
Releases: icing/mod_md

v2.4.10

24 Nov 10:42
  • Fixed a memory leak in case of failures to load the private key.
    Apache PR 65620 [Filipe Casal]

mod_md v2.4.9

05 Nov 15:07
  • MDExternalAccountBinding can be configured with a file that contains the
    'kid' and 'hmac' values in JSON format. Since httpd config files are often
    readable to non-admins, this allows keeping those values in a more protected
    file.
  • OpenSSL 3.0 compatibility: fixed generation of Elliptic Curve private
    keys to work with openssl 3.0.0.
  • Docker testing arrived. Run make docker-test in your mod_md directory
    to build and test the current sources in a Debian sid image.
  • The directive 'MDCertificateAuthority' now checks if its parameter is an http/https
    URL or one of a set of known names. Those are 'LetsEncrypt', 'LetsEncrypt-Test',
    'Buypass' and 'Buypass-Test' for now, and they are not case-sensitive.
    The default of LetsEncrypt is unchanged.
  • Fixed a bug that reset the error counter of a certificate renewal and
    prevented the increasing delays in further attempts. Test case 741 added
    to verify the correct behaviour.
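The directives from this and the following releases put together, as an added configuration example that is not from the mod_md project: the EAB credentials kept in a separate root-only file instead of inline (v2.4.9), a CA given as an https URL rather than one of the known names, two key types per managed domain (MDPrivateKeys, v2.4.0) and MDContactEmail inside the MDomain section (v2.4.8). The CA URL, file paths, domain names, contact address and the kid/hmac values are placeholders.

```apache
# Weak form: the EAB key id and HMAC key sit in a config file that is often
# readable to non-admins on the host.
#MDExternalAccountBinding kid-0123456789 c2VjcmV0LWhtYWMta2V5LWZyb20tdGhlLWNh

# Hardened form (v2.4.9+): keep both values in a file only root can read.
# Create it with something like
#   umask 077; printf '{"kid": "kid-0123456789", "hmac": "c2VjcmV0LWhtYWMta2V5LWZyb20tdGhlLWNh"}' > /etc/apache2/md/eab.json
# so it never had a world-readable moment. (Key names "kid"/"hmac" as in the notes.)
MDExternalAccountBinding /etc/apache2/md/eab.json

# A CA that requires EAB, given as an https URL (placeholder). The alternative is one of the
# known names LetsEncrypt, LetsEncrypt-Test, Buypass or Buypass-Test, matched case-insensitively.
MDCertificateAuthority https://acme.example-ca.test/directory

# One ECDSA (P-384) and one RSA-2048 certificate per managed domain; modern clients pick the
# ECDSA one, older ones fall back to RSA.
MDPrivateKeys secp384r1 rsa2048

<MDomain example.net www.example.net>
    # Per-domain contact (possible since v2.4.8); the CA may reject it, see the daily-retry note in v2.4.0
    MDContactEmail hostmaster@example.net
</MDomain>

<VirtualHost *:443>
    ServerName example.net
    ServerAlias www.example.net
    SSLEngine on
    # acme-tls/1 enables the tls-alpn-01 challenge for these names
    Protocols h2 http/1.1 acme-tls/1
</VirtualHost>
```

After a reload, `/md-status` (when the handler is enabled) shows both certificates for the domain; if the EAB file is unreadable by the httpd parent process the account creation fails at the newAccount step, not at config parse time, so check the error log after the first renewal attempt.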

mod_md v2.4.8

19 Oct 12:28
  • MDContactEmail can now be specified inside a <MDomain dnsname> section.
  • Treating 401 HTTP status codes for orders like 403, since Sectigo
    seems to prefer that for accessing orders from other accounts.
  • When retrieving certificate chains, try to read the response even
    if the HTTP Content-Type is unrecognized.
  • Fixed the renewal process giving up every time on an already existing order
    with some invalid domains. Now, if such domains are seen in a previous order, a new
    order is created for a clean start. See #268.
  • Fixed a mix-up in the md-status handler when static certificate files and
    renewal were configured at the same time.
  • New: experimental support for ACME External Account Binding (EAB).
    Use the new directive MDExternalAccountBinding to provide the
    server with the value for key identifier and hmac as provided by
    your CA.
    While this works with some servers, EAB handling is not uniform across CAs.
    First tests with a Sectigo Certificate Manager in demo mode are
    successful. But ZeroSSL, for example, seems to regard EAB values as
    a one-time-use-only thing, which makes them fail if you create a
    second account or retry the creation of the first account with
    the same EAB.
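What the MDExternalAccountBinding values are used for, as an added example that is not code from mod_md: it builds the `externalAccountBinding` JWS of an ACME newAccount request from the kid/hmac pair (RFC 8555 section 7.3.4) and checks it the way a CA does, which is also why a CA that treats the pair as single-use rejects a second account bound with the same kid. The JSON file text (key names as in the v2.4.9 notes), the account JWK, the contact address and the newAccount URL are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample of the MDExternalAccountBinding JSON file (v2.4.9 form);
# both values are made up, a real CA hands them out in its account portal.
EAB_FILE_TEXT = '{"kid": "kid-0123456789", "hmac": "c2VjcmV0LWhtYWMta2V5LWZyb20tdGhlLWNh"}'

# Constructed ACME account public key as a JWK (the P-256 coordinates are dummy values).
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
               "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}

# Hypothetical newAccount URL; a real one comes from the CA's directory document.
NEW_ACCOUNT_URL = "https://acme.example-ca.test/acme/new-acct"


def b64url(data):
    """Unpadded base64url, as JWS (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def canonical_json(obj):
    # Any byte-exact encoding works for JWS as long as the signed bytes are the ones sent;
    # fixed separators and key order keep this example reproducible.
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("ascii")


def load_eab_file(text):
    """Read kid and hmac from the JSON file; the key names are an assumption."""
    doc = json.loads(text)
    return doc["kid"], doc["hmac"]


def build_eab(kid, hmac_key_b64url, account_jwk, new_account_url):
    """Client side: a JWS with alg HS256, kid = EAB key id, url = newAccount URL,
    payload = the account's public JWK, MACed with the base64url-decoded HMAC key."""
    protected = b64url(canonical_json({"alg": "HS256", "kid": kid, "url": new_account_url}))
    payload = b64url(canonical_json(account_jwk))
    key = b64url_decode(hmac_key_b64url)
    sig = hmac.new(key, (protected + "." + payload).encode("ascii"), hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(sig)}


def verify_eab(eab, known_keys, account_jwk, new_account_url):
    """CA side: look up the HMAC key by kid, recompute the MAC in constant time, and
    require that the bound JWK is the key signing the outer newAccount request."""
    try:
        protected = json.loads(b64url_decode(eab["protected"]))
    except (KeyError, ValueError):
        return False
    if protected.get("alg") != "HS256" or protected.get("url") != new_account_url:
        return False
    key_b64 = known_keys.get(protected.get("kid"))
    if key_b64 is None:
        return False
    expected = hmac.new(b64url_decode(key_b64),
                        (eab["protected"] + "." + eab["payload"]).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(eab["signature"])):
        return False
    return json.loads(b64url_decode(eab["payload"])) == account_jwk


def new_account_request(eab_file_text, account_jwk, new_account_url):
    """Payload of the newAccount request with EAB attached (the outer JWS that wraps it
    and is signed with the account key is left out here). Contact address is constructed."""
    kid, key = load_eab_file(eab_file_text)
    return {"termsOfServiceAgreed": True,
            "contact": ["mailto:hostmaster@example.net"],
            "externalAccountBinding": build_eab(kid, key, account_jwk, new_account_url)}
```

The binding is keyed by `kid`, so a CA that invalidates the pair after the first successful newAccount makes every later `build_eab` output fail `verify_eab`, exactly the retry behaviour reported for ZeroSSL above; a CA that keeps the pair valid accepts repeated account creations.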

mod_md v2.4.7

17 Sep 12:02
  • When MDMessageCmd for a 'challenge-setup::' fails (exit status != 0),
    the renewal process is aborted and an error is reported for the MDomain.
    As discussed in #237, this lets scripts that distribute information
    in a cluster abort early, without bothering an ACME server to validate
    a dns name that will not work. The common retry logic will make another
    attempt in the future, as with other failures.
  • Fixed a bug when adding private key specs to an already working MDomain, see #260.
  • Fixed a time-of-check vs time-of-use issue when the ACME server returned an empty response.
    [kokke]

mod_md v2.4.6

15 Sep 12:55
  • Fixed a bug in handling multiple parallel OCSP requests. These could run into
    an assertion which terminated (and restarted) the child process where the task
    was running. Eventually, all OCSP responses were collected, but not in the way
    that things are supposed to work.
    See also https://bz.apache.org/bugzilla/show_bug.cgi?id=65567.
    The bug was possibly triggered when more than one OCSP status needed updating
    at the same time. For example for several renewed certificates after a server
    reload.
    Added a test case to trigger this and verify correct behaviour.

mod_md v2.4.5

01 Sep 13:13
  • Certificate/key pairs are verified as matching before a renewal is accepted
    as successful or a staged renewal replaces the existing certificates.
    This avoids mix-ups in the md store file system rendering the active
    certificates non-working. [@mkauf]

mod_md v2.4.4

20 Jul 12:15
  • Domain names in <MDomain ...> can now appear in quoted form. Fixes #257
  • Fixed a failure in ACME challenge selection that aborted further searches
    when the tls-alpn-01 method did not seem to be suitable. See #255
  • Changed the tls-alpn-01 setup to only become unsuitable when none of the
    dns names showed support for a configured 'Protocols ... acme-tls/1'. This
    allows use of tls-alpn-01 for dns names that are not mapped to a VirtualHost.
  • Removed the old mod_ssl interworking code. The module now requires
    Apache httpd 2.4.48 or newer.
  • Fixed a potential null pointer dereference if ACME/OCSP server returned
    2xx responses without content type. Reported by chuangwen.

mod_md v2.4.2

18 May 12:37
  • This release needs at least Apache httpd 2.4.48 or later.
  • Fixed missing definitions when compiling against libressl. [Giovanni Bechis]
  • Making sure mod_md initializes after mod_watchdog, as otherwise jobs are not registered.
  • Adjusted test cases to work with mod_tls for OCSP stapling.
  • Implemented the new OCSP provisioning hooks in apache core.
  • Extended test suite to run also against mod_tls. Run
    SSL_MODULE=tls pytest to load an installed mod_tls into the server.
    Using mod_ssl is the default.
  • MDCertificateFile and MDCertificateKeyFile can now be specified several
    times to add multiple static certificates to an MDomain.
  • pytest runs also from the top level directory.

mod_md v2.4.0

08 Mar 17:28
  • MDPrivateKeys allows the specification of several key types. Besides "RSA" with an optional
    key length, elliptic curves can be configured. This means you can have multiple
    certificates for a Managed Domain with different key types.
    With MDPrivateKeys secp384r1 rsa2048 you get one ECDSA and one RSA certificate,
    and all modern clients will use the shorter ECDSA one, while older clients will
    get the RSA certificate.
    Many thanks to @tlhackque who pushed and helped on this.
  • Support added for MDomains consisting of a wildcard. Configuring MDomain *.host.net
    will match all virtual hosts matching that pattern and obtain one certificate for it
    (assuming you have 'dns-01' challenge support configured). Addresses #239.
  • Removed support for ACMEv1 servers. The only known installation used to be Let's Encrypt,
    which disabled that version for new accounts more than a year ago.
  • Andreas Ulm (https://github.com/root360-AndreasUlm) implemented the 'renewing' call
    to MDMessageCmd that can deny a certificate renewal attempt. This is useful in clustered
    installations, as discussed in #233.
  • new event challenge-setup:<type>:<domain>, triggered when the challenge data
    for a domain has been created. This is invoked before the ACME server is told to
    check for it. The type is one of the ACME challenge types. This is invoked for
    every DNS name in a MDomain.
  • The max delay for retries has been raised to daily (as with all retries, this is jittered
    somewhat to avoid repeats at a fixed time of day).
  • Certain error codes reported by the ACME server that indicate a problem with the
    configured data now immediately switch to daily retries. For example: if the ACME
    server rejects a contact email or a domain name, frequent retries will most likely
    not solve the problem. But daily retries still make sense as there might be an
    error at the server and un-supervised certificate renewal is the goal. Refs #222.
  • Test case and work around for domain names > 64 octets. Fixes #227.
    When the first DNS name of an MD is longer than 63 octets, the certificate
    request will not contain a CN field, but leave it up to the CA to choose one.
    Currently, Let's Encrypt looks for a shorter name in the SAN list given and
    fails the request if none is found. But it is really up to the CA (and what
    browsers/libs accept here) and may change over the years. That is why
    the decision is best made at the CA.
  • Retry delays now have a random +/-[0-50]% modification applied to let retries from several
    servers spread out more, should they have been restarted at the same time of day.
  • Fixed several places where the 'badNonce' return code from an ACME server was not
    handled correctly. The test server 'pebble' simulates this behaviour by default
    and helps nicely in verifying this behaviour. Thanks, pebble!
  • Set the default MDActivationDelay to 0. It was confusing to users that
    new certificates were deemed not usable before a day of delay. When clocks are
    correct, using a new certificate right away should not pose a problem.
  • When handling ACME authorization resources, the module no longer requires the server
    to return a "Location" header, as was necessary in ACMEv1. Fixes #216.
  • The test suite now also runs with the Pebble server. Using configure
    with --with-boulder or --with-pebble selects the default
    URLs for both test servers.
  • mod_md is enabled in freebsd's apache24 package since August 2020, thanks to
    Mina Galić (@igalic). Nice!
  • Fixed a theoretical uninitialized read when testing for JSON error responses from the
    ACME CA. Bugreported at https://bz.apache.org/bugzilla/show_bug.cgi?id=64297.
    (Ported from maintenance-2.2.x branch)
  • ACME problem reports from CAs that include parameters in the Content-Type header are handled correctly.
    (Previously, the problem text would not be reported and retries could exceed CA limits.)
  • Account Update transactions to V2 CAs now use the correct POST-AS-GET method. Previously, an
    empty JSON object was sent - which apparently LE accepted, but others reject.
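The retry policy described in this release (delays growing up to a daily cap, an immediate switch to daily retries on ACME errors about configured data, and a random +/-[0-50]% spread) together with the error-counter invariant that the v2.4.9 fix restored, as an added example that is not mod_md's own scheduler code. The notes give the daily cap and the jitter range; the one-minute starting delay, the doubling, and the set of ACME problem types treated as configuration errors are this example's assumptions.

```python
import random

# Assumed figures: the notes say the cap was raised to daily and that retries get a random
# +/-[0-50]% modification; the starting delay and the doubling are choices made here.
BASE_DELAY = 60
MAX_DELAY = 24 * 60 * 60

# ACME problem types (RFC 8555 section 6.7) that point at the configured data rather than at a
# transient fault. The notes mention rejected contact emails and domain names; the exact set
# mod_md uses is not on the page, so this list is an assumption.
CONFIG_ERRORS = frozenset([
    "urn:ietf:params:acme:error:invalidContact",
    "urn:ietf:params:acme:error:rejectedIdentifier",
    "urn:ietf:params:acme:error:unsupportedIdentifier",
])


def base_delay(error_count, error_type=None):
    """Undithered delay before the next attempt after `error_count` consecutive failures.
    Configuration errors jump straight to the daily cap: hammering the CA will not fix
    a bad email address, but a daily probe still catches a CA-side fix."""
    if error_type in CONFIG_ERRORS:
        return MAX_DELAY
    return min(BASE_DELAY * 2 ** max(error_count - 1, 0), MAX_DELAY)


def jittered(delay, rng):
    """Apply the +/-[0-50]% spread so servers restarted together do not retry in lockstep."""
    return delay * (1.0 + rng.uniform(-0.5, 0.5))


class RenewalJob:
    """Per-MDomain retry state. The error counter only returns to zero on success; a reset
    anywhere else (the v2.4.9 bug) collapses the back-off to the first step on every attempt."""

    def __init__(self, rng=None):
        self.error_count = 0
        self.last_error = None
        self.next_run_in = 0
        self.rng = rng or random.Random()

    def failed(self, error_type=None):
        self.error_count += 1
        self.last_error = error_type
        self.next_run_in = jittered(base_delay(self.error_count, error_type), self.rng)
        return self.next_run_in

    def succeeded(self):
        self.error_count = 0
        self.last_error = None
        self.next_run_in = 0


def schedule_after_failures(errors, seed=0):
    """Feed a sequence of failure types (None = transient) through one job and return
    (error_count, undithered delay, actual delay) per attempt; seeded for reproducibility."""
    job = RenewalJob(random.Random(seed))
    rows = []
    for err in errors:
        actual = job.failed(err)
        rows.append((job.error_count, base_delay(job.error_count, err), actual))
    return rows
```

Run `schedule_after_failures([None] * 12)` to see the undithered column double up to 86400 and stay there, and `schedule_after_failures(["urn:ietf:params:acme:error:invalidContact"])` to see the first attempt already land in the daily band.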

mod_md v2.3.7 (BETA)

02 Feb 15:26
  • Support added for MDomains consisting of a wildcard. Configuring MDomain *.host.net
    will match all virtual hosts matching that pattern and obtain one certificate for it
    (assuming you have 'dns-01' challenge support configured). Addresses #239.
  • Fixed a bug that prevented "renewed" notifications to be sent out when a renewal job
    had already successfully notified about another event. See #235.
  • new event challenge-setup:<type>:<domain>, triggered when the challenge data
    for a domain has been created. This is invoked before the ACME server is told to
    check for it. The type is one of the ACME challenge types. This is invoked for
    every DNS name in a MDomain.
  • Using configure with --with-boulder or --with-pebble selects the
    default URLs for both test servers.
  • Removed the special environment variable passing for MDChallengeDns01 again as
    this interferes with needed environment variables on platforms.
  • mod_md is enabled in freebsd's apache24 package since August 2020, thanks to
    Mina Galić (@igalic). Nice!