-
Notifications
You must be signed in to change notification settings - Fork 28
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
mod_md authoritative for disabled challenge types #279
Comments
A valid point. So far, it was only checked if the domain was handled. I added a test and fixed the behaviour so that requests to |
asfgit
pushed a commit
to apache/httpd
that referenced
this issue
Feb 8, 2022
…nge/ resources if challenge type 'http-01' is not configured for a domain. Fixes <icing/mod_md#279>. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897863 13f79535-47bb-0310-9956-ffa450edef68
asfgit
pushed a commit
to apache/httpd
that referenced
this issue
Feb 8, 2022
…nge/ resources if challenge type 'http-01' is not configured for a domain. Fixes <icing/mod_md#279>. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1897865 13f79535-47bb-0310-9956-ffa450edef68
Updated our environment with your patch and can confirm that it works perfectly. Thank you so much! |
netbsd-srcmastr
pushed a commit
to NetBSD/pkgsrc
that referenced
this issue
Mar 15, 2022
Changes with Apache 2.4.53 *) SECURITY: CVE-2022-23943: mod_sed: Read/write beyond bounds (cve.mitre.org) Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data. This issue affects Apache HTTP Server 2.4 version 2.4.52 and prior versions. *) SECURITY: CVE-2022-22721: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody (cve.mitre.org) If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier. Credits: Anonymous working with Trend Micro Zero Day Initiative *) SECURITY: CVE-2022-22720: HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier (cve.mitre.org) Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling *) SECURITY: CVE-2022-22719: mod_lua Use of uninitialized value of in r:parsebody (cve.mitre.org) A carefully crafted request body can cause a read to a random memory area which could cause the process to crash. This issue affects Apache HTTP Server 2.4.52 and earlier. *) core: Make sure and check that LimitXMLRequestBody fits in system memory. *) core: Simpler connection close logic if discarding the request body fails. *) mod_http2: preserve the port number given in a HTTP/1.1 request that was Upgraded to HTTP/2. *) mod_proxy: Allow for larger worker name. *) dbm: Split the loading of a dbm driver from the opening of a dbm file. When an attempt to load a dbm driver fails, log clearly which driver triggered the error (not "default"), and what the error was. *) mod_proxy: Use the maxium of front end and backend timeouts instead of the minimum when tunneling requests (websockets, CONNECT requests). Backend timeouts can be configured more selectively (per worker if needed) as front end timeouts and typically the backend timeouts reflect the application requirements better. *) ap_regex: Use Thread Local Storage (TLS) to recycle ap_regexec() buffers when an efficient TLS implementation is available. *) core, mod_info: Add compiled and loaded PCRE versions to version number display. *) mod_md: do not interfere with requests to /.well-known/acme-challenge/ resources if challenge type 'http-01' is not configured for a domain. Fixes <icing/mod_md#279>. *) mod_dav: Fix regression when gathering properties which could lead to huge memory consumption proportional to the number of resources. *) Support pcre2 (10.x) library in place of the now end-of-life pcre (8.x) for regular expression evaluation. This depends on locating pcre2-config. *) Add the ldap function to the expression API, allowing LDAP filters and distinguished names based on expressions to be escaped correctly to guard against LDAP injection. *) mod_md: the status description in MDomain's JSON, exposed in the md-status handler (if configured) did sometimes not carry the correct message when certificates needed renew. *) mpm_event: Fix a possible listener deadlock on heavy load when restarting and/or reaching MaxConnectionsPerChild.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We're exclusively using
MDCAChallenges dns-01
on our edge servers (Apache httpd 2.4.52). Simultaneously, they are acting as a reverse proxy for an email server system which itself is also trying to issue certificates usinghttp-01
(non-mod_md) to be used for its TLS-enabled services (SMTPS, IMAPS,...). In our case these certificates overlap with wildcard certificates that have previously been issued on the edge servers through mod_md, which may or may not complicate things.Sadly, mod_md is eagerly capturing requests it isn't configured to handle (disabled http-01 challenge type). This causes mod_md to trigger a 404 response via
instead of having these requests be processed by the proxied remote server which does serve the files.
Going over the documentation, I couldn't find a way to make this scenario work. Ideally, mod_md shouldn't capture/respond to requests it isn't configured to handle.
The text was updated successfully, but these errors were encountered: