-*- coding: utf-8 -*-
Changes with Apache 2.5.1
+ *) mod_md:
+ - Prefer MDContactEmail directive to ServerAdmin for registration. New directive
+ thanks to Timothe Litt (@tlhackque).
+ - protocol check for pre-configured "tls-alpn-01" challenge has been improved. It will now
+ check all matching virtual hosts for protocol support. Thanks to @mkauf.
+ - Corrected a check when OCSP stapling was configured for hosts
+ where the responsible MDomain is not clear, by Michal Karm Babacek (@Karm).
+ - Softening the restrictions where mod_md configuration directives may appear. This should
+ allow for use in <If> and <Macro> sections. If all possible variations lead to the configuration
+ you wanted in the first place, is another matter.
+ [Michael Kaufmann <mail michael-kaufmann.ch>, Timothe Litt (@tlhackque),
+ Michal Karm Babacek (@Karm), Stefan Eissing (@icing)]
+
*) core: ap_method_mask_t type added for method bitmasks, changed
from apr_int64_t and used for the method_mask field in
ap_method_list_t, AP_METHOD_BIT, allowed field of request_rec,
* - if setup failed, continue to look for another supported challenge type
* - if there is no overlap in types, tell the user that she has to configure
* either more types (dns, tls-alpn-01), make ports available or refrain
- * from using wildcard domains when dns is not available. etc.
- * - if there was an overlap, but no setup was successful, report that. We
+ * from useing wildcard domains when dns is not available. etc.
+ * - if there was an overlap, but no setup was successfull, report that. We
* will retry this, maybe the failure is temporary (e.g. command to setup DNS
*/
rv = APR_ENOTIMPL;
if (!ad->md->contacts || apr_is_empty_array(md->contacts)) {
rv = APR_EINVAL;
md_result_printf(result, rv, "No contact information is available for MD %s. "
- "Configure one using the ServerAdmin directive.", md->name);
+ "Configure one using the MDContactEmail or ServerAdmin directive.", md->name);
md_result_log(result, MD_LOG_ERR);
goto leave;
}
rv = APR_EINVAL;
if (!authz->error_type) {
md_result_printf(ctx->result, rv,
- "domain authorization for %s failed, CA considers "
+ "domain authorization for %s failed, CA consideres "
"answer to challenge invalid, no error given",
authz->domain);
}
* Pre-Req: we have an account for the ACME server that has accepted the current license agreement
* For each domain in MD:
* - check if there already is a valid AUTHZ resource
- * - if not, create an AUTHZ resource with challenge data
+ * - if ot, create an AUTHZ resource with challenge data
*/
static apr_status_t ad_setup_order(md_proto_driver_t *d, md_result_t *result)
{
} md_cert_state_t;
/**
- * Create a holder of the certificate that will free its memory when the
+ * Create a holder of the certificate that will free its memmory when the
* pool is destroyed.
*/
md_cert_t *md_cert_make(apr_pool_t *p, void *x509);
void md_http_set_response_limit(md_http_t *http, apr_off_t resp_limit);
/**
- * Set the timeout for the complete request. This needs to take everything from
+ * Set the timeout for the complete reqest. This needs to take everything from
* DNS looksups, to conntects, to transfer of all data into account and should
* be sufficiently large.
* Set to 0 the have no timeout for this.
void md_http_set_on_response_cb(md_http_request_t *req, md_http_response_cb *cb, void *baton);
/**
- * Create a GET request.
+ * Create a GET reqest.
* @param preq the created request after success
* @param http the md_http instance
* @param url the url to GET
struct apr_table_t *headers);
/**
- * Create a HEAD request.
+ * Create a HEAD reqest.
* @param preq the created request after success
* @param http the md_http instance
* @param url the url to GET
struct apr_table_t *headers);
/**
- * Create a POST request with a bucket brigade as request body.
+ * Create a POST reqest with a bucket brigade as request body.
* @param preq the created request after success
* @param http the md_http instance
* @param url the url to GET
struct apr_bucket_brigade *body, int detect_len);
/**
- * Create a POST request with known request body data.
+ * Create a POST reqest with known request body data.
* @param preq the created request after success
* @param http the md_http instance
* @param url the url to GET
* To limit the number of parallel requests, nextreq should return APR_ENOENT when the limit
* is reached. It will be called again when the number of in_flight requests changes.
