icing / mod_md
Let's Encrypt (ACME) in Apache httpd

Home Page: https://icing.github.io/mod_md/

License: Apache License 2.0


mod_md's Issues

Generate a self-signed placeholder certificate for use when real certificate not available

Steps to reproduce:

Run Apache with a failing MD config (e.g. see #31), and try to connect via SSL (e.g. curl -k https://172.17.0.2:443).

Expected result: Bogus certificate

Actual result:

curl: (35) gnutls_handshake() failed: Error in the pull function.

In the Apache error logs, I see:

[Sat Aug 19 15:49:00.906790 2017] [ssl:error] [pid 9] [client 172.17.0.1:58708] AH01962: Unable to create a new SSL connection from the SSL context
[Sat Aug 19 15:49:00.907038 2017] [ssl:error] [pid 9] SSL Library Error: error:02001002:system library:fopen:No such file or directory (fopen('/apache/md/domains/powerdns.crud.net/pkey.pem','r'))
[Sat Aug 19 15:49:00.907101 2017] [ssl:error] [pid 9] SSL Library Error: error:2006D080:BIO routines:BIO_new_file:no such file
[Sat Aug 19 15:49:00.907110 2017] [ssl:error] [pid 9] SSL Library Error: error:02001002:system library:fopen:No such file or directory (fopen('/apache/md/domains/powerdns.crud.net/pkey.pem','r'))
[Sat Aug 19 15:49:00.907134 2017] [ssl:error] [pid 9] SSL Library Error: error:2006D080:BIO routines:BIO_new_file:no such file
[Sat Aug 19 15:49:00.907143 2017] [ssl:error] [pid 9] SSL Library Error: error:02001002:system library:fopen:No such file or directory (fopen('/apache/md/domains/powerdns.crud.net/pkey.pem','r'))
[Sat Aug 19 15:49:00.907151 2017] [ssl:error] [pid 9] SSL Library Error: error:2006D080:BIO routines:BIO_new_file:no such file
[Sat Aug 19 15:49:00.907204 2017] [ssl:error] [pid 9] SSL Library Error: error:140BA0C3:SSL routines:SSL_new:null ssl ctx

Ideally mod_md should generate a placeholder self-signed certificate for use when there is no real cert available, so handshakes can be completed. This will also avoid spamming the error logs in such a situation.

Windows crash mod_md v0.6.1 :: ServerName = ManagedDomain

Have:
ManagedDomain domaind.nl www.domaind.nl
ServerName domaind.nl (in server config)

This gives a crash in mod_md:
Faulting application path: C:\apache24\bin\httpd.exe
Faulting module path: C:\apache24\modules\mod_md.so

Debug log:

[md:debug] [pid 7184:tid 364] mod_md.c(706): AH: initializing post config dry run
[md:debug] [pid 7184:tid 364] mod_md.c(100): AH: server seems not reachable via http: (port 80->80) and reachable via https: (port 443->444)
[md:debug] [pid 7184:tid 364] mod_md.c(157): AH: Added MD[domaind.nl, CA=https://acme-staging.api.letsencrypt.org/directory, Proto=ACME, Agreement=https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf, Drive=1, renew=-1580777472]
[md:debug] [pid 7184:tid 364] mod_md.c(199): AH: Server www.domaind.nl:0 matches md domaind.nl (config srv[default])
[md:debug] [pid 7184:tid 364] mod_md.c(215): AH: Managed Domain domaind.nl applies to vhost www.domaind.nl:0
[md:debug] [pid 7184:tid 364] mod_md.c(222): AH: Managed Domain domaind.nl assigned server admin [email protected]

Generated tarball misses important files from test/

At least Makefile.am and test.ini.in are missing, maybe also others, so the tarball cannot be used to build the sources, as it fails to generate files in test/ during configure phase:

config.status:1141: creating Makefile
config.status:1141: creating src/md_version.h
config.status:1141: creating src/Makefile
config.status:1127: error: cannot find input file: `test/Makefile.in'

Increase default renewal window

From https://github.com/icing/mod_md/wiki/Directives#when-to-renew

Normally, certificates are valid for around 90 days and mod_md will renew them at the earliest 14 days before they expire. If you think this is too close, you can specify the number of days, as in:

However, the Let's Encrypt integration guide recommends renewing when 1/3rd of the certificate lifetime is left (i.e. 30 days for our current 90-day certs). Experience has shown this 30-day window is pretty important. People who let it go closer to the wire sometimes find themselves stuck and unable to renew a cert in the time they have left.

Test Cases for MDHttpProxy

New directive MDHttpProxy for outgoing connections. Also available on a2md command line. Has only single test 70008 right now.

Failing tests due to json_t* refcount issues

With the patch in #7, some failing tests are exposed. I'm currently working with test_600_000, which is triggering the new corruption check in that patch and leading to an APR_EINVAL return code.

I haven't root-caused completely yet, but it looks like md_acme_authz_set_to_json() and/or md_json_seta() are not handling the json_t refcounts correctly. Some of the JSON values we need are being released, and others are being given refcounts that seem overly large.

Is there documentation (or a rule of thumb) on how each JSON utility function is supposed to be manipulating refcounts?

(Also, has there been any discussion on a C-based test suite to complement pytest, so we can test the internals as well?)

Clarification on "no auto restart"

In https://github.com/icing/mod_md/wiki#no-auto-restart-when-started-as-root, it says:

No Auto Restart when started as root

When httpd is started as root user by your system, as most *NIX distributions set it up, it is configured to have its children (the ones doing the actual work) run as a quite restricted user. On Ubuntu, this is commonly www-data. This is good for security, obviously.

mod_md runs the ACME protocol also in these child processes and is therefore also restricted in the damages it can do. Which at the moment, also means it cannot signal the parent process to do a graceful restart. So, you will see a line in the error log that it was forbidden to do that. For now, in such a setup, you have to manually restart httpd for any certificate changes to take effect.

Does this include renewals, or just adding names to certificates? If it applies to renewals, it would be helpful to include practical advice here, like "run service apache2 reload in a daily root cronjob to ensure renewed certificates are loaded."

Stuck in "Partial results are valid but processing is incomplete"

I already deployed a few dozen LE enabled sites with certbot and dehydrated but for a private project I decided to give mod_md a try. I hope this is really an issue with mod_md and not a configuration issue on my side. This isn't supposed to be a support request; I think even if this is a dumb configuration issue, the error message I am staring at for a few hours now could be improved to point into the right direction.

A short history of steps I performed (with config reloads in between):

  1. Installed apache2 and libapache-mod-md v1.0.1 from the PPA.
  2. Configured a minimal HTTP and HTTPS config (current state below).
  3. Configured the vhost as a ManagedDomain.
  4. Found out from the very helpful log message (:+1:) that I had to set MDCertificateAgreement. Did so.
  5. Remembered that my Redirect based config for port 80 is too broad and found out about MDRequireHttps instead.
  6. Poked around in /etc/apache2/md and noticed that the initialIp has an IPv6 address and thus added the AAAA record to my domain just in case.
  7. A few hours later: Still waiting for a proper cert to be deployed and wondering what the following messages mean:
[Sun Nov 12 18:42:19.156053 2017] [md:debug] [pid 17202] mod_md.c(757): AH10055: md watchdog run, auto drive 1 mds
[Sun Nov 12 18:42:19.156116 2017] [md:debug] [pid 17202] mod_md.c(686): AH10052: md(cloud.msquadrat.de): state=1, driving
[Sun Nov 12 18:42:19.156141 2017] [md:debug] [pid 17202] md_reg.c(886): cloud.msquadrat.de: run staging
[Sun Nov 12 18:42:19.156148 2017] [md:debug] [pid 17202] md_acme_drive.c(666): cloud.msquadrat.de: staging started, state=1, can_http=1, can_https=1, challenges='http-01'
[Sun Nov 12 18:42:19.156256 2017] [md:debug] [pid 17202] md_acme_drive.c(888): (70008)Partial results are valid but processing is incomplete: cloud.msquadrat.de: ACME, ACME staging
[Sun Nov 12 18:42:19.156268 2017] [md:debug] [pid 17202] md_reg.c(893): (70008)Partial results are valid but processing is incomplete: cloud.msquadrat.de: staging done
[Sun Nov 12 18:42:19.156280 2017] [md:error] [pid 17202] (70008)Partial results are valid but processing is incomplete: AH10056: processing cloud.msquadrat.de
[Sun Nov 12 18:42:19.156288 2017] [md:info] [pid 17202] AH10057: cloud.msquadrat.de: encountered error for the 10. time, next run in  0:42:40 hours
[Sun Nov 12 18:42:19.156303 2017] [md:debug] [pid 17202] mod_md.c(779): AH: next run in  0:42:39 hours

According to my access.log there wasn't a single request from LE. Querying /.well-known/acme-challenge/foo works though (i.e. gives a 404 instead of a redirect).

If required, I can provide the full error.log and any of the files from /etc/apache2/md:

/etc/apache2/md
├── accounts
├── challenges
├── domains
│   └── cloud.msquadrat.de
│       ├── fallback-cert.pem
│       ├── fallback-privkey.pem
│       └── md.json
├── httpd.json
├── md_store.json
└── staging
    └── cloud.msquadrat.de
        ├── account.json
        ├── account.pem
        └── md.json

My current config (not stripped down, I just redacted the ServerAdmin):

<ManagedDomain cloud.msquadrat.de>
        MDCAChallenges http-01
        MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf
        MDRequireHttps permanent
</ManagedDomain>

<VirtualHost *:443>
        ServerName cloud.msquadrat.de
        ServerAdmin [email protected]

        Protocols h2 http/1.1
        SSLEngine on

        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

<VirtualHost *:80>
        ServerName cloud.msquadrat.de
        ServerAdmin [email protected]

        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

User agent doesn't need "like certbot"

Right now the user agent string for ACME requests contains "(Something, like certbot)". This shouldn't be necessary; Boulder does almost zero User-Agent detection. Ideally that string should just be removed, unless there's some reason to include it that I'm unaware of?

Build error 0.7.1

On windows with a2md and mod_md:

md_util.c(764): error C2099: initializer is not a constant

Delay use of cert during renewal

When renewing a cert (e.g. 14 days before expiry), it can be useful to delay using the new cert for 24 hours.

This is because the cert contains a "valid from" date, and it's quite common for users accessing the site to have their computer's clock be wrong... if it's out by days, there isn't much you can do about that (but hopefully it's more obvious that it needs to be fixed), whereas being out by hours is more tricky.

A classic example is a computer that has been incorrectly configured to use UTC, so it does not alter the time from "local time" when comparing the UTC value in the cert.

Some CAs do round the "valid from" date back a bit to address this, but if memory serves, LE does not.
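As an added example for this page (not mod_md's code, and not its actual activation rule), the following Python sketches the two policies discussed in the "Increase default renewal window" issue above and in this one: a renewal window given as absolute days or as a fraction of the lifetime, and a 24-hour hold on a freshly issued certificate while the old one is still valid. The certificate dates are constructed.

```python
from datetime import datetime, timedelta, timezone

# Illustrative helpers written for this page; they are not mod_md's own
# implementation. All dates below are constructed examples.


def renew_after(not_before, not_after, window):
    """Earliest time at which renewal should start.

    `window` is either a timedelta (absolute, e.g. 14 days before expiry)
    or a float in (0, 1) meaning a fraction of the certificate lifetime
    (e.g. 1/3, the Let's Encrypt integration guide's recommendation).
    """
    lifetime = not_after - not_before
    if isinstance(window, timedelta):
        margin = window
    elif isinstance(window, (int, float)) and 0 < window < 1:
        margin = lifetime * window
    else:
        raise ValueError("window must be a timedelta or a fraction in (0, 1)")
    if margin >= lifetime:
        raise ValueError("renewal window is not shorter than the certificate lifetime")
    return not_after - margin


def activate_new_cert(now, new_not_before, old_not_after, delay=timedelta(hours=24)):
    """Should a freshly issued certificate be put into service at `now`?

    A client whose clock lags by a few hours rejects a certificate whose
    notBefore lies in its future, so the new certificate is held back for
    `delay` after its notBefore. The hold is skipped once the old
    certificate has expired (or there is none), because serving an expired
    certificate is worse than the clock-skew risk.
    """
    if old_not_after is None or old_not_after <= now:
        return True
    return now >= new_not_before + delay


def demo():
    """Run both helpers on constructed dates and return the results."""
    old_nb = datetime(2017, 9, 5, tzinfo=timezone.utc)    # constructed 90-day cert
    old_na = old_nb + timedelta(days=90)                  # expires 2017-12-04
    new_nb = datetime(2017, 11, 20, 10, 0, tzinfo=timezone.utc)  # renewal issued 10:00
    return {
        "renew_14d": renew_after(old_nb, old_na, timedelta(days=14)),       # 2017-11-20
        "renew_third": renew_after(old_nb, old_na, 1 / 3),                  # 2017-11-04
        "activate_after_2h": activate_new_cert(new_nb + timedelta(hours=2), new_nb, old_na),
        "activate_after_25h": activate_new_cert(new_nb + timedelta(hours=25), new_nb, old_na),
        "activate_old_expired": activate_new_cert(new_nb + timedelta(hours=2), new_nb, new_nb),
        "activate_no_old": activate_new_cert(new_nb, new_nb, None),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```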

Windows installing service reports log messages as error

I see with mod_md a behavior which is not standard compared with other modules. The module mod_md is the only one where I see this behavior.

When installing as a service, info/warn log messages are reported as errors:

C:\apache24\bin>httpd -k install
Installing the 'Apache2.4' service
The 'Apache2.4' service is successfully installed.
Testing httpd.conf....
Errors reported here must be corrected before the service can be started.
[Tue Nov 28 10:03:43.126510 2017] [md:info] [pid 7364:tid 392] AH10071: mod_md (v1.0.3-git), initializing...
C:\apache24\bin>

Please fix.

PS:
On the httpd dev list I posted other situations where log messages are reported as errors.

Alternative name for module

I suggest renaming the module to mod_acme as it implements the ACME protocol. This name was also suggested by Mozilla. It looks like the module leaves the addition of alternative certificate management protocols open for now, which would be an indication to not use mod_acme.

The added callback-mechanisms in mod_ssl would allow other certificate auto-renewal mechanisms to be implemented by other parties.

For me personally, md is Message Digest (md5, libmd) and the module doesn't manage the domain for me, only the certificate.

Old Directive            New Directive
MDCertificateAgreement   AcmeAgreement
MDCertificateAuthority   AcmeCertificateAuthority
MDCertificateProtocol    AcmeCertificateProtocol
MDDriveMode              AcmeDriveMode
MDRenewWindow            AcmeRenewWindow
MDMember                 AcmeMember

AcmeCertificateProtocol ACME is redundant...

Better error message for ManagedDomain/VirtualHost mismatch

Per https://github.com/icing/mod_md/wiki/Edge-Cases#missing-names,

"While one MD may cover several VirtualHosts, it may never cover only part of one. All ServerName and ServerAlias names must be listed."

Intentionally configuring such a broken setup:

ManagedDomain powerdns.crud.net
MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf
<VirtualHost *:443>
ServerName powerdns.crud.net
ServerName misc.crud.net
...

Produces this error message:

[Sat Aug 19 15:47:31.158152 2017] [ssl:warn] [pid 1] AH: Init: (misc.crud.net:443) disabling this host for now as certificate/key data for the Managed Domain is incomplete.

Ideally this should say something like "Disabling misc.crud.net:443 because the corresponding ManagedDomain (powerdns.crud.net) doesn't include its hostname. Add misc.crud.net to the ManagedDomain directive to fix."

NoGo Windows :: After restart changes not activated with Access is denied in log

Have:
LoadModule md_module modules/mod_md.so
ManagedDomain domaind.nl www.domaind.nl
MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf

Initially it says all is fine and asks for a restart.
After the restart I see (OS 5)Access is denied and it asks again for a restart.

It happens both when the Apache server is running with the System or the Administrator account.

Initial:

[md:info] [pid 5776:tid 456] AH: mod_md (v0.5.0-git), initializing...
[md:info] [pid 10184:tid 372] AH: mod_md (v0.5.0-git), initializing...
[md:info] [pid 10184:tid 1964] domaind.nl: setup staging
[md:info] [pid 10184:tid 1964] domaind.nl: need certificate
[md:info] [pid 10184:tid 1964] registered new account https://acme-staging.api.letsencrypt.org/acme/reg/2907888
[md:info] [pid 10184:tid 1964] domaind.nl: check Terms-of-Service agreement
[md:info] [pid 10184:tid 1964] domaind.nl: setup new authorization
[md:info] [pid 10184:tid 1964] domaind.nl: setup new challenges
[md:info] [pid 10184:tid 1964] updated authz https://acme-staging.api.letsencrypt.org/acme/authz/jDHZI1F9a7KplK0RKN--ZOF9atEZfhwsM9IhTRgwdOU
[md:info] [pid 10184:tid 3020] [client 66.133.109.36:52256] AH: f972ca5e2bdcc62b9ff607c4a1e8e2bd.64d86ecf28901402270935aa2f61ba94.acme.invalid: is a tls-sni-01 challenge host
[md:info] [pid 10184:tid 1964] updated authz https://acme-staging.api.letsencrypt.org/acme/authz/KRS9-Fu2BVoETVbbmxvf6xGpgNF9xCYejs-7ks2sIdw
[md:info] [pid 10184:tid 1964] domaind.nl: monitoring challenge status
[md:info] [pid 10184:tid 3020] [client 66.133.109.36:52328] AH: 7237dd3a897d38e80ae12788930936f7.c605a08202905d490a609ccdaaba57a3.acme.invalid: is a tls-sni-01 challenge host
[md:info] [pid 10184:tid 1964] domaind.nl: checked all domain authorizations
[md:info] [pid 10184:tid 1964] domaind.nl: creating certificate request
[md:info] [pid 10184:tid 1964] domaind.nl: received certificate
[md:info] [pid 10184:tid 1964] domaind.nl: retrieving certificate chain
[md:notice] [pid 10184:tid 1964] AH: 1 Managed Domain has been setup and changes will be activated on next (graceful) server restart.

After restart:

[md:info] [pid 5776:tid 456] AH: mod_md (v0.5.0-git), initializing...
[md:notice] [pid 10184:tid 1964] AH: 1 Managed Domain has been setup and changes will be activated on next (graceful) server restart.
[md:error] [pid 5776:tid 456] (OS 5)Access is denied. : rename from D:/servers/apacheS/md/domains/domaind.nl to D:/servers/apacheS/md/archive/domaind.nl.1
[md:error] [pid 5776:tid 456] (OS 5)Access is denied. : AH: domaind.nl: error loading staged set
[md:error] [pid 10520:tid 364] (OS 183)Cannot create a file when that file already exists. : creating archive dir: D:/servers/apacheS/md/archive/domaind.nl.1
[md:error] [pid 10520:tid 364] (OS 183)Cannot create a file when that file already exists. : AH: domaind.nl: error loading staged set
[md:info] [pid 10520:tid 364] AH: mod_md (v0.5.0-git), initializing...
[md:error] [pid 10520:tid 364] (OS 183)Cannot create a file when that file already exists. : creating archive dir: D:/servers/apacheS/md/archive/domaind.nl.1
[md:error] [pid 10520:tid 364] (OS 183)Cannot create a file when that file already exists. : AH: domaind.nl: error loading staged set
[md:info] [pid 10520:tid 2044] domaind.nl: all data staged
[md:notice] [pid 10520:tid 2044] AH: 1 Managed Domain has been setup and changes will be activated on next (graceful) server restart.

How intrusive are the changes to mod_ssl

Hi,

sorry for abusing the issues for a question...

If I were to provide packaged mod_md via my PPA as a separate package, how intrusive are the changes to mod_ssl? Could I just patch it for everybody without breaking anything?

Or when do you expect to land these required changes in 2.4.x upstream?

Build error: implicit declaration of function ‘ap_cstr_casecmp’

I'm trying to build from source based on the instructions on the wiki, and getting this build failure on the v0.7.0 tag:

configure: summary of build options:

    Version:        0.7.0 shared 11:0:6
    Host type:      x86_64-pc-linux-gnu
    Install prefix: /usr
    APXS:           /usr/bin/apxs
    HTTPD-VERSION:  2.4.18
    C compiler:     gcc
    CFLAGS:         -g -O2 
    WARNCFLAGS:     
    LDFLAGS:         -L/usr/lib
    LIBS:           -lcurl -ljansson -lcrypto  -L/usr/lib/x86_64-linux-gnu -lcurl
    CPPFLAGS:        -I/usr/include/apache2 -I/usr/include/apr-1.0
    curl            ./curl
    curl-config     curl-config
    openssl         /usr/bin/openssl

$ make
Making all in src
make[1]: Entering directory '/root/mod_md/src'
  CC       mod_md_la-mod_md_config.lo
mod_md_config.c: In function ‘inside_section’:
mod_md_config.c:190:13: error: implicit declaration of function ‘ap_cstr_casecmp’ [-Werror=implicit-function-declaration]
        if (!ap_cstr_casecmp(d->directive, section)) {
             ^
cc1: all warnings being treated as errors
Makefile:768: recipe for target 'mod_md_la-mod_md_config.lo' failed
make[1]: *** [mod_md_la-mod_md_config.lo] Error 1
make[1]: Leaving directory '/root/mod_md/src'
Makefile:498: recipe for target 'all-recursive' failed
make: *** [all-recursive] Error 1

Feature request restart on Windows

In the Readme:
When mod_md gets a certificate from Let's Encrypt, it installs it in your file system and restarts the server to activate it.

For Windows, automatically stopping/restarting the server must be an option; best is to send an email that the certs are renewed, or it can start a script. On Windows, stopping/restarting mostly leaves e.g. mod_fcgid processes running. When I restart Apache, I run a script that also kills all the mod_fcgid processes.

Curl certificate error on windows

In the readme it is stressed that you need a curl with openssl.

On Windows we then get:

Peer certificate cannot be authenticated with given CA certificates.

Building with Winssl it works!

Documentation updates

  1. Add a BIG FAT WARNING at the top of the 2.4.x Installation wiki page that mod_ssl must be patched for mod_md to work.
  2. Start with generic build instructions on 2.4.x Installation and then add specifics for OS's.
  3. Add link to the mod_md on the Apache httpd website to the top of the mod_md docs and Directives wiki pages
  4. Add missing directives, e.g. MDPrivateKeys, to the Directives wiki page (alternative: redirect to the docs/trunk/mod/mod_md.html page on httpd.apache.org)

Re. 1. That was just me not reading all the docs...

wiki/Directives defaults incorrect

The Directives wiki page still mentions that LE staging environment is the default whereas an unmodified 0.9.1 install uses the production environment.

Invalid argument: unexpected AUTHZ state 3

mod_md 0.9.7 is trying to renew and is getting errors:

..
..
[md:info] [pid 7072:tid 1964] apachelounge.nl: need certificate
[md:info] [pid 7072:tid 1964] apachelounge.nl: check Terms-of-Service agreement
[md:info] [pid 7072:tid 1964] apachelounge.nl: setup new authorization
[md:info] [pid 7072:tid 1964] apachelounge.nl: setup new challenges
[md:error] [pid 7072:tid 1964] (22)Invalid argument: apachelounge.nl: unexpected AUTHZ state 3 at https://acme-v01.api.letsencrypt.org/acme/authz/iDqjBmUgvLmip0QQDvfSuvQTtZYWJnXjQ87cgURSU28
[md:error] [pid 7072:tid 1964] (22)Invalid argument: AH10056: processing apachelounge.nl
[md:info] [pid 7072:tid 1964] AH10057: apachelounge.nl: encountered error for the 11. time, next run in 1:00:00 hours

I stopped and started Apache again: same error, and it tries it over and over again.

see trace2:
mod_md-error.txt

I disabled mod_md.

[solved] Windows :: server reports that it is not reachable

In the Apache error.log I get: the server reports that it is not reachable via http (port 80) or https (port 443). The ACME protocol needs at least one of those so the CA can talk to the server and verify a domain ownership.

It is definitely reachable on port 80 and port 443.

Every few hours it is trying again, with the same error.

My config:

Listen 80
Listen 443
LoadModule watchdog_module modules/mod_watchdog.so
LoadModule md_module modules/mod_md.so

ManagedDomain domain.nl www.domain.nl
MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf

variable 'store' set but not used

Following the Ubuntu installation guide, I ran the following commands:

mod_md > ./configure --with-apxs=/usr/bin/apxs --enable-werror
mod_md > make

I get the following error:

mod_md.c:737:17: error: variable 'store' set but not used [-Werror=unused-but-set-variable]
     md_store_t *store;

Workaround: I removed the option --enable-werror

SSLCertificateChainFile obsolete, feature request

I see that mod_md is generating the certs: cert.pem and chain.pem

Nowadays you must combine those two, since SSLCertificateChainFile became obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file.

I am now not automatically compatible with my (mail) servers; they need a cert.pem with both cert.pem and chain.pem. I have to manually combine the two.

The request is that mod_md also generates a combined file.
I would like to see a cert.pem, chain.pem and a chain+cert.pem.

Note: The tool that I used is generating a combined file.

Immediate retry for badNonce errors

I have a mod_md that got into a bad state somehow. Right now, every time it retries, it gets a badNonce error. As far as I can tell, this triggers a retry a few minutes later, using the new nonce received with the error. Since nonces currently expire after a few minutes, this retry fails.

Bad nonce errors should be treated differently than other errors, and should be retried immediately at least once.

Version 0.3.0 does not build on Windows

I am not native English speaking, so I hope I am clear.

The current 0.3.0 does not build on Windows:

md_os.c(121): error C2371: 'mpm_signal_service': redefinition; different basic types
C:\VC15\Win32\httpd-2.4.27\server\mpm\winnt\mpm_winnt.h(56): note: see declaration of 'mpm_signal_service'
md_os.c(128): error C2561: 'md_server_graceful': function must return a value
md_os.c(126): note: see declaration of 'md_server_graceful'

Note:
Version 0.2.0 did not have a compiler error, but a link error. It built after commenting out in md_os.c:
/* mpm_signal_service(p, 1); */

Staging area gets stuck on invalid domain name

Scenario: create a ManagedDomain with n dns names. One of them is not working, e.g. the server is not reachable under that domain (common case, DNS entry with A record pointing to an old IP address). mod_md will then detect that ACME authentication for that domain failed and go into the retry loop.

  1. Issue: the offending domain is not logged at the appropriate level
  2. Issue: when the admin removes that dns name from the apache conf, the staging area is not reset. mod_md reuses the already created AUTHZ resource, which continues to fail since it still contains the wrong dns name.

Solution: on changes in dns name list, reset the staging area, always.

Not possible to use when you already have a certificate.

Running a2md 0.2.0.
It complains that the server is not reachable. With this trick I could run a2md from the command line: I edited http and https to true in md/httpd.json.

A lot is going on, but no certificate.

In the output I see the error: ... Received 2 certificate(s)....

Does this mean that I cannot have one with mod_md/a2md if I already have one from another tool?

After renewal no line in log to restart, and request notice entries

Running v0.8.2

At the initial setup we get: Managed Domain has been setup and changes will be activated on next (graceful) server restart.

With renewal I miss that kind of log line.

last lines in log with loglevel = info:

[md:info] [pid 4112:tid 1964] apachelounge.nl: received certificate
[md:info] [pid 4112:tid 1964] apachelounge.nl: retrieving certificate chain

No loglevel = notice and warn entries.

Maybe better to log some with loglevel = warn (is default), like:

apachelounge.nl: received certificate
apachelounge.nl: retrieving certificate chain
all managed domains are valid
Managed Domain has been setup and changes will be activated on next (graceful) server restart.
AH10053: md(apachelounge.nl): is complete, cert expires Mon, 04 Dec 2017 13:06:00 GMT
AH: next run in 12:00:00 hours
..
..

So it is less magic.

Config with no vhosts?

There are admins/users around who have no vhosts in an SSL front; the back end has the vhosts.

Does this work? They would like to run mod_md in the front.

A typical config in this case is:

==443==> Front minimal apache listen 443 and no vhosts =====Proxypass==> 80===>Back with all the vhosts and no ssl

I saw that with 0.3.0 "tls-sni-01" is supported and with 0.3.0+ there is 'MDDriveMode always'.
I cannot test it, because 0.3.0 gives compile errors (see other issue).

Recovering from missing terms-of-service agreement fails

Steps to reproduce:

Start Apache with mod_md and ManagedDomain powerdns.crud.net
Note error in logs:

[Sat Aug 19 15:39:09.499585 2017] [md:error] [pid 6] need to accept terms-of-service <https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf> for account (null)
[Sat Aug 19 15:39:09.500467 2017] [md:error] [pid 6] (13)Permission denied: AH10056: processing powerdns.crud.net

Add MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf to Apache config and restart.

Expected result: MD continues with registration process and issues a certificate.

Actual result: MD continues to log:

[Sat Aug 19 15:41:15.584970 2017] [md:error] [pid 8] need to accept terms-of-service <https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf> for account (null)
[Sat Aug 19 15:41:15.585283 2017] [md:error] [pid 8] (13)Permission denied: AH10056: processing powerdns.crud.net

Note that there are a few things in the logs that could be improved:

  • "for account (null)" should probably say something other than "(null)"
  • Permission denied doesn't say for what operation or what file
  • The error log should ideally include instructions on what directive to add in order to agree to terms

mod_ssl_md-2.4.x-v3.diff not same as in Trunk

I noticed that in trunk there is a diff from 1 Sept in ssl_engine_init.c:

...
"Init: %s will respond with '503 Service Unavailable' for now. This " ....

I do not see this in the V3 patch. I did not check more of the diff.

Compile error on ARMv5 (embedded uClibc)

Hi,

I am also experiencing an error similar to the one described in issue ticket #29 when I try to build mod_md on an embedded ARMv5 NAS:

configure: summary of build options:

    Version:        1.0.1 shared 11:0:6
    Host type:      armv5tel-unknown-linux-uclibceabi
    Install prefix: /ffp/apache
    APXS:           /ffp/bin/apxs
    HTTPD-VERSION:  2.4.18
    C compiler:     gcc -std=gnu99
    CFLAGS:         -g -O2 -I/ffp/include -DMD_HAVE_ARC4RANDOM
    WARNCFLAGS:
    LDFLAGS:         -L/ffp/apache/lib
    LIBS:           -lcurl -ljansson -lcrypto  -L/ffp/lib -lcurl
    CPPFLAGS:        -I/ffp/apache/include -I/ffp/include/apr-1
    curl            curl
    curl-config     curl-config
    jansson         -
    openssl         openssl

root@NSA320S:/i-data/bf835951/build/mod_md# make
Making all in src
make[1]: Entering directory '/i-data/bf835951/build/mod_md/src'
  CC       mod_md_la-mod_md_config.lo
mod_md_config.c: In function 'inside_section':
mod_md_config.c:217:8: error: implicit declaration of function 'ap_cstr_casecmp' [-Werror=implicit-function-declaration]
        if (!ap_cstr_casecmp(d->directive, section)) {
        ^
cc1: all warnings being treated as errors
Makefile:759: recipe for target 'mod_md_la-mod_md_config.lo' failed
make[1]: *** [mod_md_la-mod_md_config.lo] Error 1
make[1]: Leaving directory '/i-data/bf835951/build/mod_md/src'
Makefile:489: recipe for target 'all-recursive' failed
make: *** [all-recursive] Error 1

What can I do?

Thanks.

How do we tell Honest Achmed we're an existing customer?

In the current list of directives I don't see any way (short of maybe the email address which would be badly overloaded for this purpose) to signal to a CA that we're one of their existing customers.

ACME includes a method to bind the ACME account to some sort of per-CA customer account, see e.g. 7.3.5 "External Account Binding" in the most recent draft. We can expect that if ACME takes off with Commercial CAs they will want a simple way for sysadmins at a larger customer to bind all their machines to the company's account.

Ideally there'd be one directive to support this: to both specify a customer ID and to specify a MAC key which proves you're that customer, since it makes no sense to have one without the other, or for one to vary without the other. The documentation and preferably directive name should make clear that the latter is secret and not to be shared.

For Let's Encrypt obviously this is largely irrelevant, but for a commercial CA this is vital to distinguish random people with mod_md installed from legitimate paying customers and one customer from another.

I can imagine that I'd be able to tell a new Apache install, here's the URL for Honest Achmed, here's my customer ID 123456, and here's a gibberish ASCII-encoded MAC to prove I'm 123456. Then my certificates would get an EV OID and O="EXA Metal Pole Europe LTD" which I've paid Achmed $100 per year to verify with an extra $10 to pay every extra hundred certificates. DV would take place as usual for the specific names that Apache is configured with.

Missing Test Cases

The following scenarios are not covered by test cases:

  • Tests for MDRenewWindow (percentage and absolute)
  • Tests for MDPrivateKeys options
  • There is logic to delay activation of renewed certificates when the old ones are still valid. Test by creating a staging directory with appropriate notBefore, notAfter values?
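For the first bullet, here is an added example (not mod_md's code or its test suite) of the check a test for MDRenewWindow would exercise, with both the percentage and the absolute form. It assumes the documented semantics that renewal is due once the certificate's remaining validity drops to or below the window, a percentage being relative to the full lifetime (notAfter minus notBefore) and an absolute value being a duration such as `10d` or `12h`. The certificate dates are constructed; the unit letters accepted by `parse_window` are an assumption of this example.

```python
"""Renew-window check in the style of MDRenewWindow (percentage or absolute).

Added example, not mod_md's code. Assumed semantics: renewal is due when the
remaining validity is at or below the window; "33%" means a third of the total
lifetime, "10d"/"12h" are absolute durations. Sample dates are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}  # unit letters are an assumption


def parse_window(spec: str):
    """Return ("pct", fraction) for "NN%" or ("abs", timedelta) for "NN[smhd]".

    Rejects empty, malformed, 0% and >=100% windows: a window covering the whole
    lifetime would mean renewing from the moment of issuance.
    """
    spec = spec.strip()
    m = re.fullmatch(r"(\d+)%", spec)
    if m:
        pct = int(m.group(1))
        if not 0 < pct < 100:
            raise ValueError(f"percentage window out of range: {spec}")
        return ("pct", pct / 100)
    m = re.fullmatch(r"(\d+)([smhd])", spec)
    if m:
        return ("abs", timedelta(seconds=int(m.group(1)) * _UNITS[m.group(2)]))
    raise ValueError(f"bad renew window: {spec!r}")


def renewal_start(not_before: datetime, not_after: datetime, window: str = "33%") -> datetime:
    """Instant from which renewal attempts should begin."""
    lifetime = not_after - not_before
    if lifetime <= timedelta(0):
        raise ValueError("notAfter must be later than notBefore")
    kind, value = parse_window(window)
    threshold = lifetime * value if kind == "pct" else value
    # An absolute window longer than the lifetime would start in the past;
    # clamp so renewal starts at issuance rather than before it.
    return max(not_after - threshold, not_before)


def renewal_due(not_before: datetime, not_after: datetime, now: datetime,
                window: str = "33%") -> bool:
    """True once `now` has reached the renewal start (expired certs included)."""
    return now >= renewal_start(not_before, not_after, window)


# --- constructed sample certificate: 90-day validity, the Let's Encrypt lifetime ---
SAMPLE_NOT_BEFORE = datetime(2017, 11, 13, tzinfo=timezone.utc)
SAMPLE_NOT_AFTER = SAMPLE_NOT_BEFORE + timedelta(days=90)


def days_before_expiry(days: float) -> datetime:
    """Instant `days` before the sample certificate expires (negative = already expired)."""
    return SAMPLE_NOT_AFTER - timedelta(days=days)


if __name__ == "__main__":
    for window in ("33%", "10d", "12h"):
        start = renewal_start(SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER, window)
        print(f"{window:>4}: renewal starts {start.isoformat()}")
        for days in (60, 29, 10, 0.4, -1):
            due = renewal_due(SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER, days_before_expiry(days), window)
            print(f"      {days:>5} days before expiry -> due={due}")
```

A test for the third bullet, delayed activation while the old certificate is still valid, needs the same two dates from the staged certificate, so constructing a staging directory with chosen notBefore/notAfter values, as the bullet suggests, and feeding them through a check like `renewal_start` is the natural way to pin that logic down.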

httpd.json file not found

Hi, I installed mod_md on Apache 2.4X, running on Windows 7. Up to now I installed Let's Encrypt certificates manually, so I wanted to try the new possibility to automate this process via mod_md. But unfortunately I run into errors. The first error says:
"[md:trace2] [pid 6892:tid 408] md_store_fs.c(434): (OS 2)Das System kann die angegebene Datei nicht finden. : loading type 1 from C:/path/to/directory/md/httpd.json" md can't find that file.
But there are more problems. If you don't mind I would send the error log directly to you. Please let me know if this is ok.

Windows v0.6.0 Build warnings

See attached logs.

See a lot: warning C4003: not enough actual parameters for macro 'APLOGNO'

And attention for: md_store_fs.c(143): warning C4700: uninitialized local variable 's' used

mod_md.txt
a2md.txt

Parallel makes are unreliable

Probably not very critical at this point, but make -j often fails for me because the top-level rule for making src/libapachemd.la overlaps with the work done by the recursive SUBDIRS. This leads to errors like

mv: cannot stat 'acme/.deps/libapachemd_la-md_acme.Tpo': No such file or directory
Makefile:540: recipe for target 'acme/libapachemd_la-md_acme.lo' failed
make[1]: *** [acme/libapachemd_la-md_acme.lo] Error 1

At the same time that the top-level Makefile recurses into the src subdirectory to start its work (it does this because we've set the SUBDIRS variable), the rule for src/libapachemd.la is spawning a second process to do the same work with $(MAKE) -C src. They step on each other.

Documentation issues

Following the documentation provided in this Wiki, some things are not clear:

1) SSLEngine required

Error

Invalid command 'SSLEngine', perhaps misspelled or defined by a module not included in the server configuration

Solution

mod_ssl still needs to be enabled (a2enmod ssl)

2) ServerAdmin required

Error

[Mon Nov 13 14:29:51.987135 2017] [md:error] [pid 30:tid 140356995012352] (22)Invalid argument: no contact information for md example.com

Solution

I added the ServerAdmin

This is mentioned in the last section.

3) MDCertificateAgreement required

Error

[Mon Nov 13 14:53:17.692973 2017] [md:error] [pid 29:tid 140457350256384] (70008)Partial results are valid but processing is incomplete: example.com: the CA requires you to accept the terms-of-service as specified in <https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf>. Please read the document that you find at that URL and, if you agree to the conditions, configure "MDCertificateAgreement url" with exactly that URL in your Apache. Then (graceful) restart the server to activate.

[EDIT]: Even after a restart, I cannot access my domain via https.

Solution

I added

MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf

4) Server restart required

Error

Now, everything is configured, the server tells me the following:

[Mon Nov 13 14:55:52.800165 2017] [md:notice] [pid 29:tid 139962436892416] AH10059: The Managed Domain example.com has been setup and changes will be activated on next (graceful) server restart.

I expected that the certificates are fully installed and renewed automatically without further reload/restart.

Resolution

Unknown. What do you recommend?
