forked from icing/mod_md
-
Notifications
You must be signed in to change notification settings - Fork 0
/
ChangeLog
486 lines (428 loc) · 28.1 KB
/
ChangeLog
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
* Fix for #117, explicitly set file permissions to work around umask defaults.
v1.99.7
----------------------------------------------------------------------------------------------------
* Fix by @nono303 to fix the Windows build that was broken in the last release.
v1.99.6
----------------------------------------------------------------------------------------------------
* When the server is not started by root, the module no longer tries to chown() the
staging and challenges directories as User and Group directives are ignored. Fixes #115.
* When a md.json file in the store cannot be parsed, it is ignore and overwritten during
initial synch at server start.
* When migrating from ACMEv1 to ACMEv2 on the same host, the account private key of an
existing account is reused on registration. Let's Encrypt internally treats this as
the same account, although it is exposed using different urls. This helps keeping
the waste of large prime numbers at a manageable level and allows for more useful
statistics from ACME CAs.
v1.99.5
----------------------------------------------------------------------------------------------------
* Enhanced checks for wildcard domain names in certificate coverage.
* ACME authorizations and certificate requests only done for minimal set of domain names,
e.g. domain covered by a wildcard are left out. LE CA requires this.
* First successful wildcard certificate signup in test suite
* Old and long deprecated configuration directives "ManagedDomain(s)" removed.
* Challenge type 'tls-sni-01' removed as it has been disabled by Let's Encrypt.
* When the ACME server threw its challenges at us, we selected the first among the
configured/supported ones and ran that. When it failed, the whole authorization
failed until the retry kicked in. Now, on a failed challenge startup, we look for the
next possible challenge type and try that.
This allows for challenge types that are configured and maybe supported in general,
but do not work for all domains. E.g. when we add DNS challenge support, that type
may only work for a subset of the domains.
Instead of putting the burden on the user to configured the MDomains individually
correct, the DNS challenge setup can just return APR_ENOTIMPL and another challenge
type is used (if available).
* configure updated to better work with non-standard curl library locations.
v1.99.4
----------------------------------------------------------------------------------------------------
* tls-alpn-01 challenge method, when available, is now preferred.
* configure now checks the libcurl version to be at least 7.50, as does the Apache configure.
v1.99.3
----------------------------------------------------------------------------------------------------
* OpenSSL initialization disabled in the module. Leaving that to mod_ssl/APR.
* mod_ssl trunk patch is now empty, changes have been committed into Apache trunk.
* ACME order/challenge cleanup now runs immediately after a successful renewal and does
not wait for a server restart.
v1.99.2
----------------------------------------------------------------------------------------------------
* fixed bug where a new ACME account was created for each new ACME managed domain when the existing
accounts did not exist or were no longer valid/applicable.
v1.99.1
----------------------------------------------------------------------------------------------------
* adding test cases for migrating MDs from ACMEv1 to ACMEv2
* adding test case for checks that missing "acme-tls/1" protocol config is detected
* removing version number for local ACME account storage again (added in v1.99.0). An account
is only suitable for an ACME server if it matches the directory url exactly.
* export symbols in the module are restricted to reduce size a bit
v1.99.0
----------------------------------------------------------------------------------------------------
* EXPERIMENTAL, EARLY support for the ACMEv2 protocol. Not enabled by default, see README.md.
* mod_md checks for each domain if the 'Protocols' directive allows the 'acme-tls/1' protocol.
Only then is the challenge method 'tls-alpn-01' enabled for a MD.
* first successful tls-alpn-01 test
* test_700 auto tests now working as test_702 for ACMEv2
* test_600 roundtrip tests now working as test_602 for ACMEv2
* test_500 drive tests now working as test_502 for ACMEv2
* More test cases regarding ACMEv2 account handling.
* Removed "id" field from ACME accounts as redundant. Internal cleanup of account handling.
* Integrated recent changes from Apache subversion.
* Starting support for ACMEv2 protocol
* MDCertificateAgreement has new value 'accepted' instead of the Terms-of-Services URL. This
avoids confusion and reflects more what ACMEv2 protocol requires. For ACMEv1 servers, the
correct URL is retrieved from the server's meta data when 'accepted' is configured.
v1.1.17
----------------------------------------------------------------------------------------------------
* fixed several coding bugs in detection of ACME challenge changes, e.g. when the local
MDomains changed and challenges for others had already been set up. Fixes thanks to
Michael Kaufmann (@mkauf).
