  • MDs with a static certificate (MDCertificateFile) are not auto-renewed, but they are watched
    for expiration and trigger a configured MDMessageCmd.
  • ACME challenge method 'tls-alpn-01' is now checked for each domain in an MD individually
    and no longer needs to be available for all domains.
@icing icing released this Jun 19, 2019 · 3 commits to master since this release

  • Renewal jobs now have their own log attached, with timestamps for when the renewal started,
    ran into errors and finished. The job JSON files are copied from staging into the domain
    directory for possible later review.
  • Job logs now list all activities during renewal.
  • New MDMessageCmd added as an alternative to MDNotifyCmd. This command is called with an
    additional "reason" parameter that specifies what happened to the managed domain.
  • MDNotifyCmd is now called for each domain that has been successfully renewed, rather than
    once for all Managed Domains after all have been processed. This delivers notifications
    earlier. Notification errors are now also collected under the MD status, and notifications
    are retried with backoff delays.
  • New directive MDServerStatus to control if Managed Domains are listed in Apache's
    server-status handler or not. Default yes.
  • New directive MDCertificateStatus to control if JSON certificate information on a domain
    should be made available on https:///.httpd/certificate-status or not. Default yes.
  • fixed a bug that checked ACMEv2 authorizations against the server several times unnecessarily.
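The following is an added example of a handler script for the MDMessageCmd described above (configured as `MDMessageCmd /usr/local/bin/md-notify.py`); it is not mod_md's own code. It assumes the argument order `<reason> <domain>` and the reason strings `renewed`, `expiring` and `errored` from the mod_md documentation; the release notes themselves only say that a reason parameter exists. The paths and the flag-file reload mechanism are constructed for illustration. The one behaviour worth getting right is the exit status: mod_md records a non-zero exit as a failed notification in the MD status and retries with backoff, so the script exits non-zero only for transient failures.

```python
#!/usr/bin/env python3
"""Example MDMessageCmd hook for mod_md (added illustration, not mod_md code).

mod_md runs the configured command as:  <cmd> <reason> <domain>
Reason strings follow the mod_md documentation ('renewed', 'expiring',
'errored'); they are assumed here.  A 'renewed' certificate is only staged;
it becomes active after a graceful reload of httpd.
"""
import json
import os
import sys
import time

# Constructed paths for this example; adjust for a real deployment.
RELOAD_FLAG_DIR = os.environ.get("MD_RELOAD_FLAG_DIR", "/run/md-notify")
ALERT_LOG = os.environ.get("MD_ALERT_LOG", "/var/log/md-alerts.jsonl")

EXIT_OK, EXIT_RETRY, EXIT_USAGE = 0, 1, 2


def decide(reason, domain):
    """Map a mod_md reason to an action; pure function so it is testable."""
    if reason == "renewed":
        # New cert is staged; it is only served after a graceful reload.
        return {"action": "schedule-reload", "severity": "info", "domain": domain}
    if reason == "expiring":
        # MDCertificateFile domains are not auto-renewed; a human must act.
        return {"action": "alert", "severity": "warning", "domain": domain}
    if reason == "errored":
        return {"action": "alert", "severity": "error", "domain": domain}
    return {"action": "ignore", "severity": "info", "domain": domain}


def record(decision, path=ALERT_LOG):
    """Append one JSON line per event; returns the record written."""
    entry = dict(decision, ts=int(time.time()))
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def main(argv):
    if len(argv) != 3:
        print("usage: md-notify.py <reason> <domain>", file=sys.stderr)
        return EXIT_USAGE
    reason, domain = argv[1], argv[2]
    # The domain becomes a file name below: refuse anything that is not a
    # plain host name so a hostile MD name cannot escape the flag directory.
    if not domain or "/" in domain or domain.startswith("."):
        return EXIT_USAGE
    decision = decide(reason, domain)
    try:
        if decision["action"] == "schedule-reload":
            os.makedirs(RELOAD_FLAG_DIR, exist_ok=True)
            # A timer job picks the flag up and runs 'apachectl graceful';
            # doing the reload from inside the hook would restart the parent
            # that is waiting for this very command.
            with open(os.path.join(RELOAD_FLAG_DIR, domain), "w") as fh:
                fh.write(str(int(time.time())))
        if decision["action"] != "ignore":
            record(decision)
    except OSError as exc:
        print("md-notify: %s" % exc, file=sys.stderr)
        return EXIT_RETRY  # transient: let mod_md retry with backoff
    return EXIT_OK


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Unknown reasons are ignored with exit 0 on purpose: newer mod_md versions may add reasons, and treating them as failures would only produce retry noise in the MD status.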
@icing icing released this Jun 13, 2019 · 21 commits to master since this release

  • Updated with new directives and howto.
  • New directives "MDCertificateFile" and "MDCertificateKeyFile" that allow defining
    Managed Domains for certificates coming from somewhere else.
  • "MDRenewMode" is the new name of "MDDriveMode" (which is still available for
    backward compatibility). This should make it easier to understand what it does.
  • Removing some fields from the stored MD JSON, now that we can inspect the pubcert itself
    at any time. Fewer store updates.
  • Dropped support for the pre-v1.x function that mod_ssl used in ancient patches.
  • The public cert chain is now cached in memory before the server drops privileges, so we
    always have access to it. This allowed dropping some pre-computed values such as the
    SHA256 fingerprint.
  • Adding "" as a shortcut to "". It just reads that much better.
  • More "how to"s in
  • MDPortMap directive now also accepts http and https as external ports. http:8888 would
    mean that http requests from the internet arrive on local port 8888.
  • Started "how to"s in
  • The MDRequireHttps handler now runs after mod_ssl, so that mod_ssl can report SSL errors first.
  • All GET requests against an ACMEv2 endpoint (except directory and nonce retrievals) are
    now made as POST with an empty, JWS-signed body. See
    for the necessity of this API change at Let's Encrypt.
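The POST-as-GET change above is easy to get subtly wrong, so here is an added example (not mod_md's code) of the request framing from RFC 8555 section 6.3, with the server-side checks that motivate it. The signer is pluggable: ACME requires an asymmetric JWS algorithm (ES256, RS256) with the account key, and to stay runnable without a crypto library the demo plugs in an HMAC-SHA256 stand-in that is labelled as such; the URLs and nonces are constructed.

```python
import base64
import hashlib
import hmac
import json


def b64url(data):
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_body(url, kid, nonce, payload, sign, alg):
    """Build the flattened JWS JSON object an ACME v2 server expects.

    payload=None -> POST-as-GET: the JWS payload is the empty string and the
                    signing input ends in the '.' separator only.
    payload={}   -> a real POST carrying the empty JSON object "{}" (e.g. a
                    challenge response), i.e. base64url("{}") == "e30".
    The two differ on the wire and the server treats them differently.
    """
    protected = {"alg": alg, "kid": kid, "nonce": nonce, "url": url}
    protected_b64 = b64url(json.dumps(protected, separators=(",", ":")).encode())
    if payload is None:
        payload_b64 = ""
    else:
        payload_b64 = b64url(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = (protected_b64 + "." + payload_b64).encode("ascii")
    return {"protected": protected_b64,
            "payload": payload_b64,
            "signature": b64url(sign(signing_input))}


def post_as_get(url, kid, nonce, sign, alg):
    """Body for fetching an order, authorization or certificate by POST."""
    return jws_body(url, kid, nonce, None, sign, alg)


def decode_protected(body):
    return json.loads(b64url_decode(body["protected"]))


def verify_body(body, verify, expected_url, used_nonces):
    """Server-side acceptance checks. The signed nonce and url bind each
    read to one account and one request, which plain GETs could not do.
    Returns the protected header or raises ValueError."""
    protected = decode_protected(body)
    if protected.get("url") != expected_url:
        raise ValueError("url mismatch: body was signed for another endpoint")
    if protected.get("nonce") in used_nonces:
        raise ValueError("nonce replayed")
    signing_input = (body["protected"] + "." + body["payload"]).encode("ascii")
    if not verify(signing_input, b64url_decode(body["signature"])):
        raise ValueError("bad signature")
    used_nonces.add(protected["nonce"])
    return protected


# Constructed stand-in signer so the demo runs offline. HMAC is NOT a valid
# ACME JWS algorithm; a real client signs the same input with ES256/RS256.
_DEMO_KEY = b"demo-account-key-not-for-production"


def demo_sign(data):
    return hmac.new(_DEMO_KEY, data, hashlib.sha256).digest()


def demo_verify(data, sig):
    return hmac.compare_digest(demo_sign(data), sig)


if __name__ == "__main__":
    # constructed URLs; a real client takes them from the CA's directory
    acct = "https://acme-v02.api.letsencrypt.org/acme/acct/1"
    order = "https://acme-v02.api.letsencrypt.org/acme/order/1/2"
    body = post_as_get(order, acct, "nonce-0001", demo_sign, "HS256-demo")
    print(json.dumps(body, indent=2))
    print(verify_body(body, demo_verify, order, set()))
```

The distinction between `payload == ""` and `payload == "e30"` is the one that bites in practice: a server that receives `{}` where it expects a POST-as-GET will treat the request as an update attempt, and vice versa.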
@icing icing released this Jun 6, 2019 · 41 commits to master since this release

  • Fixed an integer overflow in the renewal window configuration on 32-bit systems that caused
    renewal windows to drop to 0, i.e. renewal only once the certificate had expired. This
    only happened when MDRenewWindow was explicitly configured.
  • JSON format of /.httpd/certificate-status slightly altered. See for details.
  • ACME errors and problems in challenge selection that point to configuration mistakes
    are now visible in the md-status handler.
  • Testsuite cleanup and use of new md-status handler to verify progress.
  • IMPORTANT: upgrade behaviour changed. MDs that do not have MDCertificateAuthority configured
    explicitly all get the new ACMEv2 default endpoint of Let's Encrypt. See the chapter
    about upgrading for the background of this.
  • Added chapter about the upcoming end-of-life changes for ACMEv1 at LetsEncrypt.
  • Extracting certificate transparency SCTs (the signed certificate timestamps issued by CT
    logs) from a staged certificate and displaying them on /.httpd/certificate-status. A
    monitoring client may use this to verify the signatures against the CT logs, even though
    the log may not yet show the certificate (the maximum merge delay seems to be 24 hours on
    most logs).
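As an added example (not mod_md's code) of the monitoring client the notes above have in mind, the script below evaluates one certificate-status document: is the active certificate inside its renewal window, has a renewal actually been staged, does the staged certificate differ from and outlive the active one, and does it carry enough SCTs. The sample document is constructed; `valid-from`/`valid-until` appear in these release notes, while the `sha256-fingerprint`, `renewal` and `scts` field names and the RFC 822 timestamp format are assumptions taken from the mod_md documentation of the time.

```python
import json
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample of what the endpoint might return while a renewal is
# staged. Field names beyond valid-from/valid-until are assumptions.
_DOC = {
    "valid-from": "Wed, 12 Jun 2019 07:54:20 GMT",
    "valid-until": "Tue, 10 Sep 2019 07:54:20 GMT",
    "serial": "03a1b2c3d4e5",
    "sha256-fingerprint": "11" * 32,
    "renewal": {
        "valid-from": "Fri, 16 Aug 2019 10:00:00 GMT",
        "valid-until": "Thu, 14 Nov 2019 10:00:00 GMT",
        "sha256-fingerprint": "22" * 32,
        # one entry per embedded SCT; the values are placeholders
        "scts": [
            {"logid": "b21e" * 8, "signed": "Fri, 16 Aug 2019 10:00:01 GMT", "signature": "MEUC"},
            {"logid": "747e" * 8, "signed": "Fri, 16 Aug 2019 10:00:01 GMT", "signature": "MEQC"},
        ],
    },
}
SAMPLE = json.dumps(_DOC)
SAMPLE_NO_RENEWAL = json.dumps({k: v for k, v in _DOC.items() if k != "renewal"})


def parse_ts(text):
    """RFC 822 date as emitted by httpd; normalise to an aware UTC datetime."""
    dt = parsedate_to_datetime(text)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def assess(status, now, renew_window=timedelta(days=30), min_scts=2):
    """Findings for one domain. renew_window should mirror MDRenewWindow
    (mod_md's default is 33% of the lifetime, about 30 days for 90-day certs).
    'renewal' is present only while a renewed cert is staged and not yet
    activated by a reload, so its presence also means a reload is pending."""
    until = parse_ts(status["valid-until"])
    remaining = until - now
    staged = status.get("renewal")
    findings = {"remaining_days": remaining.days, "staged": staged is not None,
                "reload_needed": staged is not None, "problems": []}
    if remaining <= timedelta(0):
        findings["problems"].append("certificate expired")
    elif remaining <= renew_window and staged is None:
        # mod_md should have something in staging by now; check md-status and
        # the renewal job log for ACME or challenge errors
        findings["problems"].append("inside renewal window but nothing staged")
    if staged is not None:
        if staged.get("sha256-fingerprint") == status.get("sha256-fingerprint"):
            findings["problems"].append("staged cert identical to active cert")
        if parse_ts(staged["valid-until"]) <= until:
            findings["problems"].append("staged cert does not extend validity")
        scts = staged.get("scts", [])
        if len(scts) < min_scts:
            # browser CT policies commonly expect at least two SCTs
            findings["problems"].append("only %d SCT(s) embedded" % len(scts))
    return findings


def check(text, now_iso, renew_window_days=30):
    """Convenience wrapper: JSON text plus an ISO-8601 'now' -> findings."""
    return assess(json.loads(text), datetime.fromisoformat(now_iso),
                  timedelta(days=renew_window_days))


if __name__ == "__main__":
    print(check(SAMPLE, "2019-08-20T00:00:00+00:00"))
    print(check(SAMPLE_NO_RENEWAL, "2019-08-20T00:00:00+00:00"))
```

In a deployment the document would be fetched over HTTPS from each domain and `now` taken from the clock; keeping both as parameters makes the decision logic testable against fixed inputs. Verifying the SCT signatures themselves needs the certificate bytes and the log's public key, so that step is left to a CT client.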
@icing icing released this Jun 3, 2019 · 52 commits to master since this release

  • Fixing configuration startup (e.g. dry run) to sync with the store again. This lets
    us find renamed MDs and use their correct paths. With wrong paths, mod_ssl gets unhappy
    and logs errors (see #125).
  • Adding an experimental "check" column to server-status with links to known certificate
    checker sites.
  • Certificate validity now appears as "valid-from"/"valid-until" pair.
  • Adding SHA256 fingerprint to certificate-status for renewed certificate.
  • md-status handler fixed to work on nested path locations as well.
@icing icing released this May 28, 2019 · 67 commits to master since this release

  • New handler "md-status" that can be configured to return the state of all MDs in JSON format.
  • Append the name or domain of an MD to the "md-status" url path and get the JSON of just
    that MD.
@icing icing released this May 24, 2019 · 72 commits to master since this release

  • Updating the documentation by pulling the wiki into and making the necessary
    additions and edits.
  • If an MDomain is removed, all its challenge store information is purged as well. A test
    case for that was added. Fixes #93.
  • The ACMEv2 endpoint of Let's Encrypt is now the default for new MDs. Existing MDs will keep
    their values unless one explicitly configures a 'MDCertificateAuthority'.
  • Non-HTML format of mod_status now lists number of ok/renew/error/ready MDomains.
@icing icing released this May 21, 2019 · 82 commits to master since this release

  • Status lists the private key specification, if different from the default RSA(2048).
  • Status shows list of MDs sorted alphabetically.
  • Status now shows the message from a failed renewal, with information and error code on
    where/why it failed.
  • At startup, an initial ACME parameter check is performed. When ACME challenge methods are
    unavailable, more details are given as to the cause. server-status lists these per MD.
  • Adding challenge type 'tls-alpn-01' to ACMEv1 as well.
  • server-status columns compressed. Expiry/Valid timestamps are given as dates only for better
    readability, with the full time as tooltip.
  • Renewal jobs properties are persisted after each run. This preserves status and schedules
    when switching child processes by mod_watchdog. It also allows server-status to provide
    more information about ongoing activities.
  • Cleanup of post config work to make the dry-run phase faster and avoid double loadings
    of MD data from the file system.
  • Splitting out certificate driving into a separate source file. Errors/warnings about
    MDomains that can not be renewed are logged once at post config.
@icing icing released this May 15, 2019 · 96 commits to master since this release

  • Rework of MD's contribution to httpd 'server-status' page. Better formatting, reordering, using
    absolute GMT timestamps.
@icing icing released this May 14, 2019 · 107 commits to master since this release

  • MD status is now fully initialized in the global list. This fixes the new status handler
    so it can assess things even when running in a non-privileged setup where access to the
    file system is no longer allowed.
