- MDs with a static certificate (MDCertificateFile) are not auto-renewed, but they are watched
for expiration and trigger a configured MDMessageCmd.
- ACME challenge method 'tls-alpn-01' is now checked for each domain in an MD individually
and no longer needs to be available for all domains.
- Renewal jobs now have their own log attached, with timestamps for when the renewal was started,
ran into errors and finished. The job JSON files are copied from staging into the domain
directory for possible later review.
- job logs now list all activities during renewal.
- MDMessageCmd added as an alternative to MDNotifyCmd. This command is called with an
additional "reason" parameter that specifies what happened to the managed domain.
- MDNotifyCmd is now called for each domain that has been successfully renewed, not for
all Managed Domains after all have been processed. This gives notifications earlier.
- Notification errors are now also collected under MD status, and notifications are retried
with backoff delays.
- New directive MDServerStatus to control if Managed Domains are listed in Apache's
server-status handler or not. Default yes.
- New directive MDCertificateStatus to control if JSON certificate information on a domain
should be made available on https:///.httpd/certificate-status or not. Default yes.
- fixed a bug that checked ACMEv2 authorizations against the server several times unnecessarily.
- Updated README.md with new directives and howto.
- New directives "MDCertificateFile" and "MDCertificateKeyFile" that allow defining
Managed Domains for certificates coming from somewhere else.
- "MDRenewMode" is the new name of "MDDriveMode" (which is still available for
backward compatibility). This should make it easier to understand what it does.
- Removing some fields from the stored MD JSON, now that we can inspect the pubcert itself
all the time. Fewer store updates.
- Dropped support for the pre-v1.x function that mod_ssl used in ancient patches.
- public cert chain now gets cached in memory before the server drops privileges, so we always
have access to it. This allowed dropping some pre-computed values such as the SHA256 fingerprint.
- Adding "" as a shortcut to "". It just reads that much better.
- More "how to"s in README.md
- MDPortMap directive now also accepts https as external ports.
mean that http requests from the internet arrive on local port 8888.
- Started "how to"s in README.md
- MDRequireHttps handler now runs after mod_ssl, so that it can report SSL errors before.
- All GET requests against an ACMEv2 endpoint (except directory and nonce retrievals) are
now made as POST with an empty, JWS-signed body. See
for the necessity of this API change at LetsEncrypt.
- Fixed an integer overrun for the renewal window configuration on 32bit systems that caused
renewal windows to drop to 0, i.e. renewal only once already expired. This only happened when
MDRenewWindow was explicitly configured.
- JSON format of /.httpd/certificate-status slightly altered. See README.md for details.
- ACME errors and problems in challenge selection that point to configuration mistakes
are now visible in the md-status handler.
- Testsuite cleanup and use of new md-status handler to verify progress.
- IMPORTANT: upgrade behaviour changed. MDs that have not
explicitly all get the new ACMEv2 default endpoint of Let's Encrypt. See README.md chapter
about upgrading for the background of this.
- Added chapter about the upcoming end-of-life changes for ACMEv1 at LetsEncrypt.
- Extracting certificate transparency SCTs (the signatures from CT logs) from a staged
certificate and displaying these on /.httpd/certificate-status. A monitoring client
may use this to verify the signatures against the CT logs, even though the log may not
yet show the certificate (the maximum merge delay seems to be 24 hours on most logs).
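The SCTs mentioned above are TLS-encoded (RFC 6962 section 3.2) inside the certificate's SCT extension. As an added example that is not mod_md code, the following Python parses such a list and tells a monitoring client whether each log's Maximum Merge Delay has elapsed, i.e. whether the log must already be serving the entry; the sample blob is constructed, the 24 h MMD is the figure quoted above, and nothing is assumed about the layout of mod_md's certificate-status JSON.

```python
import struct
from collections import namedtuple
from datetime import datetime, timezone

HASH_ALGS = {4: "sha256"}          # TLS HashAlgorithm values used by CT
SIG_ALGS = {1: "rsa", 3: "ecdsa"}  # TLS SignatureAlgorithm values
# log_id: SHA-256 of the log's DER public key (tells the monitor which log to query);
# signature: to be verified against that log's key with a crypto library.
SCT = namedtuple("SCT", "log_id timestamp_ms extensions hash_alg sig_alg signature")
def _u16(buf, off):
    return struct.unpack_from(">H", buf, off)[0], off + 2
def parse_sct(buf):
    """Decode one SignedCertificateTimestamp (RFC 6962 section 3.2)."""
    if buf[0] != 0:  # v1 is encoded as 0; nothing else is defined
        raise ValueError("unsupported SCT version %d" % buf[0])
    (ts_ms,) = struct.unpack_from(">Q", buf, 33)   # ms since the Unix epoch, UTC
    ext_len, off = _u16(buf, 41)
    ext, off = buf[off:off + ext_len], off + ext_len
    hash_alg, sig_alg = buf[off], buf[off + 1]
    sig_len, off = _u16(buf, off + 2)
    sig = buf[off:off + sig_len]
    if len(sig) != sig_len:
        raise ValueError("truncated SCT signature")
    return SCT(buf[1:33], ts_ms, ext, HASH_ALGS.get(hash_alg, str(hash_alg)),
               SIG_ALGS.get(sig_alg, str(sig_alg)), sig)

def parse_sct_list(blob):
    """Decode a SignedCertificateTimestampList: u16 total length, then u16-prefixed SCTs."""
    total, off = _u16(blob, 0)
    if total != len(blob) - 2:
        raise ValueError("SCT list length mismatch")
    scts = []
    while off < len(blob):
        n, off = _u16(blob, off)
        scts.append(parse_sct(blob[off:off + n]))
        off += n
    return scts
def sct_time(sct):
    return datetime.fromtimestamp(sct.timestamp_ms / 1000, tz=timezone.utc).isoformat()
def should_be_merged(sct, now_ms, mmd_ms=24 * 3600 * 1000):
    """True once the log's Maximum Merge Delay has elapsed, so the log must serve the entry."""
    return now_ms >= sct.timestamp_ms + mmd_ms
def _encode_sct(log_id, ts_ms, sig):
    # Constructed sample SCT (v1, no extensions, sha256/ecdsa); not from a real log.
    body = b"\x00" + log_id + struct.pack(">Q", ts_ms) + b"\x00\x00\x04\x03"
    return struct.pack(">H", len(body) + 2 + len(sig)) + body + struct.pack(">H", len(sig)) + sig
_SCTS = _encode_sct(b"\xab" * 32, 1_560_000_000_000, b"\x30\x06\x02\x01\x01\x02\x01\x02") + \
        _encode_sct(b"\xcd" * 32, 1_560_000_100_000, b"\x30\x05\x02\x01\x01\x02\x00")
SAMPLE_LIST = struct.pack(">H", len(_SCTS)) + _SCTS  # constructed, not a real certificate's
```

A monitor would look each `log_id` up in its list of known logs and query that log for the entry only once `should_be_merged` returns true.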
- Fixing configuration startup (e.g. dry run) to sync with the store again. This lets
us find renamed MDs and use their correct paths. With wrong paths, mod_ssl gets unhappy
and logs errors (see #125).
- Adding an experimental "check" column to server-status with links to known certificate
- Certificate validity now appears as "valid-from"/"valid-until" pair.
- Adding SHA256 fingerprint to certificate-status for renewed certificate.
- md-status handler fixed to work on nested path locations as well.
- New handler "md-status" that can be configured to return the state of all MDs in JSON format.
- Append the name or domain of an MD to the "md-status" url path and get the JSON of just
- Updating the documentation by pulling the wiki into README.md and making the necessary
additions and edits.
- If an MDomain is removed, all its challenge store information is purged as well. A test
case for that was added. Fixes #93
- The ACMEv2 endpoint of Let's Encrypt is now the default for new MDs. Existing MDs will keep
their values unless one explicitly configures a 'MDCertificateAuthority'.
- Non-HTML format of mod_status now lists number of ok/renew/error/ready MDomains.
- Status lists private key specification, if different from default RSA(2048).
- Status shows list of MDs sorted alphabetically.
- Status now shows message from a failed renewal with information and error code on where/why
- At startup, an initial ACME parameter check is performed. More details are given when
ACME challenge methods are unavailable as to the cause. server-status lists these per MD.
- Adding challenge type 'tls-alpn-01' to ACMEv1 as well.
- server-status columns compressed. Expiry/Valid timestamp given as dates only for better
readability. Full time as tooltip.
- Renewal jobs properties are persisted after each run. This preserves status and schedules
when switching child processes by mod_watchdog. It also allows server-status to provide
more information about ongoing activities.
- Cleanup of post config work to make the dry-run phase faster and avoid double loadings
of MD data from the file system.
- Splitting out certificate driving into a separate source file. Logging errors/warnings about
MDomains that cannot be renewed once at post config.
- Rework of MD's contribution to httpd 'server-status' page. Better formatting, reordering, using
absolute GMT timestamps.
- MD status now initialized fully in global list. Fixes new status handler to assess
things even when running in non-privileged setup where access to file system is no