From 1ff4f0808f572e34562726985428da53fcd3338c Mon Sep 17 00:00:00 2001 From: Christophe Jaillet Date: Sat, 6 Jun 2026 16:53:18 +0000 Subject: [PATCH] Fix a missing for MDProfileMandatory. Fix a few typos. Slightly improve hyperlinks with other directives. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1935076 13f79535-47bb-0310-9956-ffa450edef68 --- docs/manual/mod/mod_md.xml | 40 ++++++++++++++++++++++---------------- 1 file changed, 23 insertions(+), 17 deletions(-) diff --git a/docs/manual/mod/mod_md.xml b/docs/manual/mod/mod_md.xml index df8a0d60cc..a78614d640 100644 --- a/docs/manual/mod/mod_md.xml +++ b/docs/manual/mod/mod_md.xml @@ -446,13 +446,13 @@ MDomain example2.org auto

If you configure more than one URL, each one is tried in a round-robin fashion after a number of failures. You can configure how quickly or - delayed that happens via the MDRetryDelay and - MDRetryFailover directives. The default setting + delayed that happens via the MDRetryDelay and + MDRetryFailover directives. The default setting makes a failover after about half a day of trying.

All other settings apply to each of these URLs. It is therefore not possible to have two with different - MDExternalAccountBindings, for example. + MDExternalAccountBindings, for example.

For testing, CAs commonly offer a second service URL. The 'test' service does not give certificates valid in a browser, @@ -724,7 +724,7 @@ MDPrivateKeys secp256r1 rsa3072

- If the validity of the certificate falls below duration, mod_md + If the validity of the certificate falls below duration, mod_md will get a new signed certificate.

Normally, certificates are valid for around 90 days and mod_md will renew @@ -1103,8 +1103,8 @@ MDMessageCmd /etc/apache/md-message window left. With the default, this mean 9 days for certificates from Let's Encrypt.

- It also applies to Managed Domains with static certificate files ( - see MDCertificateFile). + It also applies to Managed Domains with static certificate files (see + MDCertificateFile).

@@ -1394,7 +1394,7 @@ MDMessageCmd /etc/apache/md-message

The number of consecutive errors on renewing a certificate before another CA is selected. This only applies to configurations that - have more than one MDCertificateAuthority + have more than one MDCertificateAuthority specified.

@@ -1412,11 +1412,12 @@ MDMessageCmd /etc/apache/md-message

Enable this to use a lock file on server startup when - MDStoreDir is synchronized with the server + MDStoreDir is synchronized with the server configuration and renewed certificates are activated.

Locking is intended for setups in a cluster that have a shared - file system for MDStoreDir. It will protect the activation of + file system for MDStoreDir. + It will protect the activation of renewed certificates when cluster nodes are restarted/reloaded at the same time. Under the condition that the shared file system does support file locking. @@ -1445,9 +1446,11 @@ MDMessageCmd /etc/apache/md-message Available in version 2.4.58 and later

- Set the way MDChallengeDns01 command is invoked, e.g the number and - types of arguments. See MDChallengeDns01 + Set the way MDChallengeDns01 + command is invoked, e.g the number and types of arguments. + See MDChallengeDns01 for the differences. +

This setting is global and cannot be varied per domain.

@@ -1464,8 +1467,10 @@ MDMessageCmd /etc/apache/md-message Available in version 2.4.58 and later

- The mode `all` is the behavior as in all previous versions. Both ServerName - and ServerAlias are inspected to find the MDomain matching a VirtualHost. + The mode `all` is the behavior as in all previous versions. Both + ServerName + and ServerAlias are inspected + to find the MDomain matching a VirtualHost. This automatically detects coverage, even when you only have added one of the names to an MDomain.

@@ -1519,18 +1524,18 @@ MDMessageCmd /etc/apache/md-message

This about a non-standard ACME extension by Let's Encrypt.

- Lets Encrypt supports Certificate Profiles in their CA. This, + Let's Encrypt supports Certificate Profiles in their CA. This, among some other details, let's you select the lifetime of the certificates you get. The "classic" profile is the default and will keep the 90 days, the "tlsserver" profile is also 90 days with a max of 25 Subject Alternative Names. The "shortlived" profile will issue certificates with only 6 days of validity.

- If you do not change your mod_md configuration, you will + If you do not change your mod_md configuration, you will continue to get the 90 days certificates. Should you believe that a shorter lifetime is beneficial for you (and take the risk that the renewal time is way shorter), -+ you can configure the profile to use via 'MDProfile shortlived'. + you can configure the profile to use via 'MDProfile shortlived'.

The profile names are defined by the CA. If a profile you configure is not available, no profile will be used and @@ -1551,6 +1556,7 @@ MDMessageCmd /etc/apache/md-message server config + Available in version 2.4.64 and later

Controls if a MDProfile @@ -1577,7 +1583,7 @@ MDMessageCmd /etc/apache/md-message

En-/Disable certificate renewals triggered via the ACME ARI extension (rfc9773). These renewals happen *in addition* to - the mechanism controlled by MDRenewWindow. + the mechanism controlled by MDRenewWindow.

ACME ARI allows an ACME CA to somewhat shape incoming renewal traffic. More importantly though, it can inform clients of -- 2.47.3
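Review bot: the unchanged context line in the @@ -1103,8 +1103,8 @@ hunk still reads "With the default, this mean 9 days". The commit is already fixing typos in this paragraph, so change "mean" to "means" in the same pass.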
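Review bot: in the @@ -1412,11 +1412,12 @@ hunk, the trailing context sentence "Under the condition that the shared file system does support file locking." is a fragment, and it carries the one precondition that decides whether the lock protects certificate activation at all. Since the preceding sentence is being rewrapped here anyway, fold the condition into it, for example "It will protect the activation of renewed certificates when cluster nodes are restarted/reloaded at the same time, provided the shared file system supports file locking."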
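Review bot: the rewritten line "command is invoked, e.g the number and types of arguments." in the @@ -1445,9 +1446,11 @@ hunk carries over "e.g" without its closing period. Because this line is new in the patch, write "e.g. the number and types of arguments" here rather than leaving it for a later typo pass.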
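Review bot: "The mode `all`" in the @@ -1464,8 +1467,10 @@ hunk keeps Markdown-style backticks on the new line, which will appear as literal backtick characters in an XML manual page. While the directive names in this sentence are being touched, mark the value up with the same code markup the manual uses for other literal values.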
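Review bot: the apostrophe fix in the @@ -1519,18 +1524,18 @@ hunk stops one line short. The context line directly after the corrected "Let's Encrypt" still says "let's you select the lifetime", which should be "lets you select". The first context line of the same hunk, "This about a non-standard ACME extension", is also missing its verb and should read "This is about ...".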
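Review bot: "(rfc9773)" on the context line of the @@ -1577,7 +1583,7 @@ hunk is written as a bare lowercase token. Spell it "RFC 9773" so it matches normal citation style and is found by readers searching the manual for the RFC.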