Hey all,
I had an interesting dilemma come up. I want to start using mod_md, but
needed an answer as to what to do if Let's Encrypt can't auth.
Now, unlike any other certificate solution, mod_md will not block a vhost
from starting if no cert is defined. This is good. But it places the
following in the logs on first run of an MDomain.
[Sun May 09 11:16:02.989759 2021] [ssl:info] [pid 72605] AH01914: Configuring server drivingdemocrats.org:443 for SSL protocol
[Sun May 09 11:16:02.989900 2021] [ssl:warn] [pid 72605] AH10085: Init: drivingdemocrats.org:443 will respond with '503 Service Unavailable' for now. There are no SSL certificates configured and no other module contributed any.
[Sun May 09 11:16:02.991557 2021] [ssl:info] [pid 72605] AH02568: Certificate and private key drivingdemocrats.org:443:0 configured from /usr/local/etc/apache24/md/domains/drivingdemocrats.org/fallback-cert.pem and /usr/local/etc/apache24/md/domains/drivingdemocrats.org/fallback-privkey.pem
[Sun May 09 11:16:02.991980 2021] [ssl:error] [pid 72605] AH02604: Unable to configure certificate drivingdemocrats.org:443:0 for stapling
[Sun May 09 11:16:11.090952 2021] [md:notice] [pid 72625] AH10059: The Managed Domain drivingdemocrats.org has been setup and changes will be activated on next (graceful) server restart.
(apachectl graceful)
[Sun May 09 11:16:33.957317 2021] [md:info] [pid 72605] AH10068: drivingdemocrats.org: staged set activated
[Sun May 09 11:16:33.958937 2021] [ssl:info] [pid 72605] AH01914: Configuring server drivingdemocrats.org:443 for SSL protocol
[Sun May 09 11:16:33.960105 2021] [ssl:info] [pid 72605] AH02568: Certificate and private key drivingdemocrats.org:443:0 configured from /usr/local/etc/apache24/md/domains/drivingdemocrats.org/pubcert.pem and /usr/local/etc/apache24/md/domains/drivingdemocrats.org/privkey.pem
This file doesn't exist either.
Apache seems to have some concept of a "fallback" cert. Something that I
could generate, self-signed, with straight openssl, or perhaps use this as
a mechanism for moving to a different SSL signing solution (an external
ACME script, perhaps... or just a classic commercial cert).
This means if DNS isn't pointed right (say, the site is being staged on my
server but hasn't been re-pointed), the user can still CONNECT, get a
certificate warning, and preview their site.
The problem?
This isn't in the docs AT ALL. The only mention of the word "fallback" in
https://httpd.apache.org/docs/trunk/mod/mod_md.html (or
http://httpd.apache.org/docs/current/mod/mod_md.html)
is:
"It is recommended that you have virtual hosts for all managed domains and
do not rely on the global, [fallback] server configuration."
There seems to be no way to configure a global fallback cert instead of
one per domain. (That is to say, if I'm going to get a cert warning anyway, I
might as well just use a single cert for a staging site.)
Can someone offer some enlightenment on what this feature is intended for?
Is this a half-done thing?
-Dan
--
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
FB: fb.com/DanielMahoneyIV
LI: linkedin.com/in/gushi
Site: http://www.gushi.org
---------------------------
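A small check script, added here as an example (it is not from Dan's post and not part of mod_md), that reads the store layout the log lines above reveal and reports which Managed Domains are still serving their self-signed fallback-cert.pem, so a staging host handing out certificate warnings is noticed by the admin rather than by visitors. It assumes only the paths visible in the log (MDStoreDir, here /usr/local/etc/apache24/md, with domains/<name>/{pubcert,privkey,fallback-cert,fallback-privkey}.pem) and that openssl is installed for the optional decode step.

```shell
#!/bin/sh
# Added example, not code from the original post or from mod_md itself.
# It relies only on the store layout shown in the log lines above:
#   <MDStoreDir>/domains/<domain>/pubcert.pem + privkey.pem            (issued)
#   <MDStoreDir>/domains/<domain>/fallback-cert.pem + fallback-privkey.pem
# md_state STORE DOMAIN -> prints "live", "fallback" or "none"
md_state() {
    dir="$1/domains/$2"
    if [ -s "$dir/pubcert.pem" ] && [ -s "$dir/privkey.pem" ]; then
        echo live        # issued certificate in place
    elif [ -s "$dir/fallback-cert.pem" ] && [ -s "$dir/fallback-privkey.pem" ]; then
        echo fallback    # self-signed fallback: browsers warn, nobody is notified
    else
        echo none        # nothing on disk: mod_ssl answers 503 (AH10085 above)
    fi
}
# md_fallback_domains STORE -> domains still on the fallback cert, one per line
md_fallback_domains() {
    for d in "$1"/domains/*/; do
        [ -d "$d" ] || continue
        name=${d%/}; name=${name##*/}
        if [ "$(md_state "$1" "$name")" = fallback ]; then
            echo "$name"
        fi
    done
}
# md_cert_info STORE DOMAIN -> subject, issuer and expiry of the active cert
md_cert_info() {
    dir="$1/domains/$2"
    case "$(md_state "$1" "$2")" in
        live)     f="$dir/pubcert.pem" ;;
        fallback) f="$dir/fallback-cert.pem" ;;
        *)        echo "$2: no certificate on disk"; return 0 ;;
    esac
    if command -v openssl >/dev/null 2>&1; then
        openssl x509 -in "$f" -noout -subject -issuer -enddate
    else
        echo "$f (openssl not available to decode it)"
    fi
}
# Usage: sh md_check.sh /usr/local/etc/apache24/md [domain]
if [ -n "${1:-}" ]; then
    if [ -n "${2:-}" ]; then
        echo "$2: $(md_state "$1" "$2")"; md_cert_info "$1" "$2"
    else
        md_fallback_domains "$1"
    fi
fi
```

Run it from cron against the MDStoreDir and alert on any line of output; a domain that stays in the "fallback" state after the expected ACME run is the sign that validation is failing.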
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org