* mod_md) do not interfere with requests to /.well-known/acme-challenge/
authorStefan Eissing <icing@apache.org>
Tue, 8 Feb 2022 12:18:45 +0000 (12:18 +0000)
committerStefan Eissing <icing@apache.org>
Tue, 8 Feb 2022 12:18:45 +0000 (12:18 +0000)
    resources if challenge type 'http-01' is not configured for a domain.
    Fixes <https://github.com/icing/mod_md/issues/279>.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897863 13f79535-47bb-0310-9956-ffa450edef68

changes-entries/md_ignore_http_challenges.txt [new file with mode: 0644]
modules/md/mod_md.c

diff --git a/changes-entries/md_ignore_http_challenges.txt b/changes-entries/md_ignore_http_challenges.txt
new file mode 100644 (file)
index 0000000..e13b7a2
--- /dev/null
@@ -0,0 +1,4 @@
+  * mod_md) do not interfere with requests to /.well-known/acme-challenge/
+    resources if challenge type 'http-01' is not configured for a domain.
+    Fixes <https://github.com/icing/mod_md/issues/279>.
+    [Stefan Eissing]
index 9a13870f31a36264f084b14f30793d77f6a34874..34f43311e3d061ac4f07044eee1f7c3b55f1bda7 100644 (file)
@@ -1359,6 +1359,15 @@ static int md_http_challenge_pr(request_rec *r)
             name = r->parsed_uri.path + sizeof(ACME_CHALLENGE_PREFIX)-1;
             reg = sc && sc->mc? sc->mc->reg : NULL;
 
+            if (md && md->ca_challenges
+                && md_array_str_index(md->ca_challenges, MD_AUTHZ_CHA_HTTP_01, 0, 1) < 0) {
+                /* The MD this challenge is for does not allow http-01 challanges,
+                 * we have to decline. See #279 for a setup example where this
+                 * is necessary.
+                 */
+                return DECLINED;
+            }
+
             if (strlen(name) && !ap_strchr_c(name, '/') && reg) {
                 md_store_t *store = md_reg_store_get(reg);
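Review bot: The comment on the new early return in md_http_challenge_pr cites only `#279`, which inside the httpd tree reads like a Bugzilla or PR number rather than the mod_md GitHub issue named in the changes entry, and it misspells "challenges". I would write it as `/* This MD does not list http-01 among its CA challenges: decline so other handlers can serve the request. See https://github.com/icing/mod_md/issues/279. */`. The same comment should also say that a domain with no explicit challenge list (`md->ca_challenges` is NULL) is still answered by this handler, since the guard deliberately lets that case through and a reader auditing who serves `/.well-known/acme-challenge/` needs to know it. The function body starts and ends outside the hunk.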