Merge /httpd/httpd/trunk:r1927807,1927874,1928039,1928839,1928861

mod_md: update to version 2.6.2



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1929515 13f79535-47bb-0310-9956-ffa450edef68

Author: icing

CMakeLists.txt

@@ -502,7 +502,7 @@ SET(mod_md_extra_sources
   modules/md/md_ocsp.c               modules/md/md_util.c               
   modules/md/mod_md_config.c         modules/md/mod_md_drive.c
   modules/md/mod_md_os.c             modules/md/mod_md_status.c
-  modules/md/mod_md_ocsp.c           modules/md/md_tailscale.c
+  modules/md/mod_md_ocsp.c
 )
 SET(mod_optional_hook_export_extra_defines AP_DECLARE_EXPORT) # bogus reuse of core API prefix
 SET(mod_proxy_extra_defines          PROXY_DECLARE_EXPORT)

STATUS

@@ -178,18 +178,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]
 
-  *) mod_md: update to version 2.6.2
-     trunk patch:
-        http://svn.apache.org/r1927807
-        http://svn.apache.org/r1927874
-        http://svn.apache.org/r1928039
-        http://svn.apache.org/r1928839
-     2.4.x patch: svn merge -c 1927807,1927874,1928039,1928839 ^/httpd/httpd/trunk .
-     Might need some resolving in test code, as trunk and 2.4.x
-     are not in sync.
-     +1: icing, rpluem, jorton
-     rpluem says: Don't we need to add r1928861 as well to fix the LOGNO's?
-
   *) various: Update DOCTYPE tags in server-generated HTML to 4.01
      Trunk version of patch:
         https://svn.apache.org/r1873397

changes-entries/md_v2.6.1.txt

@@ -0,0 +1,13 @@
+  *) mod_md: update to version 2.6.1
+     - Increasing default `MDRetryDelay` to 30 seconds to generate less bursty
+       traffic on errored renewals for the ACME CA. This leads to error retries
+        of 30s, 1 minute, 2, 4, etc. up to daily attempts.
+     - Checking that configuring `MDRetryDelay` will result in a positive
+       duration. A delay of 0 is not accepted.
+     - Fix a bug in checking Content-Type of responses from the ACME server.
+     - Added ACME ARI support (rfc9773) to the module. Enabled by default. New
+       directive "MDRenewViaARI on|off" for controlling this.
+     - Removing tailscale support. It has not been working for a long time
+       as the company decided to change their APIs. Away with the dead code,
+       documentation and tests.
+     - Fixed a compilation issue with pre-industrial versions of libcurl.

changes-entries/md_v2.6.2.txt

@@ -0,0 +1,3 @@
+  *) mod_md: update to version 2.6.2
+     - Fix error retry delay calculation to not already doubling the wait
+       on the first error.

docs/manual/mod/mod_md.xml

@@ -285,44 +285,6 @@ MDChallengeDns01 /usr/bin/acme-setup-dns
             </p>
         </note>
 
-        <note><title>tailscale</title>
-            <p>
-                Since version 2.4.14 of the module, you can use it to get certificates
-                for your <a href="https://tailscale.com">tailscale</a> domains.
-            </p>
-            <highlight language="config">
-&lt;MDomain mydomain.some-thing.ts.net>
-  MDCertificateProtocol tailscale
-  MDCertificateAuthority file://localhost/var/run/tailscale/tailscaled.sock",
-&lt;/MDomain>
-            </highlight>
-            <p>
-                Tailscale provides secure networking between your machines, where ever
-                they are, and can provide domain names in the *.ts.net space for them.
-                For those, it will then provide Let's Encrypt certificates as well, so
-                you can open these domains in your browser securely.
-            </p>
-            <p>
-                The directives listed above tell Apache to contact the local tailscale
-                demon for obtaining and renewing certificates. This will only work for
-                the domain name that tailscale assigns to your machine.
-            </p>
-            <p>
-                Otherwise, these certificates work exactly like the ones retrieved
-                via the ACME protocol from Lets Encrypt. You see them in status reporting
-                and MDMessageCmd directives are executed for them as well.
-            </p>
-            <p>
-                More details are <a href="https://github.com/icing/mod_md#tailscale">
-                available at the mod_md github documentation</a>.
-            </p>
-            <p>
-                Note that this feature only works on machines where the tailscale
-                demon provides a unix domain socket. This, so far, seems only the
-                case on *nix systems.
-            </p>
-        </note>
-
     </summary>
 
