From 42344a9fb2893f3cfe82d766c27fbe88f68256bd Mon Sep 17 00:00:00 2001 From: Stefan Eissing Date: Tue, 3 Jun 2025 08:22:43 +0000 Subject: [PATCH] update mod_md documentation now in line with trunk git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1926086 13f79535-47bb-0310-9956-ffa450edef68 --- docs/manual/mod/mod_md.xml | 90 ++++++++++++++++++++++++++++++++++++-- 1 file changed, 86 insertions(+), 4 deletions(-) diff --git a/docs/manual/mod/mod_md.xml b/docs/manual/mod/mod_md.xml index d4adac2114e..09bae08a3bb 100644 --- a/docs/manual/mod/mod_md.xml +++ b/docs/manual/mod/mod_md.xml @@ -37,7 +37,7 @@ ACME protocol (RFC 8555). Certificates will be renewed by the module ahead of their expiration to account for disruption in internet services. There are ways to monitor the status of all - certififcates managed this way and configurations that will run your own + certificates managed this way and configurations that will run your own notification commands on renewal, expiration and errors.

Second, mod_md offers an alternate OCSP Stapling implementation. This works with @@ -495,7 +495,7 @@ MDomain example2.org auto For testing, CAs commonly offer a second service URL. The 'test' service does not give certificates valid in a browser, but are more relaxed in regard to rate limits. - This allows for verfication of your own setup before switching + This allows for verification of your own setup before switching to the production service URL.

LE Test Setup @@ -1299,7 +1299,7 @@ MDMessageCmd /etc/apache/md-message MDCertificateCheck - Set name and URL pattern for a certificate monitoring sitSet name and URL pattern for a certificate monitoring sitee + Set name and URL pattern for a certificate monitoring site. MDCertificateCheck name url server config @@ -1369,7 +1369,7 @@ MDMessageCmd /etc/apache/md-message

You can configure those globally or for a specific MDomain. Since these values allow anyone to register under the same account, it is - adivsable to give the configuration file restricted permissions, + advisable to give the configuration file restricted permissions, e.g. root only.

@@ -1512,4 +1512,86 @@ MDMessageCmd /etc/apache/md-message + + MDCheckInterval + Determines how often certificates are checked + MDCheckInterval duration + MDCheckInterval 12h + + server config + + Available in version 2.4.60 and later + +

+ The time between certificate checks. By default, the validity + and need for renewals is checked twice a day. This interval is + not followed precisely. Instead the module randomly applies + a +/-50% jitter to it. With the default of 12 hours, this + means the actual time between runs varies between 6 and 18 + hours, jittered anew every run. This helps to mitigate + traffic peaks at ACME servers. +

+ The minimum duration you may configure is 1 second. It is + not recommended to use such short times in production. +

+ +
+ + + MDProfile + Use a specific ACME profile from the CA + MDProfile name + + server config + + Available in version 2.4.64 and later + +

+ This about a non-standard ACME extension by Let's Encrypt. +

+ Lets Encrypt announced they will add Certificate Profiles + support in their CA during 2025, beginning with their staging + servers. This, among some other details, let's you select the + lifetime of the certificates you get. The "default" profile + will keep the 90 days and a "tlsserver" profile will issue + certificates with only 6 days of validity. +

+ If you do not change your mod_md configuration, you will + continue to get the 90 days certificates. Should you believe + that a shorter lifetime is beneficial for you (and take the + risk that the renewal time is way shorter), + you can configure the profile to use via 'MDProfile tlsserver'. +

+ The profile names are defined by the CA. If a profile you + configure is not available, no profile will be used and + the certificate will be issue according to what the CA + considers default. +

+ See MDProfileMandatory + on how to disable defaults for profiles. +

+
+
+ + + MDProfileMandatory + Control if an MDProfile is mandatory. + MDProfileMandatory on|off + MDProfileMandatory off + + server config + + +

+ Controls if a MDProfile + you configure is mandatory or not. When mandatory and the CA + does not offer a configured profile, the certificate + renewal will fail. +

+ When not mandatory and a profile is not offered by the CA, + renewals will be performed without specifying a profile and + the CA will issue a certificates according to its defaults. +

+
+
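Review bot: In the MDProfile text, the 6-day "tlsserver" lifetime should cross-reference MDCheckInterval, which this same hunk documents as defaulting to 12h with a +/-50% jitter, i.e. up to 18 hours between two checks; that is a sizeable slice of a 6-day certificate, so a sentence advising readers who pick a short-lived profile to review their check interval would make the "renewal time is way shorter" warning actionable. The hunk also carries wording slips worth fixing before merge: "This about a non-standard ACME extension" is missing "is", "Lets Encrypt" should read "Let's Encrypt", "let's you select" should be "lets you select", "will be issue according" should be "will be issued", and in MDProfileMandatory "issue a certificates" should be "issue a certificate" and "Controls if a MDProfile" should be "Controls if an MDProfile". MDProfileMandatory is further missing the "Available in version ... and later" compatibility line that MDCheckInterval and MDProfile both have, and since the non-mandatory case falls back to the CA default without the text saying whether this is reported, it would help to state whether the fallback is surfaced through the notification commands mentioned in the module introduction, so operators can notice when they are getting default-lifetime certificates instead of the profile they configured.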
-- 2.47.2