    - Treating 401 HTTP status codes for orders like 403, since some ACME
      servers seem to prefer that for accessing orders from other accounts.
    - When retrieving certificate chains, try to read the response even
      if the HTTP Content-Type is unrecognized.
    - Fixed a bug that reset the error counter of a certificate renewal
      and prevented the increasing delays in further attempts.
    - Fixed the renewal process giving up every time on an already existing
      order with some invalid domains. Now, if such are seen in a previous
      order, a new order is created for a clean start over again.
      See <https://github.com/icing/mod_md/issues/268>
    - Fixed a mixup in md-status handler when static certificate files
      and renewal was configured at the same time.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1894610 13f79535-47bb-0310-9956-ffa450edef68
2021-10-29 09:04:38 +00:00


/* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef mod_md_md_acme_acct_h
#define mod_md_md_acme_acct_h

/* Forward declarations: this header only ever refers to these types through
 * pointers, so the full definitions (md_acme.h, md_json.h, md_crypt.h) are not
 * pulled in here. md_acme_req does not appear in this header's prototypes;
 * presumably kept for users of the header — confirm before removing. */
struct md_acme_req;
struct md_json_t;
struct md_pkey_t;

#include "md_store.h"
/**
 * An ACME account at an ACME server.
 * Typedef'd up front so the prototypes below can take pointers to it; the
 * struct itself is defined further down in this header.
 */
typedef struct md_acme_acct_t md_acme_acct_t;
/**
 * Status of an ACME account, as recorded in md_acme_acct_t.status.
 * Only MD_ACME_ACCT_ST_VALID denotes an account that may be used for orders;
 * the other values indicate the status is not known or the account is no
 * longer usable at the CA.
 */
typedef enum {
    MD_ACME_ACCT_ST_UNKNOWN,      /* status not (yet) known */
    MD_ACME_ACCT_ST_VALID,        /* account is valid at the CA */
    MD_ACME_ACCT_ST_DEACTIVATED,  /* account was deactivated, see md_acme_acct_deactivate() */
    MD_ACME_ACCT_ST_REVOKED,      /* account was revoked */
} md_acme_acct_st;
/**
 * In-memory representation of an ACME account. Converted to and from JSON by
 * md_acme_acct_to_json()/md_acme_acct_from_json(); all string members are
 * pool-allocated and may be NULL when not (yet) known.
 */
struct md_acme_acct_t {
    const char *id;                 /* short, unique id for the account (its name in the store) */
    const char *url;                /* url of the account, once registered */
    const char *ca_url;             /* url of the ACME protocol endpoint */
    md_acme_acct_st status;         /* status of this account */
    apr_array_header_t *contacts;   /* list of contact uris, e.g. mailto:xxx */
    const char *tos_required;       /* terms of service asked for by CA */
    const char *agreement;          /* terms of service agreed to by user */
    const char *orders;             /* URL where certificate orders are found (ACMEv2) */
    const char *eab_kid;            /* external account binding key id used or NULL */
    const char *eab_hmac;           /* external account binding hmac key used or NULL.
                                     * NOTE(review): this is the CA-provided shared secret
                                     * (MDExternalAccountBinding); if it is serialized with
                                     * the account, the store file holds a secret and must
                                     * not be world-readable — confirm in md_acme_acct.c */
    struct md_json_t *registration; /* data from server registration */
};
/* File names under which an account is kept inside a store group:
 * the account data (JSON) and its private key (PEM). */
#define MD_FN_ACCOUNT "account.json"
#define MD_FN_ACCT_KEY "account.pem"

/* ACME account private keys are always RSA and have that many bits. Since accounts
 * are expected to live long, better err on the safe side. */
#define MD_ACME_ACCT_PKEY_BITS 3072