     <directivesynopsis>
@@ -1393,7 +1355,7 @@ MDMessageCmd /etc/apache/md-message
         <name>MDRetryDelay</name>
         <description>Time length for first retry, doubled on every consecutive error.</description>
         <syntax>MDRetryDelay <var>duration</var></syntax>
-        <default>MDRetryDelay 5s</default>
+        <default>MDRetryDelay 30s</default>
         <contextlist>
             <context>server config</context>
         </contextlist>
@@ -1408,6 +1370,10 @@ MDMessageCmd /etc/apache/md-message
                 It is kept separate for each certificate renewal. Meaning an error
                 on one MDomain does not delay the renewals of other domains.
             </p>
+            <p>
+                In mod_md v2.6.1, the default delay has been increased from 5
+                seconds to 30.
+            </p>
         </usage>
     </directivesynopsis>
 
@@ -1594,4 +1560,26 @@ MDMessageCmd /etc/apache/md-message
             </p>
         </usage>
     </directivesynopsis>
+
+    <directivesynopsis>
+        <name>MDRenewViaARI</name>
+        <description>usage of the ACME ARI extension (rfc9773).</description>
+        <syntax>MDRenewViaARI on|off</syntax>
+        <default>MDRenewViaARI on</default>
+        <contextlist>
+            <context>server config</context>
+        </contextlist>
+        <usage>
+            <p>
+                En-/Disable certificate renewals triggered via the ACME ARI
+                extension (rfc9773). These renewals happen *in addition* to
+                the mechanism controlled by <directive>MDRenewWindow</directive>.
+           </p><p>
+                ACME ARI allows an ACME CA to somewhat shape incoming renewal
+                traffic. More importantly though, it can inform clients of
+                urgent renewals, e.g. when a certificate or part of its chain
+                has been revoked.
+            </p>
+        </usage>
+    </directivesynopsis>
 </modulesynopsis>

modules/md/config2.m4

@@ -264,7 +264,6 @@ md_reg.lo dnl
 md_status.lo dnl
 md_store.lo dnl
 md_store_fs.lo dnl
-md_tailscale.lo dnl
 md_time.lo dnl
 md_util.lo dnl
 mod_md.lo dnl

modules/md/md.h

@@ -94,6 +94,7 @@ struct md_t {
     const char *ca_eab_hmac;        /* optional HMAC for external account binding */
     const char *profile;            /* optional cert profile to order */
     int profile_mandatory;          /* if profile, when given, is mandatory */
+    int ari_renewals;               /* if ACME ARI (RFC 9773) can trigger renewals */
 
     const char *state_descr;        /* description of state of NULL */
 
@@ -119,6 +120,8 @@ struct md_t {
 #define MD_KEY_ACTIVATION_DELAY "activation-delay"
 #define MD_KEY_ACTIVITY         "activity"
 #define MD_KEY_AGREEMENT        "agreement"
+#define MD_KEY_ARI_CERT_ID      "ari-cert-id"
+#define MD_KEY_ARI_RENEWALS     "ari-renewals"
 #define MD_KEY_AUTHORIZATIONS   "authorizations"
 #define MD_KEY_BITS             "bits"
 #define MD_KEY_CA               "ca"

modules/md/md_acme.c

@@ -81,7 +81,7 @@ static apr_status_t problem_status_get(const char *type) {
     }
 