*
- * When all requests are done, nextreq will be called one more time. Should it not
+ * When all reqests are done, nextreq will be called one more time. Should it not
* return anything, this function returns.
*/
apr_status_t md_http_multi_perform(md_http_t *http, md_http_next_req *nextreq, void *baton);
}
/**************************************************************************************************/
-/* syncing */
+/* synching */
apr_status_t md_reg_set_props(md_reg_t *reg, apr_pool_t *p, int can_http, int can_https)
{
}
/**
- * Finish syncing an MD with the store.
+ * Finish synching an MD with the store.
* 1. if there are changed properties (or if the MD is new), save it.
* 2. read any existing certificate and init the state of the memory MD
*/
* Cleanup any challenges that are no longer in use.
*
* @param reg the registry
- * @param p pool for permanent storage
+ * @param p pool for permament storage
* @param ptemp pool for temporary storage
* @param mds the list of configured MDs
*/
apr_status_t md_reg_freeze_domains(md_reg_t *reg, apr_array_header_t *mds);
/**
- * Return if the certificate of the MD should be renewed. This includes reaching
+ * Return if the certificate of the MD shoud be renewed. This includes reaching
* the renewal window of an otherwise valid certificate. It return also !0 iff
* no certificate has been obtained yet.
*/
};
/**
- * Run a test initialization of the renew protocol for the given MD. This verifies
+ * Run a test intialization of the renew protocol for the given MD. This verifies
* basic parameter settings and is expected to return a description of encountered
* problems in <pmessage> when != APR_SUCCESS.
* A message return is allocated fromt the given pool.
static const char *dup_trim(apr_pool_t *p, const char *s)
{
char *d = apr_pstrdup(p, s);
- apr_collapse_spaces(d, d);
+ if (d) apr_collapse_spaces(d, d);
return d;
}
/**
* Take stock of all MDs given for a short overview. The JSON returned
- * will carry integers for MD_KEY_COMPLETE, MD_KEY_RENEWING,
+ * will carry intergers for MD_KEY_COMPLETE, MD_KEY_RENEWING,
* MD_KEY_ERRORED, MD_KEY_READY and MD_KEY_TOTAL.
*/
void md_status_take_stock(struct md_json_t **pjson, apr_array_header_t *mds,
const char *status, const char *detail);
/**
- * Retrieve the latest log entry of a certain type.
+ * Retrieve the lastest log entry of a certain type.
*/
md_json_t *md_job_log_get_latest(md_job_t *job, const char *type);
int case_sensitive);
/**
- * Create a new array with all occurrences of <exclude> removed.
+ * Create a new array with all occurances of <exclude> removed.
*/
struct apr_array_header_t *md_array_str_remove(apr_pool_t *p, struct apr_array_header_t *src,
const char *exclude, int case_sensitive);
* @macro
* Version number of the md module as c string
*/
-#define MOD_MD_VERSION "2.2.4"
+#define MOD_MD_VERSION "2.2.7-git"
/**
* @macro
* release. This is a 24 bit number with 8 bits for major number, 8 bits
* for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
*/
-#define MOD_MD_VERSION_NUM 0x020204
+#define MOD_MD_VERSION_NUM 0x020207
#define MD_ACME_DEF_URL "https://acme-v02.api.letsencrypt.org/directory"
static void merge_srv_config(md_t *md, md_srv_conf_t *base_sc, apr_pool_t *p)
{
+ const char *contact;
+
if (!md->sc) {
md->sc = base_sc;
}
if (!md->ca_agreement) {
md->ca_agreement = md_config_gets(md->sc, MD_CONFIG_CA_AGREEMENT);
}
- if (md->sc->s->server_admin && strcmp(DEFAULT_ADMIN, md->sc->s->server_admin)) {
+ contact = md_config_gets(md->sc, MD_CONFIG_CA_CONTACT);
+ if (contact && contact[0]) {
+ apr_array_clear(md->contacts);
+ APR_ARRAY_PUSH(md->contacts, const char *) =
+ md_util_schemify(p, contact, "mailto");
+ } else if( md->sc->s->server_admin && strcmp(DEFAULT_ADMIN, md->sc->s->server_admin)) {
apr_array_clear(md->contacts);
- APR_ARRAY_PUSH(md->contacts, const char *) =
