Improve protocol check for pre-configured "tls-alpn-01" challenge

For "tls-alpn-01" challenges, mod_md checks whether there is a server that supports the "acme-tls/1" protocol. If the challenge "tls-alpn-01" is pre-configured with MDCAChallenges, the ports of the servers are ignored (see issue icing#133). If there are multiple servers matching a domain name, don't just look at the first server but search one that supports the "acme-tls/1" protocol. This is a follow-up to icing#159 and icing#133
mkauf · Jan 8, 2020 · 46b608b · 46b608b
1 parent bcb85b5
commit 46b608b
Showing 1 changed file with 17 additions and 6 deletions.
diff --git a/src/mod_md.c b/src/mod_md.c
@@ -436,37 +436,48 @@ static server_rec *get_public_https_server(md_t *md, const char *domain, server_
     md_srv_conf_t *sc;
     md_mod_conf_t *mc;
     server_rec *s;
+    server_rec *res = NULL;
     request_rec r;
     int i;
-    int skip_port_check = 0;
+    int check_port = 1;
 
     sc = md_config_get(base_server);
     mc = sc->mc;
     memset(&r, 0, sizeof(r));
 
     if (md->ca_challenges && md->ca_challenges->nelts > 0) {
         /* skip the port check if "tls-alpn-01" is pre-configured */
-        skip_port_check = md_array_str_index(md->ca_challenges, MD_AUTHZ_TYPE_TLSALPN01, 0, 0) >= 0;
+        check_port = !(md_array_str_index(md->ca_challenges, MD_AUTHZ_TYPE_TLSALPN01, 0, 0) >= 0);
     }
 
-    if (!skip_port_check && !mc->can_https) return NULL;
+    if (check_port && !mc->can_https) return NULL;
 
     /* find an ssl server matching domain from MD */
     for (s = base_server; s; s = s->next) {
         sc = md_config_get(s);
         if (!sc || !sc->is_ssl || !sc->assigned) continue;
         if (base_server == s && !mc->manage_base_server) continue;
-        if (base_server != s && !skip_port_check && mc->local_443 > 0 && !uses_port(s, mc->local_443)) continue;
+        if (base_server != s && check_port && mc->local_443 > 0 && !uses_port(s, mc->local_443)) continue;
         for (i = 0; i < sc->assigned->nelts; ++i) {
             if (md == APR_ARRAY_IDX(sc->assigned, i, md_t*)) {
                 r.server = s;
                 if (ap_matches_request_vhost(&r, domain, s->port)) {
-                    return s;
+                    if (check_port) {
+                        return s;
+                    }
+                    else {
+                        /* there may be multiple matching servers because we ignore the port.
+                           return a server that supports the acme-tls/1 protocol (if possible) */
+                        if (ap_is_allowed_protocol(NULL, NULL, s, PROTO_ACME_TLS_1)) {
+                            return s;
+                        }
+                        res = s;
+                    }
                 }
             }
         }
     }
-    return NULL;
+    return res;
 }
 
 static apr_status_t auto_add_domains(md_t *md, server_rec *base_server, apr_pool_t *p)