</usage>
</directivesynopsis>
+ <directivesynopsis>
+ <name>MDBaseServer</name>
+ <description>Control if base server may be managed or only virtual hosts.</description>
+ <syntax>MDBaseServer on|off</syntax>
+ <default>MDBaseServer off</default>
+ <contextlist>
+ <context>server config</context>
+ </contextlist>
+ <usage>
+ <p>
+ Controls if the base server, the one outside all VirtualHosts should be managed by
+ <module>mod_md</module> or not. Default is to not do this, for the very reason that
+ it may have confusing side-effects. It is recommended that you have virtual hosts
+ for all managed domains and do not rely on the global, fallback server configuration.
+ </p>
+ </usage>
+ </directivesynopsis>
+
+
</modulesynopsis>
#define MD_KEY_CONTACT "contact"
#define MD_KEY_CONTACTS "contacts"
#define MD_KEY_CSR "csr"
+#define MD_KEY_DETAIL "detail"
#define MD_KEY_DISABLED "disabled"
#define MD_KEY_DIR "dir"
#define MD_KEY_DOMAIN "domain"
int expired;
};
+/* TODO: not sure this is a good idea, testing some readability and debuggabiltiy of
+ * cascaded apr_status_t checks. */
+#define MD_CHK_VARS const char *md_chk_
+#define MD_LAST_CHK md_chk_
+#define MD_CHK_STEP(c, status, s) (md_chk_ = s, (void)md_chk_, status == (rv = (c)))
+#define MD_CHK(c, status) MD_CHK_STEP(c, status, #c)
+#define MD_IS_ERR(c, err) (md_chk_ = #c, APR_STATUS_IS_##err((rv = (c))))
+#define MD_CHK_SUCCESS(c) MD_CHK(c, APR_SUCCESS)
+#define MD_OK(c) MD_CHK_SUCCESS(c)
+
#endif /* mod_md_md_h */
const char *ptype, *pdetail;
req->resp_json = problem;
- ptype = md_json_gets(problem, "type", NULL);
- pdetail = md_json_gets(problem, "detail", NULL);
+ ptype = md_json_gets(problem, MD_KEY_TYPE, NULL);
+ pdetail = md_json_gets(problem, MD_KEY_DETAIL, NULL);
req->rv = problem_status_get(ptype);
if (APR_STATUS_IS_EAGAIN(req->rv)) {
md_store_t *store, apr_pool_t *p)
{
md_json_t *json;
- const char *s;
+ const char *s, *err;
+ md_log_level_t log_level;
apr_status_t rv;
+ MD_CHK_VARS;
(void)store;
assert(acme);
assert(authz);
assert(authz->location);
- if (APR_SUCCESS != (rv = md_acme_get_json(&json, acme, authz->location, p))) {
- md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, p, "update authz for %s at %s",
- authz->domain, authz->location);
- return rv;
- }
-
- authz->resource = json;
- s = md_json_gets(json, "identifier", "type", NULL);
- if (!s || strcmp(s, "dns")) return APR_EINVAL;
- s = md_json_gets(json, "identifier", "value", NULL);
- if (!s || strcmp(s, authz->domain)) return APR_EINVAL;
-
authz->state = MD_ACME_AUTHZ_S_UNKNOWN;
- s = md_json_gets(json, "status", NULL);
- if (s && !strcmp(s, "pending")) {
- authz->state = MD_ACME_AUTHZ_S_PENDING;
- }
- else if (s && !strcmp(s, "valid")) {
- authz->state = MD_ACME_AUTHZ_S_VALID;
- if (md_log_is_level(p, MD_LOG_DEBUG)) {
- md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, 0, p, "ACME server validated challenge "
- "for %s in %s, ACME response is: %s",
- authz->domain, authz->location,
- md_json_writep(json, p, MD_JSON_FMT_COMPACT));
+ json = NULL;
+ err = "unable to parse response";
+ log_level = MD_LOG_ERR;
+
+ if (MD_OK(md_acme_get_json(&json, acme, authz->location, p))
+ && (s = md_json_gets(json, MD_KEY_IDENTIFIER, MD_KEY_TYPE, NULL))
+ && !strcmp(s, "dns")
+ && (s = md_json_gets(json, MD_KEY_IDENTIFIER, MD_KEY_VALUE, NULL))
+ && !strcmp(s, authz->domain)
+ && (s = md_json_gets(json, MD_KEY_STATUS, NULL))) {
+
+ authz->resource = json;
+ if (!strcmp(s, "pending")) {
+ authz->state = MD_ACME_AUTHZ_S_PENDING;
+ err = "challenge 'pending'";
+ log_level = MD_LOG_DEBUG;
+ }
+ else if (!strcmp(s, "valid")) {
+ authz->state = MD_ACME_AUTHZ_S_VALID;
+ err = "challenge 'valid'";
+ log_level = MD_LOG_DEBUG;
+ }
+ else if (!strcmp(s, "invalid")) {
+ authz->state = MD_ACME_AUTHZ_S_INVALID;
+ err = "challenge 'invalid'";
}
}
- else if (s && !strcmp(s, "invalid")) {
- authz->state = MD_ACME_AUTHZ_S_INVALID;
- md_log_perror(MD_LOG_MARK, MD_LOG_ERR, 0, p, "ACME server reports challenge "
- "for %s in %s as 'invalid', ACME response is: %s",
- authz->domain, authz->location,
- md_json_writep(json, p, MD_JSON_FMT_COMPACT));
+
+ if (json && authz->state == MD_ACME_AUTHZ_S_UNKNOWN) {
+ err = "unable to understand response";
+ rv = APR_EINVAL;
}
- else if (s) {
