From 0397f6a8882d700c8d33853f02874799cecbbe7e Mon Sep 17 00:00:00 2001
From: Stefan Eissing
Date: Wed, 20 Dec 2017 13:53:22 +0000
Subject: On the trunk: mod_md: reverses most of v1.0.5 optimization of post_config init, so that mod_ssl can ask for certiticates without crashing.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1818792 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/md/md_acme_drive.c | 2 +-
 modules/md/md_crypt.c | 14 +++++++++-----
 modules/md/md_json.c | 1 +
 modules/md/md_version.h | 4 ++--
 modules/md/mod_md.c | 13 ++++++-------
5 files changed, 19 insertions(+), 15 deletions(-)
(limited to 'modules/md')
diff --git a/modules/md/md_acme_drive.c b/modules/md/md_acme_drive.c
index 518225cc9a..023966ae81 100644
--- a/modules/md/md_acme_drive.c
+++ b/modules/md/md_acme_drive.c
@@ -894,7 +894,7 @@ static apr_status_t acme_stage(md_proto_driver_t *d)
 /**
 * The MD is complete and un-expired. This is a renewal run.
 * Give activation 24 hours leeway (if we have that time) to
- * accomodate for clients with somewhat weird clocks.
+ * accommodate for clients with somewhat weird clocks.
 */
 delay_activation = apr_time_from_sec(MD_SECS_PER_DAY);
 if (delay_activation > (max_delay = d->md->expires - now)) {
diff --git a/modules/md/md_crypt.c b/modules/md/md_crypt.c
index 1fbc39c52c..7277806fec 100644
--- a/modules/md/md_crypt.c
+++ b/modules/md/md_crypt.c
@@ -1113,16 +1113,16 @@ static apr_status_t add_must_staple(STACK_OF(X509_EXTENSION) *exts, const md_t *
 X509_EXTENSION *x;
 int nid;
- nid = OBJ_create("1.3.6.1.5.5.7.1.24", "OCSPReq", "OCSP Request");
+ nid = OBJ_create("1.3.6.1.5.5.7.1.24", "tlsfeature", "TLS Feature");
 if (NID_undef == nid) {
 md_log_perror(MD_LOG_MARK, MD_LOG_ERR, 0, p,
- "%s: unable to get NID for must-staple", md->name);
- return APR_EGENERAL;
+ "%s: unable to get NID for v3 must-staple TLS feature", md->name);
+ return APR_ENOTIMPL;
 }
 x = X509V3_EXT_conf_nid(NULL, NULL, nid, (char*)"DER:30:03:02:01:05");
 if (NULL == x) {
 md_log_perror(MD_LOG_MARK, MD_LOG_ERR, 0, p,
- "%s: unable to get x509 extension for must-staple", md->name);
+ "%s: unable to create x509 extension for must-staple", md->name);
 return APR_EGENERAL;
 }
 sk_X509_EXTENSION_push(exts, x);
@@ -1164,7 +1164,11 @@ apr_status_t md_cert_req_create(const char **pcsr_der_64, const md_t *md,
 rv = APR_EGENERAL;
 goto out;
 }
 if (APR_SUCCESS != (rv = add_must_staple(exts, md, p))) {
- md_log_perror(MD_LOG_MARK, MD_LOG_ERR, rv, p, "%s: must staple", md->name);
+ md_log_perror(MD_LOG_MARK, MD_LOG_ERR, rv, p, "%s: you requested that a certificate "
+ "is created with the 'must-staple' extension, however the SSL library was "
+ "unable to initialized that extension. Please file a bug report on which platform "
+ "and with which library this happens. To continue before this problem is resolved, "
+ "configure 'MDMustStaple off' for your domains", md->name);
 rv = APR_EGENERAL;
 goto out;
 }
 /* add extensions to csr */
diff --git a/modules/md/md_json.c b/modules/md/md_json.c
index 7e79bd919a..ccf1ef6ae2 100644
--- a/modules/md/md_json.c
+++ b/modules/md/md_json.c
@@ -111,6 +111,7 @@ md_json_t *md_json_create_s(apr_pool_t *pool, const char *s)
 void md_json_destroy(md_json_t *json)
 {
 if (json && json->j) {
+ assert(json->j->refcount > 0);
 json_decref(json->j);
 json->j = NULL;
 }
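Review bot: The `nid = OBJ_create(...)` line still registers a new object every time add_must_staple runs, so each CSR appears to add another entry to OpenSSL's object table, and on library builds that already ship a built-in `tlsfeature` object for 1.3.6.1.5.5.7.1.24 the call may hand back a second NID instead of the native one. Resolving the OID first and creating it only when it is unknown avoids both: `nid = OBJ_txt2nid("1.3.6.1.5.5.7.1.24");` followed by `if (NID_undef == nid) { nid = OBJ_create("1.3.6.1.5.5.7.1.24", "tlsfeature", "TLS Feature"); }`. The switch to APR_ENOTIMPL for the NID failure is a useful distinction from the later APR_EGENERAL, but only if the caller keeps it (see the next hunk). The function's signature and remaining body lie outside the hunk.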
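Review bot: The new log text contains "unable to initialized that extension"; the line should read `"unable to initialize that extension. Please file a bug report on which platform "`. The context line `rv = APR_EGENERAL;` right after the message also overwrites the APR_ENOTIMPL that add_must_staple now returns specifically to separate "no NID" from "extension creation failed", so md_cert_req_create's callers still only see the generic error; dropping that reassignment (or mapping only when the helper returned something other than APR_ENOTIMPL) would keep the distinction the other hunk introduces. md_cert_req_create begins and ends outside this hunk.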
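Review bot: The added `assert(json->j->refcount > 0);` is compiled out in any build with NDEBUG defined, so the condition it guards — a decref on an object whose count is already zero, i.e. a freed object being released again — goes undetected in exactly the builds where it matters; it also reads `refcount`, a field of jansson's `json_t` that the library does not expose as API, which may break on a jansson update. If the check is meant as a hard guarantee, use one that is not compiled out (httpd provides `ap_assert`, if md_json.c may depend on httpd headers) or an explicit `if (json->j->refcount == 0)` branch that skips the `json_decref` and reports the condition. The hunk does not show whether md_json.c includes `<assert.h>`; confirm it does.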
diff --git a/modules/md/md_version.h b/modules/md/md_version.h
index d08b927ab4..f11d130987 100644
--- a/modules/md/md_version.h
+++ b/modules/md/md_version.h
@@ -26,7 +26,7 @@
 * @macro
 * Version number of the md module as c string
 */
-#define MOD_MD_VERSION "1.1.1"
+#define MOD_MD_VERSION "1.1.2"
 /**
 * @macro
@@ -34,7 +34,7 @@
 * release. This is a 24 bit number with 8 bits for major number, 8 bits
 * for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
 */
-#define MOD_MD_VERSION_NUM 0x010101
+#define MOD_MD_VERSION_NUM 0x010102
 #define MD_ACME_DEF_URL "https://acme-v01.api.letsencrypt.org/directory"
diff --git a/modules/md/mod_md.c b/modules/md/mod_md.c
index 76a92c2ebd..996b5b93ce 100644
--- a/modules/md/mod_md.c
+++ b/modules/md/mod_md.c
@@ -1060,11 +1060,6 @@ static apr_status_t md_post_config(apr_pool_t *p, apr_pool_t *plog,
 goto out;
 }
- if (dry_run) {
- /* enough done in this case */
- return APR_SUCCESS;
- }
-
 if (APR_SUCCESS != (rv = md_reg_sync(reg, p, ptemp, mc->mds))) {
 ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(10073)
 "synching %d mds to registry", mc->mds->nelts);
@@ -1072,8 +1067,8 @@ static apr_status_t md_post_config(apr_pool_t *p, apr_pool_t *plog,
 /* Determine the managed domains that are in auto drive_mode. For those,
 * determine in which state they are:
- * - UNKNOWN: should not happen, report, dont drive
- * - ERROR: something we do not know how to fix, report, dont drive
+ * - UNKNOWN: should not happen, report, don't drive
+ * - ERROR: something we do not know how to fix, report, don't drive
 * - INCOMPLETE/EXPIRED: need to drive them right away
 * - COMPLETE: determine when cert expires, drive when the time comes
 *
@@ -1099,6 +1094,10 @@ static apr_status_t md_post_config(apr_pool_t *p, apr_pool_t *plog,
 init_ssl();
+ if (dry_run) {
+ goto out;
+ }
+
 /* If there are MDs to drive, start a watchdog to check on them regularly */
 if (drive_names->nelts > 0) {
 ap_log_error(APLOG_MARK, APLOG_DEBUG, rv, s, APLOGNO(10074)
--
cgit v1.2.3
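Review bot: The new `goto out;` on the dry_run path returns whatever `rv` holds at that point, whereas the block removed in the `@@ -1060` hunk returned an explicit APR_SUCCESS; `rv` is also handed to the `ap_log_error(APLOG_MARK, APLOG_DEBUG, rv, ...)` just below, which suggests the state-assessment code between the two hunks reuses it, so a configuration test could now fail post_config on a status that was previously ignored. Either add `rv = APR_SUCCESS;` before the `goto out;` or confirm that the `out:` label (outside the hunk) does not return `rv`. The guard also lost the explanatory comment the removed block had; since the commit message says the registry sync now runs here so mod_ssl can look up certificates, a comment such as `/* dry run: registry synced and ssl initialized so other modules can look up certs; do not drive or start the watchdog */` would record why the early exit moved. md_post_config starts and ends outside this hunk.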