*) mod_md:

- Domain names in `<MDomain ...>` can now appear in quoted form. - Fixed a failure in ACME challenge selection that aborted further searches when the tls-alpn-01 method did not seem to be suitable. - Changed the tls-alpn-01 setup to only become unsuitable when none of the dns names showed support for a configured 'Protocols ... acme-tls/1'. This allows use of tls-alpn-01 for dns names that are not mapped to a VirtualHost. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1891683 13f79535-47bb-0310-9956-ffa450edef68
2025-08-16 16:17:23 +00:00 · 2021-07-20 12:44:31 +00:00
parent eb3b8d4526
commit 3fe911d3c9
7 changed files with 47 additions and 16 deletions
--- a/changes-entries/md_2_4_4_fixes.txt
+++ b/changes-entries/md_2_4_4_fixes.txt
@ -0,0 +1,8 @@
+  *) mod_md:
+     - Domain names in `<MDomain ...>` can now appear in quoted form.
+     - Fixed a failure in ACME challenge selection that aborted further searches
+       when the tls-alpn-01 method did not seem to be suitable.
+     - Changed the tls-alpn-01 setup to only become unsuitable when none of the
+       dns names showed support for a configured 'Protocols ... acme-tls/1'. This
+       allows use of tls-alpn-01 for dns names that are not mapped to a VirtualHost.
+     [Stefan Eissing]
--- a/modules/md/md_acme_authz.c
+++ b/modules/md/md_acme_authz.c
@ -308,10 +308,19 @@ static apr_status_t cha_tls_alpn_01_setup(md_acme_authz_cha_t *cha, md_acme_auth
    (void)mdomain;
    if (md_array_str_index(acme_tls_1_domains, authz->domain, 0, 0) < 0) {
        rv = APR_ENOTIMPL;
-        md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, p, 
-                      "%s: protocol 'acme-tls/1' not enabled for this domain.", 
-                      authz->domain);
-        goto out;
+        if (acme_tls_1_domains->nelts) {
+            md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, 0, p,
+                          "%s: protocol 'acme-tls/1' seems not enabled for this domain, "
+                          "but is enabled for other associated domains. "
+                          "Continuing with fingers crossed.", authz->domain);
+        }
+        else {
+            md_log_perror(MD_LOG_MARK, MD_LOG_INFO, 0, p,
+                          "%s: protocol 'acme-tls/1' seems not enabled for this or "
+                          "any other associated domain. Not attempting challenge "
+                          "type tls-alpn-01.", authz->domain);
+            goto out;
+        }
    }
    if (APR_SUCCESS != (rv = setup_key_authz(cha, authz, acme, p, &notify_server))) {
        goto out;
@ -557,7 +566,7 @@ apr_status_t md_acme_authz_respond(md_acme_authz_t *authz, md_acme_t *acme, md_s
                                   md_result_t *result)
 {
    apr_status_t rv;
-    int i;
+    int i, j;
    cha_find_ctx fctx;
    const char *challenge_setup;
    
@ -578,18 +587,26 @@ apr_status_t md_acme_authz_respond(md_acme_authz_t *authz, md_acme_t *acme, md_s
     * - if there was an overlap, but no setup was successful, report that. We
     *   will retry this, maybe the failure is temporary (e.g. command to setup DNS
     */
+     md_result_printf(result, 0, "%s: selecting suitable authorization challenge "
+                      "type, this domain supports %s",
+                      authz->domain, apr_array_pstrcat(p, challenges, ' '));
    rv = APR_ENOTIMPL;
    challenge_setup = NULL;
-    for (i = 0; i < challenges->nelts && !fctx.accepted; ++i) {
+    for (i = 0; i < challenges->nelts; ++i) {
        fctx.type = APR_ARRAY_IDX(challenges, i, const char *);
+        fctx.accepted = NULL;
        md_json_itera(find_type, &fctx, authz->resource, MD_KEY_CHALLENGES, NULL);
+        md_log_perror(MD_LOG_MARK, MD_LOG_TRACE1, 0, p,
+                      "%s: challenge type '%s' for %s: %s",
+                      authz->domain, fctx.type, mdomain,
+                      fctx.accepted? "maybe acceptable" : "not applicable");