- md_log_perror(MD_LOG_MARK, MD_LOG_ERR, 0, p, "ACME server reports unrecognized "
- "authz state '%s' for %s in %s, ACME response is: %s",
- s, authz->domain, authz->location,
- md_json_writep(json, p, MD_JSON_FMT_COMPACT));
- return APR_EINVAL;
+
+ if (md_log_is_level(p, log_level)) {
+ md_log_perror(MD_LOG_MARK, log_level, rv, p, "ACME server authz: %s for %s at %s. "
+ "Exact repsonse was: %s", err? err : "", authz->domain, authz->location,
+ json? md_json_writep(json, p, MD_JSON_FMT_COMPACT) : "not available");
}
+
return rv;
}
{
const char *thumb64, *key_authz;
apr_status_t rv;
+ MD_CHK_VARS;
(void)authz;
assert(cha);
assert(cha->token);
*pchanged = 0;
- if (APR_SUCCESS == (rv = md_jws_pkey_thumb(&thumb64, p, acme->acct_key))) {
+ if (MD_OK(md_jws_pkey_thumb(&thumb64, p, acme->acct_key))) {
key_authz = apr_psprintf(p, "%s.%s", cha->token, thumb64);
if (cha->key_authz) {
if (strcmp(key_authz, cha->key_authz)) {
const char *data;
apr_status_t rv;
int notify_server;
+ MD_CHK_VARS;
(void)key_spec;
- if (APR_SUCCESS != (rv = setup_key_authz(cha, authz, acme, p, ¬ify_server))) {
+ if (!MD_OK(setup_key_authz(cha, authz, acme, p, ¬ify_server))) {
goto out;
}
apr_status_t rv;
int notify_server;
apr_array_header_t *domains;
+ MD_CHK_VARS;
- if ( APR_SUCCESS != (rv = setup_key_authz(cha, authz, acme, p, ¬ify_server))
- || APR_SUCCESS != (rv = setup_cha_dns(&cha_dns, cha, p))) {
+ if ( !MD_OK(setup_key_authz(cha, authz, acme, p, ¬ify_server))
+ || !MD_OK(setup_cha_dns(&cha_dns, cha, p))) {
goto out;
}
/* setup a certificate containing the challenge dns */
domains = apr_array_make(p, 5, sizeof(const char*));
APR_ARRAY_PUSH(domains, const char*) = cha_dns;
- rv = md_cert_self_sign(&cha_cert, authz->domain, domains, cha_key,
- apr_time_from_sec(7 * MD_SECS_PER_DAY), p);
-
- if (APR_SUCCESS != rv) {
+ if (!MD_OK(md_cert_self_sign(&cha_cert, authz->domain, domains, cha_key,
+ apr_time_from_sec(7 * MD_SECS_PER_DAY), p))) {
md_log_perror(MD_LOG_MARK, MD_LOG_ERR, rv, p, "%s: setup self signed cert for %s",
authz->domain, cha_dns);
goto out;
}
- rv = md_store_save(store, p, MD_SG_CHALLENGES, cha_dns, MD_FN_TLSSNI01_PKEY,
- MD_SV_PKEY, (void*)cha_key, 0);
- if (APR_SUCCESS == rv) {
+ if (MD_OK(md_store_save(store, p, MD_SG_CHALLENGES, cha_dns, MD_FN_TLSSNI01_PKEY,
+ MD_SV_PKEY, (void*)cha_key, 0))) {
rv = md_store_save(store, p, MD_SG_CHALLENGES, cha_dns, MD_FN_TLSSNI01_CERT,
MD_SV_CERT, (void*)cha_cert, 0);
}
apr_status_t md_cert_get_issuers_uri(const char **puri, md_cert_t *cert, apr_pool_t *p)
{
- int i, ext_idx, nid = NID_info_access;
- X509_EXTENSION *ext;
- X509V3_EXT_METHOD *ext_cls;
- void *ext_data;
- const char *uri = NULL;
apr_status_t rv = APR_ENOENT;
-
- /* Waddle through x509 API history to get someone that may be able
- * to hand us the issuer url for the cert chain */
- ext_idx = X509_get_ext_by_NID(cert->x509, nid, -1);
- ext = (ext_idx >= 0)? X509_get_ext(cert->x509, ext_idx) : NULL;
- ext_cls = ext? (X509V3_EXT_METHOD*)X509V3_EXT_get(ext) : NULL;
- if (ext_cls && (ext_data = X509_get_ext_d2i(cert->x509, nid, 0, 0))) {
- CONF_VALUE *cval;
- STACK_OF(CONF_VALUE) *ext_vals = ext_cls->i2v(ext_cls, ext_data, 0);
-
- for (i = 0; i < sk_CONF_VALUE_num(ext_vals); ++i) {
- cval = sk_CONF_VALUE_value(ext_vals, i);
- if (!strcmp("CA Issuers - URI", cval->name)) {
- uri = apr_pstrdup(p, cval->value);
+ STACK_OF(ACCESS_DESCRIPTION) *xinfos;
+ const char *uri = NULL;
+ unsigned char *buf;
+ int i;
+
+ xinfos = X509_get_ext_d2i(cert->x509, NID_info_access, NULL, NULL);
+ if (xinfos) {
+ for (i = 0; i < sk_ACCESS_DESCRIPTION_num(xinfos); i++) {
+ ACCESS_DESCRIPTION *val = sk_ACCESS_DESCRIPTION_value(xinfos, i);
+ if (OBJ_obj2nid(val->method) == NID_ad_ca_issuers
+ && val->location && val->location->type == GEN_URI) {
+ ASN1_STRING_to_UTF8(&buf, val->location->d.uniformResourceIdentifier);
+ uri = apr_pstrdup(p, (char *)buf);
+ OPENSSL_free(buf);
rv = APR_SUCCESS;
break;
}
}
+ sk_ACCESS_DESCRIPTION_pop_free(xinfos, ACCESS_DESCRIPTION_free);
}
*puri = (APR_SUCCESS == rv)? uri : NULL;
return rv;
unsigned char *buf;
int i;
- xalt_names = (GENERAL_NAMES*)X509_get_ext_d2i(cert->x509, NID_subject_alt_name, NULL, NULL);
+ xalt_names = X509_get_ext_d2i(cert->x509, NID_subject_alt_name, NULL, NULL);
if (xalt_names) {
GENERAL_NAME *cval;
break;
}
}
+ sk_GENERAL_NAME_pop_free(xalt_names, GENERAL_NAME_free);
