diff options
author | Stefan Eissing <icing@apache.org> | 2021-10-29 09:04:38 +0000 |
---|---|---|
committer | Stefan Eissing <icing@apache.org> | 2021-10-29 09:04:38 +0000 |
commit | 51a214821cdceb0ae4153accf0d5f8c5207f6549 (patch) | |
tree | 1cf12feca8d899c0c59d356dfbc040a44406e549 /docs/manual | |
parent | 7b83bd03a93b28ec21be973936ad06c606fbf54f (diff) | |
download | httpd-51a214821cdceb0ae4153accf0d5f8c5207f6549.tar.gz |
*) mod_md: adding v2.4.8 with the following changes
- Added support for ACME External Account Binding (EAB).
Use the new directive `MDExternalAccountBinding` to provide the
server with the value for key identifier and hmac as provided by
your CA.
While working on some servers, EAB handling is not uniform
across CAs. First tests with a Sectigo Certificate Manager in
demo mode are successful. But ZeroSSL, for example, seems to
regard EAB values as a one-time-use-only thing, which makes them
fail if you create a seconde account or retry the creation of the
first account with the same EAB.
- The directive 'MDCertificateAuthority' now checks if its parameter
is a http/https url or one of a set of known names. Those are
'LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test'
for now and they are not case-sensitive.
The default of LetsEncrypt is unchanged.
- `MDContactEmail` can now be specified inside a `<MDomain dnsname>`
section.
- Treating 401 HTTP status codes for orders like 403, since some ACME
servers seem to prefer that for accessing oders from other accounts.
- When retrieving certificate chains, try to read the repsonse even
if the HTTP Content-Type is unrecognized.
- Fixed a bug that reset the error counter of a certificate renewal
and prevented the increasing delays in further attempts.
- Fixed the renewal process giving up every time on an already existing
order with some invalid domains. Now, if such are seen in a previous
order, a new order is created for a clean start over again.
See <https://github.com/icing/mod_md/issues/268>
- Fixed a mixup in md-status handler when static certificate files
and renewal was configured at the same time.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1894610 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'docs/manual')
-rw-r--r-- | docs/manual/mod/mod_md.xml | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/docs/manual/mod/mod_md.xml b/docs/manual/mod/mod_md.xml index dc7fa62e6b..15ad758338 100644 --- a/docs/manual/mod/mod_md.xml +++ b/docs/manual/mod/mod_md.xml @@ -1292,4 +1292,37 @@ MDMessageCmd /etc/apache/md-message </usage> </directivesynopsis> + <directivesynopsis> + <name>MDExternalAccountBinding</name> + <description></description> + <syntax>MDExternalAccountBinding <var>key-id</var> <var>hmac-64</var></syntax> + <default>MDExternalAccountBinding none</default> + <contextlist> + <context>server config</context> + </contextlist> + <usage> + <p> + Configure values for ACME "External Account Binding", a feature + of the ACME standard that allows clients to bind registrations + to an existing customer account on ACME servers. + </p> + <p> + Let's Encrypt does not require those, but other ACME CAs do. + Check with your ACME CA if you need those and how to obtain the + values. They are two strings, a key identifier and a base64 encoded + 'hmac' value. + </p> + <p> + You can configure those globally or for a specific MDomain. Since + these values allow anyone to register under the same account, it is + adivsable to give the configuration file restricted permissions, + e.g. root only. + </p> + <p> + If you change these values, the new ones will be used when the next + certificate renewal is due. + </p> + </usage> + </directivesynopsis> + </modulesynopsis> |