/* Store name for an account that is being set up. Presumably used by
 * md_acme_acct_save() before a final id is assigned — confirm in md_acme_acct.c. */
#define MD_ACME_ACCT_STAGED "staged"
/**
 * Convert an ACME account from/to JSON.
 * md_acme_acct_to_json() serializes acct into a new JSON object allocated from p.
 * md_acme_acct_from_json() parses json into a newly allocated account in *pacct
 * and returns APR_SUCCESS or an error status (e.g. on a malformed document).
 */
struct md_json_t *md_acme_acct_to_json(md_acme_acct_t *acct, apr_pool_t *p);
apr_status_t md_acme_acct_from_json(md_acme_acct_t **pacct, struct md_json_t *json, apr_pool_t *p);
/**
 * Update the account from the ACME server.
 * - Will update acme->acct structure from server on success
 * - Will return error status when request failed or account is not known.
 * Changes are only made in memory; use md_acme_acct_validate() to persist them.
 */
apr_status_t md_acme_acct_update(md_acme_t *acme);
/**
 * Update the account and persist changes in the store, if given (and not NULL).
 * @param acme  the acme instance whose current account is validated
 * @param store where to persist the updated account, or NULL to skip persisting
 * @param p     pool for temporary allocations
 */
apr_status_t md_acme_acct_validate(md_acme_t *acme, md_store_t *store, apr_pool_t *p);
/**
 * Agree to the given Terms-of-Service url for the current account.
 * @param tos the ToS url being agreed to, as announced by the CA
 */
apr_status_t md_acme_agree(md_acme_t *acme, apr_pool_t *p, const char *tos);
/**
 * Confirm with the server that the current account agrees to the Terms-of-Service
 * given in the agreement url.
 * If the known agreement is equal to this, nothing is done.
 * If it differs, the account is re-validated in the hope that the server
 * announces the ToS URL it wants. If this is equal to the agreement specified,
 * the server is notified of this. If the server requires a ToS that the account
 * thinks it has already given, it is resent.
 *
 * If an agreement is required, different from the current one, APR_INCOMPLETE is
 * returned and the agreement url is returned in the parameter.
 *
 * @param agreement the ToS url the configuration agrees to
 * @param prequired on APR_INCOMPLETE, set to the ToS url the server requires
 */
apr_status_t md_acme_check_agreement(md_acme_t *acme, apr_pool_t *p,
                                     const char *agreement, const char **prequired);
/**
 * Get the ToS agreement for current account.
 * @return the agreed ToS url, or NULL if none is known
 */
const char *md_acme_get_agreement(md_acme_t *acme);
/**
 * Find an existing account in the local store. On APR_SUCCESS, the acme
 * instance will have a current, validated account to use.
 * The account has to match the MD's CA url and EAB settings (see
 * md_acme_acct_matches_md()); a non-success status means none was usable.
 */
apr_status_t md_acme_find_acct_for_md(md_acme_t *acme, md_store_t *store, const md_t *md);
/**
 * Find the account id for a given md.
 * @param pid   on success, the id of the account in the store
 * @param store the store to search
 * @param group the store group to look in
 * @param md    the MD whose account is wanted
 * @param p     pool to allocate the id from
 */
apr_status_t md_acme_acct_id_for_md(const char **pid, md_store_t *store,
                                    md_store_group_t group, const md_t *md, apr_pool_t *p);
/**
 * Create a new account at the ACME server for an MD. The
 * new account is the one used by the acme instance afterwards, on success.
 * @param store where the new account is persisted, or NULL
 * @param md    the MD providing contacts, CA url and (optional) EAB settings
 */
apr_status_t md_acme_acct_register(md_acme_t *acme, md_store_t *store,
                                   const md_t *md, apr_pool_t *p);
/**
 * Persist an account and its private key in the store.
 * @param store    the store to write to
 * @param p        pool for temporary allocations
 * @param acme     the acme instance the account belongs to
 * @param pid      if not NULL, receives the id the account was saved under
 *                 (assumed from the out-parameter shape — confirm in md_acme_acct.c)
 * @param acct     the account to save, presumably as MD_FN_ACCOUNT
 * @param acct_key the account's private key, presumably as MD_FN_ACCT_KEY
 */
apr_status_t md_acme_acct_save(md_store_t *store, apr_pool_t *p, md_acme_t *acme,
                               const char **pid, struct md_acme_acct_t *acct,
                               struct md_pkey_t *acct_key);
/**
 * Deactivate the current account at the ACME server.
 * Afterwards the account can no longer be used for orders
 * (see MD_ACME_ACCT_ST_DEACTIVATED).
 */
apr_status_t md_acme_acct_deactivate(md_acme_t *acme, apr_pool_t *p);
/**
 * Load an account and its private key from the store.
 * @param pacct receives the loaded account
 * @param ppkey receives the account's private key
 * @param store the store to read from
 * @param group the store group the account lives in
 * @param name  the account's id/name within the group
 * @param p     pool to allocate the results from
 * @return APR_SUCCESS or an error status, e.g. when the account does not exist
 */
apr_status_t md_acme_acct_load(struct md_acme_acct_t **pacct, struct md_pkey_t **ppkey,
                               md_store_t *store, md_store_group_t group,
                               const char *name, apr_pool_t *p);
/*
 * Return != 0 iff the account can be used for the ACME url.
 * Compares against acct->ca_url; how the comparison is done (exact or
 * normalized) is decided in md_acme_acct.c.
 */
int md_acme_acct_matches_url(md_acme_acct_t *acct, const char *url);
/*
 * Return != 0 iff the account can be used for the MD, including
 * its CA url and EAB settings.
 * Matching EAB settings as well is what makes a changed MDExternalAccountBinding
 * lead to a new account rather than reusing one registered with other credentials
 * (presumably the intent — confirm in md_acme_acct.c).
 */
int md_acme_acct_matches_md(md_acme_acct_t *acct, const md_t *md);
#endif /* md_acme_acct_h */