rv = APR_SUCCESS;
}
*pnames = (APR_SUCCESS == rv)? names : NULL;
return APR_SUCCESS;
}
+#define MD_OID_MUST_STAPLE_NUM "1.3.6.1.5.5.7.1.24"
+#define MD_OID_MUST_STAPLE_SNAME "tlsfeature"
+#define MD_OID_MUST_STAPLE_LNAME "TLS Feature"
+
+static int get_must_staple_nid(void)
+{
+ /* Funny API, the OID for must staple might be configured or
+ * might be not. In the second case, we need to add it. But adding
+ * when it already is there is an error... */
+ int nid = OBJ_txt2nid(MD_OID_MUST_STAPLE_NUM);
+ if (NID_undef == nid) {
+ nid = OBJ_create(MD_OID_MUST_STAPLE_NUM,
+ MD_OID_MUST_STAPLE_SNAME, MD_OID_MUST_STAPLE_LNAME);
+ }
+ return nid;
+}
+
+int md_cert_must_staple(md_cert_t *cert)
+{
+ /* In case we do not get the NID for it, we treat this as not set. */
+ int nid = get_must_staple_nid();
+ return ((NID_undef != nid)) && X509_get_ext_by_NID(cert->x509, nid, -1) >= 0;
+}
+
static apr_status_t add_must_staple(STACK_OF(X509_EXTENSION) *exts, const md_t *md, apr_pool_t *p)
{
X509_EXTENSION *x;
int nid;
- nid = OBJ_create("1.3.6.1.5.5.7.1.24", "tlsfeature", "TLS Feature");
+ nid = get_must_staple_nid();
if (NID_undef == nid) {
md_log_perror(MD_LOG_MARK, MD_LOG_ERR, 0, p,
"%s: unable to get NID for v3 must-staple TLS feature", md->name);
int md_cert_has_expired(const md_cert_t *cert);
int md_cert_covers_domain(md_cert_t *cert, const char *domain_name);
int md_cert_covers_md(md_cert_t *cert, const struct md_t *md);
+int md_cert_must_staple(md_cert_t *cert);
apr_time_t md_cert_get_not_after(md_cert_t *cert);
apr_time_t md_cert_get_not_before(md_cert_t *cert);
"needs sign up for a new certificate", md->name);
goto out;
}
+ if (!md->must_staple != !md_cert_must_staple(creds->cert)) {
+ state = MD_S_INCOMPLETE;
+ md_log_perror(MD_LOG_MARK, MD_LOG_INFO, rv, p,
+ "md{%s}: OCSP Stapling is%s requested, but certificate "
+ "has it%s enabled. Need to get a new certificate.", md->name,
+ md->must_staple? "" : " not",
+ !md->must_staple? "" : " not");
+ goto out;
+ }
for (i = 1; i < creds->pubcert->nelts; ++i) {
cert = APR_ARRAY_IDX(creds->pubcert, i, const md_cert_t *);
{
const char *from, *to;
apr_status_t rv = APR_SUCCESS;
-
+ MD_CHK_VARS;
+
(void)baton;
(void)ftype;
- if (APR_SUCCESS == (rv = md_util_path_merge(&from, ptemp, dir, name, NULL))
- && APR_SUCCESS == (rv = md_util_path_merge(&to, ptemp, dir, MD_FN_PRIVKEY, NULL))) {
+ if ( MD_OK(md_util_path_merge(&from, ptemp, dir, name, NULL))
+ && MD_OK(md_util_path_merge(&to, ptemp, dir, MD_FN_PRIVKEY, NULL))) {
md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, 0, p, "renaming %s/%s to %s",
dir, name, MD_FN_PRIVKEY);
return apr_file_rename(from, to, ptemp);
apr_array_header_t *chain, *pubcert;
const char *fname, *fpubcert;
apr_status_t rv = APR_SUCCESS;
+ MD_CHK_VARS;
(void)baton;
(void)ftype;
(void)p;
- if ( APR_SUCCESS == (rv = md_util_path_merge(&fpubcert, ptemp, dir, MD_FN_PUBCERT, NULL))
- && APR_STATUS_IS_ENOENT((rv = md_chain_fload(&pubcert, ptemp, fpubcert)))
- && APR_SUCCESS == (rv = md_util_path_merge(&fname, ptemp, dir, name, NULL))
- && APR_SUCCESS == (rv = md_cert_fload(&cert, ptemp, fname))
- && APR_SUCCESS == (rv = md_util_path_merge(&fname, ptemp, dir, MD_FN_CHAIN, NULL))) {
+ if ( MD_OK(md_util_path_merge(&fpubcert, ptemp, dir, MD_FN_PUBCERT, NULL))
+ && MD_IS_ERR(md_chain_fload(&pubcert, ptemp, fpubcert), ENOENT)
+ && MD_OK(md_util_path_merge(&fname, ptemp, dir, name, NULL))
+ && MD_OK(md_cert_fload(&cert, ptemp, fname))
+ && MD_OK(md_util_path_merge(&fname, ptemp, dir, MD_FN_CHAIN, NULL))) {
rv = md_chain_fload(&chain, ptemp, fname);
if (APR_STATUS_IS_ENOENT(rv)) {
const char *key64, *key;
apr_status_t rv;
double store_version;
+ MD_CHK_VARS;
- if (APR_SUCCESS == (rv = md_json_readf(&json, p, fname))) {
+ if (MD_OK(md_json_readf(&json, p, fname))) {
store_version = md_json_getn(json, MD_KEY_STORE, MD_KEY_VERSION, NULL);
if (store_version <= 0.0) {
/* ok, an old one, compatible to 1.0 */
md_store_fs_t *s_fs = baton;
const char *fname;
apr_status_t rv;
+ MD_CHK_VARS;
(void)ap;
s_fs->plain_pkey[MD_SG_DOMAINS] = 1;
s_fs->plain_pkey[MD_SG_TMP] = 1;
- rv = md_util_path_merge(&fname, ptemp, s_fs->base, FS_STORE_JSON, NULL);
- if (APR_SUCCESS != rv) {
+ if (!MD_OK(md_util_path_merge(&fname, ptemp, s_fs->base, FS_STORE_JSON, NULL))) {
