mod_md_config.c

* mod_md: fix compiler warnings

  1. … 7 more files in changeset.
*) mod_md: bringing over v2.0.6 from github.

- supports the ACMEv2 protocol
- supports the new challenge method 'tls-alpn-01'
- supports command configuration to setup/teardown 'dns-01' challenges
- supports wildcard certificates when dns challenges are configured
- ACMEv2 is the new default and will be used on the next certificate renewal, unless another MDCertificateAuthority is configured
- challenge type 'tls-sni-01' has been removed as CAs do not offer this any longer
- a domain exposes its status at https://<domain>/.httpd/certificate-status
- Managed Domains are now in Apache's 'server-status' page
- A new handler 'md-status' exposes verbose status information in JSON format
- new directives "MDCertificateFile" and "MDCertificateKeyFile" to configure a Managed Domain that uses static files. Auto-renewal is turned off for those.
- new MDMessageCmd that is invoked on several events: 'renewed', 'expiring' and 'errored'. New 'MDWarnWindow' directive to configure when expiration warnings shall be issued.
- ACMEv2 endpoints use the GET via empty POST way of accessing resources, see announcement by Let's Encrypt: https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets/74380

  1. … 48 more files in changeset.
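The directives named in the entries above, put together in one httpd configuration. This is an added example, not configuration from the commit messages or from the mod_md project; host names, file paths and the notify script are constructed placeholders, and the staging CA URL is the ACMEv2 endpoint that replaced the ACMEv1 one cited further down this log.

```apache
# Added example: a minimal Managed Domain setup using the directives
# introduced in the mod_md commits on this page. Names and paths are
# placeholders, not values from the project.

LoadModule ssl_module      modules/mod_ssl.so
LoadModule watchdog_module modules/mod_watchdog.so
LoadModule md_module       modules/mod_md.so

# The md store lives below StateDir since the r1852982 follow-up made the
# default base_dir state-dir-relative.
StateDir /var/lib/httpd

# Test against the Let's Encrypt ACMEv2 staging directory first; without this
# directive the production CA is the default.
MDCertificateAuthority https://acme-staging-v02.api.letsencrypt.org/directory

# tls-sni-01 is gone; tls-alpn-01 and http-01 only need the listening ports,
# dns-01 would additionally need the setup/teardown command.
MDCAChallenges tls-alpn-01 http-01

MDPrivateKeys RSA 4096
MDRenewWindow 33%
MDWarnWindow  10%
MDMustStaple  on

# Redirect http: to https: and emit HSTS (RFC 6797) on https: responses.
MDRequireHttps permanent

# Invoked on 'renewed', 'expiring' and 'errored' (hypothetical script path).
MDMessageCmd /usr/local/sbin/md-notify.sh

# Default: the base server's ServerName is not managed, only VirtualHosts.
MDBaseServer off

# Verbose JSON status; keep it off the public internet.
<Location "/md-status">
    SetHandler md-status
    Require ip 127.0.0.1 ::1
</Location>

# ACME-managed domain with an alias.
MDomain example.org www.example.org

<VirtualHost *:443>
    ServerName   example.org
    ServerAlias  www.example.org
    SSLEngine    on
    # no SSLCertificateFile: mod_md hands the certificate to mod_ssl
    DocumentRoot /var/www/example.org
</VirtualHost>

<VirtualHost *:80>
    ServerName  example.org
    ServerAlias www.example.org
    # MDRequireHttps permanent redirects all of this to https:
</VirtualHost>

# A domain served from static files: auto-renewal is turned off for it.
<MDomainSet static.example.org>
    MDCertificateFile    /etc/pki/tls/certs/static.example.org.pem
    MDCertificateKeyFile /etc/pki/tls/private/static.example.org.key
</MDomainSet>
```

The `Require ip` on the status handler matters because the JSON output describes renewal state, CA endpoints and error history for every managed domain; the `/.httpd/certificate-status` path on each domain stays reachable as the commit describes.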
Fix use of StateDir directive after r1852982:

* server/core.c (reset_config): Rename from reset_config_defines; tie core_state_dir to pconf lifetime in this cleanup. (core_pre_config): Adjust accordingly.

* modules/md/mod_md_config.c (md_config_post_config): Pick up base_dir from statedir in post-config phase so StateDir can influence it.

* modules/dav/fs/mod_dav_fs.c (dav_fs_create_server_config): Don't init lockdb_path here. (dav_fs_post_config): New function; set lockdb_path based on configured statedir.

  1. … 2 more files in changeset.
* modules/md/mod_md_config.c (md_mod_conf_get): Use state-dir-relative default base_dir.

* integrating latest changes from microgrit

* MDNotifyCmd can now specify arguments to the command

  1. … 3 more files in changeset.
On the trunk:

mod_md: removing comments that documented that greenbytes has untransferable copyright to the sources. The rights, of course, remain unaffected, but maybe some people can sleep better.

  1. … 36 more files in changeset.
On the trunk:

mod_md v1.1.8: new configuration directive "MDBaseServer on|off" to allow/inhibit management of the base server domains outside VirtualHosts. By default, this is "off", e.g. mod_md will not manage certificates or perform https: redirections on the base server.

  1. … 4 more files in changeset.
"It is better to light a candle than curse the darkness."

  1. … 17 more files in changeset.
On the trunk:

mod_md: fixed backward compatibility to old <ManagedDomain configuration.

Add higher level WARNING log when initial request to ACME server fails, mentioning some advice.

  1. … 3 more files in changeset.
On the trunk:

mod_md: name change in configuration directives. The Apache team decided that the current names would confuse you, the users, and asked for a change. The old names are still working in this version, so you can safely upgrade.

They will give warnings in the log and will disappear in the immediate future.

* ManagedDomain is now MDomain
* <ManagedDomain> is now <MDomainSet>

  1. … 5 more files in changeset.
spelling fixes from Josh Soref via github
  1. … 12 more files in changeset.
Fix false positive compiler warning "'percent' may be used uninitialized in this function".

On the trunk:

*) mod_md: v1.0.1, ServerName/Alias names from pure-http: virtual hosts are no longer auto-added to a Managed Domain. Error counts of jobs are persisted. When the server restarts (gracefully) any errored staging areas are purged to reset the signup/renewal process.

  1. … 4 more files in changeset.
Follow up to r1740928: including NOT_IN_PROXY in NOT_IN_DIR_LOC_FILE is both incomplete and not backportable, fix it by introducing NOT_IN_DIR_CONTEXT and restoring NOT_IN_DIR_LOC_FILE to its previous value.

Per ap_check_cmd_context(), NOT_IN_DIR_LOC_FILE actually/really means "not in any directory context", while the definition itself does not include all the existing directory contexts (e.g. <Limit>, or <Proxy> before r1740928).

This is a bit of a misnomer, at least, so instead of (ab)using it by adding the missing contexts (in an incompatible way), let's define NOT_IN_DIR_CONTEXT to really exclude all directory context (i.e. NOT_IN_DIR_LOC_FILE + NOT_IN_LIMIT + NOT_IN_PROXY) and use it wherever NOT_IN_DIR_LOC_FILE was used.

This is by itself a major MMN bump (modules not compiled with this commit and having directives checked against NOT_IN_DIR_LOC_FILE won't be caught the same way by NOT_IN_DIR_CONTEXT in the new ap_check_cmd_context() code), but with the below change, 2.4.x should work as before:

- if ((forbidden & NOT_IN_DIR_CONTEXT) == NOT_IN_DIR_CONTEXT) {

+ if ((forbidden & NOT_IN_DIR_LOC_FILE) == NOT_IN_DIR_LOC_FILE) {

if (cmd->path != NULL) {

return apr_pstrcat(cmd->pool, cmd->cmd->name, gt,

- " cannot occur within directory context", NULL);

+ " cannot occur within <Directory/Location/Files/Proxy> "

+ "section", NULL);

}

...

}
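Review bot: the 2.4.x message text in the `+` lines names <Directory/Location/Files/Proxy>, but the mask it tests is NOT_IN_DIR_LOC_FILE, which this change restores to its pre-r1740928 value, i.e. without NOT_IN_PROXY; either drop "Proxy" from the 2.4.x string or confirm that the 2.4.x mask really covers <Proxy>, so the diagnostic does not claim more than the check enforces. The elided body ("...") between the two branches should also be shown in the backport proposal so reviewers can confirm nothing else depends on NOT_IN_DIR_CONTEXT there.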

  1. … 7 more files in changeset.
On the trunk:

mod_md: v1.0.0, new config directive 'MDNotifyCmd' to hook in a program when Managed Domains have obtained/renewed their certificates successfully.

  1. … 8 more files in changeset.
On the trunk:

mod_md: v0.9.7

- Use of the new module flag

- Removed obsolete function from interface to mod_ssl.

- Fallback certificates has version set and no longer claims to be a CA. (re issue #32)

- MDRequireHttps now happens before any Redirect.

  1. … 23 more files in changeset.
On the trunk:

mod_md: v0.9.6: a "MDRequireHttps permanent" configured domain automatically sends out HSTS (rfc 6797) headers in https: responses.

  1. … 6 more files in changeset.
On the trunk:

mod_md: v0.9.5:

- New directive (srly: what do you expect at this point?) "MDMustStaple on|off" to control if new certificates are requested with the OCSP Must Staple extension.
- Known limitation: when the server is configured to ditch and restart child processes, for example after a certain number of connections/requests, the mod_md watchdog instance might migrate to a new child process. Since not all its state is persisted, some messages might appear a second time in the logs.
- Adding checks when 'MDRequireHttps' is used. It is considered an error when 'MDPortMap 443:-' is used - which negates that a https: port exists. Also, a warning is logged if no VirtualHost can be found for a Managed Domain that has port 443 (or the mapped one) in its address list.
- New directive 'MDRequireHttps' for redirecting http: traffic to a Managed Domain, permanently or temporarily.
- Fix for using a fallback certificate on initial signup of a Managed Domain. Requires also a changed mod_ssl patch (v5) to take effect.
- compatibility with libressl

  1. … 14 more files in changeset.
On the trunk:

mod_md: v0.9.2: new directive 'MDHttpProxy' to define a proxy for outgoing connection, some minor bugfixes, twiddle the build system to avoid non-pic code generation.

  1. … 19 more files in changeset.
On the trunk:

*) mod_md: v0.9.1:

- various fixes in MDRenewWindow handling when specifying percent. Serialization changed. If someone already used percent configurations, it is advised to change these to a new value, reload and change back to the wanted ones.
- various fixes in handling of MDPrivateKeys when specifying 2048 bits (the default) explicitly.
- mod_md version removed from top level md_store.json file. The store has its own format version to facilitate upgrades.

  1. … 10 more files in changeset.
On the trunk:

mod_md: v0.8.1 from github, new feats in CHANGES

  1. … 26 more files in changeset.
On the trunk:

mod_md v0.7.0:

- LIVE: the real Let's Encrypt CA is now live by default! If you need to experiment, configure MDCertificateAuthority https://acme-staging.api.letsencrypt.org/directory
- When existing, complete certificates are renewed, the activation of the new ones is delayed by 24 hours (or until the existing ones expire, whatever is earlier) to accommodate for clients with weird clocks, refs #1.
- Fixed store sync when MDCAChallenges was removed again from an MD.
- Fixed crash when MD matched the base server, fixes #23
- Fixed watchdog resetting staging when server processes disappeared (e.g. reached max requests or other limits).

  1. … 14 more files in changeset.
On the trunk:

mod_md: some internal refactoring of config/section handling

  1. … 6 more files in changeset.
Defined constants for md config directives.

fix for <ManagedDomain sections with inner <If or other sections