Skip to content

Releases: icing/mod_md

mod_md v2.4.13

22 Apr 08:42
Compare
Choose a tag to compare
  • A possible NULL pointer deref was fixed in the JSON code for
    persisting time periods (start+end). Fixes #282.
    Thanks to @marcstern for finding this.

mod_md v2.4.12

19 Apr 14:10
Compare
Choose a tag to compare
  • Implement full auto status ("key: value" type status output).
    Especially not only status summary counts for certificates and
    OCSP stapling but also lists. Auto status format is similar to
    what was used for mod_proxy_balancer.
    [Rainer Jung]

mod_md v2.4.11

14 Feb 11:27
Compare
Choose a tag to compare
  • Do not interfere with requests to /.well-known/acme-challenge/ resources
    if challenge type 'http-01' is not configured for a domain. Fixes #279.
  • The status description in MDomain's JSON, exposed in the
    md-status handler (if configured) did sometimes not carry the correct
    message when certificates needed renew.

v2.4.10

24 Nov 10:42
Compare
Choose a tag to compare
  • Fix memory leak in case of failures to load the private key.
    Apache PR 65620 [ Filipe Casal [email protected] ]

mod_md v2.4.9

05 Nov 15:07
Compare
Choose a tag to compare
  • MDExternalAccountBinding can be configured with a file that contains the
    'kid' and 'hmac' values in JSON format. Since httpd config files are often
    readable to non-admins, this allows to keep those values in a more protected
    file.
  • OpenSSL 3.0 compatibility: fixed generation of Elliptic Curve private
    keys to work with openssl 3.0.0.
  • Docker testing arrived. Run make docker-test in your mod_md directory
    to build and test the current sources in a Debian sid image.
  • The directive 'MDCertificateAuthority' now checks if its parameter is a http/https
    url or one of a set of known names. Those are 'LetsEncrypt', 'LetsEncrypt-Test',
    'Buypass' and 'Buypass-Test' for now and they are not case-sensitive.
    The default of LetsEncrypt is unchanged.
  • Fixed a bug that reset the error counter of a certificate renewal and
    prevented the increasing delays in further attempts. Test case 741 added
    to verify the correct behaviour.

mod_md v2.4.8

19 Oct 12:28
Compare
Choose a tag to compare
  • MDContactEmail can now be specified inside a <MDomain dnsname> section.
  • Treating 401 HTTP status codes for orders like 403, since Sectigo
    seems to prefer that for accessing oders from other accounts.
  • When retrieving certificate chains, try to read the response even
    if the HTTP Content-Type is unrecognized.
  • Fixed the renewal process giving up every time on an already existing order
    with some invalid domains. Now, if such are seen in a previous order, a new
    order is created for a clean start over again. See #268.
  • Fixed a mixup in md-status handler when static certificate files and
    renewal was configured at the same time.
  • New: experimental support for ACME External Account Binding (EAB).
    Use the new directive MDExternalAccountBinding to provide the
    server with the value for key identifier and hmac as provided by
    your CA.
    While working on some servers, EAB handling is not uniform across CAs.
    First tests with a Sectigo Certificate Manager in demo mode are
    successful. But ZeroSSL, for example, seems to regard EAB values as
    a one-time-use-only thing, which makes them fail if you create a
    seconde account or retry the creation of the first account with
    the same EAB.

mod_md v2.4.7

17 Sep 12:02
Compare
Choose a tag to compare
  • When MDMessageCmd for a 'challenge-setup::' fails (!= 0 exit),
    the renewal process is aborted and an error is reported for the MDomain.
    As discussed in #237, this provides scripts that distribute information
    in a cluster to abort early with bothering an ACME server to validate
    a dns name that will not work. The common retry logic will make another
    attempt in the future, as with other failures.
  • Fixed a bug when adding private key specs to an already working MDomain, see #260.
  • fix time-of-use vs time-of-check when ACME server returned an empty response.
    [kokke [email protected]]

mod_md v2.4.6

15 Sep 12:55
Compare
Choose a tag to compare
  • Fixed a bug in handling multiple parallel OCSP requests. These could run into
    an assertion which terminated (and restarted) the child process where the task
    was running. Eventually, all OCSP responses were collected, but not in the way
    that things are supposed to work.
    See also https://bz.apache.org/bugzilla/show_bug.cgi?id=65567.
    The bug was possibly triggered when more than one OCSP status needed updating
    at the same time. For example for several renewed certificates after a server
    reload.
    Added a test case to trigger this and verify correct behaviour.

mod_md v2.4.5

01 Sep 13:13
Compare
Choose a tag to compare
  • Certificate/keys pairs are verified as matching before a renewal is accepted
    as successful or a staged renewal is replacing the existing certificates.
    This avoid potential mess ups in the md store file system to render the active
    certificates non-working. [@mkauf]

mod_md v2.4.4

20 Jul 12:15
Compare
Choose a tag to compare
  • Domain names in <MDomain ...> can now appear in quoted form. Fixes #257
  • Fixed a failure in ACME challenge selection that aborted further searches
    when the tls-alpn-01 method did not seem to be suitable. See #255
  • Changed the tls-alpn-01 setup to only become unsuitable when none of the
    dns names showed support for a configured 'Protocols ... acme-tls/1'. This
    allows use of tls-alpn-01 for dns names that are not mapped to a VirtualHost.
  • Removed the old mod_ssl interworking code. The module now requires a
    Apache httpd 2.4.48 or newer.
  • Fixed a potential null pointer dereference if ACME/OCSP server returned
    2xx responses without content type. Reported by chuangwen.