mod_md and "fallback" certificates

Hey all,

I had an interesting dilemma come up. I want to start using mod_md, but needed an answer as to what to do if Let's Encrypt can't auth.

Now, unlike any other certificate solution, mod_md will not block a vhost from starting if no cert is defined. This is good. But it places the following in the logs on first run of an MDomain.

[Sun May 09 11:16:02.989759 2021] [ssl:info] [pid 72605] AH01914: Configuring server drivingdemocrats.org:443 for SSL protocol
[Sun May 09 11:16:02.989900 2021] [ssl:warn] [pid 72605] AH10085: Init: drivingdemocrats.org:443 will respond with '503 Service Unavailable' for now. There are no SSL certificates configured and no other module contributed any.
[Sun May 09 11:16:02.991557 2021] [ssl:info] [pid 72605] AH02568: Certificate and private key drivingdemocrats.org:443:0 configured from /usr/local/etc/apache24/md/domains/drivingdemocrats.org/fallback-cert.pem and /usr/local/etc/apache24/md/domains/drivingdemocrats.org/fallback-privkey.pem
[Sun May 09 11:16:02.991980 2021] [ssl:error] [pid 72605] AH02604: Unable to configure certificate drivingdemocrats.org:443:0 for stapling
[Sun May 09 11:16:11.090952 2021] [md:notice] [pid 72625] AH10059: The Managed Domain drivingdemocrats.org has been setup and changes will be activated on next (graceful) server restart.

(apachectl graceful)

[Sun May 09 11:16:33.957317 2021] [md:info] [pid 72605] AH10068: drivingdemocrats.org: staged set activated
[Sun May 09 11:16:33.958937 2021] [ssl:info] [pid 72605] AH01914: Configuring server drivingdemocrats.org:443 for SSL protocol
[Sun May 09 11:16:33.960105 2021] [ssl:info] [pid 72605] AH02568: Certificate and private key drivingdemocrats.org:443:0 configured from /usr/local/etc/apache24/md/domains/drivingdemocrats.org/pubcert.pem and /usr/local/etc/apache24/md/domains/drivingdemocrats.org/privkey.pem

This file doesn't exist either.

Apache seems to have some concept of a "fallback" cert. Something that I could generate, self-signed, with straight openssl, or perhaps use this as a mechanism for moving to a different SSL signing solution (an external ACME script, perhaps... or just a classic commercial cert).

This means if DNS isn't pointed right (say, the site is being staged on my server but hasn't been re-pointed), the user can still CONNECT, get a certificate warning, and preview their site.

The problem?

This isn't in the docs AT ALL. The only mention of the word "fallback" in https://httpd.apache.org/docs/trunk/mod/mod_md.html (or http://httpd.apache.org/docs/current/mod/mod_md.html) is:

"It is recommended that you have virtual hosts for all managed domains and do not rely on the global, [fallback] server configuration."

There seems to be no way to configure a global fallback cert instead of a per-domain one. (That is to say, if I'm going to get a cert warning anyway, I might as well just use a single cert for a staging site.)

Can someone offer some enlightenment on what this feature is intended for? Is this a half-done thing?

-Dan


--

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
FB:  fb.com/DanielMahoneyIV
LI:   linkedin.com/in/gushi
Site:  http://www.gushi.org
---------------------------
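As an added check (example code, not part of Dan's post and not mod_md's own tooling), a small Python script that reads Apache error-log lines in the format quoted above and reports which vhosts are still answering 503 or serving mod_md's fallback-cert.pem rather than an issued certificate; the hosts and log lines in SAMPLE_LOG are constructed, and the message formats assumed for AH10085 and AH02568 are taken from the lines in the post.

```python
import re
from typing import Dict, List

# Apache error-log line: "[timestamp] [module:level] [pid N] AHnnnnn: message"
LOG_RE = re.compile(r"^\[[^\]]+\] \[\w+:\w+\] \[pid \d+\] (?P<code>AH\d{5}): (?P<msg>.*)$")
# AH02568 message: "Certificate and private key host:port:N configured from CERT and KEY"
CERT_RE = re.compile(r"Certificate and private key (?P<server>[^\s:]+:\d+):\d+ configured from (?P<cert>\S+) and")
# AH10085 message: "Init: host:port will respond with '503 Service Unavailable' for now. ..."
NOCERT_RE = re.compile(r"Init: (?P<server>[^\s:]+:\d+) will respond with '503 Service Unavailable'")

# Constructed sample log (hypothetical hosts, same format as the post's lines):
# a.example.test goes 503 -> fallback -> issued after the graceful restart; b.example.test stays on fallback.
SAMPLE_LOG = """\
[Sun May 09 11:16:02.989759 2021] [ssl:info] [pid 72605] AH01914: Configuring server a.example.test:443 for SSL protocol
[Sun May 09 11:16:02.989900 2021] [ssl:warn] [pid 72605] AH10085: Init: a.example.test:443 will respond with '503 Service Unavailable' for now. There are no SSL certificates configured and no other module contributed any.
[Sun May 09 11:16:02.991557 2021] [ssl:info] [pid 72605] AH02568: Certificate and private key a.example.test:443:0 configured from /usr/local/etc/apache24/md/domains/a.example.test/fallback-cert.pem and /usr/local/etc/apache24/md/domains/a.example.test/fallback-privkey.pem
[Sun May 09 11:16:02.992000 2021] [ssl:info] [pid 72605] AH02568: Certificate and private key b.example.test:443:0 configured from /usr/local/etc/apache24/md/domains/b.example.test/fallback-cert.pem and /usr/local/etc/apache24/md/domains/b.example.test/fallback-privkey.pem
[Sun May 09 11:16:33.960105 2021] [ssl:info] [pid 72605] AH02568: Certificate and private key a.example.test:443:0 configured from /usr/local/etc/apache24/md/domains/a.example.test/pubcert.pem and /usr/local/etc/apache24/md/domains/a.example.test/privkey.pem
"""

def classify_md_log(lines: List[str]) -> Dict[str, str]:
    """Last known certificate state per 'host:port':
    'no-cert'  - AH10085: vhost answers 503, no module contributed a cert
    'fallback' - AH02568 loaded mod_md's self-signed fallback-cert.pem
    'issued'   - AH02568 loaded any other cert file (e.g. pubcert.pem)
    Later lines override earlier ones, so activating the staged set moves a host to 'issued'."""
    state: Dict[str, str] = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not an Apache error-log line in this format
        code, msg = m.group("code"), m.group("msg")
        if code == "AH10085" and (n := NOCERT_RE.search(msg)):
            state[n.group("server")] = "no-cert"
        elif code == "AH02568" and (c := CERT_RE.search(msg)):
            is_fallback = c.group("cert").rsplit("/", 1)[-1] == "fallback-cert.pem"
            state[c.group("server")] = "fallback" if is_fallback else "issued"
    return state

def needs_attention(state: Dict[str, str]) -> List[str]:
    """Hosts still on 503 or the self-signed fallback: browsers will warn or fail."""
    return sorted(h for h, s in state.items() if s != "issued")

if __name__ == "__main__":
    st = classify_md_log(SAMPLE_LOG.splitlines())
    for host, s in sorted(st.items()):
        print(f"{host}: {s}")
    print("needs attention:", needs_attention(st))
```

Run it against the live error log (`grep -E 'AH10085|AH02568' error_log`) after each graceful restart to confirm every managed vhost has left the fallback state.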