return rv;
}
read:
- if (APR_SUCCESS == (rv = md_util_is_file(fname, ptemp))) {
+ if (MD_OK(md_util_is_file(fname, ptemp))) {
rv = read_store_file(s_fs, fname, p, ptemp);
}
- else if (APR_STATUS_IS_ENOENT(rv)) {
- rv = init_store_file(s_fs, fname, p, ptemp);
- if (APR_STATUS_IS_EEXIST(rv)) {
- goto read;
- }
+ else if (APR_STATUS_IS_ENOENT(rv)
+ && MD_IS_ERR(init_store_file(s_fs, fname, p, ptemp), EEXIST)) {
+ goto read;
}
return rv;
}
{
md_store_fs_t *s_fs;
apr_status_t rv = APR_SUCCESS;
+ MD_CHK_VARS;
s_fs = apr_pcalloc(p, sizeof(*s_fs));
s_fs->base = apr_pstrdup(p, path);
- if (APR_SUCCESS != (rv = md_util_is_dir(s_fs->base, p))) {
- if (APR_STATUS_IS_ENOENT(rv)) {
- rv = apr_dir_make_recursive(s_fs->base, s_fs->def_perms.dir, p);
- if (APR_SUCCESS == rv) {
- rv = apr_file_perms_set(s_fs->base, MD_FPROT_D_UALL_WREAD);
- if (APR_STATUS_IS_ENOTIMPL(rv)) {
- rv = APR_SUCCESS;
- }
- }
+ if (MD_IS_ERR(md_util_is_dir(s_fs->base, p), ENOENT)
+ && MD_OK(apr_dir_make_recursive(s_fs->base, s_fs->def_perms.dir, p))) {
+ rv = apr_file_perms_set(s_fs->base, MD_FPROT_D_UALL_WREAD);
+ if (APR_STATUS_IS_ENOTIMPL(rv)) {
+ rv = APR_SUCCESS;
}
}
- rv = md_util_pool_vdo(setup_store_file, s_fs, p, NULL);
- if (APR_SUCCESS != rv) {
+ if ((APR_SUCCESS != rv) || !MD_OK(md_util_pool_vdo(setup_store_file, s_fs, p, NULL))) {
md_log_perror(MD_LOG_MARK, MD_LOG_ERR, rv, p, "init fs store at %s", path);
}
*pstore = (rv == APR_SUCCESS)? &(s_fs->s) : NULL;
md_store_group_t group;
void **pvalue;
apr_status_t rv;
+ MD_CHK_VARS;
group = (md_store_group_t)va_arg(ap, int);
name = va_arg(ap, const char *);
vtype = (md_store_vtype_t)va_arg(ap, int);
pvalue= va_arg(ap, void **);
- rv = fs_get_fname(&fpath, &s_fs->s, group, name, aspect, ptemp);
- if (APR_SUCCESS == rv) {
+ if (MD_OK(fs_get_fname(&fpath, &s_fs->s, group, name, aspect, ptemp))) {
rv = fs_fload(pvalue, s_fs, fpath, group, vtype, p, ptemp);
}
return rv;
{
const perms_t *perms;
apr_status_t rv;
+ MD_CHK_VARS;
perms = gperms(s_fs, group);
- if (APR_SUCCESS == (rv = fs_get_dname(pdir, &s_fs->s, group, name, p))
- && (MD_SG_NONE != group)) {
- if (APR_SUCCESS != md_util_is_dir(*pdir, p)) {
- if (APR_SUCCESS == (rv = apr_dir_make_recursive(*pdir, perms->dir, p))) {
- rv = dispatch(s_fs, MD_S_FS_EV_CREATED, group, *pdir, APR_DIR, p);
- }
- }
- else {
- /* already exists */
+ if (MD_OK(fs_get_dname(pdir, &s_fs->s, group, name, p)) && (MD_SG_NONE != group)) {
+ if ( !MD_OK(md_util_is_dir(*pdir, p))
+ && MD_OK(apr_dir_make_recursive(*pdir, perms->dir, p))) {
+ rv = dispatch(s_fs, MD_S_FS_EV_CREATED, group, *pdir, APR_DIR, p);
}
if (APR_SUCCESS == rv) {
apr_finfo_t inf1, inf2;
int *pnewer;
apr_status_t rv;
+ MD_CHK_VARS;
(void)p;
group1 = (md_store_group_t)va_arg(ap, int);
pnewer = va_arg(ap, int*);
*pnewer = 0;
- if ( APR_SUCCESS == (rv = fs_get_fname(&fname1, &s_fs->s, group1, name, aspect, ptemp))
- && APR_SUCCESS == (rv = fs_get_fname(&fname2, &s_fs->s, group2, name, aspect, ptemp))
- && APR_SUCCESS == (rv = apr_stat(&inf1, fname1, APR_FINFO_MTIME, ptemp))
- && APR_SUCCESS == (rv = apr_stat(&inf2, fname2, APR_FINFO_MTIME, ptemp))) {
+ if ( MD_OK(fs_get_fname(&fname1, &s_fs->s, group1, name, aspect, ptemp))
+ && MD_OK(fs_get_fname(&fname2, &s_fs->s, group2, name, aspect, ptemp))
+ && MD_OK(apr_stat(&inf1, fname1, APR_FINFO_MTIME, ptemp))
+ && MD_OK(apr_stat(&inf2, fname2, APR_FINFO_MTIME, ptemp))) {
*pnewer = inf1.mtime > inf2.mtime;
}
const perms_t *perms;
const char *pass;
apr_size_t pass_len;
+ MD_CHK_VARS;
group = (md_store_group_t)va_arg(ap, int);
name = va_arg(ap, const char*);
perms = gperms(s_fs, group);
- if (APR_SUCCESS == (rv = mk_group_dir(&gdir, s_fs, group, NULL, p))
- && APR_SUCCESS == (rv = mk_group_dir(&dir, s_fs, group, name, p))
- && APR_SUCCESS == (rv = md_util_path_merge(&fpath, ptemp, dir, aspect, NULL))) {
+ if ( MD_OK(mk_group_dir(&gdir, s_fs, group, NULL, p))
+ && MD_OK(mk_group_dir(&dir, s_fs, group, name, p))
+ && MD_OK(md_util_path_merge(&fpath, ptemp, dir, aspect, NULL))) {
md_log_perror(MD_LOG_MARK, MD_LOG_TRACE3, 0, ptemp, "storing in %s", fpath);
switch (vtype) {
int force;
apr_finfo_t info;
md_store_group_t group;
+ MD_CHK_VARS;
(void)p;
group = (md_store_group_t)va_arg(ap, int);
groupname = md_store_group_name(group);
