md_acme_authz.c

*) mod_md: Adding several new features.

The module offers an implementation of OCSP Stapling that can replace fully or
for a limited set of domains the existing one from mod_ssl. OCSP handling
is part of mod_md's monitoring and message notifications. It can be used
for sites that do not have ACME certificates.

The URL for a CTLog Monitor can be configured. It is used in the server-status
to link to the external status page of a certificate.

The MDMessageCmd is called with argument "installed" when a new certificate
has been activated on server restart/reload. This allows for processing of
the new certificate, for example for applications that require it in different
locations or formats.

*) mod_md: bringing over v2.0.6 from github.

- supports the ACMEv2 protocol
- supports the new challenge method 'tls-alpn-01'
- supports command configuration to setup/teardown 'dns-01' challenges
- supports wildcard certificates when dns challenges are configured
- ACMEv2 is the new default and will be used on the next certificate renewal,
  unless another MDCertificateAuthority is configured
- challenge type 'tls-sni-01' has been removed as CAs do not offer this any longer
- a domain exposes its status at https://<domain>/.httpd/certificate-status
- Managed Domains are now in Apache's 'server-status' page
- A new handler 'md-status' exposes verbose status information in JSON format
- new directives "MDCertificateFile" and "MDCertificateKeyFile" to configure a
  Managed Domain that uses static files. Auto-renewal is turned off for those.
- new MDMessageCmd that is invoked on several events: 'renewed', 'expiring' and
  'errored'. New 'MDWarnWindow' directive to configure when expiration warnings
  shall be issued.
- ACMEv2 endpoints use the GET via empty POST way of accessing resources, see
  announcement by Let's Encrypt:
  https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets/74380

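The two changes above together describe four MDMessageCmd events: 'renewed', 'expiring' and 'errored' from v2.0.6, and 'installed' added later for post-activation processing. The script below is an added example of a handler for that command; it is not part of mod_md or of these commits. It assumes that httpd invokes the configured command as `<script> <reason> <domain>`, that the store keeps each domain's files under `MD_STORE/domains/<domain>/pubcert.pem` and `privkey.pem` (check this against your MDStoreDir before deploying), and that the target directory, log path and `example.org` are placeholders. On 'installed' it copies the now-active certificate and key into an application-specific location with the key created mode 0600; the other events are only logged, and an unknown reason returns 2 so it shows up as an error in httpd's log.

```shell
#!/bin/sh
# Added example of an MDMessageCmd handler (not mod_md's own code).
# Assumed invocation by httpd:  /usr/local/bin/md-message.sh <reason> <domain>
# Assumed store layout:         $MD_STORE/domains/<domain>/{pubcert.pem,privkey.pem}
set -u

MD_STORE="${MD_STORE:-/etc/apache2/md}"        # assumed MDStoreDir
DEPLOY_DIR="${DEPLOY_DIR:-/etc/ssl/deployed}"  # assumed application cert location
MD_LOG="${MD_LOG:-/var/log/md-message.log}"    # assumed log file

log_event() {
    # $1 reason, $2 domain: one timestamped line per event
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" >> "$MD_LOG"
}

install_cert() {
    # Copy the newly activated certificate and key for domain $1 into
    # DEPLOY_DIR/<domain>/. Returns 1 if the store lacks the expected files.
    domain="$1"
    src="$MD_STORE/domains/$domain"
    dst="$DEPLOY_DIR/$domain"
    [ -f "$src/pubcert.pem" ] && [ -f "$src/privkey.pem" ] || return 1
    mkdir -p "$dst" || return 1
    # The private key must not be group/world readable: copy under umask 077
    # in a subshell so the handler's own umask is unchanged.
    (umask 077 && cp "$src/privkey.pem" "$dst/privkey.pem") || return 1
    cp "$src/pubcert.pem" "$dst/fullchain.pem" || return 1
    chmod 0644 "$dst/fullchain.pem"
    return 0
}

md_message_handler() {
    # $1 reason as passed by mod_md, $2 domain.
    # Returns 0 for a handled event, 1 if installation failed, 2 for an
    # unknown reason (so a misconfiguration is visible in httpd's error log).
    reason="$1"; domain="$2"
    case "$reason" in
        installed) log_event installed "$domain"; install_cert "$domain" ;;
        renewed)   log_event renewed  "$domain" ;;   # new cert in store, not active yet
        expiring)  log_event expiring "$domain" ;;   # inside MDWarnWindow, renewal failing
        errored)   log_event errored  "$domain" ;;   # renewal attempt failed
        *)         log_event unknown  "$domain"; return 2 ;;
    esac
}

run_demo() {
    # Exercise the handler on a constructed store in a temp dir (not real keys).
    tmp="$(mktemp -d)"
    MD_STORE="$tmp/md"; DEPLOY_DIR="$tmp/deploy"; MD_LOG="$tmp/md.log"
    mkdir -p "$MD_STORE/domains/example.org"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' '-----END CERTIFICATE-----' \
        > "$MD_STORE/domains/example.org/pubcert.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'constructed' '-----END PRIVATE KEY-----' \
        > "$MD_STORE/domains/example.org/privkey.pem"
    md_message_handler installed example.org
    rc=$?
    echo "installed rc=$rc"; cat "$MD_LOG"; ls -l "$DEPLOY_DIR/example.org"
    rm -rf "$tmp"
    return $rc
}

case "${1:-}" in
    --demo) run_demo ;;
    "")     : ;;                                   # no args: only define functions
    *)      md_message_handler "$1" "${2:-}" ;;    # called by httpd
esac
```

Configure it with `MDMessageCmd /usr/local/bin/md-message.sh`; run `sh md-message.sh --demo` to see the copy and log on a throwaway store. Anything that needs the certificate in another format (a PKCS#12 bundle, a reload of another daemon) belongs in the 'installed' branch, since 'renewed' fires while the old certificate is still the one being served.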
*) mod_md: incorrect behaviour when synchronizing ongoing ACME challenges
has been fixed. [Michael Kaufmann, Stefan Eissing]

* modules/md/md_acme_authz.c (md_acme_authz_update): Fix typo in log message.

On the trunk:

mod_md: removing comments that documented that greenbytes has untransferable copyright to the sources. The rights, of course, remain unaffected, but maybe some people can sleep better.

On the trunk:

mod_md v1.1.7 changes

On the trunk:

mod_md: fixed mem pool usage for auto-added server names. Added
error logging of exact ACME response when challenges failed.

"It is better to light a candle than curse the darkness."

spelling fixes from Josh Soref via github
On the trunk:

mod_md: v0.9.7

- Use of the new module flag
- Removed obsolete function from interface to mod_ssl.
- Fallback certificates have version set and no longer claim to be a CA. (re issue #32)
- MDRequireHttps now happens before any Redirect.

On the trunk:

mod_md: v0.9.5:

- New directive (srly: what do you expect at this point?) "MDMustStaple on|off" to control if
  new certificates are requested with the OCSP Must Staple extension.
- Known limitation: when the server is configured to ditch and restart child processes, for example
  after a certain number of connections/requests, the mod_md watchdog instance might migrate
  to a new child process. Since not all its state is persisted, some messages might appear a
  second time in the logs.
- Adding checks when 'MDRequireHttps' is used. It is considered an error when 'MDPortMap 443:-'
  is used - which negates that a https: port exists. Also, a warning is logged if no
  VirtualHost can be found for a Managed Domain that has port 443 (or the mapped one) in
  its address list.
- New directive 'MDRequireHttps' for redirecting http: traffic to a Managed Domain, permanently
  or temporarily.
- Fix for using a fallback certificate on initial signup of a Managed Domain. Requires also
  a changed mod_ssl patch (v5) to take effect.
- compatibility with libressl

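As an added example (not taken from mod_md's documentation or from these commits), the fragment below puts the directives introduced in the v0.9.5 and v2.0.6 changes together in one configuration: MDRequireHttps with an explicit MDPortMap, the rejected `MDPortMap 443:-` combination shown commented out, MDMustStaple, MDWarnWindow and MDMessageCmd, and a static-file Managed Domain via MDCertificateFile/MDCertificateKeyFile. The host names, file paths, module paths and the handler script name are assumptions; the CA directory URL is Let's Encrypt's public ACMEv2 endpoint.

```apache
# Added example configuration; names and paths are placeholders.
LoadModule watchdog_module modules/mod_watchdog.so
LoadModule md_module       modules/mod_md.so
LoadModule ssl_module      modules/mod_ssl.so

MDCertificateAuthority https://acme-v02.api.letsencrypt.org/directory
MDStoreDir   /etc/apache2/md
MDMustStaple on              # v0.9.5: request certificates with OCSP Must-Staple
MDWarnWindow 10d             # v2.0.6: 'expiring' message 10 days before expiry
MDMessageCmd /usr/local/bin/md-message.sh   # receives renewed/expiring/errored/installed

MDRequireHttps permanent     # v0.9.5: http: requests get a permanent redirect to https:
# MDPortMap 443:-            # rejected together with MDRequireHttps: says no https: port exists
MDPortMap 80:80 443:443      # explicit default; change the right-hand side behind a proxy

MDomain example.org www.example.org

# v2.0.6: Managed Domain backed by static files; ACME renewal is off,
# monitoring, status and message events still apply.
<MDomain legacy.example.org>
    MDCertificateFile    /etc/ssl/legacy/fullchain.pem
    MDCertificateKeyFile /etc/ssl/legacy/privkey.pem
</MDomain>

# A VirtualHost on the https: port is required; v0.9.5 warns if none matches the MDomain.
<VirtualHost *:443>
    ServerName  example.org
    ServerAlias www.example.org
    SSLEngine on
</VirtualHost>
<VirtualHost *:443>
    ServerName legacy.example.org
    SSLEngine on
</VirtualHost>
```

Because MDRequireHttps takes effect before any Redirect directive (v0.9.7), the port 80 side needs no RewriteRule or Redirect of its own.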
On the trunk:

mod_md: v0.9.2: new directive 'MDHttpProxy' to define a proxy for outgoing connections,
some minor bugfixes, twiddle the build system to avoid non-pic code generation.

On the trunk:

mod_md: v0.8.1 from github, new feats in CHANGES
