From 61fdda63d39874fe8a3db218338c8ca1ac8971bb Mon Sep 17 00:00:00 2001
From: Stefan Eissing
Date: Mon, 5 Aug 2019 11:29:58 +0000
Subject: [PATCH] *) mod_ssl: reverting a 2.4.40 change where a superfluous SSLCertificateChainFile configuration for a domain managed by mod_md caused a startup error. This happened when mod_md installed its fallback certificate, before it got the first real certificate from Lets Encrypt.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1864428 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES | 5 +++++
 modules/ssl/ssl_engine_init.c | 24 +++++++++++++-----------
 2 files changed, 18 insertions(+), 11 deletions(-)

diff --git a/CHANGES b/CHANGES
index c9a334e1d0..e6b48b22d0 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,11 @@
 -*- coding: utf-8 -*-
 Changes with Apache 2.5.1

+ *) mod_ssl: reverting a 2.4.40 change where a superfluous SSLCertificateChainFile configuration
+ for a domain managed by mod_md caused a startup error. This happened when mod_md installed
+ its fallback certificate, before it got the first real certificate from Lets Encrypt.
+ [Stefan Eissing]
+
 *) core, mod_rewrite: Set PCRE_DOTALL by default. Revert via RegexDefaultOptions -DOTALL [Yann Ylavic]

diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index ddc9641fa1..73ab07d64b 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -1820,19 +1820,21 @@ static apr_status_t ssl_init_server_ctx(server_rec *s,
 n = pks->cert_files->nelts;
 ssl_run_add_cert_files(s, p, pks->cert_files, pks->key_files);

- if (n < pks->cert_files->nelts) {
- /* this overrides any old chain configuration */
- sc->server->cert_chain = NULL;
+ if (apr_is_empty_array(pks->cert_files)) {
+ /* does someone propose a certiciate to fall back on here? */
+ ssl_run_add_fallback_cert_files(s, p, pks->cert_files, pks->key_files);
+ if (n < pks->cert_files->nelts) {
+ pks->service_unavailable = 1;
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(10085)
+ "Init: %s will respond with '503 Service Unavailable' for now. There "
+ "are no SSL certificates configured and no other module contributed any.",
+ ssl_util_vhostid(p, s));
+ }
 }

- if (apr_is_empty_array(pks->cert_files) && !sc->server->cert_chain) {
- ssl_run_add_fallback_cert_files(s, p, pks->cert_files, pks->key_files);
-
- pks->service_unavailable = 1;
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(10085)
- "Init: %s will respond with '503 Service Unavailable' for now. There "
- "are no SSL certificates configured and no other module contributed any.",
- ssl_util_vhostid(p, s));
+ if (n < pks->cert_files->nelts) {
+ /* additionally installed certs overrides any old chain configuration */
+ sc->server->cert_chain = NULL;
 }

 if ((rv = ssl_init_ctx(s, p, ptemp, sc->server)) != APR_SUCCESS) {
-- 
2.40.0
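Review bot: The final `if (n < pks->cert_files->nelts)` block clears `sc->server->cert_chain` without logging anything, so an operator whose SSLCertificateChainFile is dropped because another module contributed certificates (including the fallback case just above) has no trace of which chain the vhost ends up serving. A line such as `ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Init: %s: ignoring configured certificate chain, certificates were added by another module", ssl_util_vhostid(p, s));` inside that block would make the override visible. In the fallback branch the 10085 warning now appears to be emitted only when a fallback certificate was actually added, yet its text still says no other module contributed any; a comment there, e.g. `/* a fallback cert was contributed: answer 503 until real certificates arrive */`, would explain the condition, and the typo `certiciate` in the new comment should read `certificate`. ssl_init_server_ctx starts and ends outside the hunk, so what happens when no fallback is contributed and cert_files stays empty cannot be checked from here.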