- if (APR_SUCCESS == (rv = md_util_path_merge(&dir, ptemp, s_fs->base, groupname, name, NULL))
- && APR_SUCCESS == (rv = md_util_path_merge(&fpath, ptemp, dir, aspect, NULL))) {
+ if ( MD_OK(md_util_path_merge(&dir, ptemp, s_fs->base, groupname, name, NULL))
+ && MD_OK(md_util_path_merge(&fpath, ptemp, dir, aspect, NULL))) {
md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, 0, ptemp, "start remove of md %s/%s/%s",
groupname, name, aspect);
- if (APR_SUCCESS != (rv = apr_stat(&info, dir, APR_FINFO_TYPE, ptemp))) {
+ if (!MD_OK(apr_stat(&info, dir, APR_FINFO_TYPE, ptemp))) {
if (APR_ENOENT == rv && force) {
return APR_SUCCESS;
}
const char *dir, *name, *groupname;
md_store_group_t group;
apr_status_t rv;
+ MD_CHK_VARS;
(void)p;
group = (md_store_group_t)va_arg(ap, int);
groupname = md_store_group_name(group);
- if (APR_SUCCESS == (rv = md_util_path_merge(&dir, ptemp, s_fs->base, groupname, name, NULL))) {
+ if (MD_OK(md_util_path_merge(&dir, ptemp, s_fs->base, groupname, name, NULL))) {
/* Remove all files in dir, there should be no sub-dirs */
rv = md_util_rm_recursive(dir, ptemp, 1);
}
apr_status_t rv;
void *value;
const char *fpath;
+ MD_CHK_VARS;
(void)ftype;
md_log_perror(MD_LOG_MARK, MD_LOG_TRACE3, 0, ptemp, "inspecting value at: %s/%s", dir, name);
- if (APR_SUCCESS == (rv = md_util_path_merge(&fpath, ptemp, dir, name, NULL))) {
- rv = fs_fload(&value, ctx->s_fs, fpath, ctx->group, ctx->vtype, p, ptemp);
- if (APR_SUCCESS == rv
- && !ctx->inspect(ctx->baton, name, ctx->aspect, ctx->vtype, value, ptemp)) {
- return APR_EOF;
- }
+ if ( MD_OK(md_util_path_merge(&fpath, ptemp, dir, name, NULL))
+ && MD_OK(fs_fload(&value, ctx->s_fs, fpath, ctx->group, ctx->vtype, p, ptemp))
+ && !ctx->inspect(ctx->baton, name, ctx->aspect, ctx->vtype, value, ptemp)) {
+ return APR_EOF;
}
return rv;
}
md_store_group_t from, to;
int archive;
apr_status_t rv;
+ MD_CHK_VARS;
(void)p;
from = (md_store_group_t)va_arg(ap, int);
return APR_EINVAL;
}
- rv = md_util_path_merge(&from_dir, ptemp, s_fs->base, from_group, name, NULL);
- if (APR_SUCCESS != rv) goto out;
- rv = md_util_path_merge(&to_dir, ptemp, s_fs->base, to_group, name, NULL);
- if (APR_SUCCESS != rv) goto out;
+ if ( !MD_OK(md_util_path_merge(&from_dir, ptemp, s_fs->base, from_group, name, NULL))
+ || !MD_OK(md_util_path_merge(&to_dir, ptemp, s_fs->base, to_group, name, NULL))) {
+ goto out;
+ }
- if (APR_SUCCESS != (rv = md_util_is_dir(from_dir, ptemp))) {
+ if (!MD_OK(md_util_is_dir(from_dir, ptemp))) {
md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, ptemp, "source is no dir: %s", from_dir);
goto out;
}
- rv = archive? md_util_is_dir(to_dir, ptemp) : APR_ENOENT;
- if (APR_SUCCESS == rv) {
+ if (MD_OK(archive? md_util_is_dir(to_dir, ptemp) : APR_ENOENT)) {
int n = 1;
const char *narch_dir;
- rv = md_util_path_merge(&dir, ptemp, s_fs->base, md_store_group_name(MD_SG_ARCHIVE), NULL);
- if (APR_SUCCESS != rv) goto out;
- rv = apr_dir_make_recursive(dir, MD_FPROT_D_UONLY, ptemp);
- if (APR_SUCCESS != rv) goto out;
- rv = md_util_path_merge(&arch_dir, ptemp, dir, name, NULL);
- if (APR_SUCCESS != rv) goto out;
+ if ( !MD_OK(md_util_path_merge(&dir, ptemp, s_fs->base,
+ md_store_group_name(MD_SG_ARCHIVE), NULL))
+ || !MD_OK(apr_dir_make_recursive(dir, MD_FPROT_D_UONLY, ptemp))
+ || !MD_OK(md_util_path_merge(&arch_dir, ptemp, dir, name, NULL))) {
+ goto out;
+ }
#ifdef WIN32
/* WIN32 and handling of files/dirs. What can one say? */
while (n < 1000) {
narch_dir = apr_psprintf(ptemp, "%s.%d", arch_dir, n);
- rv = apr_dir_make(narch_dir, MD_FPROT_D_UONLY, ptemp);
- if (APR_SUCCESS == rv) {
+ if (MD_OK(apr_dir_make(narch_dir, MD_FPROT_D_UONLY, ptemp))) {
md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, ptemp, "using archive dir: %s",
narch_dir);
break;
goto out;
}
- if (APR_SUCCESS != (rv = apr_file_rename(to_dir, narch_dir, ptemp))) {
+ if (!MD_OK(apr_file_rename(to_dir, narch_dir, ptemp))) {
md_log_perror(MD_LOG_MARK, MD_LOG_ERR, rv, ptemp, "rename from %s to %s",
to_dir, narch_dir);
goto out;
}
- if (APR_SUCCESS != (rv = apr_file_rename(from_dir, to_dir, ptemp))) {
+ if (!MD_OK(apr_file_rename(from_dir, to_dir, ptemp))) {
md_log_perror(MD_LOG_MARK, MD_LOG_ERR, rv, ptemp, "moving %s to %s: %s",
from_dir, to_dir);
apr_file_rename(narch_dir, to_dir, ptemp);
goto out;
}
- rv = dispatch(s_fs, MD_S_FS_EV_MOVED, to, to_dir, APR_DIR, ptemp);
