I suspect it is the change in mod_ssl interface to the other modules. I have to write a test for it.
It used to be that this chain file was ignored in mod_ssl 2.4.39 when it retrieved certificates from mod_md. Now mod_md adds its certificate via a hook and the chain file seems to remain in effect. I would say that 2.4.40 refuses a configuration that does not really make sense. And 2.4.39 silently ignored it. > Am 05.08.2019 um 10:53 schrieb Jan Ehrhardt <[email protected]>: > > Stefan Eissing in gmane.comp.apache.devel (Mon, 5 Aug 2019 10:23:27 > +0200): >> Trying to sum up what you are saying: mod_md 2.4.40 does not introduce a >> new problem, but testing with it exposed an issue that affects both. >> There is no regression in 2.4.40. > > It was not an noticable issue in 2.4.39 and previous versions. The > SSLCertificateChainFile statement may have been superfluous, but it did > not prevent Apache from running and it also did not prevent mod_md to do > what it is supposed to do: generate a new certificate when the time is > there. It had been working flawlessly for the last 7 months. > >> As to the problem: the SSLCertificateChainFile directive made mod_ssl >> fail in conjunction with mod_md and an empty MDomain. Probably, the >> fallback certificate was conflicting with the additional chain file. >> This fallback is installed until mod_md gets the "real" certificate >> from Lets Encrypt. > > The fallback certificate does not conflict with the > SSLCertificateChainFile directive in 2.4.39. Any idea why it fails in > 2.4.40, but does not in 2.4.39? > >> I try to add a test case for that and see how we can improve the >> interworking. > > Thanks for your continuing work on the mod_md module! Thanks! Nice to hear! - Stefan > -- > Jan >