+ APR_ARRAY_PUSH(md->contacts, const char *) =
md_util_schemify(p, md->sc->s->server_admin, "mailto");
}
if (md->renew_mode == MD_RENEW_DEFAULT) {
md_srv_conf_t *sc;
md_mod_conf_t *mc;
server_rec *s;
+ server_rec *res = NULL;
request_rec r;
int i;
- int skip_port_check = 0;
+ int check_port = 1;
sc = md_config_get(base_server);
mc = sc->mc;
if (md->ca_challenges && md->ca_challenges->nelts > 0) {
/* skip the port check if "tls-alpn-01" is pre-configured */
- skip_port_check = md_array_str_index(md->ca_challenges, MD_AUTHZ_TYPE_TLSALPN01, 0, 0) >= 0;
+ check_port = !(md_array_str_index(md->ca_challenges, MD_AUTHZ_TYPE_TLSALPN01, 0, 0) >= 0);
}
- if (!skip_port_check && !mc->can_https) return NULL;
+ if (check_port && !mc->can_https) return NULL;
/* find an ssl server matching domain from MD */
for (s = base_server; s; s = s->next) {
sc = md_config_get(s);
if (!sc || !sc->is_ssl || !sc->assigned) continue;
if (base_server == s && !mc->manage_base_server) continue;
- if (base_server != s && !skip_port_check && mc->local_443 > 0 && !uses_port(s, mc->local_443)) continue;
+ if (base_server != s && check_port && mc->local_443 > 0 && !uses_port(s, mc->local_443)) continue;
for (i = 0; i < sc->assigned->nelts; ++i) {
if (md == APR_ARRAY_IDX(sc->assigned, i, md_t*)) {
r.server = s;
if (ap_matches_request_vhost(&r, domain, s->port)) {
- return s;
+ if (check_port) {
+ return s;
+ }
+ else {
+ /* there may be multiple matching servers because we ignore the port.
+ if possible, choose a server that supports the acme-tls/1 protocol */
+ if (ap_is_allowed_protocol(NULL, NULL, s, PROTO_ACME_TLS_1)) {
+ return s;
+ }
+ res = s;
+ }
}
}
}
}
- return NULL;
+ return res;
}
static apr_status_t auto_add_domains(md_t *md, server_rec *base_server, apr_pool_t *p)
s->server_hostname, s->port, md->name, sc->name,
domain, (int)sc->assigned->nelts);
- if (s->server_admin && strcmp(DEFAULT_ADMIN, s->server_admin)) {
+ if (sc->ca_contact && sc->ca_contact[0]) {
+ uri = md_util_schemify(p, sc->ca_contact, "mailto");
+ if (md_array_str_index(md->contacts, uri, 0, 0) < 0) {
+ APR_ARRAY_PUSH(md->contacts, const char *) = uri;
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, base_server, APLOGNO(10044)
+ "%s: added contact %s", md->name, uri);
+ }
+ } else if (s->server_admin && strcmp(DEFAULT_ADMIN, s->server_admin)) {
uri = md_util_schemify(p, s->server_admin, "mailto");
if (md_array_str_index(md->contacts, uri, 0, 0) < 0) {
- APR_ARRAY_PUSH(md->contacts, const char *) = uri;
+ APR_ARRAY_PUSH(md->contacts, const char *) = uri;
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, base_server, APLOGNO(10044)
"%s: added contact %s", md->name, uri);
}
md_srv_conf_t *sc;
ap_log_error( APLOG_MARK, APLOG_TRACE1, 0, base_server,
- "cecking duplicate ssl assignments");
+ "checking duplicate ssl assignments");
for (s = base_server; s; s = s->next) {
sc = md_config_get(s);
if (!sc || !sc->assigned) continue;
/* How to bootstrap this module:
* 1. find out if we know if http: and/or https: requests will arrive
- * 2. apply the now complete configuration settings to the MDs
+ * 2. apply the now complete configuration setttings to the MDs
* 3. Link MDs to the server_recs they are used in. Detect unused MDs.
* 4. Update the store with the MDs. Change domain names, create new MDs, etc.
* Basically all MD properties that are configured directly.
* store will find the old settings and "recover" the previous name.
* 5. Load any staged data from previous driving.
* 6. on a dry run, this is all we do
- * 7. Read back the MD properties that reflect the existence and aspect of
+ * 7. Read back the MD properties that reflect the existance and aspect of
* credentials that are in the store (or missing there).
* Expiry times, MD state, etc.
* 8. Determine the list of MDs that need driving/supervision.
