mod_md v2.3.4

Pre-release
@icing icing released this 05 Jan 12:13
  • Test case and work around for domain names > 64 octets. Fixes #227.
    When the first DNS name of an MD is longer than 63 octets, the certificate
    request will not contain a CN field, but leave it up to the CA to choose one.
    Currently, Let's Encrypt looks for a shorter name in the SAN list given and
    fails the request if none is found. But it is really up to the CA (and what
    browsers/libs accept here) and may change over the years. That is why
    the decision is best made at the CA.
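The CN rule described in this item, as an added example in Python (not mod_md code, which is C): the request gets a CN only when the first DNS name of the MD fits the CN length limit, every name goes into subjectAltName regardless, and a second function models the CA-side choice the note attributes to Let's Encrypt (taking the first SAN entry that is short enough, failing when there is none). The 63-octet threshold is taken from the note; the DNS label and name limits are the RFC 1035 ones; the `*` wildcard handling and the CA model are assumptions made for the example.

```python
"""Constructed example: subject layout of a certificate request for a managed
domain (MD) whose first DNS name may be too long for a CN. Not mod_md code."""

CN_MAX_OCTETS = 63   # threshold stated in the release note (assumed inclusive)
DNS_LABEL_MAX = 63   # RFC 1035 label limit
DNS_NAME_MAX = 253   # RFC 1035 limit for the presentation form of a name


def check_dns_name(name):
    """Return the name lowercased after validating it as an ASCII (A-label)
    DNS name; a leading '*' label is allowed for wildcard MDs (assumption)."""
    name = name.lower()
    if not name.isascii():
        raise ValueError(f"not an A-label name: {name!r}")
    if len(name) > DNS_NAME_MAX:
        raise ValueError(f"name longer than {DNS_NAME_MAX} octets: {name!r}")
    for i, label in enumerate(name.split(".")):
        if i == 0 and label == "*":
            continue
        if not 1 <= len(label) <= DNS_LABEL_MAX:
            raise ValueError(f"label length out of range in {name!r}: {label!r}")
        if label[0] == "-" or label[-1] == "-" or not label.replace("-", "").isalnum():
            raise ValueError(f"invalid label in {name!r}: {label!r}")
    return name


def csr_names(md_names):
    """Return (cn, san) for the ordered DNS names of an MD.

    cn is the first name when it fits CN_MAX_OCTETS, otherwise None, in which
    case the request carries no CN and the CA decides. san always lists every
    name (deduplicated, order preserved), the first one included."""
    names = [check_dns_name(n) for n in md_names]
    if not names:
        raise ValueError("an MD needs at least one DNS name")
    first = names[0]
    # A name can be a valid DNS name (labels <= 63, total <= 253) and still be
    # too long for the CN attribute, which is the case this item is about.
    cn = first if len(first) <= CN_MAX_OCTETS else None
    san = list(dict.fromkeys(names))
    return cn, san


def ca_choose_cn(san):
    """Model of the CA-side choice the note describes (assumption: the CA takes
    the first SAN entry short enough for a CN and fails the order if none)."""
    for name in san:
        if len(name) <= CN_MAX_OCTETS:
            return name
    return None


if __name__ == "__main__":
    long_name = "a" * 60 + ".example.org"      # 72 octets, a valid DNS name
    cn, san = csr_names([long_name, "www.example.org"])
    print("CN in request:", cn)               # None: left to the CA
    print("CA would pick:", ca_choose_cn(san))  # www.example.org
```

Order the names of an MD so that a short name comes first if you want the CN chosen by your own configuration rather than by the CA; with a long name first, whether the order succeeds depends on the CA's policy, which is exactly the point the note makes.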
  • Reverted setting the environment variables for MDMessageCmd and MDNotifyCmd. This
    prevented the inheritance of existing environment variables as there seems to be
    no portable way to iterate those on all platforms. This led to a regression on
    Windows, see #198.
  • Fixed several places where the 'badNonce' return code from an ACME server was not
    handled correctly. The test server 'pebble' simulates this behaviour by default
    and helps nicely in verifying this behaviour. Thanks, pebble!
  • Removed support for ACMEv1 servers. The only known installation used to be Let's Encrypt,
    which disabled that version more than a year ago.
  • Fixed a bug introduced by the multiple private key feature that did not trigger
    the tls-alpn-01 challenge at the ACME server on the first attempt. (It picked it up
    on the subsequent ones, though, prolonging the test suite but not failing it.)
  • First successful test run against the pebble server. See README.md for details
    on how to set this up.

  Merges from 2.2.x maintenance branch:
  • Changed minimal curl version necessary to 7.29, as proposed by @xl32.
  • Retry delays now have a random +/-[0-50]% modification applied to let retries from several
    servers spread out more, should they have been restarted at the same time of day.
  • Fixed a theoretical uninitialized read when testing for JSON error responses from the
    ACME CA. Bug reported at https://bz.apache.org/bugzilla/show_bug.cgi?id=64297.
    (Ported from maintenance-2.2.x branch)
  • Adapted test suite to run against a current letsencrypt boulder version.
  • ACME problem reports from CAs that include parameters in the Content-Type header are handled correctly.
    (Previously, the problem text would not be reported and retries could exceed CA limits.)
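Two of the items above, the 'badNonce' handling and the problem reports whose Content-Type carries parameters, are two halves of one client behaviour: a client only knows it should retry if it first recognises the response as a problem document. The following Python is an added example of both, not mod_md code and not pebble: `FakeAcmeServer` is a constructed stand-in that hands out single-use nonces and rejects chosen requests with badNonce the way a test CA would, `is_problem_strict` shows the exact-match check that breaks on `application/problem+json; charset=utf-8`, and `acme_post` retries with the Replay-Nonce the CA returned without counting the rejection as a failure. The `reject_calls` mechanism and the response shapes are assumptions made for the example.

```python
"""Constructed example: an ACME POST helper that treats a badNonce problem
document as "retry with the nonce the CA just sent" and recognises
application/problem+json even when the header carries parameters."""
import json

BAD_NONCE = "urn:ietf:params:acme:error:badNonce"


class AcmeError(Exception):
    def __init__(self, problem):
        super().__init__(f"{problem.get('type')}: {problem.get('detail')}")
        self.problem = problem


def media_type(content_type):
    """Lowercased media type without parameters, so that
    'application/problem+json; charset=utf-8' still matches."""
    return content_type.split(";", 1)[0].strip().lower()


def is_problem_strict(content_type):
    """The kind of check the note describes as broken: an exact string
    comparison that misses the header as soon as a parameter is present."""
    return content_type == "application/problem+json"


def parse_problem(headers, body):
    """Return the RFC 7807 problem document, or None if the response is not one."""
    if media_type(headers.get("Content-Type", "")) != "application/problem+json":
        return None
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    return doc if isinstance(doc, dict) else None


class FakeAcmeServer:
    """Constructed ACME server stand-in (assumption, not pebble). Every nonce
    is single-use; in addition, requests whose sequence number is listed in
    `reject_calls` are answered with badNonce, which is how a test CA would
    exercise the client's retry path."""

    def __init__(self, reject_calls=(), with_charset=True):
        self.reject_calls = set(reject_calls)
        self.with_charset = with_charset
        self.valid = set()
        self.calls = 0
        self._seq = 0

    def new_nonce(self):
        self._seq += 1
        nonce = f"nonce-{self._seq}"
        self.valid.add(nonce)
        return nonce

    def post(self, nonce, payload):
        """Return (status, headers, body); every response carries a fresh nonce."""
        self.calls += 1
        nonce_ok = nonce in self.valid
        self.valid.discard(nonce)            # a nonce never survives one use
        fresh = self.new_nonce()
        if not nonce_ok or self.calls in self.reject_calls:
            ct = "application/problem+json" + ("; charset=utf-8" if self.with_charset else "")
            problem = {"type": BAD_NONCE, "detail": "JWS has an invalid anti-replay nonce"}
            return 400, {"Content-Type": ct, "Replay-Nonce": fresh}, json.dumps(problem)
        return 200, {"Content-Type": "application/json", "Replay-Nonce": fresh}, \
            json.dumps({"status": "valid", "echo": payload})


def acme_post(server, payload, max_nonce_retries=3):
    """POST to the CA, replaying on badNonce with the Replay-Nonce the CA
    returned. Returns (response document, number of badNonce retries)."""
    nonce = server.new_nonce()
    retries = 0
    while True:
        status, headers, body = server.post(nonce, payload)
        # RFC 8555 section 6.5: every response carries a fresh nonce; adopt it.
        nonce = headers.get("Replay-Nonce", nonce)
        if status < 400:
            return json.loads(body), retries
        problem = parse_problem(headers, body) or {"type": "about:blank", "detail": body}
        if problem.get("type") == BAD_NONCE and retries < max_nonce_retries:
            retries += 1                      # not a CA failure, just replay
            continue
        raise AcmeError(problem)


if __name__ == "__main__":
    srv = FakeAcmeServer(reject_calls={1})
    doc, retries = acme_post(srv, {"identifiers": ["example.org"]})
    print(doc["status"], "after", retries, "badNonce retry")
```

With the strict check, a CA that sends `application/problem+json; charset=utf-8` makes every badNonce look like an opaque 400, so the client has no detail to report and falls into its generic retry schedule, which is the "retries could exceed CA limits" case in the note; parsing the media type without its parameters is what makes the badNonce branch reachable.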
  • Account Update transactions to V2 CAs now use the correct POST-AS-GET method. Previously, an
    empty JSON object was sent - which apparently LE accepted, but others reject.
  • If a CA directory includes both V1 and V2 endpoints, mod_md now will use the V2 endpoint. Previously,
    it would prefer V1 in this unusual configuration. V2 is standard; V1 is deprecated.
  • Synchronized with Apache trunk changes, added test case for issue #218.