author | Stefan Eissing <icing@apache.org> | 2019-08-05 13:29:58 +0200 |
---|---|---|
committer | Stefan Eissing <icing@apache.org> | 2019-08-05 13:29:58 +0200 |
commit | 61fdda63d39874fe8a3db218338c8ca1ac8971bb (patch) | |
tree | 57acbad4cc91209945c4e439d9f482723568b0ed | |
parent | * mod_md: fix compiler warnings (diff) | |
download | apache2-61fdda63d39874fe8a3db218338c8ca1ac8971bb.tar.xz apache2-61fdda63d39874fe8a3db218338c8ca1ac8971bb.zip |
*) mod_ssl: reverting a 2.4.40 change where a superfluous SSLCertificateChainFile configuration
for a domain managed by mod_md caused a startup error. This happened when mod_md installed
its fallback certificate, before it got the first real certificate from Lets Encrypt.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1864428 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r-- | CHANGES | 5 | ||||
-rw-r--r-- | modules/ssl/ssl_engine_init.c | 24 |
2 files changed, 18 insertions, 11 deletions
@@ -1,6 +1,11 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.1 + *) mod_ssl: reverting a 2.4.40 change where a superfluous SSLCertificateChainFile configuration + for a domain managed by mod_md caused a startup error. This happened when mod_md installed + its fallback certificate, before it got the first real certificate from Lets Encrypt. + [Stefan Eissing] + *) core, mod_rewrite: Set PCRE_DOTALL by default. Revert via RegexDefaultOptions -DOTALL [Yann Ylavic]
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index ddc9641fa1..73ab07d64b 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -1820,19 +1820,21 @@ static apr_status_t ssl_init_server_ctx(server_rec *s,
 n = pks->cert_files->nelts;
 ssl_run_add_cert_files(s, p, pks->cert_files, pks->key_files);
- if (n < pks->cert_files->nelts) {
- /* this overrides any old chain configuration */
- sc->server->cert_chain = NULL;
+ if (apr_is_empty_array(pks->cert_files)) {
+ /* does someone propose a certiciate to fall back on here? */
+ ssl_run_add_fallback_cert_files(s, p, pks->cert_files, pks->key_files);
+ if (n < pks->cert_files->nelts) {
+ pks->service_unavailable = 1;
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(10085)
+ "Init: %s will respond with '503 Service Unavailable' for now. There "
+ "are no SSL certificates configured and no other module contributed any.",
+ ssl_util_vhostid(p, s));
+ }
 }
- if (apr_is_empty_array(pks->cert_files) && !sc->server->cert_chain) {
- ssl_run_add_fallback_cert_files(s, p, pks->cert_files, pks->key_files);
-
- pks->service_unavailable = 1;
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(10085)
- "Init: %s will respond with '503 Service Unavailable' for now. There "
- "are no SSL certificates configured and no other module contributed any.",
- ssl_util_vhostid(p, s));
+ if (n < pks->cert_files->nelts) {
+ /* additionally installed certs overrides any old chain configuration */
+ sc->server->cert_chain = NULL;
 }
 if ((rv = ssl_init_ctx(s, p, ptemp, sc->server)) != APR_SUCCESS) { |
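Review bot: The final `if (n < pks->cert_files->nelts)` block clears `sc->server->cert_chain` without logging anything, so an administrator whose chain configuration (presumably the SSLCertificateChainFile named in the commit message) is dropped because a module contributed certificates has no trace of it in the error log. Since this changes which chain the vhost presents, I would log it just before the reset, e.g. `if (sc->server->cert_chain) ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Init: %s: ignoring configured certificate chain, certificates were added by a module", ssl_util_vhostid(p, s));`. In the fallback branch the 10085 warning is now emitted only when a fallback certificate was actually added, yet its text still says no other module contributed any; the case where the array stays empty is handled outside this hunk, so it is worth confirming that path still reports an error. The new comment has a typo, `certiciate` should read `certificate`. The body of ssl_init_server_ctx starts and ends outside the hunk.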