** Description changed:

  Starting with Apache 2.4.52-1ubuntu4.18 in 22.04 (and I suspect in all
  other supported Ubuntu releases, since the changelogs are similar), the
  mod_md setting MDStapleOthers is ignored. When enabled, this should
  cause mod_md to try to retrieve OCSP responses from CAs, and serve them
  to https clients for OCSP stapling.

  Prior to 2.4.52-1ubuntu4.18, this was working correctly. (I believe this
  bug only applies to domains whose certificate renewals are *not* managed
  by mod_md.)

  (MDStapleOthers status can be checked by examining the output of:

- openssl s_client -status "$domain":443
+ openssl s_client -status "$domain":443

  or by checking the file /etc/apache2/md/ocsp/other/job.json which should
  contain entries in a "log" section.)

  The Ubuntu changelog for 2.4.52-1ubuntu4.18 notes:

- * SECURITY UPDATE: Integer overflow in the case of failed ACME
- certificate renewal
- - debian/patches/CVE-2025-55753.patch: update mod_md to version
- 2.6.6 in modules/md/*
+ * SECURITY UPDATE: Integer overflow in the case of failed ACME
+ certificate renewal
+ - debian/patches/CVE-2025-55753.patch: update mod_md to version
+ 2.6.6 in modules/md/*

  The mod_md changelog, available at
  https://github.com/icing/mod_md/blob/master/ChangeLog, notes that 2.6.6
  has a bug:

  v2.6.7
  ----------------------------------------------------------------------------------------------------
- * Fix a regression in `MDStapleOthers` which broke in v2.6.0 and no longer
- applied, no matter the configuration.
+ * Fix a regression in `MDStapleOthers` which broke in v2.6.0 and no longer
+ applied, no matter the configuration.

  I can confirm that compiling mod_md 2.6.8 from source (configure/make),
  and using that module in 2.4.52-1ubuntu4.18, works as expected.
+
+ Edited to add: I'm seeing the same behavior (and working fix) in 24.04
+ with Apache 2.4.58-1ubuntu8.10.
-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2142766

Title:
  mod_md setting MDStapleOthers is ignored breaking OCSP for some
  domains
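
Added example (not part of the bug report or of mod_md): a small shell check that classifies `openssl s_client -status` output, so the stapling regression described above can be verified per host before and after a package update. The function names are hypothetical and the two sample outputs are constructed; the matched strings are the ones openssl prints when a staple is absent or present.

```shell
#!/bin/sh
# Classify OCSP stapling from `openssl s_client -status` output.

# Reads s_client output on stdin.
# Prints: "stapled cert=<status>", "missing" or "unknown".
staple_state() {
    awk '
        /OCSP Response Status: successful/ { s = "stapled" }
        /OCSP response: no response sent/  { if (s == "") s = "missing" }
        /Cert Status:/                     { c = $3 }
        END {
            if (s == "") s = "unknown"   # handshake failed or no status line
            if (s == "stapled" && c != "") s = s " cert=" c
            print s
        }'
}

# Live check for one host (needs network access).
check_host() {
    openssl s_client -connect "$1:443" -servername "$1" -status \
        </dev/null 2>/dev/null | staple_state
}

# Constructed sample: server sent no stapled response (the broken state).
sample_missing() { cat <<'EOF'
CONNECTED(00000003)
OCSP response: no response sent
---
EOF
}

# Constructed sample: server stapled a valid response (the expected state).
sample_stapled() { cat <<'EOF'
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
EOF
}

# Usage: ./check.sh host1 host2 ...  (does nothing when run without arguments)
for h in "$@"; do
    printf '%s\t%s\n' "$h" "$(check_host "$h")"
done
```

A host that reports "missing" while MDStapleOthers is enabled matches the behavior in this report; "unknown" means the TLS handshake itself did not complete.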
