}
}
else {
- job->next_check = job->md->expires - job->md->renew_window;
-
+ /* Renew is not necessary yet, leave job->next_check as 0 since
+ * that keeps the default schedule of running twice a day. */
apr_rfc822_date(ts, job->md->expires);
ap_log_error( APLOG_MARK, APLOG_DEBUG, 0, wd->s, APLOGNO(10053)
- "md(%s): is complete, cert expires %s", job->md->name, ts);
+ "md(%s): no need to renew yet, cert expires %s", job->md->name, ts);
}
}
wd->mc->notify_cmd, exit_code);
}
else {
+ if (APR_EINCOMPLETE == rv && exit_code) {
+ rv = 0;
+ }
ap_log_error(APLOG_MARK, APLOG_ERR, rv, wd->s, APLOGNO(10109)
- "executing configured MDNotifyCmd %s", wd->mc->notify_cmd);
+ "executing MDNotifyCmd %s returned %d",
+ wd->mc->notify_cmd, exit_code);
notified = 0;
}
}
const md_srv_conf_t *sc;
const char *name, *data;
md_reg_t *reg;
+ int configured;
apr_status_t rv;
- if (!strncmp(ACME_CHALLENGE_PREFIX, r->parsed_uri.path, sizeof(ACME_CHALLENGE_PREFIX)-1)) {
- if (r->method_number == M_GET) {
-
- sc = ap_get_module_config(r->server->module_config, &md_module);
- reg = sc && sc->mc? sc->mc->reg : NULL;
+ if (r->parsed_uri.path
+ && !strncmp(ACME_CHALLENGE_PREFIX, r->parsed_uri.path, sizeof(ACME_CHALLENGE_PREFIX)-1)) {
+ sc = ap_get_module_config(r->server->module_config, &md_module);
+ if (sc && sc->mc) {
+ ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r,
+ "access inside /.well-known/acme-challenge for %s%s",
+ r->hostname, r->parsed_uri.path);
+ configured = (NULL != md_get_by_domain(sc->mc->mds, r->hostname));
name = r->parsed_uri.path + sizeof(ACME_CHALLENGE_PREFIX)-1;
-
- r->status = HTTP_NOT_FOUND;
- if (!ap_strchr_c(name, '/') && reg) {
+ reg = sc && sc->mc? sc->mc->reg : NULL;
+
+ if (strlen(name) && !ap_strchr_c(name, '/') && reg) {
md_store_t *store = md_reg_store_get(reg);
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
- "Challenge for %s (%s)", r->hostname, r->uri);
-
+
rv = md_store_load(store, MD_SG_CHALLENGES, r->hostname,
MD_FN_HTTP01, MD_SV_TEXT, (void**)&data, r->pool);
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, rv, r,
+ "loading challenge for %s (%s)", r->hostname, r->uri);
if (APR_SUCCESS == rv) {
apr_size_t len = strlen(data);
+ if (r->method_number != M_GET) {
+ return HTTP_NOT_IMPLEMENTED;
+ }
+ /* A GET on a challenge resource for a hostname we are
+ * configured for. Let's send the content back */
r->status = HTTP_OK;
apr_table_setn(r->headers_out, "Content-Length", apr_ltoa(r->pool, (long)len));
apr_brigade_write(bb, NULL, NULL, data, len);
ap_pass_brigade(r->output_filters, bb);
apr_brigade_cleanup(bb);
+
+ return DONE;
+ }
+ else if (!configured) {
+ /* The request hostname is not for a configured domain. We are not
+ * the sole authority here for /.well-known/acme-challenge (see PR62189).
+ * So, we decline to handle this and let others step in.
+ */
+ return DECLINED;
}
else if (APR_STATUS_IS_ENOENT(rv)) {
return HTTP_NOT_FOUND;
}
- else if (APR_ENOENT != rv) {
+ else {
ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(10081)
"loading challenge %s from store", name);
return HTTP_INTERNAL_SERVER_ERROR;
}
}
- return r->status;
- }
- else {
- return HTTP_NOT_IMPLEMENTED;
}
}
return DECLINED;
const char *s;
int status;
- if (opt_ssl_is_https
+ if (opt_ssl_is_https && r->parsed_uri.path
&& strncmp(WELL_KNOWN_PREFIX, r->parsed_uri.path, sizeof(WELL_KNOWN_PREFIX)-1)) {
sc = ap_get_module_config(r->server->module_config, &md_module);
return apr_pstrcat(cmd->pool, "unsupported private key type \"", ptype, "\"", NULL);
}
-static const char *md_config_set_notify_cmd(cmd_parms *cmd, void *arg, const char *value)
+static const char *md_config_set_notify_cmd(cmd_parms *cmd, void *mconfig, const char *arg)
{
md_srv_conf_t *sc = md_config_get(cmd->server);
const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
if (err) {
return err;
}
- sc->mc->notify_cmd = value;
- (void)arg;
+ sc->mc->notify_cmd = arg;
+ (void)mconfig;
return NULL;
}
"Time length for renewal before certificate expires (defaults to days)"),
AP_INIT_TAKE1( MD_CMD_REQUIREHTTPS, md_config_set_require_https, NULL, RSRC_CONF,
"Redirect non-secure requests to the https: equivalent."),
- AP_INIT_TAKE1( MD_CMD_NOTIFYCMD, md_config_set_notify_cmd, NULL, RSRC_CONF,
- "set the command to run when signup/renew of domain is complete."),
+ AP_INIT_RAW_ARGS(MD_CMD_NOTIFYCMD, md_config_set_notify_cmd, NULL, RSRC_CONF,
+ "set the command and optional arguments to run when signup/renew of domain is complete."),
AP_INIT_TAKE1( MD_CMD_BASE_SERVER, md_config_set_base_server, NULL, RSRC_CONF,
"allow managing of base server outside virtual hosts."),