- if (APR_SUCCESS == rv) {
+ if (MD_OK(dispatch(s_fs, MD_S_FS_EV_MOVED, to, to_dir, APR_DIR, ptemp))) {
rv = dispatch(s_fs, MD_S_FS_EV_MOVED, MD_SG_ARCHIVE, narch_dir, APR_DIR, ptemp);
}
}
* @macro
* Version number of the md module as c string
*/
-#define MOD_MD_VERSION "1.1.4"
+#define MOD_MD_VERSION "1.1.8"
/**
* @macro
* release. This is a 24 bit number with 8 bits for major number, 8 bits
* for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
*/
-#define MOD_MD_VERSION_NUM 0x010104
+#define MOD_MD_VERSION_NUM 0x010108
#define MD_ACME_DEF_URL "https://acme-v01.api.letsencrypt.org/directory"
servers = apr_array_make(ptemp, 5, sizeof(server_rec*));
for (s = base_server; s; s = s->next) {
- r.server = s;
+ if (!mc->manage_base_server && s == base_server) {
+ /* we shall not assign ourselves to the base server */
+ continue;
+ }
+ r.server = s;
for (i = 0; i < md->domains->nelts; ++i) {
domain = APR_ARRAY_IDX(md->domains, i, const char*);
{
const char *base_dir;
apr_status_t rv;
+ MD_CHK_VARS;
base_dir = ap_server_root_relative(p, mc->base_dir);
- if (APR_SUCCESS != (rv = md_store_fs_init(pstore, p, base_dir))) {
+ if (!MD_OK(md_store_fs_init(pstore, p, base_dir))) {
ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(10046)"setup store for %s", base_dir);
goto out;
}
md_store_fs_set_event_cb(*pstore, store_file_ev, s);
- if (APR_SUCCESS != (rv = check_group_dir(*pstore, MD_SG_CHALLENGES, p, s))) {
+ if ( !MD_OK(check_group_dir(*pstore, MD_SG_CHALLENGES, p, s))
+ || !MD_OK(check_group_dir(*pstore, MD_SG_STAGING, p, s))
+ || !MD_OK(check_group_dir(*pstore, MD_SG_ACCOUNTS, p, s))) {
ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(10047)
- "setup challenges directory");
- goto out;
- }
- if (APR_SUCCESS != (rv = check_group_dir(*pstore, MD_SG_STAGING, p, s))) {
- ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(10048)
- "setup staging directory");
- goto out;
- }
- if (APR_SUCCESS != (rv = check_group_dir(*pstore, MD_SG_ACCOUNTS, p, s))) {
- ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(10049)
- "setup accounts directory");
- goto out;
+ "setup challenges directory, call %s", MD_LAST_CHK);
}
out:
md_mod_conf_t *mc;
md_store_t *store;
apr_status_t rv;
+ MD_CHK_VARS;
sc = md_config_get(s);
mc = sc->mc;
- if (APR_SUCCESS == (rv = setup_store(&store, mc, p, s))
- && APR_SUCCESS == (rv = md_reg_init(preg, p, store, mc->proxy_url))) {
+ if ( MD_OK(setup_store(&store, mc, p, s))
+ && MD_OK(md_reg_init(preg, p, store, mc->proxy_url))) {
mc->reg = *preg;
return md_reg_set_props(*preg, p, can_http, can_https);
}
"next run in %s", md_print_duration(ptemp, next_run - now));
}
wd_set_interval(wd->watchdog, next_run - now, wd, run_watchdog);
-
- for (i = 0; i < wd->jobs->nelts; ++i) {
- job = APR_ARRAY_IDX(wd->jobs, i, md_job_t *);
- }
break;
case AP_WATCHDOG_STATE_STOPPING:
return 0;
}
-static apr_status_t setup_fallback_cert(md_store_t *store, const md_t *md, apr_pool_t *p)
+static apr_status_t setup_fallback_cert(md_store_t *store, const md_t *md,
+ server_rec *s, apr_pool_t *p)
{
md_pkey_t *pkey;
md_cert_t *cert;
md_pkey_spec_t spec;
apr_status_t rv;
-
+ MD_CHK_VARS;
+
spec.type = MD_PKEY_TYPE_RSA;
spec.params.rsa.bits = MD_PKEY_RSA_BITS_DEF;
-
- if ( APR_SUCCESS == (rv = md_pkey_gen(&pkey, p, &spec))
- && APR_SUCCESS == (rv = md_store_save(store, p, MD_SG_DOMAINS, md->name,
- MD_FN_FALLBACK_PKEY, MD_SV_PKEY, (void*)pkey, 0))
- && APR_SUCCESS == (rv = md_cert_self_sign(&cert, "Apache Managed Domain Fallback",
- md->domains, pkey,
- apr_time_from_sec(14 * MD_SECS_PER_DAY), p))) {
- rv = md_store_save(store, p, MD_SG_DOMAINS, md->name,
- MD_FN_FALLBACK_CERT, MD_SV_CERT, (void*)cert, 0);
+
+ if ( !MD_OK(md_pkey_gen(&pkey, p, &spec))
+ || !MD_OK(md_store_save(store, p, MD_SG_DOMAINS, md->name,
+ MD_FN_FALLBACK_PKEY, MD_SV_PKEY, (void*)pkey, 0))
+ || !MD_OK(md_cert_self_sign(&cert, "Apache Managed Domain Fallback",
+ md->domains, pkey, apr_time_from_sec(14 * MD_SECS_PER_DAY), p))
+ || !MD_OK(md_store_save(store, p, MD_SG_DOMAINS, md->name,
+ MD_FN_FALLBACK_CERT, MD_SV_CERT, (void*)cert, 0))) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
+ "%s: setup fallback certificate, call %s", md->name, MD_LAST_CHK);
}
-
return rv;
}
md_reg_t *reg;
md_store_t *store;
const md_t *md;