/*4*/
if (APR_SUCCESS != (rv = md_reg_sync_start(mc->reg, mc->mds, ptemp))) {
ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(10073)
- "syncing %d mds to registry", mc->mds->nelts);
+ "synching %d mds to registry", mc->mds->nelts);
goto leave;
}
/*5*/
}
if (APR_SUCCESS != (rv = md_reg_sync_finish(mc->reg, md, p, ptemp))) {
ap_log_error( APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(10172)
- "md[%s]: error syncing to store", md->name);
+ "md[%s]: error synching to store", md->name);
goto leave;
}
}
&def_renew_window, /* renew window */
&def_warn_window, /* warn window */
NULL, /* ca url */
+ NULL, /* ca contact (email) */
"ACME", /* ca protocol */
NULL, /* ca agreemnent */
NULL, /* ca challenges array */
sc->renew_window = NULL;
sc->warn_window = NULL;
sc->ca_url = NULL;
+ sc->ca_contact = NULL;
sc->ca_proto = NULL;
sc->ca_agreement = NULL;
sc->ca_challenges = NULL;
to->warn_window = from->warn_window;
to->renew_window = from->renew_window;
to->ca_url = from->ca_url;
+ to->ca_contact = from->ca_contact;
to->ca_proto = from->ca_proto;
to->ca_agreement = from->ca_agreement;
to->ca_challenges = from->ca_challenges;
nsc->warn_window = add->warn_window? add->warn_window : base->warn_window;
nsc->ca_url = add->ca_url? add->ca_url : base->ca_url;
+ nsc->ca_contact = add->ca_contact? add->ca_contact : base->ca_contact;
nsc->ca_proto = add->ca_proto? add->ca_proto : base->ca_proto;
nsc->ca_agreement = add->ca_agreement? add->ca_agreement : base->ca_agreement;
nsc->ca_challenges = (add->ca_challenges? apr_array_copy(pool, add->ca_challenges)
return NULL;
}
+#define MD_LOC_GLOBAL (0x01)
+#define MD_LOC_MD (0x02)
+#define MD_LOC_ELSE (0x04)
+#define MD_LOC_ALL (0x07)
+#define MD_LOC_NOT_MD (0x102)
+
+static const char *md_conf_check_location(cmd_parms *cmd, int flags)
+{
+ if (MD_LOC_GLOBAL == flags) {
+ return ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ }
+ if (MD_LOC_NOT_MD == flags && inside_md_section(cmd)) {
+ return apr_pstrcat(cmd->pool, cmd->cmd->name, " is not allowed inside an '",
+ MD_CMD_MD_SECTION, "' context", NULL);
+ }
+ if (MD_LOC_MD == flags) {
+ return md_section_check(cmd);
+ }
+ else if ((MD_LOC_MD & flags) && inside_md_section(cmd)) {
+ return NULL;
+ }
+ return ap_check_cmd_context(cmd, NOT_IN_DIRECTORY|NOT_IN_LOCATION);
+}
+
static const char *set_on_off(int *pvalue, const char *s, apr_pool_t *p)
{
if (!apr_strnatcasecmp("off", s)) {
int transitive = -1;
(void)mconfig;
- if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_NOT_MD))) {
return err;
}
int i, transitive = -1;
(void)dc;
- err = ap_check_cmd_context(cmd, NOT_IN_DIR_LOC_FILE);
- if (err) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_NOT_MD))) {
return err;
}
const char *err;
(void)dc;
- if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
return err;
}
sc->ca_url = value;
return NULL;
}
+static const char *md_config_set_contact(cmd_parms *cmd, void *dc, const char *value)
+{
+ md_srv_conf_t *sc = md_config_get(cmd->server);
+ const char *err;
+
+ (void)dc;
+ if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
+ return err;
+ }
+ sc->ca_contact = value;
+ return NULL;
+}
+
static const char *md_config_set_ca_proto(cmd_parms *cmd, void *dc, const char *value)
{
md_srv_conf_t *config = md_config_get(cmd->server);
const char *err;
(void)dc;
- if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
return err;
}
config->ca_proto = value;
const char *err;
(void)dc;
- if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
return err;
}
config->ca_agreement = value;
return apr_pstrcat(cmd->pool, "unknown MDDriveMode ", value, NULL);
}
- if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
return err;
}
config->renew_mode = renew_mode;
const char *err;
(void)dc;
- if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
return err;
}
return set_on_off(&config->must_staple, value, cmd->pool);
const char *err;
(void)dc;
- if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
return err;
}
