v2.4.8

---------------------------------------------------------------------------------------------------- * `MDContactEmail` can now be specified inside a `<MDomain dnsname>` section. * Treating 401 HTTP status codes for orders like 403, since Sectigo seems to prefer that for accessing oders from other accounts. * When retrieving certificate chains, try to read the repsonse even if the HTTP Content-Type is unrecognized (Sectigo workaround). * Fixed the renewal process giving up every time on an already existing order with some invalid domains. Now, if such are seen in a previous order, a new order is created for a clean start over again. See #268. * Fixed a mixup in md-status handler when static certificate files and renewal was configured at the same time. * New: experimental support for ACME External Account Binding (EAB). Use the new directive `MDExternalAccountBinding` to provide the server with the value for key identifier and hmac as provided by your CA. While working on some servers, EAB handling is not uniform across CAs. First tests with a Sectigo Certificate Manager in demo mode are successful. But ZeroSSL, for example, seems to regard EAB values as a one-time-use-only thing, which makes them fail if you create a seconde account or retry the creation of the first account with the same EAB.
icing · Oct 19, 2021 · 105fca1 · 105fca1
1 parent 9f91ee3
commit 105fca1
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 11 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,21 +1,25 @@
+v2.4.8
+----------------------------------------------------------------------------------------------------
  * `MDContactEmail` can now be specified inside a `<MDomain dnsname>` section.
- * Added workaround for ACME servers that do not accept account retrieval
-   via a GET-AS-POST. This is commonly used to detect if a known account
-   is still usable. In case this fails, a "termsOfServiceAgreed" is set
-   on an account to verify its existence.
- * First successful tests with a Sectigo demo setup.
  * Treating 401 HTTP status codes for orders like 403, since Sectigo
    seems to prefer that for accessing oders from other accounts.
  * When retrieving certificate chains, try to read the repsonse even
    if the HTTP Content-Type is unrecognized (Sectigo workaround).
- * Ignore ACME accounts when the verification results in a 400 response.
-   This seems to happen on Sectigo for some not fully understood reason
-   when a account is re-used. Needs more test cases.
  * Fixed the renewal process giving up every time on an already existing order
    with some invalid domains. Now, if such are seen in a previous order, a new
    order is created for a clean start over again. See #268.
  * Fixed a mixup in md-status handler when static certificate files and
    renewal was configured at the same time.
+ * New: experimental support for ACME External Account Binding (EAB).
+   Use the new directive `MDExternalAccountBinding` to provide the
+   server with the value for key identifier and hmac as provided by
+   your CA.
+   While working on some servers, EAB handling is not uniform across CAs.
+   First tests with a Sectigo Certificate Manager in demo mode are
+   successful. But ZeroSSL, for example, seems to regard EAB values as
+   a one-time-use-only thing, which makes them fail if you create a
+   seconde account or retry the creation of the first account with
+   the same EAB.
 
 v2.4.7
 ----------------------------------------------------------------------------------------------------

diff --git a/configure.ac b/configure.ac
@@ -14,7 +14,7 @@
 #
 
 AC_PREREQ([2.69])
-AC_INIT([mod_md], [2.4.7], [[email protected]])
+AC_INIT([mod_md], [2.4.8], [[email protected]])
 
 LT_PREREQ([2.2.6])
 LT_INIT()

diff --git a/src/md_version.h b/src/md_version.h
@@ -27,15 +27,15 @@
  * @macro
  * Version number of the md module as c string
  */
-#define MOD_MD_VERSION "2.4.7-git"
+#define MOD_MD_VERSION "2.4.8-git"
 
 /**
  * @macro
  * Numerical representation of the version number of the md module
  * release. This is a 24 bit number with 8 bits for major number, 8 bits
  * for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
  */
-#define MOD_MD_VERSION_NUM 0x020407
+#define MOD_MD_VERSION_NUM 0x020408
 
 #define MD_ACME_DEF_URL    "https://acme-v02.api.letsencrypt.org/directory"