* added log messages when (supposed) ACME server's answer was not understood (by @mkauf)
* eliminated some compiler warnings about signedness and unused variables.
v1.1.16
----------------------------------------------------------------------------------------------------
* When you move the last domain name from an MD to another one, that now empty MD gets moved
to the store archive. The JSON file will still show the last domain, in case you want
to ressurect after a (human) configuration error. Fixes PR 62572
(see <https://bz.apache.org/bugzilla/show_bug.cgi?id=62572>).
v1.1.15
----------------------------------------------------------------------------------------------------
* Using libressl new integration of openssl API functions when available.
* making some timed wait in test_0700 more robust
v1.1.14
----------------------------------------------------------------------------------------------------
* Preventing other modules from messing with challenge repsonses. Fix by @mkauf. Thanks!
v1.1.13
----------------------------------------------------------------------------------------------------
* adding test cases for accessing a variety of paths for http-01 challenges to confirm
proper http responses (see #92). Reworked handler to fix edge cases discovered.
* adapted test cases for new ACME boulder versions that shifted ACMEv1 to another port
* adapted test case domain from the now forbidden example.org to not-forbidden.org
v1.1.12
----------------------------------------------------------------------------------------------------
* less confusing logging when MDNotifyCmd returns a failure exit code
* MDNotifyCmd can be configured with arguments to which the managed domain
names are appended on invocation
* added more test cases for MDNotifyCmd use
v1.1.11
----------------------------------------------------------------------------------------------------
* fixes a Null Dereference when specially crafted requests are sent to the server. Reported
by Daniel Caminada <daniel.caminada@ergon.ch>.
v1.1.10
----------------------------------------------------------------------------------------------------
* fixes error in renew window calculation that may lead to mod_md running
watchdog in a tight loop until actual renewal becomes necessary.
* /.well-known/acme-challenge requests that cannot be answered for hostnames
outside the configured MDs are free to be answered by other handlers. This allows
co-existance between mod_md and other ACME clients on the same server (implements PR62189).
Suggested by Arkadiusz Miskiewicz <arekm@maven.pl>.
v1.1.9
----------------------------------------------------------------------------------------------------
* Removed bould check from configure. Not everone building the module needs it installed.
Fixes #76.
* Tests with boulder now need a later revision >= 2018-01-10 or you will see failures in the
0800 tests.
* Updated with log format fixes and copyright ASF insistence from apache httpd trunk
v1.1.8
----------------------------------------------------------------------------------------------------
* new configuration directive "MDBaseServer on|off" to allow/inhibit management of the base
server domains outside VirtualHosts. By default, this is "off", e.g. mod_md will not manage
certificates or perform https: redirections on the base server. This follows the
principle of least surprise.
* Fixed gcc warnings.
v1.1.7
----------------------------------------------------------------------------------------------------
* MDMustStaple was unable to create the necessary OpenSSL OBJ identifier on some platforms,
possibly because this fails if the OID is already configured in ```openssl.cnf```, see
[here](https://github.com/openssl/openssl/issues/2795).
* Two memory leaks in cert issuer and alt-names lookup eliminated by Yann Ylavic.
* Changing MDMustStaple triggers certificate renewal.
v1.1.6
----------------------------------------------------------------------------------------------------
* Fixing a bug when code in assert() checks is not executed.
v1.1.5
----------------------------------------------------------------------------------------------------
* Some attempts at code readability, increased logging level for fallback cert generation that
was swept under the DEBUG carpet before.
* More verbosity when *not* handing out certificates, e.g. mod_ssl asks, but mod_md has no
idea what it is talking about. Some people report misbehaviour here.
* Re-enabled support for md_get_credentials() function that was used in older mod_ssl
patch, so that people with old patched servers get a chance to upgrade.
v1.1.4
----------------------------------------------------------------------------------------------------
* When ACME fails to authenticate your domain, the exact server answer is logged
as error. This helps to find out the reason for the failed challenge, for example
when ACME reports a 'Timeout' if it could not reach your server. Implements #70.
v1.1.3
----------------------------------------------------------------------------------------------------
* Fixed wrong mem pool use for auto-added server names.
v1.1.2
----------------------------------------------------------------------------------------------------
* The first configuration check was skipping parts that are needed, especially for new
MDs, and crash if mod_ssl calls back "too early". Reverting that change.
v1.1.1
----------------------------------------------------------------------------------------------------
* Fixed backward compaitbility to '<ManagedDomain' configurations, used in pre v1.1.0 versions
to continue working. Test case added.
* added httpd version checks to test cases that make use of 2.5.0 mod_ssl features. Tests now
run clean against a 2.4.30 installation.
v1.1.0
----------------------------------------------------------------------------------------------------
* IMPORTANT: name change in configuration directives. The Apache team decided that the current
names would confuse you, the users, and asked for a change. The old names are still working
in this version, so you can safely upgrade.
