From: Stefan Eissing Date: Mon, 13 Apr 2026 09:05:23 +0000 (+0000) Subject: *) mod_md: update to version 2.6.10 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=88e3893ddae60091ae1d988262ee3fbe3d4069bc;p=thirdparty%2Fapache%2Fhttpd.git *) mod_md: update to version 2.6.10 - Fix issue #420 by ignoring job.json files that claim to have completely finished a certificate renewal, but have not produced the necessary result files. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1933015 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/changes-entries/md_v2.6.10.txt b/changes-entries/md_v2.6.10.txt
new file mode 100644
index 0000000000..d9e6a02109
--- /dev/null
+++ b/changes-entries/md_v2.6.10.txt
@@ -0,0 +1,4 @@
+ *) mod_md: update to version 2.6.10
+ - Fix issue #420 by ignoring
+ job.json files that claim to have completely finished a certificate
+ renewal, but have not produced the necessary result files.
diff --git a/modules/md/md_status.c b/modules/md/md_status.c
index 3572168081..da89b832ca 100644
--- a/modules/md/md_status.c
+++ b/modules/md/md_status.c
@@ -97,6 +97,31 @@ leave: return rv; } +static int md_job_json_seems_valid(md_json_t *json, md_store_t *store, + md_store_group_t group, const char *name, + apr_pool_t *p) +{ + + if (!json) return FALSE; + if ((group == MD_SG_STAGING) && + md_json_getb(json, MD_KEY_FINISHED, NULL) && + md_json_getb(json, MD_KEY_NOTIFIED_RENEWED, NULL)) { + md_t *md; + /* A finished job in the staging area needs to have produced results */ + if(!md_exists(store, group, name, p)) return FALSE; + + if (APR_SUCCESS == md_load(store, MD_SG_DOMAINS, name, &md, p)) { + int i; + for (i = 0; i < md_cert_count(md); ++i) { + md_pkey_spec_t *spec = md_pkeys_spec_get(md->pks, i); + if(md_pubcert_load(store, group, name, spec, NULL, p) != APR_SUCCESS) + return FALSE; + } + } + } + return TRUE; +} + static apr_status_t job_loadj(md_json_t **pjson, md_store_group_t group, const char *name, struct md_reg_t *reg, int with_log, apr_pool_t *p) { @@ -104,7 +129,13 @@ static apr_status_t job_loadj(md_json_t **pjson, md_store_group_t group, const c md_store_t *store = md_reg_store_get(reg); rv = md_store_load_json(store, group, name, MD_FN_JOB, pjson, p); - if (APR_SUCCESS == rv && !with_log) md_json_del(*pjson, MD_KEY_LOG, NULL); + if (APR_SUCCESS == rv) { + if (!md_job_json_seems_valid(*pjson, store, group, name, p)) { + *pjson = NULL; + return APR_ENOENT; + } + if(!with_log) md_json_del(*pjson, MD_KEY_LOG, NULL); + } return rv; } @@ -384,7 +415,8 @@ apr_status_t md_job_load(md_job_t *job) apr_status_t rv; rv = md_store_load_json(job->store, job->group, job->mdomain, MD_FN_JOB, &jprops, job->p); - if (APR_SUCCESS == rv) { + if ((APR_SUCCESS == rv) && + md_job_json_seems_valid(jprops, job->store, job->group, job->mdomain, job->p)) { md_job_from_json(job, jprops, job->p); } return rv; diff --git a/modules/md/md_store.c b/modules/md/md_store.c index 1ba42946e5..5ed0848f99 100644 --- a/modules/md/md_store.c +++ b/modules/md/md_store.c 
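Review bot: In `md_job_json_seems_valid` the per-key certificate check only runs when `md_load(store, MD_SG_DOMAINS, name, &md, p)` succeeds; when that load fails, the function falls through to `return TRUE`, so a finished staging job is accepted on the `md_exists` check alone. If that is intended, a comment such as `/* no MD in MD_SG_DOMAINS: key specs unknown, accept on md_exists alone */` would record it; otherwise `else return FALSE;` on that `if` closes the gap. `md_pubcert_load` is also called with a NULL result pointer, which presumably reduces it to a presence test, so an empty or truncated certificate file would still count as a result. The function has no header comment, and it would be worth stating there that "valid" means the result files are present, not that they parse.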
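Review bot: `job_loadj` discards a rejected job.json without leaving any trace: it clears `*pjson` and returns `APR_ENOENT`, which a caller cannot tell apart from a job file that was never written. A job marked finished without its result files points at an interrupted or inconsistent renewal, which an operator would want to see in the log. A line such as `md_log_perror(MD_LOG_MARK, MD_LOG_WARNING, 0, p, "%s: ignoring job.json marked finished without result files", name);` before the `return APR_ENOENT;` would cover it, assuming md_log.h is already included in this file. The `md_job_load` hunk further down skips the file just as silently.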
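Review bot: `md_job_load` still returns `APR_SUCCESS` when `md_job_json_seems_valid` rejects the file, because only the `md_job_from_json` call is skipped and `rv` keeps the result of the load; `job_loadj` reports the same condition as `APR_ENOENT`. A caller that tests the return value will treat the untouched `job` as loaded from disk. If continuing with the job's existing field values is the intent, say so in a comment at the condition; otherwise set `rv = APR_ENOENT;` in an else branch so both loaders agree. The function body starts above this hunk, so how `job` was initialised is not visible here.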
@@ -176,6 +176,12 @@ typedef struct { md_store_group_t group; } md_group_ctx; +int md_exists(md_store_t *store, md_store_group_t group, + const char *name, apr_pool_t *p) +{ + return (md_store_load_json(store, group, name, MD_FN_MD, NULL, p) == APR_SUCCESS); +} + apr_status_t md_load(md_store_t *store, md_store_group_t group, const char *name, md_t **pmd, apr_pool_t *p) { diff --git a/modules/md/md_store.h b/modules/md/md_store.h index 73c840fc57..76dd2c3e6e 100644 --- a/modules/md/md_store.h +++ b/modules/md/md_store.h @@ -225,7 +225,9 @@ void md_store_unlock_global(md_store_t *store, apr_pool_t *p); /**************************************************************************************************/ /* Storage handling utils */ -apr_status_t md_load(md_store_t *store, md_store_group_t group, +int md_exists(md_store_t *store, md_store_group_t group, + const char *name, apr_pool_t *p); +apr_status_t md_load(md_store_t *store, md_store_group_t group, const char *name, md_t **pmd, apr_pool_t *p); apr_status_t md_save(struct md_store_t *store, apr_pool_t *p, md_store_group_t group, md_t *md, int create); diff --git a/modules/md/md_version.h b/modules/md/md_version.h index 7a05c09ab9..ace0946095 100644 --- a/modules/md/md_version.h +++ b/modules/md/md_version.h @@ -27,7 +27,7 @@ * @macro * Version number of the md module as c string */ -#define MOD_MD_VERSION "2.6.9" +#define MOD_MD_VERSION "2.6.10" /** * @macro @@ -35,7 +35,7 @@ * release. This is a 24 bit number with 8 bits for major number, 8 bits * for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203. */ -#define MOD_MD_VERSION_NUM 0x020609 +#define MOD_MD_VERSION_NUM 0x02060a #define MD_ACME_DEF_URL "https://acme-v02.api.letsencrypt.org/directory"
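Review bot: `md_exists` reports every failure of `md_store_load_json` as "does not exist", so a permission or I/O error on the store reads the same as a missing MD file, and the new caller in md_status.c then drops the job.json on that basis. Either treat only `APR_ENOENT` as absence and let other errors surface, or document the behaviour where the function is defined and at the declaration added to md_store.h, which is also uncommented. A suitable comment would be `/* Returns non-zero iff the MD_FN_MD file for name loads from group; any load error counts as absent. */`.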