+ MD_CHK_VARS;
*pkeyfile = NULL;
*pcertfile = NULL;
-
+
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(10113)
+ "md_get_certificate called for vhost %s.", s->server_hostname);
+
sc = md_config_get(s);
+ if (!sc) {
+ ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s,
+ "asked for certificate of server %s which has no md config",
+ s->server_hostname);
+ return APR_ENOENT;
+ }
+
+ if (!sc->assigned) {
+ /* Hmm, mod_ssl (or someone like it) asks for certificates for a server
+ * where we did not assign a MD to. Either the user forgot to configure
+ * that server with SSL certs, has misspelled a server name or we have
+ * a bug that prevented us from taking responsibility for this server.
+ * Either way, make some polite noise */
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(10114)
+ "asked for certificate of server %s which has no MD assigned. This "
+ "could be ok, but most likely it is either a misconfiguration or "
+ "a bug. Please check server names and MD names carefully and if "
+ "everything checks open, please open an issue.",
+ s->server_hostname);
+ return APR_ENOENT;
+ }
- if (sc && sc->assigned) {
- assert(sc->mc);
- reg = sc->mc->reg;
- assert(reg);
+ assert(sc->mc);
+ reg = sc->mc->reg;
+ assert(reg);
+
+ md = md_reg_get(reg, sc->assigned->name, p);
+ if (!md) {
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(10115)
+ "unable to hand out certificates, as registry can no longer "
+ "find MD '%s'.", sc->assigned->name);
+ return APR_ENOENT;
+ }
+
+ if (!MD_OK(md_reg_get_cred_files(reg, md, p, pkeyfile, pcertfile))) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(10110)
+ "retrieving credentials for MD %s", md->name);
+ return rv;
+ }
+
+ if (!fexists(*pkeyfile, p) || !fexists(*pcertfile, p)) {
+ /* Provide temporary, self-signed certificate as fallback, so that
+ * clients do not get obscure TLS handshake errors or will see a fallback
+ * virtual host that is not intended to be served here. */
store = md_reg_store_get(reg);
- assert(store);
-
- md = md_reg_get(reg, sc->assigned->name, p);
-
- if (APR_SUCCESS != (rv = md_reg_get_cred_files(reg, md, p, pkeyfile, pcertfile))) {
- ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(10110)
- "retrieving credentials for MD %s", md->name);
- return rv;
- }
-
+ assert(store);
+
+ md_store_get_fname(pkeyfile, store, MD_SG_DOMAINS,
+ md->name, MD_FN_FALLBACK_PKEY, p);
+ md_store_get_fname(pcertfile, store, MD_SG_DOMAINS,
+ md->name, MD_FN_FALLBACK_CERT, p);
if (!fexists(*pkeyfile, p) || !fexists(*pcertfile, p)) {
- /* Provide temporary, self-signed certificate as fallback, so that
- * clients do not get obscure TLS handshake errors or will see a fallback
- * virtual host that is not intended to be served here. */
-
- md_store_get_fname(pkeyfile, store, MD_SG_DOMAINS,
- md->name, MD_FN_FALLBACK_PKEY, p);
- md_store_get_fname(pcertfile, store, MD_SG_DOMAINS,
- md->name, MD_FN_FALLBACK_CERT, p);
- if (!fexists(*pkeyfile, p) || !fexists(*pcertfile, p)) {
- if (APR_SUCCESS != (rv = setup_fallback_cert(store, md, p))) {
- ap_log_error(APLOG_MARK, APLOG_TRACE1, rv, s,
- "%s: setup fallback certificate", md->name);
- return rv;
- }
+ if (!MD_OK(setup_fallback_cert(store, md, s, p))) {
+ return rv;
}
-
- ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s,
- "%s: providing fallback certificate for server %s",
- md->name, s->server_hostname);
- return APR_EAGAIN;
}
-
- /* We have key and cert files, but they might no longer be valid or not
- * match all domain names. Still use these files for now, but indicate that
- * resources should no longer be served until we have a new certificate again. */
- if (md->state != MD_S_COMPLETE) {
- return APR_EAGAIN;
- }
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(10077)
- "%s: providing certificate for server %s", md->name, s->server_hostname);
+
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(10116)
+ "%s: providing fallback certificate for server %s",
+ md->name, s->server_hostname);
+ return APR_EAGAIN;
}
+
+ /* We have key and cert files, but they might no longer be valid or not
+ * match all domain names. Still use these files for now, but indicate that
+ * resources should no longer be served until we have a new certificate again. */
+ if (md->state != MD_S_COMPLETE) {
+ rv = APR_EAGAIN;
