From: Stefan Eissing Date: Tue, 8 Feb 2022 12:18:45 +0000 (+0000) Subject: * mod_md) do not interfere with requests to /.well-known/acme-challenge/ X-Git-Tag: 2.5.0-alpha2-ci-test-only~510 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cbde30f8322de93c90c938186583916ba777f43f;p=thirdparty%2Fapache%2Fhttpd.git * mod_md) do not interfere with requests to /.well-known/acme-challenge/ resources if challenge type 'http-01' is not configured for a domain. Fixes . git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897863 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/changes-entries/md_ignore_http_challenges.txt b/changes-entries/md_ignore_http_challenges.txt new file mode 100644 index 00000000000..e13b7a284c4 --- /dev/null +++ b/changes-entries/md_ignore_http_challenges.txt @@ -0,0 +1,4 @@ + * mod_md) do not interfere with requests to /.well-known/acme-challenge/ + resources if challenge type 'http-01' is not configured for a domain. + Fixes . + [Stefan Eissing] diff --git a/modules/md/mod_md.c b/modules/md/mod_md.c index 9a13870f31a..34f43311e3d 100644 --- a/modules/md/mod_md.c +++ b/modules/md/mod_md.c @@ -1359,6 +1359,15 @@ static int md_http_challenge_pr(request_rec *r) name = r->parsed_uri.path + sizeof(ACME_CHALLENGE_PREFIX)-1; reg = sc && sc->mc? sc->mc->reg : NULL; + if (md && md->ca_challenges + && md_array_str_index(md->ca_challenges, MD_AUTHZ_CHA_HTTP_01, 0, 1) < 0) { + /* The MD this challenge is for does not allow http-01 challanges, + * we have to decline. See #279 for a setup example where this + * is necessary. + */ + return DECLINED; + } + if (strlen(name) && !ap_strchr_c(name, '/') && reg) { md_store_t *store = md_reg_store_get(reg);
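Review bot: in changes-entries/md_ignore_http_challenges.txt the entry reads "Fixes ." with no issue reference, so a reader of the changelog cannot trace which report this addresses. The code comment added to mod_md.c in the same commit points at "#279"; if that is the report meant here, name it in the entry together with the tracker it lives in, otherwise drop the "Fixes" sentence.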
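Review bot: in the mod_md.c hunk, the new guard in md_http_challenge_pr only declines when md->ca_challenges is non-NULL, so an MD without a challenge list still falls through to the challenge lookup below. If that is the intended default (no list means http-01 stays allowed), say so in the comment, since this condition decides whether mod_md answers or hands over requests under /.well-known/acme-challenge/. The trailing "0, 1" arguments to md_array_str_index are not self-explanatory at the call site, and a short note on what they select would help. Two small points in the comment itself: "challanges" should be "challenges", and "See #279" does not say which tracker the number belongs to, so a full URL would be more durable.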