1. In post_config:
mod_ssl can ask mod_md via optional functions, if a server_rec is managed.
- it checks if certificates are already defined for this server.
If so, it logs and ignores mod_md. (Safe route. Can be discussed if it should
- it asks mod_md for the key/cert/chain files
a) if they are all there, they are added to the server configuration
b) if all or some are missing, a new "service_unavailable"
flag is set in the server config. (This is new, a vhost that does not fail
config, but is unavailable for config reasons.)
2. In the mod_ssl read_request hook:
mod_ssl checks if the request's server config has "service_unavailable" set.
If so, the request is answered with a 503. This should prevent any access
to a server whose certificate is (not yet) available.
3. In the SNI callback:
If no matching virtual host is found for the client supplied server name, mod_ssl
asks mod_md (if available) if this server name is a challenge. When mod_md answers
positively, it will provide certificate and key.
mod_ssl sets these in the SSL* of the connection and also sets the "service_unavailable"
for the connection so that change 2.) also gives 503 for all requests to this domain.
(This is for the "tls-sni-01" authorization method of the ACME protocol.)
PS. @Jchampion: I am not sure how to best merge the unit test cases into httpd. They need to be optional,
tied to the availability of mod_md and I do not know how to do that.
PPS. Another nit: mod_md also builds an executable, currently named a2md. I thought about putting
it in support/, but since this depends upon the optional mod_md, it is more natural in
modules/md, I thought.
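The three steps above, as an added stand-alone model (not httpd or mod_md code): the httpd API is replaced by plain structs, mod_md's optional function is a stub, and the ".acme.invalid" suffix used to recognise challenge names is a constructed assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical per-server config, modelling what mod_ssl would keep. */
typedef struct {
    const char *servername;
    const char *cert_file;                    /* admin-configured cert, NULL if none */
    const char *md_cert, *md_key, *md_chain;  /* what mod_md can supply, NULL if missing */
    bool service_unavailable;                 /* new flag from step 1b */
} server_cfg;

/* Per-connection state: matched vhost (or NULL) plus the SNI-path flag. */
typedef struct {
    const server_cfg *server;
    const char *sni_cert, *sni_key;
    bool service_unavailable;
} conn_cfg;

/* Stand-in for mod_md's optional "is this name a challenge?" function (constructed:
 * names ending in ".acme.invalid" are treated as tls-sni-01 challenge names). */
static bool md_is_challenge(const char *name, const char **cert, const char **key) {
    const char *sfx = ".acme.invalid";
    size_t n = strlen(name), s = strlen(sfx);
    if (n < s || strcmp(name + n - s, sfx) != 0) return false;
    *cert = "challenge-cert.pem"; *key = "challenge-key.pem";
    return true;
}

/* Step 1: post_config. */
void post_config(server_cfg *s, bool md_available) {
    if (!md_available || s->cert_file) return;   /* unmanaged, or certs already defined */
    if (s->md_cert && s->md_key && s->md_chain) s->cert_file = s->md_cert;  /* 1a */
    else s->service_unavailable = true;                                     /* 1b */
}

/* Step 2: read_request hook; 503 if the server or the connection is flagged. */
int read_request(const conn_cfg *c) {
    if (c->service_unavailable || (c->server && c->server->service_unavailable)) return 503;
    return 200;
}

/* Step 3: SNI callback. */
void sni_callback(conn_cfg *c, const char *sni, server_cfg *vhosts, size_t n, bool md_available) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(vhosts[i].servername, sni) == 0) { c->server = &vhosts[i]; return; }
    if (md_available && md_is_challenge(sni, &c->sni_cert, &c->sni_key))
        c->service_unavailable = true;   /* serve the challenge cert, but 503 every request */
}
```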
On 08/08/2017 07:19 AM, Stefan Eissing wrote:
> PS. @Jchampion: I am not sure how to best merge the unit test cases
> into httpd. They need to be optional, tied to the availability of
> mod_md and I do not know how to do that.
I need to solve this problem for another module as well (mod_auth_digest
has a regression unit test case), but I haven't decided how to tackle it.
> PPS. Another nit: mod_md also builds an executable, currently named
> a2md. I thought about putting it in support/, but since this depends
> upon the optional mod_md, it is more natural in modules/md, I
I don't think having an optional support executable would be a bad
thing. That said, I don't have strong opinions either way.
FYI I'll be somewhat inactive here on dev@ for a couple of weeks as I
adjust to a new job, so don't be afraid to ping me multiple times if you
need me. :D