forked from icing/mod_md
ChangeLog
v2.4.26
----------------------------------------------------------------------------------------------------
* Using OCSP stapling information to trigger certificate renewals. Proposed
by Fraser Tweedale.
* Added directive `MDCheckInterval` to control how often the server checks
for detected revocations. Added proposals for configurations in the
README.md chapter "Revocations".
* OCSP stapling: accept OCSP responses without a `nextUpdate` entry which is
allowed in RFC 6960. Treat those as having an update interval of 12 hours.
Added by @frasertweedale.
* Adapt OpenSSL usage to changes in their API. By Yann Ylavic.
v2.4.25
----------------------------------------------------------------------------------------------------
* Fix the reported "until" validity of a certificate in the status handler.
[Rainer Jung]
* Fix possible NULL deref when logging the error that an authentication
resource could not be retrieved from the ACME server. Refs #324
v2.4.24
----------------------------------------------------------------------------------------------------
* Fixed passing of the server environment variables to programs started via
MDMessageCmd and MDChallengeDns01 on *nix systems. See #319.
v2.4.23
----------------------------------------------------------------------------------------------------
* New directive `MDMatchNames all|servernames` to allow more control over how
MDomains are matched to VirtualHosts.
* New directive `MDChallengeDns01Version`. Setting this to `2` also passes the
challenge value to the command on the `teardown` invocation. In version
1, the default, only the `setup` invocation gets this parameter.
Refs #312. Thanks to @domrim for the idea.
v2.4.22
----------------------------------------------------------------------------------------------------
* For Managed Domains in "manual" mode, the check whether all used ServerName and
ServerAlias entries are part of the MDomain now reports a warning instead of an error
(AH10040) when not all names are present.
This should resolve #301.
v2.4.21
----------------------------------------------------------------------------------------------------
* MDChallengeDns01 can now be configured for individual domains.
Based on a PR from Jérôme Billiras (@bilhackmac), with a test case added and fixes to make it work properly.
* Fixed a bug found by Jérôme Billiras (@bilhackmac) that caused the challenge
teardown not to be invoked as it should.
v2.4.20
----------------------------------------------------------------------------------------------------
* Enabling ED25519 support and certificate transparency information when
building with libressl v3.5.0 and newer. Thanks to Giovanni Bechis.
v2.4.19
----------------------------------------------------------------------------------------------------
* Restored the curl_easy cleanup behaviour from v2.4.14 and refactored
the use of curl_multi for OCSP requests to work with that. Fixes #293.
v2.4.18
----------------------------------------------------------------------------------------------------
* New directive `MDStoreLocks` that can be used on cluster setups with
a shared file system for `MDStoreDir` to order activation of renewed
certificates when several cluster nodes are restarted at the same time.
Store locks are not enabled by default.
v2.4.17
----------------------------------------------------------------------------------------------------
* A bug was fixed that caused very large MDomains with the combined DNS
names exceeding ~7k to fail, as request bodies would contain partially
wrong data from uninitialized memory. This would have appeared as
failure in signing-up/renewing such configurations.
This was reported by Ronald Crane (Zippenhop LLC).
v2.4.16
----------------------------------------------------------------------------------------------------
* The `MDCertificateAuthority` directive can take more than one URL/name of
an ACME CA. This gives a failover for renewals when 2 consecutive attempts
to get a certificate failed. See README for details.
* New directive `MDRetryDelay` to set the delay of retries. See README
for details.
* New directive `MDRetryFailover` to set the number of errored attempts
before an alternate CA is selected for certificate renewals. See README
for details.
v2.4.15
----------------------------------------------------------------------------------------------------
* Fixed a bug leading to failed transfers for OCSP stapling information
when more than 6 certificates needed updates in the same run.
v2.4.14
----------------------------------------------------------------------------------------------------
* Added support for tailscale (https://tailscale.com) certificates to have
trusted access to your internal domain names. See README.md for more
information on how to set this up.
* Fix for a memory leak in handling of JSON arrays. This leak was mainly
triggered by the additions to the `server-status` handler and led to
increased process sizes with each request of a status page.
v2.4.13
----------------------------------------------------------------------------------------------------
* A possible NULL pointer deref was fixed in the JSON code for
persisting time periods (start+end). Fixes #282.
Thanks to @marcstern for finding this.
v2.4.12
----------------------------------------------------------------------------------------------------
* Implement full auto status ("key: value" type status output).
In particular, not only status summary counts for certificates and
OCSP stapling but also lists. The auto status format is similar to
what was used for mod_proxy_balancer.
[Rainer Jung]
v2.4.11
----------------------------------------------------------------------------------------------------
* Do not interfere with requests to /.well-known/acme-challenge/ resources
if challenge type 'http-01' is not configured for a domain. Fixes #279.
* The status description in MDomain's JSON, exposed in the
md-status handler (if configured), sometimes did not carry the correct
message when certificates needed renewal.
v2.4.10
----------------------------------------------------------------------------------------------------
* Fix memory leak in case of failures to load the private key.
Apache PR 65620 [Filipe Casal <[email protected]>]
v2.4.9
----------------------------------------------------------------------------------------------------
* MDExternalAccountBinding can be configured with a file that contains the
'kid' and 'hmac' values in JSON format. Since httpd config files are often
readable to non-admins, this allows keeping those values in a more protected
file.
* OpenSSL 3.0 compatibility: fixed generation of Elliptic Curve private
keys to work with openssl 3.0.0.
* Docker testing arrived. Run `make docker-test` in your mod_md directory
to build and test the current sources in a Debian sid image.
* The directive 'MDCertificateAuthority' now checks if its parameter is an http/https
URL or one of a set of known names. Those are 'LetsEncrypt', 'LetsEncrypt-Test',
'Buypass' and 'Buypass-Test' for now and they are not case-sensitive.
The default of LetsEncrypt is unchanged.
* Fixed a bug that reset the error counter of a certificate renewal and
prevented the increasing delays in further attempts. Test case 741 added
to verify the correct behaviour.
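An added example, not mod_md's own code, of what a client does with the 'kid' and 'hmac' values once they live in a separate file: it loads them (refusing a file that group or others can read, which is the whole reason for moving them out of the httpd config) and builds the External Account Binding JWS that an ACME newAccount request carries per RFC 8555 section 7.3.4. The file layout `{"kid": ..., "hmac": ...}` with a base64url-encoded HMAC key, and the constructed account key JWK, are assumptions of this example.

```python
"""ACME External Account Binding from a protected JSON file (example code, not
mod_md's own). Assumed file layout: {"kid": "<id from CA>", "hmac": "<base64url key>"}.
"""
import base64
import hashlib
import hmac
import json
import os
import stat
from typing import Dict, Optional, Tuple


def b64url(data: bytes) -> str:
    """JWS base64url: URL-safe alphabet, no padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def load_eab(path: str) -> Tuple[str, bytes]:
    """Read kid and HMAC key; refuse a file readable by group or others, since
    that would leave the secret as exposed as it was in the httpd config."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(
            f"{path}: mode {oct(mode & 0o777)} is readable beyond the owner")
    with open(path, "r", encoding="utf-8") as fh:
        doc = json.load(fh)
    return doc["kid"], b64url_decode(doc["hmac"])


def make_eab_jws(kid: str, hmac_key: bytes, account_jwk: Dict[str, str],
                 new_account_url: str) -> Dict[str, str]:
    """Build the externalAccountBinding object: HS256 over protected.payload,
    where the payload is the account's public key as a JWK."""
    header = {"alg": "HS256", "kid": kid, "url": new_account_url}
    protected = b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))
    payload = b64url(json.dumps(account_jwk, separators=(",", ":"),
                                sort_keys=True).encode("utf-8"))
    signing_input = f"{protected}.{payload}".encode("ascii")
    sig = hmac.new(hmac_key, signing_input, hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(sig)}


def verify_eab_jws(jws: Dict[str, str], hmac_key: bytes,
                   new_account_url: Optional[str] = None) -> bool:
    """The check a CA performs on newAccount: header sanity plus a constant-time
    comparison of the recomputed MAC."""
    try:
        header = json.loads(b64url_decode(jws["protected"]))
    except (ValueError, KeyError):
        return False
    if header.get("alg") != "HS256" or "kid" not in header:
        return False
    if new_account_url is not None and header.get("url") != new_account_url:
        return False
    signing_input = f"{jws['protected']}.{jws['payload']}".encode("ascii")
    expected = hmac.new(hmac_key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(jws["signature"]))
```

The permission check is the operational half of the feature: a file with 'kid' and 'hmac' only improves on the config file if its mode is 0600 (or tighter) and it is owned by the user httpd runs its renewal jobs as.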
v2.4.8
----------------------------------------------------------------------------------------------------
* `MDContactEmail` can now be specified inside a `<MDomain dnsname>` section.
* Treating 401 HTTP status codes for orders like 403, since Sectigo
seems to prefer that for accessing orders from other accounts.
* When retrieving certificate chains, try to read the response even
if the HTTP Content-Type is unrecognized (Sectigo workaround).
* Fixed the renewal process giving up every time on an already existing order
with some invalid domains. Now, if such are seen in a previous order, a new
order is created for a clean start over again. See #268.
* Fixed a mixup in md-status handler when static certificate files and
renewal was configured at the same time.
* New: experimental support for ACME External Account Binding (EAB).
Use the new directive `MDExternalAccountBinding` to provide the
server with the value for key identifier and hmac as provided by
your CA.
While working on some servers, EAB handling is not uniform across CAs.
First tests with a Sectigo Certificate Manager in demo mode are
successful. But ZeroSSL, for example, seems to regard EAB values as
a one-time-use-only thing, which makes them fail if you create a
second account or retry the creation of the first account with
the same EAB.
v2.4.7
----------------------------------------------------------------------------------------------------
* When MDMessageCmd for a 'challenge-setup:<type>:<dnsname>' fails (!= 0 exit),
the renewal process is aborted and an error is reported for the MDomain.
As discussed in #237, this lets scripts that distribute information
in a cluster abort early, without bothering an ACME server to validate
a dns name that will not work. The common retry logic will make another
attempt in the future, as with other failures.
* Fixed a bug when adding private key specs to an already working MDomain, see #260.
* Fix time-of-use vs time-of-check when the ACME server returned an empty response.
[kokke <[email protected]>]
v2.4.6
----------------------------------------------------------------------------------------------------
* Fixed a bug in handling multiple parallel OCSP requests. These could run into
an assertion which terminated (and restarted) the child process where the task
was running. Eventually, all OCSP responses were collected, but not in the way
that things are supposed to work.
See also <https://bz.apache.org/bugzilla/show_bug.cgi?id=65567>.
The bug was possibly triggered when more than one OCSP status needed updating
at the same time. For example for several renewed certificates after a server
reload.
Added a test case to trigger this and verify correct behaviour.
v2.4.5
----------------------------------------------------------------------------------------------------
* Certificate/key pairs are verified as matching before a renewal is accepted
as successful or a staged renewal replaces the existing certificates.
This avoids potential mix-ups in the md store file system that could render the active
certificates non-working. [@mkauf]
v2.4.4
----------------------------------------------------------------------------------------------------
* Domain names in `<MDomain ...>` can now appear in quoted form. Fixes #257
* Fixed a failure in ACME challenge selection that aborted further searches
when the tls-alpn-01 method did not seem to be suitable. See #255
* Changed the tls-alpn-01 setup to only become unsuitable when none of the
dns names showed support for a configured 'Protocols ... acme-tls/1'. This
allows use of tls-alpn-01 for dns names that are not mapped to a VirtualHost.
v2.4.3
----------------------------------------------------------------------------------------------------
* Removed the old mod_ssl interworking code. The module now requires
Apache httpd 2.4.48 or newer.
* Fixed a potential null pointer dereference if ACME/OCSP server returned
2xx responses without content type. Reported by chuangwen.
v2.4.2
----------------------------------------------------------------------------------------------------
* This release needs at least Apache httpd 2.4.48 or later.
* Fixed missing definitions when compiling against libressl. [Giovanni Bechis <[email protected]>]
* Making sure mod_md initializes after mod_watchdog, as otherwise jobs are not registered.
* Adjusted test cases to work with mod_tls for OCSP stapling.
* Implemented the new OCSP provisioning hooks in apache core.
* Extended the test suite to also run against mod_tls. Run
`SSL_MODULE=tls pytest` to load an installed `mod_tls` into the server.
Using `mod_ssl` is the default.
* MDCertificateFile and MDCertificateKeyFile can now be specified several
times to add multiple, static certificates to a MDomain.
* pytest runs also from the top level directory.
v2.4.0
----------------------------------------------------------------------------------------------------
* MDPrivateKeys allows the specification of several types. Besides "RSA" with an optional
key length, elliptic curves can be configured. This means you can have multiple
certificates for a Managed Domain with different key types.
With `MDPrivateKeys secp384r1 rsa2048` you get one ECDSA and one RSA certificate;
all modern clients will use the shorter ECDSA certificate, while older clients will
get the RSA certificate.
Many thanks to @tlhackque who pushed and helped on this.
* Support added for MDomains consisting of a wildcard. Configuring `MDomain *.host.net`
will match all virtual hosts matching that pattern and obtain one certificate for it
(assuming you have 'dns-01' challenge support configured). Addresses #239.
* Removed support for ACMEv1 servers. The only known installation used to be Let's Encrypt
which has disabled that version more than a year ago for new accounts.
* Andreas Ulm (<https://github.com/root360-AndreasUlm>) implemented the `renewing` call
to `MDMessageCmd` that can deny a certificate renewal attempt. This is useful in clustered
installations, as discussed in #233.
* New event `challenge-setup:<type>:<domain>`, triggered when the challenge data
for a domain has been created. This is invoked before the ACME server is told to
check for it. The type is one of the ACME challenge types. This is invoked for
every DNS name in a MDomain.
* The max delay for retries has been raised to daily (like all retries, this is jittered
somewhat to avoid repeats at a fixed time of day).
* Certain error codes reported by the ACME server that indicate a problem with the
configured data now immediately switch to daily retries. For example: if the ACME
server rejects a contact email or a domain name, frequent retries will most likely
not solve the problem. But daily retries still make sense as there might be an
error at the server and un-supervised certificate renewal is the goal. Refs #222.
* Test case and work around for domain names > 64 octets. Fixes #227.
When the first DNS name of an MD is longer than 63 octets, the certificate
request will not contain a CN field, but leave it up to the CA to choose one.
Currently, Let's Encrypt looks for a shorter name in the SAN list given and
fails the request if none is found. But it is really up to the CA (and what
browsers/libs accept here) and may change over the years. That is why
the decision is best made at the CA.
* Retry delays now have a random +/-[0-50]% modification applied to let retries from several
servers spread out more, should they have been restarted at the same time of day.
* Fixed several places where the 'badNonce' return code from an ACME server was not
handled correctly. The test server 'pebble' simulates this behaviour by default
and helps nicely in verifying this behaviour. Thanks, pebble!
* Set the default `MDActivationDelay` to 0. It was confusing to users that
new certificates were deemed not usable before a day of delay. When clocks are
correct, using a new certificate right away should not pose a problem.
* When handling ACME authorization resources, the module no longer requires the server
to return a "Location" header, as was necessary in ACMEv1. Fixes #216.
* The test suite now also runs with the `Pebble` server. Using `configure`
with `--with-boulder` or `--with-pebble` selects the default
URLs for both test servers.
* mod_md is enabled in freebsd's apache24 package since August 2020, thanks to
Mina Galić (@igalic). Nice!
* Fixed a theoretical uninitialized read when testing for JSON error responses from the
ACME CA. Bugreported at <https://bz.apache.org/bugzilla/show_bug.cgi?id=64297>.
(Ported from maintenance-2.2.x branch)
* ACME problem reports from CAs that include parameters in the Content-Type header are handled correctly.
(Previously, the problem text would not be reported and retries could exceed CA limits.)
* Account Update transactions to V2 CAs now use the correct POST-AS-GET method. Previously, an
empty JSON object was sent - which apparently LE accepted, but others reject.
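The retry behaviour described in the v2.4.0 entries above (delays capped at daily, a random +/-[0-50]% jitter, and an immediate switch to daily retries for errors that point at the configured data) and the multi-CA failover from v2.4.16 (`MDRetryDelay`, `MDRetryFailover`) combine into one small scheduler. The following is an added example of that logic, not mod_md's own implementation: it assumes exponential doubling from the first delay, a rotation to the next configured CA every `failover_after` consecutive errors, and a hypothetical set of ACME problem types that count as configuration errors. The RNG is seedable so the jitter is reproducible in tests.

```python
"""Renewal retry scheduling with jitter, daily cap and CA failover
(example code, not mod_md's own). Backoff shape, failover rotation and the
problem-type classification below are assumptions of this example."""
import random
from typing import Optional, Sequence

DAY = 24 * 3600

# Hypothetical classification: problems that mean the configured data itself
# is rejected, where frequent retries cannot help (the changelog names rejected
# contact emails and domain names as the motivating cases).
CONFIG_PROBLEM_TYPES = {
    "urn:ietf:params:acme:error:invalidContact",
    "urn:ietf:params:acme:error:rejectedIdentifier",
}


def base_delay(errors: int, first_delay: int, config_error: bool) -> int:
    """Seconds to wait before the next attempt after `errors` consecutive failures."""
    if errors <= 0:
        return 0
    if config_error:
        return DAY  # straight to daily retries; keep trying unsupervised
    return min(first_delay * 2 ** (errors - 1), DAY)


def jitter(delay: int, rng: random.Random) -> int:
    """Random +/-[0-50]% modification so several servers restarted at the same
    time of day do not hammer the CA in lockstep."""
    return int(delay * (1.0 + rng.uniform(-0.5, 0.5)))


class RenewalSchedule:
    """Per-MDomain retry state: error counter, current CA and next delay."""

    def __init__(self, cas: Sequence[str], first_delay: int = 300,
                 failover_after: int = 2, seed: Optional[int] = None) -> None:
        if not cas:
            raise ValueError("at least one CA is required")
        self.cas = list(cas)
        self.first_delay = first_delay
        self.failover_after = failover_after
        self.rng = random.Random(seed)
        self.errors = 0
        self.ca_index = 0

    @property
    def current_ca(self) -> str:
        return self.cas[self.ca_index]

    def record_failure(self, problem_type: Optional[str] = None) -> int:
        """Count a failed attempt, rotate the CA after `failover_after` errors
        and return the jittered delay until the next attempt. The counter is
        only reset by success; resetting it here would flatten the backoff."""
        self.errors += 1
        if len(self.cas) > 1 and self.errors % self.failover_after == 0:
            self.ca_index = (self.ca_index + 1) % len(self.cas)
        config_error = problem_type in CONFIG_PROBLEM_TYPES
        return jitter(base_delay(self.errors, self.first_delay, config_error), self.rng)

    def record_success(self) -> None:
        self.errors = 0
```

Two properties worth keeping when adapting this: the error counter must survive across attempts (the v2.4.9 entry above describes a bug where it was reset and the increasing delays vanished), and the jitter bounds mean a delay can be up to half the nominal value, so any monitoring that alerts on "retry too early" has to allow for that.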
v2.2.8
----------------------------------------------------------------------------------------------------
* Disabling retries on "GET as POST" requests as that leads to undefined behaviour. See #232.
* Trying to read certificates from a "text/plain" response as well, since some
servers seem to use that (see #232).
* Synchronized with Apache trunk. Spelling fixes and an added check when unsuccessfully
reading JSON files.
* Fixed a theoretical uninitialized read when testing for JSON error responses from the
ACME CA. Bugreported at <https://bz.apache.org/bugzilla/show_bug.cgi?id=64297>.
v2.2.7
----------------------------------------------------------------------------------------------------
* Prefer the MDContactEmail directive to ServerAdmin for registration. New directive
thanks to Timothe Litt (@tlhackque).
* Distribute a2md.xml and conditionally build it, if xmlto is available. Addition
by Joe Orton (@notroj).
v2.2.6
----------------------------------------------------------------------------------------------------
* Michal Karm Babacek (@Karm) added `cmake` support, especially valuable under Windows.
* The protocol check for a pre-configured "tls-alpn-01" challenge has been improved. It will now
check all matching virtual hosts for protocol support. Thanks to @mkauf.
v2.2.5
----------------------------------------------------------------------------------------------------
* Corrected a check when OCSP stapling was configured for hosts
where the responsible MDomain is not clear, by Michal Karm Babacek (@Karm).
* @uhliarik added documentation for the `a2md` command. Use `xmlto man ./a2md.xml` to generate it.
* Softening the restrictions on where mod_md configuration directives may appear. This should
allow for use in <If> and <Macro> sections. Whether all possible variations lead to the configuration
you wanted in the first place is another matter.
v2.2.4
----------------------------------------------------------------------------------------------------
* Fixed a compile time issue with OpenSSL 1.0.2 in the new OCSP code.
* Skip port checks for domain server_rec selection when "tls-alpn-01" is configured
explicitly (related to #133). [@mkauf]
* Added a sample scripts/md_message.sh on how to use `MDMessageCmd`.
v2.2.3
----------------------------------------------------------------------------------------------------
* Configuring MDCAChallenges replaces any previous existing challenge configuration. It
had been additive before which was not the intended behaviour. [@mkauf]
* Fixing order of ACME challenges used when nothing else configured. Code now behaves as
documented for `MDCAChallenges`. Fixes #156. Thanks again to @mkauf for finding this.
* Added a script - inspired by curl <https://github.com/curl> - that collects contributors
from the git commits and PRs. Adding a "Thanks" section with their names in the README.md.
v2.2.2
----------------------------------------------------------------------------------------------------
* Fixing a potential, low memory null pointer dereference [thanks to @uhliarik].
* Fixing an incompatibility with a change in libcurl v7.66.0 that added an unwanted
"transfer-encoding" to POST requests. This failed in direct communication with
the Let's Encrypt boulder server (however it worked when accessed via the hosting CDN,
as almost all live usages do). Thanks to @mkauf for finding and fixing.
v2.2.1
----------------------------------------------------------------------------------------------------
* Fixes a compiler warning. A false positive, but the initialization to make it happy does not hurt.
Thanks to @sundayoyeniyi for finding this. Refs #154.
v2.2.0
----------------------------------------------------------------------------------------------------
* No longer beta status.
* Synched with Apache trunk and planned for 2.4.x backport when all works well there.
* Re-importing of log tags assigned in Apache project.
* Some documentation clarifications.
v2.1.10
----------------------------------------------------------------------------------------------------
* If 'MDBaseServer' is enabled and there is no specific VirtualHost for a domain, the
base server config is considered the relevant one for deciding ACME support. This
is most relevant for the 'tls-alpn-01' challenge, see issue #150.
* MDMessageCmd is now invoked with 'installed' when the certificate is actually becoming
active at server startup/reload. Unlike all other messages, this one is invoked
while the server is still root and has the corresponding privileges. (Hint: you may use this
to copy a certificate+key to another application's preferred location/format.)
v2.1.9
----------------------------------------------------------------------------------------------------
* server-status no longer leaves the "activity" column empty when a renewal is ongoing.
* server-status activity: report a renewal as "pending" when it is due but no job has been
started yet.
* Removed the "valid after" time as this was confusing. The new certificate is already
valid, it is only recommended to wait a bit with the activation. Admins are probably
better aware what the clock skew requirements of their site are.
v2.1.8
----------------------------------------------------------------------------------------------------
* Some notification cleanups:
- notifications about errors no longer change the status of the ongoing renewal.
- notifications about a successful renewal are re-attempted on failure, just like
other failures cause a retry with a backing-off delay.
- warnings about expiring certificates are only sent if there is no renewal
already done (but maybe not activated yet) for a domain.
- failure to notify about expiring certificates also causes a retry and is cleared
when/if finally successful.
v2.1.7
----------------------------------------------------------------------------------------------------
* Changed server-status section headings to make more clear what is listed there.
* No longer listing the logs in the top-level md-status handler (where all managed
domains are listed). The status of a particular domain still has the log.
* Fixing some signedness warnings in clang 11.
* Fixes a bug in the time period calculation for removing old OCSP response files.
v2.1.6
----------------------------------------------------------------------------------------------------
* Fixed issue #145 where a server restart was not done when recommended and the check
got called in a tight loop, eventually calling message commands again and again.
Test case added for this.
* 'make test' will now trigger the build if not done before. Removed some obsolete
test special targets.
* Starting to integrate with travis for build and test coverage.
* Documented how MDCAChallenges now overrides any port sanity checks.
v2.1.5
----------------------------------------------------------------------------------------------------
* Fixed a crash when the server-status page was retrieved in text form (e.g. the server-status?auto
URL) and a MDomain had been renewed. Test case added. Fixes #141.
* Test suite: rework on how httpd config is set up to allow for MDomain tests that use
the base server and listen only on one port.
v2.1.4
----------------------------------------------------------------------------------------------------
* added test case for #142 and fixed a bug in JSON array handling introduced in 2.1.3
v2.1.3
----------------------------------------------------------------------------------------------------
* added more trace2 level logging in server-status collection to help issue #141
* fixed the status handling to return job information from staging also when the certificate
is not there yet.
* fixed a bug in JSON handling that decremented refcounters wrongly when setting another
JSON object at a key where none was allowed. Added test case.
* OCSP Stapling information in "server-status" is now sorted alphabetically.
* add a CA column to Managed Domains table
* urls are now displayed as links with the hostname or known name as text.
* Similarly to the OCSP status, certificate status 'ok' is now 'good'. It will turn to 'expired'
should the certificate validity pass the current clock.
v2.1.2
----------------------------------------------------------------------------------------------------
* Refactoring the initialization to distinguish between VirtualHost definitions that have
SSLEngine on and those that do not. The advantages are:
- No MDPortMap definition is necessary to detect where SSL certificates are needed.
- mod_md will only collect ServerName/ServerAlias from VirtualHosts that use SSL.
- One can have a 'catch-all' VirtualHost on port 80 using all domains without them
bleeding back into the MD definitions.
* Initialization no longer traverses the complete md store; it reads configured MD JSON
files only once and writes them only when changed. Only when a new MD is added or
an existing one renamed (the first domain member changes) is the store searched
for old definitions and certificates. This search only looks at MDs outside the current
set and should remain efficient with many MDs configured.
Example: if you have 100 MDs and rename 1, mod_md will see the 99 directories that stayed
and load the one unmatched to check for a rename.
v2.1.1
----------------------------------------------------------------------------------------------------
* Fixed a bug where the "acme-tls/1" protocol setting was not recognized on the base server
(with "MDBaseServer on").
* ACME errors returned during account creation are now added to the job log.
* A missing ServerAdmin is now properly logged at the renewal job.
v2.1.0
----------------------------------------------------------------------------------------------------
* Fixed a crash in the "server-status" handler when stapling was enabled but no status information
could be found.
* Toning down some INFO level logging to DEBUG or lower.
* new directive 'MDCertificateMonitor' to allow configuration of the check HTML links rendered
in the server-status page.
* server-status timestamps now in a better readable format. Some columns have been merged.
* Much more verbose data logging when OCSP responses could not be parsed.
* Fixed a bug with suppressing "Expect" header sending.
* MDMessageCmd is now also invoked for stapling with reasons 'ocsp-renewed' and 'ocsp-errored'.
* Fixed a bug where notifications about an expiring certificate were sent out too often.
* "md-status" handler now also adds OCSP stapling logs to the JSON output.
* Patch files for Apache trunk and 2.4.x branch are now empty. mod_md will work with
unpatched copies of those.
* Converted pytest suite from python2 to python3. "make test" now calls "python3 -m pytest".
* "server-status" page now carries a new table of all OCSP stapling certificates managed
by mod_md stapling. Shifted ocsp related information in JSON "md-status" around a bit.
* New directive "MDStaplingRenewWindow" to configure when OCSP response should be renewed.
* OCSP response cleanup implemented and test case added.
* bringing over APLOGNO() number assignments from apache subversion tree.
* Fixed a compile error on warn level about redefinition of AP_ENABLE_EXCEPTION_HOOK. Fixes #132.
* New directive "MDStaplingKeepResponse" for controlling how long OCSP responses are
kept in the store and older ones get removed at start up.
* Error reports by an ACME CA may include "subproblems", where several causes may be reported.
These are now part of the md-status reporting and also logged. Test cases added.
* OCSP status and validity now part of md-status resource.
* The number of log entries for a single job is now limited to 128. New entries will
cause the oldest ones to be removed.
* OCSP Stapling renewal jobs are now also persisted in the store.
* Fixed a use-after-free when updating accounts from the server.
* CA reported problems when authorization challenges fail are now visible in the renewal log.
* backoff timing for failed OCSP retrieval attempts. The specific OCSP update will be
  delayed accordingly.
* ocsp responses up for renewal are checked periodically for updates in the store.
* ocsp responses are now saved in and retrieved from store. Concurrent access in place, timed
invalidation handling still missing.
* first own ocsp test successful.
* first ocsp responses are retrieved, but the cache does not work cross-process yet.
* New directive "MDStapling on|off".
* Overall, connect and stall timeouts set in http client requests.
* Prepping http client for multi request handling in parallel.
* Adaptions for new mod_ssl interface via hooks, as available in apache trunk.
* Fixing NULL dereferences when unable to load certificate chains from staging.
* Updating a newly created account in a2md right away to make sure it responds.
v2.0.6
----------------------------------------------------------------------------------------------------
* MDs with static certificate (MDCertificateFile) are not auto-renewed. But they are watched
for expiration and trigger a configured MDMessageCmd.
* ACME challenge method 'tls-alpn-01' is now checked for each domain in an MD individually
and no longer needs to be available for all domains.
v2.0.5
----------------------------------------------------------------------------------------------------
* Renewal jobs now have their own log attached with timestamps when renewal was started,
ran into errors, finished. The job JSON files are copied from staging into the domain
directory for possible later review.
* job logs now list all activities during renewal.
* new `MDMessageCmd` added as alternative to MDNotifyCmd. This command is called with an
  additional "reason" parameter that specifies what happened to the managed domain.
* `MDNotifyCmd` is now called for each domain that has been successfully renewed, instead of
  once for all Managed Domains after all have been processed. This gives notifications earlier.
Notification errors are now also collected under MD status and notifications are retried
with backoff delays.
* New directive `MDServerStatus` to control if Managed Domains are listed in Apache's
`server-status` handler or not. Default yes.
* New directive `MDCertificateStatus` to control if JSON certificate information on a domain
should be made available on https://<domain>/.httpd/certificate-status or not. Default yes.
* fixed a bug that checked ACMEv2 authorizations against the server several times unnecessarily.
v2.0.4
----------------------------------------------------------------------------------------------------
* Updated README.md with new directives and howto.
* New directives "MDCertificateFile" and "MDCertificateKeyFile" that allow defining
Managed Domains for certificates coming from somewhere else.
* "MDRenewMode" is the new name of "MDDriveMode" (which is still available for
backward compatibility). This should make it easier to understand what it does.
* Removing some fields from the store MD JSON, now that we can inspect the pubcert itself
  all the time. Fewer store updates.
* Dropped support for the pre-v1.x function that mod_ssl used in ancient patches.
* public cert chain now gets cached in memory before server drops privileges, so we always
have access to it. Allowed to drop some pre-computed values such as the SHA256 fingerprint.
* Adding "<MDomain name>" as a shortcut to "<MDomainSet name>". It just reads that much better.
* More "how to"s in README.md
* `MDPortMap` directive now also accepts `http` and `https` as external ports. `http:8888` would
mean that http requests from the internet arrive on local port 8888.
* Started "how to"s in README.md
* MDRequireHttps handler now runs after mod_ssl, so that SSL errors are reported first.
* All GET requests against an ACMEv2 endpoint (except directory and nonce retrievals), are
now made as POST with an empty, JWS signed body. See
<https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets/74380>
for the necessity of this API change at LetsEncrypt.
v2.0.3
----------------------------------------------------------------------------------------------------
* Fixed an integer overrun for renewal window configuration on 32bit systems that caused
  renewal windows to drop to 0, i.e. renewal only when expired. This only happened when
MDRenewWindow was explicitly configured.
* JSON format of /.httpd/certificate-status slightly altered. See README.md for details.
* ACME errors and problems in challenge selection that point to configuration mistakes
are now visible in the md-status handler.
* Testsuite cleanup and use of new md-status handler to verify progress.
* IMPORTANT: upgrade behaviour changed. MDs that do not have `MDCertificateAuthority` configured
explicitly all get the new ACMEv2 default endpoint of Let's Encrypt. See README.md chapter
about upgrading for the background of this.
* Added chapter about the upcoming end-of-life changes for ACMEv1 at LetsEncrypt.
* Extracting certificate transparency SCT (the signature from CT logs) from a staged
certificate and displaying these on /.httpd/certificate-status. A monitoring client
may use this to verify the signatures against the CT logs, even though the log may not
yet show the certificate (maximum merge delay seems to be at 24 hours on most logs).
v2.0.2
----------------------------------------------------------------------------------------------------
* Fixing configuration startup (e.g. dry run) to sync with the store again. This lets
  us find renamed MDs and use their correct paths. With wrong paths, mod_ssl gets unhappy
and logs errors (see #125).
* Adding an experimental "check" column to server-status with links to known certificate
checker sites.
* Certificate validity now appears as "valid-from"/"valid-until" pair.
* Adding SHA256 fingerprint to certificate-status for renewed certificate.
* md-status handler fixed to work on nested path locations as well.
v2.0.1
----------------------------------------------------------------------------------------------------
* New handler "md-status" that can be configured to return the state of all MDs in JSON format.
* Append the name or domain of an MD to the "md-status" url path and get the JSON of just
that MD.
v2.0.0
----------------------------------------------------------------------------------------------------
* Updating the documentation by pulling the wiki into README.md and making the necessary
additions and edits.
* If a MDomain is removed, all its challenge store information is purged as well. Test
case for that added. Fixes #93
* The ACMEv2 endpoint of Let's Encrypt is now the default for new MDs. Existing MDs will keep
their values unless one explicitly configures a 'MDCertificateAuthority'.
* Non-HTML format of mod_status now lists number of ok/renew/error/ready MDomains.
v1.99.12
----------------------------------------------------------------------------------------------------
* Status lists private key specification, if different from default RSA(2048).
* Status shows list of MDs sorted alphabetically.
* Status now shows message from a failed renewal with information and error code on where/why
it failed.
* At startup, an initial ACME parameter check is performed. More details are given when
  ACME challenge methods are unavailable as to the cause. server-status lists these per MD.
* Adding challenge type 'tls-alpn-01' to ACMEv1 as well.
* server-status columns compressed. Expiry/Valid timestamp given as dates only for better
readability. Full time as tooltip.
* Renewal jobs properties are persisted after each run. This preserves status and schedules
when switching child processes by mod_watchdog. It also allows server-status to provide
more information about ongoing activities.
* Cleanup of post config work to make the dry-run phase faster and avoid double loadings
of MD data from the file system.
* Splitting out certificate driving in separate source. Logging errors/warnings about
  MDomains that cannot be renewed once at post config.
v1.99.11
----------------------------------------------------------------------------------------------------
* Rework of MD's contribution to httpd 'server-status' page. Better formatting, reordering, using
absolute GMT timestamps.
v1.99.10
----------------------------------------------------------------------------------------------------
* MD status now initialized fully in global list. Fixes new status handler to assess
things even when running in non-privileged setup where access to file system is no
longer allowed.
v1.99.9
----------------------------------------------------------------------------------------------------
* A domain that is managed by md now exposes a status resource at /.httpd/certificate-status
in JSON format. This lists serial number, valid-from, expires and the cert itself in base64url
  encoding. Not highly relevant since the connection exposes the certificate already.
When a domain certificate has been renewed however, the same properties of the renewed
cert are available under the field "staging". When the server is restarted and the cert
is activated, these disappear again. This makes it easy to scan domains for pending
certificate renewals and also gives information of upcoming certificates right away.
* Added MD section to Apache's "server-status" page listing all managed domains and their
settings, renewal status and error count.
v1.99.8
----------------------------------------------------------------------------------------------------
* Merge of changes up to 1.1.19
* Fix for #117, explicitly set file permissions to work around umask defaults.
v1.99.7
----------------------------------------------------------------------------------------------------
* Fix by @nono303 to fix the Windows build that was broken in the last release.
v1.99.6
----------------------------------------------------------------------------------------------------
* When the server is not started by root, the module no longer tries to chown() the
staging and challenges directories as User and Group directives are ignored. Fixes #115.
* When a md.json file in the store cannot be parsed, it is ignored and overwritten during
  initial sync at server start.
* When migrating from ACMEv1 to ACMEv2 on the same host, the account private key of an
existing account is reused on registration. Let's Encrypt internally treats this as
  the same account, although it is exposed using different urls. This helps keep
the waste of large prime numbers at a manageable level and allows for more useful
statistics from ACME CAs.
v1.99.5
----------------------------------------------------------------------------------------------------
* Enhanced checks for wildcard domain names in certificate coverage.
* ACME authorizations and certificate requests only done for minimal set of domain names,
  i.e. domains covered by a wildcard are left out. LE CA requires this.
* First successful wildcard certificate signup in test suite
* Old and long deprecated configuration directives "ManagedDomain(s)" removed.
* Challenge type 'tls-sni-01' removed as it has been disabled by Let's Encrypt.
* When the ACME server threw its challenges at us, we selected the first among the
configured/supported ones and ran that. When it failed, the whole authorization
failed until the retry kicked in. Now, on a failed challenge startup, we look for the
next possible challenge type and try that.
This allows for challenge types that are configured and maybe supported in general,
but do not work for all domains. E.g. when we add DNS challenge support, that type
may only work for a subset of the domains.
  Instead of putting the burden on the user to configure the MDomains individually and
  correctly, the DNS challenge setup can just return APR_ENOTIMPL and another challenge
type is used (if available).
* configure updated to better work with non-standard curl library locations.
v1.99.4
----------------------------------------------------------------------------------------------------
* tls-alpn-01 challenge method, when available, is now preferred.
* configure now checks the libcurl version to be at least 7.50, as does the Apache configure.
v1.99.3
----------------------------------------------------------------------------------------------------
* OpenSSL initialization disabled in the module. Leaving that to mod_ssl/APR.
* mod_ssl trunk patch is now empty, changes have been committed into Apache trunk.
* ACME order/challenge cleanup now runs immediately after a successful renewal and does
not wait for a server restart.
v1.99.2
----------------------------------------------------------------------------------------------------
* fixed bug where a new ACME account was created for each new ACME managed domain when the existing
accounts did not exist or were no longer valid/applicable.
v1.99.1
----------------------------------------------------------------------------------------------------
* adding test cases for migrating MDs from ACMEv1 to ACMEv2
* adding test case for checks that missing "acme-tls/1" protocol config is detected
* removing version number for local ACME account storage again (added in v1.99.0). An account
is only suitable for an ACME server if it matches the directory url exactly.
* export symbols in the module are restricted to reduce size a bit
v1.99.0
----------------------------------------------------------------------------------------------------
* EXPERIMENTAL, EARLY support for the ACMEv2 protocol. Not enabled by default, see README.md.
* mod_md checks for each domain if the 'Protocols' directive allows the 'acme-tls/1' protocol.
Only then is the challenge method 'tls-alpn-01' enabled for a MD.
* first successful tls-alpn-01 test
* test_700 auto tests now working as test_702 for ACMEv2
* test_600 roundtrip tests now working as test_602 for ACMEv2
* test_500 drive tests now working as test_502 for ACMEv2
* More test cases regarding ACMEv2 account handling.
* Removed "id" field from ACME accounts as redundant. Internal cleanup of account handling.
* Integrated recent changes from Apache subversion.
* Starting support for ACMEv2 protocol
* MDCertificateAgreement has new value 'accepted' instead of the Terms-of-Services URL. This
avoids confusion and reflects more what ACMEv2 protocol requires. For ACMEv1 servers, the
correct URL is retrieved from the server's meta data when 'accepted' is configured.
v1.1.17
----------------------------------------------------------------------------------------------------
* fixed several coding bugs in detection of ACME challenge changes, e.g. when the local
MDomains changed and challenges for others had already been set up. Fixes thanks to
Michael Kaufmann (@mkauf).
* added log messages when (supposed) ACME server's answer was not understood (by @mkauf)
* eliminated some compiler warnings about signedness and unused variables.
v1.1.16
----------------------------------------------------------------------------------------------------
* When you move the last domain name from an MD to another one, that now empty MD gets moved
to the store archive. The JSON file will still show the last domain, in case you want
  to resurrect after a (human) configuration error. Fixes PR 62572
(see <https://bz.apache.org/bugzilla/show_bug.cgi?id=62572>).
v1.1.15
----------------------------------------------------------------------------------------------------
* Using libressl new integration of openssl API functions when available.
* making some timed wait in test_0700 more robust
v1.1.14
----------------------------------------------------------------------------------------------------
* Preventing other modules from messing with challenge responses. Fix by @mkauf. Thanks!
v1.1.13
----------------------------------------------------------------------------------------------------
* adding test cases for accessing a variety of paths for http-01 challenges to confirm
proper http responses (see #92). Reworked handler to fix edge cases discovered.
* adapted test cases for new ACME boulder versions that shifted ACMEv1 to another port
* adapted test case domain from the now forbidden example.org to not-forbidden.org
v1.1.12
----------------------------------------------------------------------------------------------------
* less confusing logging when MDNotifyCmd returns a failure exit code
* MDNotifyCmd can be configured with arguments to which the managed domain
names are appended on invocation
* added more test cases for MDNotifyCmd use
v1.1.11
----------------------------------------------------------------------------------------------------
* fixes a NULL dereference when specially crafted requests are sent to the server. Reported
by Daniel Caminada <[email protected]>.
v1.1.10
----------------------------------------------------------------------------------------------------
* fixes error in renew window calculation that may lead to mod_md running
watchdog in a tight loop until actual renewal becomes necessary.
* /.well-known/acme-challenge requests that cannot be answered for hostnames
outside the configured MDs are free to be answered by other handlers. This allows
  co-existence between mod_md and other ACME clients on the same server (implements PR62189).
Suggested by Arkadiusz Miskiewicz <[email protected]>.
v1.1.9
----------------------------------------------------------------------------------------------------
* Removed boulder check from configure. Not everyone building the module needs it installed.
Fixes #76.
* Tests with boulder now need a later revision >= 2018-01-10 or you will see failures in the
0800 tests.
* Updated with log format fixes and copyright ASF insistence from apache httpd trunk
v1.1.8
----------------------------------------------------------------------------------------------------
* new configuration directive "MDBaseServer on|off" to allow/inhibit management of the base
  server domains outside VirtualHosts. By default, this is "off", i.e. mod_md will not manage
certificates or perform https: redirections on the base server. This follows the
principle of least surprise.
* Fixed gcc warnings.
v1.1.7
----------------------------------------------------------------------------------------------------
* MDMustStaple was unable to create the necessary OpenSSL OBJ identifier on some platforms,
  possibly because this fails if the OID is already configured in `openssl.cnf`, see
[here](https://github.com/openssl/openssl/issues/2795).
* Two memory leaks in cert issuer and alt-names lookup eliminated by Yann Ylavic.
* Changing MDMustStaple triggers certificate renewal.
v1.1.6
----------------------------------------------------------------------------------------------------
* Fixing a bug when code in assert() checks is not executed.
v1.1.5
----------------------------------------------------------------------------------------------------
* Some attempts at code readability, increased logging level for fallback cert generation that
was swept under the DEBUG carpet before.
* More verbosity when *not* handing out certificates, e.g. mod_ssl asks, but mod_md has no
idea what it is talking about. Some people report misbehaviour here.
* Re-enabled support for md_get_credentials() function that was used in older mod_ssl
patch, so that people with old patched servers get a chance to upgrade.
v1.1.4
----------------------------------------------------------------------------------------------------
* When ACME fails to authenticate your domain, the exact server answer is logged
as error. This helps to find out the reason for the failed challenge, for example
when ACME reports a 'Timeout' if it could not reach your server. Implements #70.
v1.1.3
----------------------------------------------------------------------------------------------------
* Fixed wrong mem pool use for auto-added server names.
v1.1.2
----------------------------------------------------------------------------------------------------
* The first configuration check was skipping parts that are needed, especially for new
  MDs, and crashed when mod_ssl called back "too early". Reverting that change.
v1.1.1
----------------------------------------------------------------------------------------------------
* Fixed backward compatibility to '<ManagedDomain' configurations, used in pre v1.1.0 versions
to continue working. Test case added.
* added httpd version checks to test cases that make use of 2.5.0 mod_ssl features. Tests now
run clean against a 2.4.30 installation.
v1.1.0
----------------------------------------------------------------------------------------------------
* IMPORTANT: name change in configuration directives. The Apache team decided that the current
names would confuse you, the users, and asked for a change. The old names are still working
in this version, so you can safely upgrade.
They will give warnings in the log and will disappear in the immediate future.
* ManagedDomain is now MDomain
* <ManagedDomain> is now <MDomainSet>
v1.0.7
----------------------------------------------------------------------------------------------------
* removed old EXPERIMENTAL code for defaulting to Let's Encrypt staging area.
* acme now follows "up" link headers to retrieve issuer certificate chain. This
will lead to shorter chains as the "up" links will stop at the cert that browsers
trust instead of always going to the topmost root.
See https://github.com/letsencrypt/boulder/issues/3259
* Fixed a missing argument in a debug log statement.
v1.0.6
----------------------------------------------------------------------------------------------------
* fix in configure: checking for the correct arc4random_buf now.
v1.0.5
----------------------------------------------------------------------------------------------------
* restricting post_config dry run to be more silent and performing
only necessary work for mod_ssl to be also happy with the configuration.
v1.0.3
----------------------------------------------------------------------------------------------------
* fixed various bugs in persisting job properties, so that status is persisted across
child process changes and staging is reset on reloads.
* changed MDCertificateAgreement url checks. As long as the CA reports that the account
has an agreement, no further checking is done. Existing accounts need no changes when
a new agreement comes out. This is as Let's Encrypt rolls.
v1.0.2
----------------------------------------------------------------------------------------------------
* staging reset on reload also triggered when MDCertificateAgreement was initially missing.
v1.0.1
----------------------------------------------------------------------------------------------------
* ServerName/Alias names from pure-http: virtual hosts are no longer auto-added to a Managed Domain.
Fixes issue #57.
* Error counts of jobs are persisted now. When the server restarts (gracefully) any errored
staging areas are purged to reset the signup/renewal process. Fixes issue #55
v1.0.0
----------------------------------------------------------------------------------------------------
* New directive 'MDNotifyCmd' that will run when Managed Domains have been signed up/renewed. The
  names of the MDs are given as arguments to the command.
v0.9.9
----------------------------------------------------------------------------------------------------
* Protocol driving now *applies* correct server properties for http/https challenge selection,
with new test cases (fixes issue #52).
v0.9.8
----------------------------------------------------------------------------------------------------
* Protocol driving now uses correct server properties for http/https challenge selection
(refs issue #52).
v0.9.7
----------------------------------------------------------------------------------------------------
* When building against 2.4.x, one probably needs to configure without `--enable-werror`,
since there were some warnings fixed in Apache httpd trunk.
* Removed obsolete function from interface to mod_ssl. Module now requires at least mod_ssl
patch v4 in place.
* Fallback certificates now have a version set and no longer claim to be a CA. (re issue #32)
* `MDRequireHttps` now happens before any `Redirect`.
* added some compiler warning flags and adding casts/eliminating some unused params accordingly
v0.9.6
----------------------------------------------------------------------------------------------------
* For Managed Domains with 'MDRequireHttps permanent' a HSTS (rfc6797) header is added
in the response with value 'max-age=15768000', if not already there.
v0.9.5
----------------------------------------------------------------------------------------------------
* New directive (srly: what do you expect at this point?) "MDMustStaple on|off" to control if
new certificates are requested with the OCSP Must Staple extension.
* Known limitation: when the server is configured to ditch and restart child processes, for example
after a certain number of connections/requests, the mod_md watchdog instance might migrate
to a new child process. Since not all its state is persisted, some messages might appear a
second time in the logs.
* --with-openssl configure option provided by [caminada](https://github.com/caminada) to
specify an uncommon location of the lib.
* --with-jansson configure option provided by [caminada](https://github.com/caminada) to
specify an uncommon location of the lib.
* Adding checks when 'MDRequireHttps' is used. It is considered an error when 'MDPortMap 443:-'
is used - which negates that a https: port exists. Also, a warning is logged if no
VirtualHost can be found for a Managed Domain that has port 443 (or the mapped one) in
its address list.
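An added configuration example (not from the mod_md ChangeLog or project) showing how the `MDRequireHttps` and `MDPortMap` checks above fit together; the domain names and port numbers are assumed, and the `http:`/`https:` form of `MDPortMap` is the one introduced in v2.0.4, while the older `80:8000 443:8001` form is equivalent.

```apache
# Added example; example.org and the local ports 8000/8001 are assumed values.
Listen 8000
Listen 8001

MDCertificateAgreement accepted
MDomain example.org www.example.org

# Redirect http: requests for the Managed Domain permanently. mod_md then adds a
# HSTS header (max-age=15768000) to https: responses if none is present.
MDRequireHttps permanent

# The internet-facing ports 80/443 are forwarded to 8000/8001 locally, so tell
# mod_md where external http:/https: traffic actually arrives.
MDPortMap http:8000 https:8001

# Rejected at config check: "MDPortMap 443:-" states that no https: port exists,
# which contradicts MDRequireHttps (there is nothing to redirect to).
# MDPortMap 443:-

# http: vhost on the mapped port answers ACME http-01 challenges and gets the redirect.
<VirtualHost *:8000>
    ServerName example.org
    ServerAlias www.example.org
</VirtualHost>

# The https: vhost on the mapped port. Without a vhost on 443 (or its mapped port)
# for the Managed Domain, mod_md logs a warning.
<VirtualHost *:8001>
    ServerName example.org
    ServerAlias www.example.org
    SSLEngine on
</VirtualHost>
```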
v0.9.4
----------------------------------------------------------------------------------------------------
* New directive 'MDRequireHttps' for redirecting http: traffic to a Managed Domain, permanently
or temporarily.
* Fix for using a fallback certificate on initial signup of a Managed Domain. Requires also
a changed mod_ssl patch (v5) to take effect.
v0.9.3
----------------------------------------------------------------------------------------------------
* Some sanity checks for MDHttpProxy parameter.
* Rewrote logic to re-schedule MD jobs and announce renewal completion and server restarts. Related
to issue #42
* Additional tweaks for libressl support, thanks to @Sp1l
* Implemented alternative for OpenSSL ASN1_TIME_diff() helper which is not available in
libressl.
v0.9.2
----------------------------------------------------------------------------------------------------
* Fixes for conversions in gcc, fixed duration parsing when apr_strtoi64() defaults to 0 on
not seeing any digit.
* New config directive 'MDHttpProxy <url>' to specify a HTTP(S) proxy for outgoing connections.
Supported in a2md with the '--proxy <url>' command line option.
* Synched mod_ssl patch with Apache subversion again and made v4 of the patch. Only changes
were in log messages, so no need to repatch existing installations.
v0.9.1
----------------------------------------------------------------------------------------------------
* various fixes in MDRenewWindow handling when specifying percent. Serialization changed. If
someone already used percent configurations, it is advised to change these to a new value,
reload and change back to the wanted ones.
* various fixes in handling of MDPrivateKeys when specifying 2048 bits (the default) explicitly.
* mod_md version removed from top level md_store.json file. The store has its own format version
to facilitate upgrades.
v0.9.0
----------------------------------------------------------------------------------------------------
* Improved interface to mod_ssl for fallback handling. Backward compatible to previous mod_ssl
patch, but fallbacks will not work.
* Provide a temporary, self-signed certificate with a speaking command and domain name if we
have no other cert for a Managed Domain, yet. Refs github issue #32
* Continue to provide expired or not-completely matching, existing certificate for a Managed
Domain until the renewal was successful. This is helpful when one adds a DNS name to
a MD, so the previous domains can be served while a new cert is requested.
v0.8.2
----------------------------------------------------------------------------------------------------
* All files necessary to run tests are not in the release package.
* Making "http-01" the preferred challenge type again, as "tls-sni-01" requires at least
  one working certificate vhost right now - which not everyone has.
* moved part of the MD sanity checks from post_config to check_config phase, allowing for error
detection in check-only runs.
v0.8.1
----------------------------------------------------------------------------------------------------
* New directive `MDPrivateKeys` to specify the type and parameter to private key generation.
  Currently only 'RSA' is supported as type with an optional number of bits >= 2048 as parameter.
  Simple test cases for config handling added.
* Private RSA keys are now generated with 2048 bits by default. Use `MDPrivateKeys` for
  higher security.
v0.8.0
----------------------------------------------------------------------------------------------------
* IMPORTANT: store format change. The following changes will be made to an existing md store on
first start with a new version (be it by mod_md in the server or a run by a new 'a2md'):
* pkey.pem will be renamed to privkey.pem
* cert.pem and chain.pem will be concatenated to pubcert.pem. The former files will remain,
but no longer be used. They will disappear on next renewal.
ADVICE: If the current store data is vital to you, please make a backup first!
v0.7.1
----------------------------------------------------------------------------------------------------
* Fixed test case clearing of store to keep key alive, enabling true random store key again.
* Removed pun "Something, like certbot" from the User-Agent request header. Refs issue #34
* Cleaned up reporting of missing/mismatched MDCertificateAgreement in the logs. This will
no longer trigger early retries.
* badNonce encounters are no longer reported as errors. Retries are attempted now silently.
Refs issue #35
* new default MDRenewWindow. Instead of 14 days, the default is now a third before the end of
  the certificate's lifetime. For the usual 90 days of Let's Encrypt certificates, this makes
an effective renewal window of 30 days - as recommended by LE. Refs issue #30
* Enabled conversion warnings if supported by compiler, eliminated several signed/unsigned
warnings.