return set_on_off(&config->stapling, value, cmd->pool);
const char *err;
(void)dc;
- if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
return err;
}
return set_on_off(&config->staple_others, value, cmd->pool);
static const char *md_config_set_base_server(cmd_parms *cmd, void *dc, const char *value)
{
md_srv_conf_t *config = md_config_get(cmd->server);
- const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ const char *err = md_conf_check_location(cmd, MD_LOC_NOT_MD);
(void)dc;
if (err) return err;
md_srv_conf_t *config = md_config_get(cmd->server);
const char *err;
- (void)dc;
- if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
return err;
}
-
+ (void)dc;
if (!apr_strnatcasecmp("off", value)) {
config->require_https = MD_REQUIRE_OFF;
}
const char *err;
(void)dc;
- if (!inside_md_section(cmd)
- && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
return err;
}
err = md_timeslice_parse(&config->renew_window, cmd->pool, value, MD_TIME_LIFE_NORM);
const char *err;
(void)dc;
- if (!inside_md_section(cmd)
- && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
return err;
}
err = md_timeslice_parse(&config->warn_window, cmd->pool, value, MD_TIME_LIFE_NORM);
static const char *md_config_set_proxy(cmd_parms *cmd, void *arg, const char *value)
{
md_srv_conf_t *sc = md_config_get(cmd->server);
- const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ const char *err;
- if (err) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_NOT_MD))) {
return err;
}
md_util_abs_http_uri_check(cmd->pool, value, &err);
static const char *md_config_set_store_dir(cmd_parms *cmd, void *arg, const char *value)
{
md_srv_conf_t *sc = md_config_get(cmd->server);
- const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ const char *err;
- if (err) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_NOT_MD))) {
return err;
}
sc->mc->base_dir = value;
const char *v1, const char *v2)
{
md_srv_conf_t *sc = md_config_get(cmd->server);
- const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ const char *err;
(void)arg;
- if (!err) {
+ if (!(err = md_conf_check_location(cmd, MD_LOC_NOT_MD))) {
err = set_port_map(sc->mc, v1);
}
if (!err && v2) {
int i;
(void)dc;
- if (!inside_md_section(cmd)
- && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
return err;
}
pcha = &config->ca_challenges;
apr_int64_t bits;
(void)dc;
- if (!inside_md_section(cmd)
- && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
return err;
}
if (argc <= 0) {
static const char *md_config_set_notify_cmd(cmd_parms *cmd, void *mconfig, const char *arg)
{
md_srv_conf_t *sc = md_config_get(cmd->server);
- const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ const char *err;
- if (err) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_NOT_MD))) {
return err;
}
sc->mc->notify_cmd = arg;
static const char *md_config_set_msg_cmd(cmd_parms *cmd, void *mconfig, const char *arg)
{
md_srv_conf_t *sc = md_config_get(cmd->server);
- const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ const char *err;
- if (err) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_NOT_MD))) {
return err;
}
sc->mc->message_cmd = arg;
static const char *md_config_set_dns01_cmd(cmd_parms *cmd, void *mconfig, const char *arg)
{
md_srv_conf_t *sc = md_config_get(cmd->server);
- const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ const char *err;
- if (err) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_NOT_MD))) {
return err;
}
apr_table_set(sc->mc->env, MD_KEY_CMD_DNS01, arg);
const char *err;
(void)mconfig;
- if (NULL != (err = md_section_check(cmd))) return err;
+ if ((err = md_conf_check_location(cmd, MD_LOC_MD))) return err;
assert(sc->current);
sc->current->cert_file = arg;
return NULL;
const char *err;
(void)mconfig;
- if (NULL != (err = md_section_check(cmd))) return err;
+ if ((err = md_conf_check_location(cmd, MD_LOC_MD))) return err;
assert(sc->current);
sc->current->pkey_file = arg;
return NULL;
const char *err;
(void)dc;