+ }
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, rv, s, APLOGNO(10077)
+ "%s: providing certificate for server %s", md->name, s->server_hostname);
return rv;
}
+static int compat_warned;
+static apr_status_t md_get_credentials(server_rec *s, apr_pool_t *p,
+ const char **pkeyfile,
+ const char **pcertfile,
+ const char **pchainfile)
+{
+ *pchainfile = NULL;
+ if (!compat_warned) {
+ compat_warned = 1;
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, /* no APLOGNO */
+ "You are using mod_md with an old patch to mod_ssl. This will "
+ " work for now, but support will be dropped in a future release.");
+ }
+ return md_get_certificate(s, p, pkeyfile, pcertfile);
+}
+
static int md_is_challenge(conn_rec *c, const char *servername,
X509 **pcert, EVP_PKEY **pkey)
{
APR_REGISTER_OPTIONAL_FN(md_is_managed);
APR_REGISTER_OPTIONAL_FN(md_get_certificate);
APR_REGISTER_OPTIONAL_FN(md_is_challenge);
+ APR_REGISTER_OPTIONAL_FN(md_get_credentials);
}
md_is_challenge, (struct conn_rec *, const char *,
X509 **pcert, EVP_PKEY **pkey));
+/* Backward compatibility to older mod_ssl patches, will generate
+ * a WARNING in the logs, use 'md_get_certificate' instead */
+APR_DECLARE_OPTIONAL_FN(apr_status_t,
+ md_get_credentials, (struct server_rec *, apr_pool_t *,
+ const char **pkeyfile,
+ const char **pcertfile,
+ const char **pchainfile));
#endif /* mod_md_mod_md_h */
#define MD_CMD_OLD_MD "ManagedDomain"
#define MD_CMD_MD_SECTION "<MDomainSet"
#define MD_CMD_MD_OLD_SECTION "<ManagedDomain"
+#define MD_CMD_BASE_SERVER "MDBaseServer"
#define MD_CMD_CA "MDCertificateAuthority"
#define MD_CMD_CAAGREEMENT "MDCertificateAgreement"
#define MD_CMD_CACHALLENGES "MDCAChallenges"
#define MD_CMD_MEMBER "MDMember"
#define MD_CMD_MEMBERS "MDMembers"
#define MD_CMD_MUSTSTAPLE "MDMustStaple"
+#define MD_CMD_NOTIFYCMD "MDNotifyCmd"
#define MD_CMD_PORTMAP "MDPortMap"
#define MD_CMD_PKEYS "MDPrivateKeys"
#define MD_CMD_PROXY "MDHttpProxy"
#define MD_CMD_RENEWWINDOW "MDRenewWindow"
#define MD_CMD_REQUIREHTTPS "MDRequireHttps"
#define MD_CMD_STOREDIR "MDStoreDir"
-#define MD_CMD_NOTIFYCMD "MDNotifyCmd"
#define DEF_VAL (-1)
443,
0,
0,
+ 0,
MD_HSTS_MAX_AGE_DEFAULT,
NULL,
NULL,
return NULL;
}
+static const char *md_config_set_base_server(cmd_parms *cmd, void *dc, const char *value)
+{
+ md_srv_conf_t *config = md_config_get(cmd->server);
+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+
+ (void)dc;
+ if (!err) {
+ if (!apr_strnatcasecmp("off", value)) {
+ config->mc->manage_base_server = 0;
+ }
+ else if (!apr_strnatcasecmp("on", value)) {
+ config->mc->manage_base_server = 1;
+ }
+ else {
+ err = apr_pstrcat(cmd->pool, "unknown '", value,
+ "', supported parameter values are 'on' and 'off'", NULL);
+ }
+ }
+ return err;
+}
+
static const char *md_config_set_require_https(cmd_parms *cmd, void *dc, const char *value)
{
md_srv_conf_t *config = md_config_get(cmd->server);
"Redirect non-secure requests to the https: equivalent."),
AP_INIT_TAKE1( MD_CMD_NOTIFYCMD, md_config_set_notify_cmd, NULL, RSRC_CONF,
"set the command to run when signup/renew of domain is complete."),
+ AP_INIT_TAKE1( MD_CMD_BASE_SERVER, md_config_set_base_server, NULL, RSRC_CONF,
+ "allow managing of base server outside virtual hosts."),
/* This will disappear soon */
AP_INIT_TAKE_ARGV( MD_CMD_OLD_MD, md_config_set_names_old, NULL, RSRC_CONF,
int local_443; /* On which port https:443 arrives */
int can_http; /* Does someone listen to the local port 80 equivalent? */
int can_https; /* Does someone listen to the local port 443 equivalent? */
+ int manage_base_server; /* If base server outside vhost may be managed */
int hsts_max_age; /* max-age of HSTS (rfc6797) header */
const char *hsts_header; /* computed HTST header to use or NULL */
apr_array_header_t *unused_names; /* post config, names of all MDs not assigned to a vhost */
/*
* Create the server host:port string because we need it a lot
*/
+ if (sc->vhost_id) {
+ /* already set. This should only happen if this config rec is
+ * shared with another server. Argh! */
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(10104)
+ "%s, SSLSrvConfigRec shared from %s",
+ ssl_util_vhostid(p, s), sc->vhost_id);
+ }
sc->vhost_id = ssl_util_vhostid(p, s);
sc->vhost_id_len = strlen(sc->vhost_id);
projects / apache / commitdiff