        if (fctx.accepted) {
-            for (i = 0; i < (int)CHA_TYPES_LEN; ++i) {
-                if (!apr_strnatcasecmp(CHA_TYPES[i].name, fctx.accepted->type)) {
+            for (j = 0; j < (int)CHA_TYPES_LEN; ++j) {
+                if (!apr_strnatcasecmp(CHA_TYPES[j].name, fctx.accepted->type)) {
                    md_result_activity_printf(result, "Setting up challenge '%s' for domain %s", 
                                              fctx.accepted->type, authz->domain);
-                    rv = CHA_TYPES[i].setup(fctx.accepted, authz, acme, store, key_specs,
+                    rv = CHA_TYPES[j].setup(fctx.accepted, authz, acme, store, key_specs,
                                            acme_tls_1_domains, mdomain, env, result, p);
                    if (APR_SUCCESS == rv) {
                        md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, p, 
--- a/modules/md/md_acme_drive.c
+++ b/modules/md/md_acme_drive.c
@ -591,7 +591,10 @@ static apr_status_t acme_driver_init(md_proto_driver_t *d, md_result_t *result)
            goto leave;
        }
    }
-    
+
+    md_result_printf(result, 0, "MDomain %s initialized with support for ACME challenges %s",
+              d->md->name, apr_array_pstrcat(d->p, ad->ca_challenges, ' '));
+
 leave:    
    md_log_perror(MD_LOG_MARK, MD_LOG_TRACE1, result->status, d->p, "%s: init driver", d->md->name);
    return result->status;
--- a/modules/md/md_acme_order.c
+++ b/modules/md/md_acme_order.c
@ -455,7 +455,10 @@ apr_status_t md_acme_order_start_challenges(md_acme_order_t *order, md_acme_t *a
                break;
                
            case MD_ACME_AUTHZ_S_PENDING:
-                rv = md_acme_authz_respond(authz, acme, store, challenge_types, 
+                md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, p,
+                              "%s: authorization pending for %s",
+                              md->name, authz->domain);
+                rv = md_acme_authz_respond(authz, acme, store, challenge_types,
                                           md->pks,
                                           md->acme_tls_1_domains, md->name,
                                           env, p, &setup_token, result);
--- a/modules/md/md_version.h
+++ b/modules/md/md_version.h
@ -27,7 +27,7 @@
 * @macro
 * Version number of the md module as c string
 */
-#define MOD_MD_VERSION "2.4.3"
+#define MOD_MD_VERSION "2.4.4"

 /**
 * @macro
@ -35,7 +35,7 @@
 * release. This is a 24 bit number with 8 bits for major number, 8 bits
 * for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
 */
-#define MOD_MD_VERSION_NUM 0x020403
+#define MOD_MD_VERSION_NUM 0x020404

 #define MD_ACME_DEF_URL    "https://acme-v02.api.letsencrypt.org/directory"

--- a/modules/md/mod_md.c
+++ b/modules/md/mod_md.c
@ -1276,7 +1276,7 @@ static int md_answer_challenge(conn_rec *c, const char *servername,
    sc = md_config_get(c->base_server);
    if (!sc || !sc->mc->reg) goto cleanup;

-    ap_log_cerror(APLOG_MARK, APLOG_TRACE6, 0, c,
+    ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, c,
                  "Answer challenge[tls-alpn-01] for %s", servername);
    store = md_reg_store_get(sc->mc->reg);

--- a/modules/md/mod_md_config.c
+++ b/modules/md/mod_md_config.c
@ -358,11 +358,11 @@ static const char *md_config_sec_start(cmd_parms *cmd, void *mconfig, const char
        return MD_CMD_MD_SECTION " > section must specify a unique domain name";
    }

-    name = ap_getword_white(cmd->pool, &arg);
+    name = ap_getword_conf(cmd->pool, &arg);
    domains = apr_array_make(cmd->pool, 5, sizeof(const char *));
    add_domain_name(domains, name, cmd->pool);
    while (*arg != '\0') {
-        name = ap_getword_white(cmd->pool, &arg);
+        name = ap_getword_conf(cmd->pool, &arg);
        if (NULL != set_transitive(&transitive, name)) {
            add_domain_name(domains, name, cmd->pool);
        }