From 105fca1a8a87c46c105cb9b38d13f998318c1db2 Mon Sep 17 00:00:00 2001 From: Stefan Eissing Date: Tue, 19 Oct 2021 14:27:17 +0200 Subject: [PATCH] v2.4.8 ---------------------------------------------------------------------------------------------------- * `MDContactEmail` can now be specified inside a `` section. * Treating 401 HTTP status codes for orders like 403, since Sectigo seems to prefer that for accessing oders from other accounts. * When retrieving certificate chains, try to read the repsonse even if the HTTP Content-Type is unrecognized (Sectigo workaround). * Fixed the renewal process giving up every time on an already existing order with some invalid domains. Now, if such are seen in a previous order, a new order is created for a clean start over again. See #268. * Fixed a mixup in md-status handler when static certificate files and renewal was configured at the same time. * New: experimental support for ACME External Account Binding (EAB). Use the new directive `MDExternalAccountBinding` to provide the server with the value for key identifier and hmac as provided by your CA. While working on some servers, EAB handling is not uniform across CAs. First tests with a Sectigo Certificate Manager in demo mode are successful. But ZeroSSL, for example, seems to regard EAB values as a one-time-use-only thing, which makes them fail if you create a seconde account or retry the creation of the first account with the same EAB. --- ChangeLog | 20 ++++++++++++-------- configure.ac | 2 +- src/md_version.h | 4 ++-- 3 files changed, 15 insertions(+), 11 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7648cae..eaefbc3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,21 +1,25 @@ +v2.4.8 +---------------------------------------------------------------------------------------------------- * `MDContactEmail` can now be specified inside a `` section. - * Added workaround for ACME servers that do not accept account retrieval - via a GET-AS-POST. This is commonly used to detect if a known account - is still usable. In case this fails, a "termsOfServiceAgreed" is set - on an account to verify its existence. - * First successful tests with a Sectigo demo setup. * Treating 401 HTTP status codes for orders like 403, since Sectigo seems to prefer that for accessing oders from other accounts. * When retrieving certificate chains, try to read the repsonse even if the HTTP Content-Type is unrecognized (Sectigo workaround). - * Ignore ACME accounts when the verification results in a 400 response. - This seems to happen on Sectigo for some not fully understood reason - when a account is re-used. Needs more test cases. * Fixed the renewal process giving up every time on an already existing order with some invalid domains. Now, if such are seen in a previous order, a new order is created for a clean start over again. See #268. * Fixed a mixup in md-status handler when static certificate files and renewal was configured at the same time. + * New: experimental support for ACME External Account Binding (EAB). + Use the new directive `MDExternalAccountBinding` to provide the + server with the value for key identifier and hmac as provided by + your CA. + While working on some servers, EAB handling is not uniform across CAs. + First tests with a Sectigo Certificate Manager in demo mode are + successful. But ZeroSSL, for example, seems to regard EAB values as + a one-time-use-only thing, which makes them fail if you create a + seconde account or retry the creation of the first account with + the same EAB. v2.4.7 ---------------------------------------------------------------------------------------------------- diff --git a/configure.ac b/configure.ac index 1067a7e..9c56902 100644 --- a/configure.ac +++ b/configure.ac @@ -14,7 +14,7 @@ # AC_PREREQ([2.69]) -AC_INIT([mod_md], [2.4.7], [stefan.eissing@greenbytes.de]) +AC_INIT([mod_md], [2.4.8], [stefan.eissing@greenbytes.de]) LT_PREREQ([2.2.6]) LT_INIT() diff --git a/src/md_version.h b/src/md_version.h index fae28d0..0b9dcb2 100644 --- a/src/md_version.h +++ b/src/md_version.h @@ -27,7 +27,7 @@ * @macro * Version number of the md module as c string */ -#define MOD_MD_VERSION "2.4.7-git" +#define MOD_MD_VERSION "2.4.8-git" /** * @macro @@ -35,7 +35,7 @@ * release. This is a 24 bit number with 8 bits for major number, 8 bits * for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203. */ -#define MOD_MD_VERSION_NUM 0x020407 +#define MOD_MD_VERSION_NUM 0x020408 #define MD_ACME_DEF_URL "https://acme-v02.api.letsencrypt.org/directory"