From: Stefan Eissing Date: Fri, 17 Sep 2021 12:41:45 +0000 (+0000) Subject: Merge of /httpd/httpd/trunk:r1893399 X-Git-Tag: candidate-2.4.50-rc1~48 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2dcc0bb4fe429f086707378adaae2545101c80bc;p=thirdparty%2Fapache%2Fhttpd.git Merge of /httpd/httpd/trunk:r1893399 *) mod_md: when MDMessageCmd for a 'challenge-setup::' fails (!= 0 exit), the renewal process is aborted and an error is reported for the MDomain. This provides scripts that distribute information in a cluster to abort early with bothering an ACME server to validate a dns name that will not work. The common retry logic will make another attempt in the future, as with other failures. Fixed a bug when adding private key specs to an already working MDomain, see . git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1893400 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/changes-entries/md_pkeys_challenge_setup.txt b/changes-entries/md_pkeys_challenge_setup.txt
new file mode 100644
index 00000000000..b722a3a4e9a
--- /dev/null
+++ b/changes-entries/md_pkeys_challenge_setup.txt
@@ -0,0 +1,10 @@
+  *) mod_md: when MDMessageCmd for a 'challenge-setup::'
+     fails (!= 0 exit), the renewal process is aborted and an error is
+     reported for the MDomain. This provides scripts that distribute
+     information in a cluster to abort early with bothering an ACME
+     server to validate a dns name that will not work. The common
+     retry logic will make another attempt in the future, as with
+     other failures.
+     Fixed a bug when adding private key specs to an already working
+     MDomain, see .
+     [Stefan Eissing]
diff --git a/modules/md/md_acme_authz.c b/modules/md/md_acme_authz.c
index 0988d459694..d5632fa6b61 100644
--- a/modules/md/md_acme_authz.c
+++ b/modules/md/md_acme_authz.c
@@ -275,7 +275,13 @@ static apr_status_t cha_http_01_setup(md_acme_authz_cha_t *cha, md_acme_authz_t
     /* Raise event that challenge data has been set up before we tell the ACME server.
        Clusters might want to distribute it. */
     event = apr_psprintf(p, "challenge-setup:%s:%s", MD_AUTHZ_TYPE_HTTP01, authz->domain);
-    md_result_holler(result, event, p);
+    rv = md_result_raise(result, event, p);
+    if (APR_SUCCESS != rv) {
+        md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, p,
+                      "%s: event '%s' failed. aborting challenge setup",
+                      authz->domain, event);
+        goto out;
+    }
     /* challenge is setup or was changed from previous data, tell ACME server
      * so it may (re)try verification */
     authz_req_ctx_init(&ctx, acme, NULL, authz, p);
diff --git a/modules/md/md_version.h b/modules/md/md_version.h
index e52c2fce846..65aa56a462d 100644
--- a/modules/md/md_version.h
+++ b/modules/md/md_version.h
@@ -27,7 +27,7 @@
  * @macro
  * Version number of the md module as c string
  */
-#define MOD_MD_VERSION "2.4.6"
+#define MOD_MD_VERSION "2.4.7"
 
 /**
  * @macro
@@ -35,7 +35,7 @@
  * release. This is a 24 bit number with 8 bits for major number, 8 bits
  * for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
  */
-#define MOD_MD_VERSION_NUM 0x020406
+#define MOD_MD_VERSION_NUM 0x020407
 
 #define MD_ACME_DEF_URL "https://acme-v02.api.letsencrypt.org/directory"
 
diff --git a/modules/md/mod_md.c b/modules/md/mod_md.c
index 9c42b7a9e4b..8b379eb1751 100644
--- a/modules/md/mod_md.c
+++ b/modules/md/mod_md.c
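Review bot: The abort path added after `rv = md_result_raise(result, event, p);` logs at MD_LOG_DEBUG, yet it aborts the whole renewal because an administrator's MDMessageCmd exited non-zero, so an operator at the default log level sees only that the MDomain errored, not that their own challenge-setup script caused it; `md_log_perror(MD_LOG_MARK, MD_LOG_WARNING, rv, p,` would surface that. This assumes md_result_raise records the failure in `result` itself, which is not visible here; if it does not, the error the changelog promises for the MDomain has to be set before `goto out`. Per the comment above, the challenge data has already been stored when the event fires, so after the jump to `out` the stale challenge stays in place until the next attempt overwrites it, which deserves a one-line comment if intended. The body of cha_http_01_setup and the `out:` label lie outside the hunk.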
@@ -1154,6 +1154,12 @@ static apr_status_t get_certificates(server_rec *s, apr_pool_t *p, int fallback,
             APR_ARRAY_PUSH(key_files, const char*) = keyfile;
             APR_ARRAY_PUSH(chain_files, const char*) = chainfile;
         }
+        else if (APR_STATUS_IS_ENOENT(rv)) {
+            /* certificate for this pkey is not available, others might
+             * if pkeys have been added for a runnign mdomain.
+             * see issue #260 */
+            rv = APR_SUCCESS;
+        }
         else if (!APR_STATUS_IS_ENOENT(rv)) {
             ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(10110)
                          "retrieving credentials for MD %s (%s)",
@@ -1202,6 +1208,9 @@ leave:
         *pkey_files = key_files;
         *pcert_files = chain_files;
     }
+    else if (APR_SUCCESS == rv) {
+        rv = APR_ENOENT;
+    }
     return rv;
 }
 
diff --git a/modules/md/mod_md_drive.c b/modules/md/mod_md_drive.c
index 942256f3cfd..14c43d55019 100644
--- a/modules/md/mod_md_drive.c
+++ b/modules/md/mod_md_drive.c
@@ -137,6 +137,7 @@ static void process_drive_job(md_renew_ctx_t *dctx, md_job_t *job, apr_pool_t *p
         }
 
         if (!job->notified_renewed) {
+            md_job_save(job, result, ptemp);
             md_job_notify(job, "renewed", result);
         }
     }
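Review bot: Once the new `else if (APR_STATUS_IS_ENOENT(rv))` branch takes every ENOENT, the following `else if (!APR_STATUS_IS_ENOENT(rv)) {` can no longer see one, so its test is always true and should become a plain `else {` rather than leave a dead condition for the next reader. Mapping a missing certificate for one key spec to APR_SUCCESS also means get_certificates can now return success with key_files and chain_files holding fewer entries than there are private key specs; that is harmless only if callers never assume one entry per spec, which cannot be confirmed from the hunk and is worth stating in the comment. The comment has a typo as well, `runnign` -> `running`. The loop and the enclosing function start outside the hunk.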
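Review bot: The new `else if (APR_SUCCESS == rv) { rv = APR_ENOENT; }` at `leave:` undoes the ENOENT-to-success mapping when nothing was collected, but nothing says why; suggest `/* no pkey produced a certificate: report ENOENT, not an empty success */` above it. The branch is reached only when the preceding `if` did not hand out `*pkey_files`/`*pcert_files`, and that condition starts outside the hunk, so whether rv can be APR_SUCCESS there for another reason (no key specs configured, say) is not visible here.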
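Review bot: The status returned by the added `md_job_save(job, result, ptemp);` is discarded, so a failed save (a read-only or full job store, for instance) goes unnoticed and the `renewed` notification fires anyway; if the persisted job is what later prevents re-notifying, the MDMessageCmd could run again on the next cycle, though that depends on code outside the hunk. Suggest `rv = md_job_save(job, result, ptemp);` and logging a non-success rv through md_log_perror at MD_LOG_WARNING before calling md_job_notify, assuming an apr_status_t is available in process_drive_job. The function's body starts and ends outside the hunk.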