They will give warnings in the log and will disappear in the immediate future.
* ManagedDomain is now MDomain
* <ManagedDomain> is now <MDomainSet>
v1.0.7
----------------------------------------------------------------------------------------------------
* removed old EXPERIMENTAL code for defaulting to Lets Encrypt staging area.
* acme now follows "up" link headers to retrieve issuer certificate chain. This
will lead to shorter chains as the "up" links will stop at the cert that browsers
trust instead of always going to the topmost root.
See https://github.com/letsencrypt/boulder/issues/3259
* Fixed a missing argument in a debug log statement.
v1.0.6
----------------------------------------------------------------------------------------------------
* fix in configure: checking for the correct arc4random_buf now.
v1.0.5
----------------------------------------------------------------------------------------------------
* restricting post_config dry run to be more silent and performing
only necessary work for mod_ssl to be also happy with the configuration.
v1.0.3
----------------------------------------------------------------------------------------------------
* fixed various bugs in persisting job properties, so that status is persisted across
child process changes and staging is reset on reloads.
* changed MDCertificateAgreement url checks. As long as the CA reports that the account
has an agreement, no further checking is done. Existing accounts need no changes when
a new agreement comes out. This is as Let's Encrypt rolls.
v1.0.2
----------------------------------------------------------------------------------------------------
* staging reset on reload also triggered when MDCertificateAgreement was initially missing.
v1.0.1
----------------------------------------------------------------------------------------------------
* ServerName/Alias names from pure-http: virtual hosts are no longer auto-added to a Managed Domain.
Fixes issue #57.
* Error counts of jobs are presisted now. When the server restarts (gracefully) any errored
staging areas are purged to reset the signup/renewal process. Fixes issue #55
v1.0.0
----------------------------------------------------------------------------------------------------
* New directive 'MDNotifyCmd' that will run when Managed Domains have been signed up/renewed. The
names of the MDs is given as arguments to the command.
v0.9.9
----------------------------------------------------------------------------------------------------
* Protocol driving now *applies* correct server properties for http/https challenge selection,
with new test cases (fixes issue #52).
v0.9.8
----------------------------------------------------------------------------------------------------
* Protocol driving now uses correct server properties for http/https challenge selection
(refs issue #52).
v0.9.7
----------------------------------------------------------------------------------------------------
* When building against 2.4.x, one probably needs to configure without ```--enable-werror```,
since there were some warnings fixed in Apache httpd trunk.
* Removed obsolete function from interface to mod_ssl. Module now requires at least mod_ssl
patch v4 in place.
* Fallback certificates has version set and no longer claims to be a CA. (re issue #32)
* ```MDRequireHttps``` now happens before any ```Redirect```.
* added some compiler warning flags and adding casts/eliminating some unused params accordingly
v0.9.6
----------------------------------------------------------------------------------------------------
* For Managed Domains with 'MDRequireHttps permanent' a HSTS (rfc6797) header is added
in the response with value 'max-age=15768000', if not already there.
v0.9.5
----------------------------------------------------------------------------------------------------
* New directive (srly: what do you expect at this point?) "MDMustStaple on|off" to control if
new certificates are requested with the OCSP Must Staple extension.
* Known limitation: when the server is configured to ditch and restart child processes, for example
after a certain number of connections/requests, the mod_md watchdog instance might migrate
to a new child process. Since not all its state is persisted, some messages might appear a
second time in the logs.
* --with-openssl configure option provided by [caminada](https://github.com/caminada) to
specify an uncommon location of the lib.
* --with-jansson configure option provided by [caminada](https://github.com/caminada) to
specify an uncommon location of the lib.
* Adding checks when 'MDRequireHttps' is used. It is considered an error when 'MDPortMap 443:-'
is used - which negates that a https: port exists. Also, a warning is logged if no
VirtualHost can be found for a Managed Domain that has port 443 (or the mapped one) in
its address list.
v0.9.4
----------------------------------------------------------------------------------------------------
* New directive 'MDRequireHttps' for redirecting http: traffic to a Managed Domain, permanently
or temporarily.
* Fix for using a fallback certificate on initial signup of a Managed Domain. Requires also
a changed mod_ssl patch (v5) to take effect.
v0.9.3
----------------------------------------------------------------------------------------------------
* Some sanity checks for MDHttpProxy parameter.
