
Releases: icing/mod_md

mod_md v2.3.6 (BETA)

20 Jan 10:56
Pre-release
  • Andreas Ulm (@root360-AndreasUlm) implemented the "renewing" call to MDMessageCmd,
    which can deny a certificate renewal attempt. This is useful in clustered
    installations, as discussed in #233.
  • Fixed tests to accommodate for the new message type.
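The following is an added example of what such a "renewing" hook can look like in a cluster; it is not code from mod_md. It assumes the MDMessageCmd calling convention of `<cmd> <reason> <domain>` with a non-zero exit status denying the attempt only for reason "renewing", and it reads the MD_STORE and MD_VERSION variables that v2.3.2 (further down this page) adds to the command's environment. The leader/freeze policy, the MD_RENEWAL_LEADER variable and the file paths are this example's own inventions.

```python
#!/usr/bin/env python3
"""Hypothetical MDMessageCmd hook for a clustered Apache httpd setup.

Added example, not mod_md code. Assumed calling convention:
    <cmd> <reason> <domain>
For reason "renewing" a non-zero exit status denies that renewal attempt;
every other reason is a notification whose exit status is ignored.
MD_STORE and MD_VERSION are assumed to be present in the environment.
Wired up with a directive such as
    MDMessageCmd /usr/local/bin/md-hook.py        (hypothetical path)
"""
import os
import socket
import sys

# Cluster policy for this example: exactly one node, the "leader", talks to
# the ACME CA and writes new certificates into the shared MD_STORE; the others
# answer "deny" to "renewing" and pick the result up from storage.
# MD_RENEWAL_LEADER is a variable name invented here, not one mod_md sets.
DEFAULT_LEADER = "web1"

# Operator freeze switch (hypothetical path): while this file exists no node
# renews anything, e.g. during a rollout where a fresh key would be unwelcome.
FREEZE_FILE = "/etc/apache2/md-renew-freeze"


def decide(reason, host, leader=DEFAULT_LEADER, frozen=False):
    """Return True to let mod_md proceed, False to deny.

    Only "renewing" is a question. Every other reason is informational and is
    always allowed, so the hook never masks a "renewed"/"errored" event.
    """
    if reason != "renewing":
        return True
    if frozen:
        return False
    return host == leader


def describe(reason, domain, allowed):
    """One log line per invocation, carrying the context mod_md provides."""
    store = os.environ.get("MD_STORE", "<unset>")
    version = os.environ.get("MD_VERSION", "<unset>")
    verdict = "allow" if allowed else "deny"
    return (f"md-hook: {verdict} reason={reason} domain={domain} "
            f"md_version={version} store={store}")


def main(argv):
    if len(argv) < 3:
        print("usage: md-hook.py <reason> <domain>", file=sys.stderr)
        return 2
    reason, domain = argv[1], argv[2]
    host = socket.gethostname().split(".")[0]
    leader = os.environ.get("MD_RENEWAL_LEADER", DEFAULT_LEADER)
    allowed = decide(reason, host, leader, frozen=os.path.exists(FREEZE_FILE))
    print(describe(reason, domain, allowed), file=sys.stderr)
    # The exit status is the answer: 0 = proceed, 1 = deny (honoured for "renewing").
    return 0 if allowed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The hook keeps the decision in `decide()` so it can be unit-tested without a running httpd; the only side effects are the stderr line and the exit status, which is all mod_md looks at.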

mod_md v2.3.5 (BETA)

11 Jan 16:48
Pre-release
  • Certain error codes reported by the ACME server that indicate a problem with the
    configured data now immediately switch to daily retries. For example: if the ACME
    server rejects a contact email or a domain name, frequent retries will most likely
    not solve the problem. But daily retries still make sense as there might be an
    error at the server and un-supervised certificate renewal is the goal. Refs #222.
  • The maximum retry delay has been raised to one day. Like all retry delays, it is
    jittered somewhat to avoid repeats at a fixed time of day.
  • No longer debug-logging OCSP renewal success with an error indicator. Fixes #197.
  • When handling ACME authorization resources, the module no longer requires the server
    to return a "Location" header, as was necessary in ACMEv1. Fixes #216.
  • Removed the "authz" subcommand from the a2md executable. This was a left over of ACMEv1.
  • The module now reuses its internal curl instance across each MD's interactions
    with the ACME server, so that open connections are reused.

mod_md v2.3.4

05 Jan 12:13
Pre-release
  • Test case and workaround for domain names > 64 octets. Fixes #227.
    When the first DNS name of an MD is longer than 63 octets, the certificate
    request will not contain a CN field but leaves it up to the CA to choose one.
    Currently, Let's Encrypt looks for a shorter name in the given SAN list and
    fails the request if none is found. But it is really up to the CA (and what
    browsers/libs accept here) and may change over the years. That is why
    the decision is best made at the CA.
  • Reverted setting the environment variables for MDMessageCmd and MDNotifyCmd. This
    prevented the inheritance of existing environment variables as there seems to be
    no portable way to iterate those on all platforms. This led to a regression on
    Windows, see #198.
  • Fixed several places where the 'badNonce' return code from an ACME server was not
    handled correctly. The test server 'pebble' simulates this behaviour by default
    and helps nicely in verifying this behaviour. Thanks, pebble!
  • Removed support for ACMEv1 servers. The only known installation was Let's Encrypt,
    which disabled that protocol version more than a year ago.
  • Fixed a bug introduced by the multiple private key feature that did not trigger
    the tls-alpn-01 challenge at the ACME server on the first attempt. (It picked it up
    on the subsequent ones, though, prolonging the test suite but not failing it.)
  • First successful test run against the pebble server. See README.md for details
    on how to set this up.
  Merges from the 2.2.x maintenance branch:
  • Changed minimal curl version necessary to 7.29, as proposed by @xl32.
  • Retry delays now have a random +/-[0-50]% modification applied to let retries from several
    servers spread out more, should they have been restarted at the same time of day.
  • Fixed a theoretical uninitialized read when testing for JSON error responses from the
    ACME CA. Bugreported at https://bz.apache.org/bugzilla/show_bug.cgi?id=64297.
    (Ported from maintenance-2.2.x branch)
  • Adapted test suite to run against a current letsencrypt boulder version.
  • ACME problem reports from CAs that include parameters in the Content-Type header are handled correctly.
    (Previously, the problem text would not be reported and retries could exceed CA limits.)
  • Account Update transactions to V2 CAs now use the correct POST-AS-GET method. Previously, an
    empty JSON object was sent - which apparently LE accepted, but others reject.
  • If a CA directory includes both V1 and V2 endpoints, mod_md now will use the V2 endpoint. Previously,
    it would prefer V1 in this unusual configuration. V2 is standard; V1 is deprecated.
  • Synchronized with Apache trunk changes, added test case for issue #218.
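An added example, not mod_md's own code, that ties together several of the error-handling notes above: the v2.3.5 switch to daily retries for configuration errors, the v2.3.4 badNonce handling, the +/-[0-50]% retry jitter, and the Content-Type-with-parameters problem reports. The grouping of RFC 8555 error types into buckets, the 60 s starting delay and the sample responses are this example's own constructions and not mod_md's actual tables.

```python
"""Reacting to a failed ACME request. Added example, not mod_md code.

  * problem reports are matched on media type only, so
    "application/problem+json; charset=utf-8" is still recognised;
  * "badNonce" is retried at once with the nonce the error response carries
    in its Replay-Nonce header (RFC 8555, section 6.5);
  * errors pointing at configured data (rejected contact, rejected
    identifier, ...) go straight to daily retries;
  * everything else backs off exponentially, capped at one day, and every
    delay is jittered by -50..+50 %.
"""
import json
import random
from email.message import Message

ACME_ERR = "urn:ietf:params:acme:error:"   # RFC 8555 section 6.7 prefix
DAY = 24 * 3600

# Example policy: error types that will not go away by retrying quickly,
# because they refer to data the operator configured (this example's list).
CONFIG_ERRORS = {
    "invalidContact", "unsupportedContact", "rejectedIdentifier",
    "unsupportedIdentifier", "badCSR", "badPublicKey",
    "badSignatureAlgorithm", "externalAccountRequired", "userActionRequired",
}


def is_problem_json(content_type):
    """Media-type-only comparison: email.message.Message parses the
    parameters, so "application/problem+json; charset=utf-8" matches too."""
    msg = Message()
    msg["Content-Type"] = content_type or ""
    return msg.get_content_type() == "application/problem+json"


def is_problem_json_naive(content_type):
    """The behaviour the v2.3.4 note describes as the old one: a plain string
    compare drops every problem report sent with a parameter, so nothing is
    reported and the retry budget burns down against CA limits."""
    return content_type == "application/problem+json"


def parse_problem(headers, body):
    """Return the problem document as a dict, or None if the response is not one.
    headers: name -> value (any case); body: raw bytes."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    ct = hdrs.get("content-type", "")
    if not is_problem_json(ct):
        return None
    msg = Message()
    msg["Content-Type"] = ct
    charset = msg.get_content_charset() or "utf-8"
    return json.loads(body.decode(charset))


def backoff(attempt, base=60, cap=DAY):
    """Exponential backoff: base * 2**attempt seconds, never more than a day."""
    return min(cap, base * (2 ** attempt))


def jitter(delay, rng=random.random):
    """Scale by a factor drawn uniformly from [0.5, 1.5): up to +/-50 %, so
    servers restarted in the same minute do not hit the CA in lockstep."""
    return delay * (0.5 + rng())


def next_action(headers, body, attempt, rng=random.random):
    """Returns (action, delay_seconds, nonce): "retry-now" (badNonce, nonce from
    Replay-Nonce), "retry-daily" (configuration error) or "retry-backoff"
    (everything else, including non-problem bodies such as an HTML 502)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    problem = parse_problem(hdrs, body) or {}
    ptype = problem.get("type", "")
    if ptype == ACME_ERR + "badNonce":
        return "retry-now", 0, hdrs.get("replay-nonce")
    if ptype.startswith(ACME_ERR) and ptype[len(ACME_ERR):] in CONFIG_ERRORS:
        return "retry-daily", jitter(DAY, rng), None
    return "retry-backoff", jitter(backoff(attempt), rng), None


# Constructed sample responses (not captured from a real CA).
BAD_NONCE = (
    {"Content-Type": "application/problem+json; charset=utf-8",
     "Replay-Nonce": "constructed-nonce-0001"},
    b'{"type": "urn:ietf:params:acme:error:badNonce", "detail": "bad nonce"}',
)
BAD_CONTACT = (
    {"Content-Type": "application/problem+json"},
    b'{"type": "urn:ietf:params:acme:error:invalidContact",'
    b' "detail": "contact email rejected"}',
)
HTML_502 = ({"Content-Type": "text/html"}, b"<html>Bad Gateway</html>")

if __name__ == "__main__":
    for name, (hdrs, body) in [("badNonce", BAD_NONCE),
                               ("invalidContact", BAD_CONTACT), ("502", HTML_502)]:
        print(name, next_action(hdrs, body, attempt=3))
```

Passing the random source in as `rng` keeps the scheduling deterministic under test; in production the default `random.random` is adequate, since the jitter is there to spread load, not to be unpredictable to an attacker.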

mod_md v2.2.8

17 Dec 16:02
  • Disabling retries on "POST-as-GET" requests, as that leads to undefined behaviour. See #232.
  • Trying to read certificates from a "text/plain" response as well, since some
    servers seem to use that (see #232).
  • Synchronized with Apache trunk. Spelling fixes and an added check when unsuccessfully
    reading JSON files.
  • Fixed a theoretical uninitialized read when testing for JSON error responses from the
    ACME CA. Bugreported at https://bz.apache.org/bugzilla/show_bug.cgi?id=64297.

mod_md v2.3.3 (beta)

23 Mar 14:07
Pre-release
  • MDMessageCmd and MDNotifyCmd now get common, important environment variables passed
    as well, such as PATH, SystemRoot etc., if they existed in the first place.

mod_md v2.3.2 (beta)

12 Mar 11:51
Pre-release
  • Add key usage extensions to fallback certificates; correct other extensions.
  • Correct decoding of IP addresses in certificates.
  • Add contrib directory (not yet shipped).
  • Add SELinux policy changes necessary for mod_md in contrib/selinux.
  • MDNotifyCmd and MDMessageCmd now get the environment variable MD_STORE containing
    the path to the storage directory.
    MD_VERSION is also added to the environment, containing the version plus an optional
    variation suffix, e.g. "-git".
  • Added very preliminary (and rough) version of contrib/md_events script.
  • test suite: tests of Messages are less timing dependent

mod_md v2.3.1 (Beta)

07 Mar 11:53
Pre-release
  • The keyname in key and certificate files is now forced lower case.
  • Formatting in the 'server-status' page has been improved when showing more than one certificate.
  • Fallback certificates (when the domain has none yet) are now generated for all
    key types requested in MDPrivateKeys of that domain.
  • Update /.httpd/certificate-status to correctly handle multiple keys.

Many thanks to @tlhackque for these.

mod_md v2.3.0 (beta)

05 Mar 15:27
Pre-release
  • MDPrivateKeys allows the specification of several key types and the module will
    obtain a certificate for each key. This allows the parallel use of RSA and ECDSA
    certificates for the same domain (requires an Apache 2.4.41 or newer).
  • Besides "RSA" plus optional key lengths, elliptic curves can be configured. Let's
    Encrypt seems to support P-256 and P-384 for now.
  • Tests run with multiple certificates. Certificates are listed in status reports. The
    "server-status" html table gives individual links. Expiry durations are aggregated.
    OCSP stapling picks up the new certificates nicely.
  • The JSON format for reporting certificates changed; it is not yet decided whether it
    stays as it is or whether there should be some backward compatibility with the single-certificate case.
  • MDPrivateKeys checks for duplicate key specifications. There can only be one RSA key
    and a curve name can also only appear once.
  • Test case for curve "x25519" is being skipped as this key does not work correctly - yet.

mod_md v2.2.7

10 Feb 15:24
  • Prefer the MDContactEmail directive to ServerAdmin for registration. New directive
    thanks to Timothe Litt (@tlhackque).
  • Distribute a2md.xml and conditionally build it, if xmlto is available. Addition
    by Joe Orton (@notroj).

mod_md v2.2.6

09 Jan 13:30
  • Michal Karm Babacek (@Karm) added cmake support, especially valuable under Windows.
  • The protocol check for a pre-configured "tls-alpn-01" challenge has been improved. It will now
    check all matching virtual hosts for protocol support. Thanks to @mkauf.