- if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
return err;
}
return set_on_off(&sc->mc->server_status_enabled, value, cmd->pool);
const char *err;
(void)dc;
- if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
return err;
}
return set_on_off(&sc->mc->certificate_status_enabled, value, cmd->pool);
const char *err;
(void)dc;
- if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
return err;
}
err = md_timeslice_parse(&sc->mc->ocsp_keep_window, cmd->pool, value, MD_TIME_OCSP_KEEP_NORM);
const char *err;
(void)dc;
- if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
return err;
}
err = md_timeslice_parse(&sc->mc->ocsp_renew_window, cmd->pool, value, MD_TIME_LIFE_NORM);
const char *err;
(void)dc;
- if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
return err;
}
sc->mc->cert_check_name = name;
static const char *md_config_set_activation_delay(cmd_parms *cmd, void *mconfig, const char *arg)
{
md_srv_conf_t *sc = md_config_get(cmd->server);
- const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ const char *err;
apr_interval_time_t delay;
(void)mconfig;
- if (err) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_NOT_MD))) {
return err;
}
if (md_duration_parse(&delay, arg, "d") != APR_SUCCESS) {
"A list of challenge types to be used."),
AP_INIT_TAKE1("MDCertificateProtocol", md_config_set_ca_proto, NULL, RSRC_CONF,
"Protocol used to obtain/renew certificates"),
+ AP_INIT_TAKE1("MDContactEmail", md_config_set_contact, NULL, RSRC_CONF,
+ "Email address used for account registration"),
AP_INIT_TAKE1("MDDriveMode", md_config_set_renew_mode, NULL, RSRC_CONF,
"deprecated, older name for MDRenewMode"),
AP_INIT_TAKE1("MDRenewMode", md_config_set_renew_mode, NULL, RSRC_CONF,
"the directory for file system storage of managed domain data."),
AP_INIT_TAKE1("MDRenewWindow", md_config_set_renew_window, NULL, RSRC_CONF,
"Time length for renewal before certificate expires (defaults to days)."),
- AP_INIT_TAKE1("MDRequireHttps", md_config_set_require_https, NULL, RSRC_CONF,
+ AP_INIT_TAKE1("MDRequireHttps", md_config_set_require_https, NULL, RSRC_CONF|OR_AUTHCFG,
"Redirect non-secure requests to the https: equivalent."),
AP_INIT_RAW_ARGS("MDNotifyCmd", md_config_set_notify_cmd, NULL, RSRC_CONF,
"Set the command to run when signup/renew of domain is complete."),
switch (var) {
case MD_CONFIG_CA_URL:
return sc->ca_url? sc->ca_url : defconf.ca_url;
+ case MD_CONFIG_CA_CONTACT:
+ return sc->ca_contact? sc->ca_contact : defconf.ca_contact;
case MD_CONFIG_CA_PROTO:
return sc->ca_proto? sc->ca_proto : defconf.ca_proto;
case MD_CONFIG_BASE_DIR:
typedef enum {
MD_CONFIG_CA_URL,
+ MD_CONFIG_CA_CONTACT,
MD_CONFIG_CA_PROTO,
MD_CONFIG_BASE_DIR,
MD_CONFIG_CA_AGREEMENT,
md_timeslice_t *warn_window; /* time before expiration that warning are sent out */
const char *ca_url; /* url of CA certificate service */
+ const char *ca_contact; /* contact email registered to account */
const char *ca_proto; /* protocol used vs CA (e.g. ACME) */
const char *ca_agreement; /* accepted agreement uri between CA and user */
struct apr_array_header_t *ca_challenges; /* challenge types configured */
sc = md_config_get(s);
if (!staple_here(sc)) goto declined;
- md = ((sc->assigned || sc->assigned->nelts == 1)?
+ md = ((sc->assigned && sc->assigned->nelts == 1)?
APR_ARRAY_IDX(sc->assigned, 0, const md_t*) : NULL);
rv = md_ocsp_prime(sc->mc->ocsp, md_cert_wrap(p, cert),
md_cert_wrap(p, issuer), md);
sc = md_config_get(s);
if (!staple_here(sc)) goto declined;
- md = ((sc->assigned || sc->assigned->nelts == 1)?
+ md = ((sc->assigned && sc->assigned->nelts == 1)?
APR_ARRAY_IDX(sc->assigned, 0, const md_t*) : NULL);
ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c, "get stapling for: %s",
md? md->name : s->server_hostname);
#if APR_HAVE_UNISTD_H
#include <unistd.h>
#endif
-#ifdef WIN32
-#include "mpm_winnt.h"
-#endif
#if AP_NEED_SET_MUTEX_PERMS
#include "unixd.h"
#endif
projects / thirdparty / apache / httpd.git / commitdiff
