Releases: icing/mod_md
Releases · icing/mod_md
mod_md v2.3.4
- Test case and work around for domain names > 64 octets. Fixes #227.
When the first DNS name of an MD is longer than 63 octets, the certificate
request will not contain a CN field, but leave it up to the CA to choose one.
Currently, Lets Encrypt looks for a shorter name in the SAN list given and
fails the request if none is found. But it is really up to the CA (and what
browsers/libs accept here) and may change over the years. That is why
the decision is best made at the CA. - Reverted setting the environment variables for MDMessageCmd and MDNotifyCmd. This
prevented the inheritance of existing environment variables as there seems to be
no portable way to iterate those on all platforms. This led to a regression on
Windows, see #198. - Fixed several places where the 'badNonce' return code from an ACME server was not
handled correctly. The test server 'pebble' simulates this behaviour by default
and helps nicely in verifying this behaviour. Thanks, pebble! - Removed support for ACMEv1 servers. The only known installation used to be Let's Encrypt
which is disabled that version more than a year ago. - Fixed a bug introduced by the multiple private key feature that did not trigger
the tls-alpn-01 challenge at the ACME server on the first attempt. (It picked it up
on the subsequent ones, though, prolonging the test suite but not failing it.) - first successful test run against the pebble server. See README.md for details
on how to set this up.
Merges from 2.2.x maintenance branch: - Changed minimal curl version necessary to 7.29, as proposed by @xl32.
- Retry delays now have a random +/-[0-50]% modification applied to let retries from several
servers spread out more, should they have been restarted at the same time of day. - Fixed a theoretical uninitialized read when testing for JSON error responses from the
ACME CA. Bugreported at https://bz.apache.org/bugzilla/show_bug.cgi?id=64297.
(Ported from maintenance-2.2.x branch) - Adapted test suite to run against a current letsencrypt boulder version.
- ACME problem reports from CAs that include parameters in the Content-Type header are handled correctly.
(Previously, the problem text would not be reported and retries could exist CA limits.) - Account Update transactions to V2 CAs now use the correct POST-AS-GET method. Previously, an
empty JSON object was sent - which apparently LE accepted, but others reject. - If a CA directory includes both V1 and V2 endpoints, mod_md now will use the V2 endpoint. Previously,
it would prefer V1 in this unusual configuration. V2 is standard; V1 is deprecated. - Synchronized with Apache trunk changes, added test case for issue #218.
mod_md v2.2.8
- Disabling retries on "GET as POST" requests as that leads to undefined behaviour. See +232.
- Trying to read certificates from a "test/plain" response as well, since some
servers seem to use that (see #232). - Synchronized with Apache trunk. Spelling fixes and an added check when unsuccessfully
reading JSON files. - Fixed a theoretical uninitialized read when testing for JSON error responses from the
ACME CA. Bugreported at https://bz.apache.org/bugzilla/show_bug.cgi?id=64297.
mod_md v2.3.3 (beta)
- MDMessageCmd and MDNotifyCmd now get common, important environment variables passed
as well, such as PATH, SystemRoot etc - if they existed in the first place.
mod_md v2.3.2 (beta)
- Add key usage extensions to fallback certificates; correct other extensions.
- Correct decoding of IP addresses in certificates.
- Add contrib directory (not yet shipped).
- Add SeLinux policy changes necessary for mod_md in contrib/selinux.
MDNotifyCmdandMDMessageCmdnow get the environment variableMD_STOREcontaining
the path to the storage directory.
AlsoMD_VERSIONis added to the environment, containing the version plus an optional
-variation, e.g.-gitindicator.- Added very preliminary (and rough) version of contrib/md_events script.
- test suite: test of Messages less timing dependant
mod_md v2.3.1 (Beta)
- The keyname in key and certificate files is now forced lower case.
- Formatting in 'server-status' page has been improved when showing >1 certificates
- Fallback certificates (when the domain has none yet) are now generated for all
key types requested in MDPrivateKeys of that domain. - Update /.httpd/certificate-status to correctly handle multiple keys.
Many thanks to @tlhackque for these.
mod_md v2.3.0 (beta)
- MDPrivateKeys allows the specification of several key types and the module will
obtain a certificate for each key. This allows the parallel use of RSA and ECDSA
certificates for the same domain (requires an Apache 2.4.41 or newer). - Beside "RSA" plus optional key lengths, elliptic curves can be configured. Let's
Encrypt seems to supportP-256andP-384for now. - Tests run with multiple certificates. Certificates are listed in status reports. The
"server-status" html table gives individual links. Expiry durations are aggregated.
OCSP stapling picks up the new certificates nicely. - The JSON format for reporting certificates changed, not sure if it stays now as it
is or if there should be come backward compat with 1 cert use. - MDPrivateKeys checks for duplicate key specifications. There can only be one RSA key
and a curve name can also only appear once. - Test case for curve "x25519" is being skipped as this key does not work correctly - yet.
mod_md v2.2.7
- Prefer MDContactEmail directive to ServerAdmin for registration. New directive
thanks for Timothe Litt (@tlhackque). - Distribute a2md.xml and conditionally build it, if xmlto is available. Addition
by Joe Orton (@notroj).
mod_md v2.2.6
mod_md v2.2.5
- Corrected a check when OCSP stapling was configured for hosts
where the responsible MDomain is not clear, by Michal Karm Babacek (@Karm). - @uhliarik added documentation for the
a2mdcommand. Usexmlto man ./a2md.xmlto generate it. - Softening the restrictions where mod_md configuration directives may appear. This should
allow for use inIfandMacrosections. If all possible variations lead to the configuration
you wanted in the first place, is another matter.