* Rewrote logic to re-schedule MD jobs and announce renewal completion and server restarts. Related
to issue #42
* Additional tweaks for libressl support, thanks to @Sp1l
* Implemented alternative for OpenSSL ASN1_TIME_diff() helper which is not available in
libressl.
v0.9.2
----------------------------------------------------------------------------------------------------
* Fixes for conversions in gcc, fixed duration parsing when apr_strtoi64() defaults to 0 on
not seeing any digit.
* New config directive 'MDHttpProxy <url>' to specify a HTTP(S) proxy for outgoing connections.
Supported in a2md with the '--proxy <url>' command line option.
* Synched mod_ssl patch with Apache subversion again and made v4 of the patch. Only changes
were in log messages, so no need to repatch existing installations.
v0.9.1
----------------------------------------------------------------------------------------------------
* various fixes in MDRenewWindow handling when specifying percent. Serialization changed. If
someone already used percent configurations, it is advised to change these to a new value,
reload and change back to the wanted ones.
* various fixes in handling of MDPrivateKeys when specifying 2048 bits (the default) explicitly.
* mod_md version removed from top level md_store.json file. The store has its own format version
to facilitate upgrades.
v0.9.0
----------------------------------------------------------------------------------------------------
* Improved interface to mod_ssl for fallback handling. Backward compatible to previous mod_ssl
patch, but fallbacks will not work.
* Provide a temporary, self-signed certificate with a speaking command and domain name if we
have no other cert for a Managed Domain, yet. Refs github issue #32
* Continue to provide expired or not-completely matching, existing certificate for a Managed
Domain until the renewal was successful. This is helpful when one adds a DNS name to
a MD, so the previous domains can be served while a new cert is requested.
v0.8.2
----------------------------------------------------------------------------------------------------
* All files necessary to run tests are not in the release package.
* Making "http-01" the preferred challenge type again, as people "tls-sni-01" requires at least
one working certificate vhost right now - which not everyone has.
* moved part of the MD sanity checks from post_config to check_config phase, allowing for error
detection in check-only runs.
v0.8.1
----------------------------------------------------------------------------------------------------
* New directive ```MDPrivateKeys``` to specify the type and parameter to private key generation.
Currently only 'RSA' is supported as type with an option number of bits >= 2048 as parameter.
Simple test cases for config handling added.
* Private RSA keys are now generated with 2048 bits by default. Use ```MDPrivateKeys``` for
higher security.
v0.8.0
----------------------------------------------------------------------------------------------------
* IMPORTANT: store format change. The following changes will be made to an existing md store on
first start with a new version (be it by mod_md in the server or a run by a new 'a2md'):
* pkey.pem will be renamed to privkey.pem
* cert.pem and chain.pem will be concatenated to pubcert.pem. The former files will remain,
but no longer be used. They will disappear on next renewal.
ADVICE: If the current store data is vital to you, please make a backup first!
v0.7.1
----------------------------------------------------------------------------------------------------
* Fixed test case clearing of store to keep key alive, enabling true random store key again.
* Removed pun "Something, like certbot" from the User-Agent request header. Refs issue #34
* Cleaned up reporting of missing/mismatched MDCertificateAgreement in the logs. This will
no longer trigger early retries.
* badNonce encounters are no longer reported as errors. Retries are attempted now silently.
Refs issue #35
* new default MDRenewWindow. Instead of 14 days, the default is now a third before the end of
the certificates lifetime. For the usual 90 days of Let's Encrypt certificates, this makes
an effective renewal window of 30 days - as recommended by LE. Refs issue #30
* Enabled conversion warnings if supported by compiler, eliminated several signed/unsigned
warnings.
v0.7.0
----------------------------------------------------------------------------------------------------
* LIVE: the real Let's Encrypt CA is now live by default! If you need to experiment, configure
```
MDCertificateAuthority https://acme-staging.api.letsencrypt.org/directory
```
* When existing, complete certificates are renewed, the activation of the new ones is
delayed by 24 hours (or until the existing ones expire, whatever is earlier) to accommodate
for clients with weird clocks, refs #1.
* Fixed store sync when MDCAChallenges was removed again from an MD.
* Fixed crash when MD matched the base server, fixes #23
* Fixed watchgod resetting staging when server processes disappeared (e.g. reached
max requests or other limits).
v0.6.1
----------------------------------------------------------------------------------------------------
* global or inside ManagedDomain, 'MDMembers auto|manual' defines if ServerName and ServerAlias
names of a VirtualHost are automatically added to the members of a Managed Domain or not.
Default is 'auto'.
* staging information, e.g. temp files during ACME protocol runs, gets automatically reset
when the managed domain changes.
* when synching new configurations into the store, the list of domain names is now kept
exactly the same. This allows removal of a member that fails challenges. Before, only
additions have been stored. Test cases adjusted.
