On the trunk:

mod_md: reverses most of v1.0.5 optimization of post_config init, so that
     mod_ssl can ask for certiticates without crashing.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1818792 13f79535-47bb-0310-9956-ffa450edef68

5 files changed, 19 insertions, 15 deletions

diff --git a/modules/md/md_acme_drive.c b/modules/md/md_acme_drive.c
index 518225cc9a..023966ae81 100644
--- a/modules/md/md_acme_drive.c
+++ b/modules/md/md_acme_drive.c
@@ -894,7 +894,7 @@ static apr_status_t acme_stage(md_proto_driver_t *d)
                 /**
                  * The MD is complete and un-expired. This is a renewal run. 
                  * Give activation 24 hours leeway (if we have that time) to
-                 * accomodate for clients with somewhat weird clocks.
+                 * accommodate for clients with somewhat weird clocks.
                  */
                 delay_activation = apr_time_from_sec(MD_SECS_PER_DAY);
                 if (delay_activation > (max_delay = d->md->expires - now)) {
diff --git a/modules/md/md_crypt.c b/modules/md/md_crypt.c
index 1fbc39c52c..7277806fec 100644
--- a/modules/md/md_crypt.c
+++ b/modules/md/md_crypt.c
@@ -1113,16 +1113,16 @@ static apr_status_t add_must_staple(STACK_OF(X509_EXTENSION) *exts, const md_t *
         X509_EXTENSION *x;
         int nid;
         
-        nid = OBJ_create("1.3.6.1.5.5.7.1.24", "OCSPReq", "OCSP Request");
+        nid = OBJ_create("1.3.6.1.5.5.7.1.24", "tlsfeature", "TLS Feature");
         if (NID_undef == nid) {
             md_log_perror(MD_LOG_MARK, MD_LOG_ERR, 0, p, 
-                          "%s: unable to get NID for must-staple", md->name);
-            return APR_EGENERAL;
+                          "%s: unable to get NID for v3 must-staple TLS feature", md->name);
+            return APR_ENOTIMPL;
         }
         x = X509V3_EXT_conf_nid(NULL, NULL, nid, (char*)"DER:30:03:02:01:05");
         if (NULL == x) {
             md_log_perror(MD_LOG_MARK, MD_LOG_ERR, 0, p, 
-                          "%s: unable to get x509 extension for must-staple", md->name);
+                          "%s: unable to create x509 extension for must-staple", md->name);
             return APR_EGENERAL;
         }
         sk_X509_EXTENSION_push(exts, x);
@@ -1164,7 +1164,11 @@ apr_status_t md_cert_req_create(const char **pcsr_der_64, const md_t *md,
         rv = APR_EGENERAL; goto out;
     }
     if (APR_SUCCESS != (rv = add_must_staple(exts, md, p))) {
-        md_log_perror(MD_LOG_MARK, MD_LOG_ERR, rv, p, "%s: must staple", md->name);
+        md_log_perror(MD_LOG_MARK, MD_LOG_ERR, rv, p, "%s: you requested that a certificate "
+            "is created with the 'must-staple' extension, however the SSL library was "
+            "unable to initialized that extension. Please file a bug report on which platform "
+            "and with which library this happens. To continue before this problem is resolved, "
+            "configure 'MDMustStaple off' for your domains", md->name);
         rv = APR_EGENERAL; goto out;
     }
     /* add extensions to csr */
diff --git a/modules/md/md_json.c b/modules/md/md_json.c
index 7e79bd919a..ccf1ef6ae2 100644
--- a/modules/md/md_json.c
+++ b/modules/md/md_json.c
@@ -111,6 +111,7 @@ md_json_t *md_json_create_s(apr_pool_t *pool, const char *s)
 void md_json_destroy(md_json_t *json)
 {
     if (json && json->j) {
+        assert(json->j->refcount > 0);
         json_decref(json->j);
         json->j = NULL;
     }
diff --git a/modules/md/md_version.h b/modules/md/md_version.h
index d08b927ab4..f11d130987 100644
--- a/modules/md/md_version.h
+++ b/modules/md/md_version.h
@@ -26,7 +26,7 @@
  * @macro
  * Version number of the md module as c string
  */
-#define MOD_MD_VERSION "1.1.1"
+#define MOD_MD_VERSION "1.1.2"
 
 /**
  * @macro
@@ -34,7 +34,7 @@
  * release. This is a 24 bit number with 8 bits for major number, 8 bits
  * for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
  */
-#define MOD_MD_VERSION_NUM 0x010101
+#define MOD_MD_VERSION_NUM 0x010102
 
 #define MD_ACME_DEF_URL    "https://acme-v01.api.letsencrypt.org/directory"
 
diff --git a/modules/md/mod_md.c b/modules/md/mod_md.c
index 76a92c2ebd..996b5b93ce 100644
--- a/modules/md/mod_md.c
+++ b/modules/md/mod_md.c
@@ -1060,11 +1060,6 @@ static apr_status_t md_post_config(apr_pool_t *p, apr_pool_t *plog,
         goto out;
     }
     
-    if (dry_run) {
-        /* enough done in this case */
-        return APR_SUCCESS;
-    }
-    
     if (APR_SUCCESS != (rv = md_reg_sync(reg, p, ptemp, mc->mds))) {
         ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(10073)
                      "synching %d mds to registry", mc->mds->nelts);
@@ -1072,8 +1067,8 @@ static apr_status_t md_post_config(apr_pool_t *p, apr_pool_t *plog,
     
     /* Determine the managed domains that are in auto drive_mode. For those,
      * determine in which state they are:
-     *  - UNKNOWN:            should not happen, report, dont drive
-     *  - ERROR:              something we do not know how to fix, report, dont drive
+     *  - UNKNOWN:            should not happen, report, don't drive
+     *  - ERROR:              something we do not know how to fix, report, don't drive
      *  - INCOMPLETE/EXPIRED: need to drive them right away
      *  - COMPLETE:           determine when cert expires, drive when the time comes
      *
@@ -1099,6 +1094,10 @@ static apr_status_t md_post_config(apr_pool_t *p, apr_pool_t *plog,
     
     init_ssl();
     
+    if (dry_run) {
+        goto out;
+    }
+    
     /* If there are MDs to drive, start a watchdog to check on them regularly */
     if (drive_names->nelts > 0) {
         ap_log_error(APLOG_MARK, APLOG_DEBUG, rv, s, APLOGNO(10074)