From 3fe911d3c9b97857525a002c34611387c7c7ae64 Mon Sep 17 00:00:00 2001
From: Stefan Eissing
Date: Tue, 20 Jul 2021 12:44:31 +0000
Subject: [PATCH] *) mod_md:
 - Domain names in `` can now appear in quoted form.
 - Fixed a failure in ACME challenge selection that aborted further searches when the tls-alpn-01 method did not seem to be suitable.
 - Changed the tls-alpn-01 setup to only become unsuitable when none of the dns names showed support for a configured 'Protocols ... acme-tls/1'. This allows use of tls-alpn-01 for dns names that are not mapped to a VirtualHost.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1891683 13f79535-47bb-0310-9956-ffa450edef68
---
 changes-entries/md_2_4_4_fixes.txt | 8 +++++++
 modules/md/md_acme_authz.c | 35 ++++++++++++++++++++++--------
 modules/md/md_acme_drive.c | 5 ++++-
 modules/md/md_acme_order.c | 5 ++++-
 modules/md/md_version.h | 4 ++--
 modules/md/mod_md.c | 2 +-
 modules/md/mod_md_config.c | 4 ++--
 7 files changed, 47 insertions(+), 16 deletions(-)
 create mode 100644 changes-entries/md_2_4_4_fixes.txt
diff --git a/changes-entries/md_2_4_4_fixes.txt b/changes-entries/md_2_4_4_fixes.txt
new file mode 100644
index 00000000000..7ae03c9af3a
--- /dev/null
+++ b/changes-entries/md_2_4_4_fixes.txt
@@ -0,0 +1,8 @@
+ *) mod_md:
+ - Domain names in `` can now appear in quoted form.
+ - Fixed a failure in ACME challenge selection that aborted further searches
+ when the tls-alpn-01 method did not seem to be suitable.
+ - Changed the tls-alpn-01 setup to only become unsuitable when none of the
+ dns names showed support for a configured 'Protocols ... acme-tls/1'. This
+ allows use of tls-alpn-01 for dns names that are not mapped to a VirtualHost.
+ [Stefan Eissing]
diff --git a/modules/md/md_acme_authz.c b/modules/md/md_acme_authz.c
index bfbd67c11cb..0988d459694 100644
--- a/modules/md/md_acme_authz.c
+++ b/modules/md/md_acme_authz.c
@@ -308,10 +308,19 @@ static apr_status_t cha_tls_alpn_01_setup(md_acme_authz_cha_t *cha, md_acme_auth
 (void)mdomain;
 if (md_array_str_index(acme_tls_1_domains, authz->domain, 0, 0) < 0) {
 rv = APR_ENOTIMPL;
- md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, p,
- "%s: protocol 'acme-tls/1' not enabled for this domain.",
- authz->domain);
- goto out;
+ if (acme_tls_1_domains->nelts) {
+ md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, 0, p,
+ "%s: protocol 'acme-tls/1' seems not enabled for this domain, "
+ "but is enabled for other associated domains. "
+ "Continuing with fingers crossed.", authz->domain);
+ }
+ else {
+ md_log_perror(MD_LOG_MARK, MD_LOG_INFO, 0, p,
+ "%s: protocol 'acme-tls/1' seems not enabled for this or "
+ "any other associated domain. Not attempting challenge "
+ "type tls-alpn-01.", authz->domain);
+ goto out;
+ }
 }
 if (APR_SUCCESS != (rv = setup_key_authz(cha, authz, acme, p, ¬ify_server))) {
 goto out;
@@ -557,7 +566,7 @@ apr_status_t md_acme_authz_respond(md_acme_authz_t *authz, md_acme_t *acme, md_s
 md_result_t *result)
 {
 apr_status_t rv;
- int i;
+ int i, j;
 cha_find_ctx fctx;
 const char *challenge_setup;
 
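Review bot: On the new "continue" path the `rv = APR_ENOTIMPL;` on the context line above the branch is dead, since the `setup_key_authz` call right after the block reassigns `rv`; moving the assignment into the `else` branch next to `goto out;` makes it obvious that only that path reports the challenge type as unsupported. The reason for pressing on when other names of the same MDomain do advertise acme-tls/1 is stated only in the commit message, so a comment above `if (acme_tls_1_domains->nelts) {` would help: `/* Not listed for acme-tls/1, but other names of this MD are: this name may simply not be mapped to a VirtualHost, so still attempt tls-alpn-01. */`. Such an attempt presumably fails later at the CA's validation instead of being skipped locally, and with the cause logged only at DEBUG that failure will be hard to explain from the logs afterwards. cha_tls_alpn_01_setup begins before the hunk.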
@@ -578,18 +587,26 @@ apr_status_t md_acme_authz_respond(md_acme_authz_t *authz, md_acme_t *acme, md_s
 * - if there was an overlap, but no setup was successful, report that. We
 * will retry this, maybe the failure is temporary (e.g. command to setup DNS
 */
+ md_result_printf(result, 0, "%s: selecting suitable authorization challenge "
+ "type, this domain supports %s",
+ authz->domain, apr_array_pstrcat(p, challenges, ' '));
 rv = APR_ENOTIMPL;
 challenge_setup = NULL;
- for (i = 0; i < challenges->nelts && !fctx.accepted; ++i) {
+ for (i = 0; i < challenges->nelts; ++i) {
 fctx.type = APR_ARRAY_IDX(challenges, i, const char *);
+ fctx.accepted = NULL;
 md_json_itera(find_type, &fctx, authz->resource, MD_KEY_CHALLENGES, NULL);
+ md_log_perror(MD_LOG_MARK, MD_LOG_TRACE1, 0, p,
+ "%s: challenge type '%s' for %s: %s",
+ authz->domain, fctx.type, mdomain,
+ fctx.accepted? "maybe acceptable" : "not applicable");
 if (fctx.accepted) {
- for (i = 0; i < (int)CHA_TYPES_LEN; ++i) {
- if (!apr_strnatcasecmp(CHA_TYPES[i].name, fctx.accepted->type)) {
+ for (j = 0; j < (int)CHA_TYPES_LEN; ++j) {
+ if (!apr_strnatcasecmp(CHA_TYPES[j].name, fctx.accepted->type)) {
 md_result_activity_printf(result, "Setting up challenge '%s' for domain %s",
 fctx.accepted->type, authz->domain);
- rv = CHA_TYPES[i].setup(fctx.accepted, authz, acme, store, key_specs,
+ rv = CHA_TYPES[j].setup(fctx.accepted, authz, acme, store, key_specs,
 acme_tls_1_domains, mdomain, env, result, p);
 if (APR_SUCCESS == rv) {
 md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, p,
diff --git a/modules/md/md_acme_drive.c b/modules/md/md_acme_drive.c
index 4bdaf6bf652..4956a06aab8 100644
--- a/modules/md/md_acme_drive.c
+++ b/modules/md/md_acme_drive.c
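Review bot: Dropping `&& !fctx.accepted` from the outer loop condition means the loop no longer stops by itself once a challenge type has been accepted and set up; whether a successful setup ends the search now rests on the code after `if (APR_SUCCESS == rv) {`, which lies outside the hunk, and if that branch does not `break` or `goto out` the loop will go on to set up the next supported type as well. The per-iteration `fctx.accepted = NULL;` is what makes scanning several types correct, and that contract deserves a comment above the loop: `/* Try each configured challenge type in order; a type that is offered but cannot be set up here must not end the search (earlier versions stopped at the first match). */`. The `md_result_printf(result, 0, ...)` added before the loop presumably stores the status `0` into `result` as well, so confirm that no caller relies on a status left in `result` on entry. The `int i, j;` hunk at L557 belongs to this same fix. md_acme_authz_respond continues past the hunk.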
@@ -591,7 +591,10 @@ static apr_status_t acme_driver_init(md_proto_driver_t *d, md_result_t *result)
 goto leave;
 }
 }
-
+
+ md_result_printf(result, 0, "MDomain %s initialized with support for ACME challenges %s",
+ d->md->name, apr_array_pstrcat(d->p, ad->ca_challenges, ' '));
+
 leave:
 md_log_perror(MD_LOG_MARK, MD_LOG_TRACE1, result->status, d->p, "%s: init driver", d->md->name);
 return result->status;
diff --git a/modules/md/md_acme_order.c b/modules/md/md_acme_order.c
index 5dde962afad..ee1166be1da 100644
--- a/modules/md/md_acme_order.c
+++ b/modules/md/md_acme_order.c
@@ -455,7 +455,10 @@ apr_status_t md_acme_order_start_challenges(md_acme_order_t *order, md_acme_t *a
 break;
 case MD_ACME_AUTHZ_S_PENDING:
- rv = md_acme_authz_respond(authz, acme, store, challenge_types,
+ md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, p,
+ "%s: authorization pending for %s",
+ md->name, authz->domain);
+ rv = md_acme_authz_respond(authz, acme, store, challenge_types,
 md->pks, md->acme_tls_1_domains, md->name, env, p, &setup_token, result);
diff --git a/modules/md/md_version.h b/modules/md/md_version.h
index 5cef365c3df..53377b840d0 100644
--- a/modules/md/md_version.h
+++ b/modules/md/md_version.h
@@ -27,7 +27,7 @@
 * @macro
 * Version number of the md module as c string
 */
-#define MOD_MD_VERSION "2.4.3"
+#define MOD_MD_VERSION "2.4.4"
 /**
 * @macro
@@ -35,7 +35,7 @@
 * release. This is a 24 bit number with 8 bits for major number, 8 bits
 * for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
 */
-#define MOD_MD_VERSION_NUM 0x020403
+#define MOD_MD_VERSION_NUM 0x020404
 #define MD_ACME_DEF_URL "https://acme-v02.api.letsencrypt.org/directory"
diff --git a/modules/md/mod_md.c b/modules/md/mod_md.c
index 180cfd2c68b..9c42b7a9e4b 100644
--- a/modules/md/mod_md.c
+++ b/modules/md/mod_md.c
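Review bot: The new `apr_array_pstrcat(d->p, ad->ca_challenges, ' ')` before `leave:` assumes `ad->ca_challenges` is non-NULL on every path that reaches it; the branches that populate it are above the hunk, so if any of them can leave it unset this purely informational message turns into a NULL dereference. A guard keeps it best-effort: `ad->ca_challenges ? apr_array_pstrcat(d->p, ad->ca_challenges, ' ') : "(none)"`. Since `md_result_printf` is handed status `0` immediately before `return result->status;`, it is also worth confirming that it does not overwrite a non-success status an earlier step stored in `result` without jumping to `leave`. acme_driver_init starts before the hunk.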
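Review bot: The `md_log_perror` added in the `MD_ACME_AUTHZ_S_PENDING` case passes `rv` as the status to log, but `rv` is only assigned by the `md_acme_authz_respond` call on the following line, so the message reports whatever `rv` held from a previous iteration or its initializer (neither visible in the hunk). The other log calls introduced by this commit pass `0` for informational messages; doing the same here avoids printing an unrelated error code next to "authorization pending": `md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, 0, p,`. md_acme_order_start_challenges begins before the hunk.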
@@ -1276,7 +1276,7 @@ static int md_answer_challenge(conn_rec *c, const char *servername,
 sc = md_config_get(c->base_server);
 if (!sc || !sc->mc->reg) goto cleanup;
- ap_log_cerror(APLOG_MARK, APLOG_TRACE6, 0, c,
+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, c,
 "Answer challenge[tls-alpn-01] for %s", servername);
 store = md_reg_store_get(sc->mc->reg);
diff --git a/modules/md/mod_md_config.c b/modules/md/mod_md_config.c
index 63b2e7ab811..bfc64adbbd6 100644
--- a/modules/md/mod_md_config.c
+++ b/modules/md/mod_md_config.c
@@ -358,11 +358,11 @@ static const char *md_config_sec_start(cmd_parms *cmd, void *mconfig, const char
 return MD_CMD_MD_SECTION " > section must specify a unique domain name";
 }
- name = ap_getword_white(cmd->pool, &arg);
+ name = ap_getword_conf(cmd->pool, &arg);
 domains = apr_array_make(cmd->pool, 5, sizeof(const char *));
 add_domain_name(domains, name, cmd->pool);
 while (*arg != '\0') {
- name = ap_getword_white(cmd->pool, &arg);
+ name = ap_getword_conf(cmd->pool, &arg);
 if (NULL != set_transitive(&transitive, name)) {
 add_domain_name(domains, name, cmd->pool);
 }
-- 
2.47.3
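Review bot: Raising this line from APLOG_TRACE6 to APLOG_TRACE1 means `servername` — which, judging by the signature `md_answer_challenge(conn_rec *c, const char *servername, ...)`, presumably is the name the remote client offered via SNI — is now written to the error log for every challenge connection at the least verbose trace level, the one operators typically switch on while debugging. That is reasonable for a trace line, but the hunk gives no hint why the level changed, so a short comment would help the next reader: `/* TRACE1 on purpose: operators debugging failed tls-alpn-01 validations need to see which names reached this handler. */`. md_answer_challenge starts before the hunk.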
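Review bot: `ap_getword_conf` accepts quoted tokens, so `""` (or `''`) now parses as a legal word that yields an empty `name`; the preceding check (its condition is above the hunk) returns "must specify a unique domain name" and, judging by that message, guards against a missing argument rather than an empty quoted one, so an empty name would reach `add_domain_name` at both call sites unless that helper or `set_transitive` rejects it, which is not visible here. Rejecting it up front is cheap and gives a clear configuration error: `if (!*name) return MD_CMD_MD_SECTION " > section: domain name must not be empty";` after each of the two `ap_getword_conf` calls. md_config_sec_start begins before the hunk.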