* Fixed 'uninitialized var use' when logging too new store version, reported in #25
v0.6.0
----------------------------------------------------------------------------------------------------
* Restructuring of the source tree to something very similar as it will appear in the
Apache subversion repository. Will make synching of changes easier.
* Test of special handling of store archive handling for Windows system. See issue #24.
v0.5.0
----------------------------------------------------------------------------------------------------
* Documentation on wiki for several use cases, explaining file store layout and security
* User-Agent now sent to CA.
Driving from httpd: Apache/rev mod_md/rev (Something, like certbot)
Driving from a2md: apachemd/rev mod_md/rev (Something, like certbot)
* Logging adjusted for more readable INFO level on relevant changes
* NOTICE level log when new certificate have been obtained and restart is recommended
* removed code for service restart, should now compile under Win32
v0.4.0
----------------------------------------------------------------------------------------------------
* Various test runs on live server with ACME staging and real service. First green lock
obtained by mod_md!
* Various fixes to permission issues on ubuntu setup server (root/www-data users)
* Fixed defaults for port mapping
* New 'MDDriveMode always' to acquire certificates for Managed Domains not used in any
VirtualHost on the server. Fixed test cases for auto drive mode. Refactored some copy+paste
code in tests.
* Test cases stop the httpd server less, making better timings and reliability
* adding test and fixes for new config directive 'MDCAChallenges' when no configured challenge
type is supported by the ACME server.
v0.3.0
----------------------------------------------------------------------------------------------------
* Adding test case coverage for own base64url coder.
* ACME challenge type "tls-sni-01" supported. Needs new mod_ssl patch
(patches/mod_ssl_md-trunk-v2.diff).
* Merged check based unit test infrastructure by the awesome
[Jacob Champion](https://github.com/jchampio) and linked them to standard 'make test'
* Using ${prefix}/bin/curl if available. Fixed test cases that failed when curl has SNI
support.
* added test that resources are served with "503 Service Unavailable" while TLS credentials
are still incomplete.
* disabled a pkey encryption check since it did not work as is un *NIX, fixed gcc warning
* refcount in md_json_seta adjusted, conversion function expected to always auto-give-away
their references.
* fixed refcount bug in md_json_seta() (supposedly, be optimistic for once!)
* tls-sni-01 challenge cert and key generated, needs to be activated in mod_ssl
v0.2.0
----------------------------------------------------------------------------------------------------
* new directive 'MDPortMap nn:mm' to announce on which local port an ACME CA might reach
the server. This is necessary if you have redirected port 80 and/or 443 on your firefall
to another port on the server that runs mod_md. Example:
MDPortMap 80:5002 443:5001
is a mapping needed for testing with a local boulder instance. If your server uses 80+443
your need not mess with this.
* Fixed reporting error when os does not support *nix permission bits in file system
* MDRenewWindow parsing fixed and setting/update in store added, testcases
* Challenge data is being removed from store when staging is done
* configure option '--with-boulder=<url>' to specify the URL of the boulder test host (defaults
to localhost:4000)
* Changed default ACME CA url to letsencrypt.org staging environment when in MD_EXPERIMENTAL
mode, adapted test outcomes to this setting
* a2md drive command now with same checks on renewal as mod_md. New option --force to
force a renewal that look unnecessary.
* renew window taken into account when scheduling md watchdog
* new directive MDRenewWindow which specifies the number of days (per default) that certificates
should be renewed before they expire. Can be set globally or directly on a MD.
* when run as normal user, mod_md can restart httpd after successful staging of new credentials
* protocol driving split into staging and loading phase. a2md does both, httpd watchdog runs
staging and on restart the staged changes are loaded.
* security: store generates on init a master pass phrase. All private keys outside of the "domains"
storage group are only stored encrypted.
* filesystem store now with relaxed permissions on challenges
v0.1.0
----------------------------------------------------------------------------------------------------
* new directive "MDDriveMode auto|manual". In "auto" mode (more precisely, if auto mode is enabled
for any managed domain), mod_md will require mod_watchdog to be present and regularly check
those domains and attempt to retrieve credentials if some are missing
* drive mode "auto" lacks still various features, function- and security-wise. tbd.
v0.0.2 - v0.0.9
----------------------------------------------------------------------------------------------------
* various development steps not recorded here
v0.0.1
----------------------------------------------------------------------------------------------------
* new command 'acme validate' to check that account is still known to server and key works
* fixed all current test failures
* DNS names are checked for valid characters and non-TLD
* urls are checked to be absolute for the CA
* 'make test' now has dependency on all sources being built
* test cases now use the binary in ./src/a2md instead of the installed one