     for(i = 0; i < (sizeof(Problems)/sizeof(Problems[0])); ++i) {
-        if (!apr_strnatcasecmp(type, Problems[i].type)) {
+        if (!apr_cstr_casecmp(type, Problems[i].type)) {
             return Problems[i].rv;
         }
     }
@@ -100,7 +100,7 @@ int md_acme_problem_is_input_related(const char *problem) {
     }
 
     for(i = 0; i < (sizeof(Problems)/sizeof(Problems[0])); ++i) {
-        if (!apr_strnatcasecmp(problem, Problems[i].type)) {
+        if (!apr_cstr_casecmp(problem, Problems[i].type)) {
             return Problems[i].input_related;
         }
     }
@@ -332,7 +332,7 @@ static apr_status_t acmev2_GET_as_POST_init(md_acme_req_t *req, void *baton)
     return md_acme_req_body_init(req, NULL);
 }
 
-static apr_status_t md_acme_req_send(md_acme_req_t *req)
+static apr_status_t md_acme_req_send(md_acme_req_t *req, int get_as_post)
 {
     apr_status_t rv;
     md_acme_t *acme = req->acme;
@@ -352,7 +352,7 @@ static apr_status_t md_acme_req_send(md_acme_req_t *req)
         if (APR_SUCCESS != rv) goto leave;
     }
 
-    if (!strcmp("GET", req->method) && !req->on_init && !req->req_json) {
+    if (get_as_post && !strcmp("GET", req->method) && !req->on_init && !req->req_json) {
         /* See <https://ietf-wg-acme.github.io/acme/draft-ietf-acme-acme.html#rfc.section.6.3>
          * and <https://mailarchive.ietf.org/arch/msg/acme/sotffSQ0OWV-qQJodLwWYWcEVKI>
          * and <https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets/74380>
@@ -420,7 +420,7 @@ static apr_status_t md_acme_req_send(md_acme_req_t *req)
 
     if (APR_EAGAIN == rv && req->max_retries > 0) {
         --req->max_retries;
-        rv = md_acme_req_send(req);
+        rv = md_acme_req_send(req, 1);
     }
     req = NULL;
 
@@ -449,14 +449,15 @@ apr_status_t md_acme_POST(md_acme_t *acme, const char *url,
     req->on_err = on_err;
     req->baton = baton;
 
-    return md_acme_req_send(req);
+    return md_acme_req_send(req, 1);
 }
 
 apr_status_t md_acme_GET(md_acme_t *acme, const char *url,
                          md_acme_req_init_cb *on_init,
                          md_acme_req_json_cb *on_json,
                          md_acme_req_res_cb *on_res,
-                          md_acme_req_err_cb *on_err,
+                         md_acme_req_err_cb *on_err,
+                         int get_as_post,
                          void *baton)
 {
     md_acme_req_t *req;
@@ -472,7 +473,7 @@ apr_status_t md_acme_GET(md_acme_t *acme, const char *url,
     req->on_err = on_err;
     req->baton = baton;
 
-    return md_acme_req_send(req);
+    return md_acme_req_send(req, get_as_post);
 }
 
 void md_acme_report_result(md_acme_t *acme, apr_status_t rv, struct md_result_t *result)
@@ -507,15 +508,15 @@ static apr_status_t on_got_json(md_acme_t *acme, apr_pool_t *p, const apr_table_
 }
 
 apr_status_t md_acme_get_json(struct md_json_t **pjson, md_acme_t *acme, 
-                              const char *url, apr_pool_t *p)
+                              const char *url, int get_as_post, apr_pool_t *p)
 {
     apr_status_t rv;
     json_ctx ctx;
 
     ctx.pool = p;
     ctx.json = NULL;
 
-    rv = md_acme_GET(acme, url, NULL, on_got_json, NULL, NULL, &ctx);
+    rv = md_acme_GET(acme, url, NULL, on_got_json, NULL, NULL, get_as_post, &ctx);
     *pjson = (APR_SUCCESS == rv)? ctx.json : NULL;
     return rv;
 }
@@ -720,6 +721,7 @@ static apr_status_t update_directory(const md_http_response_t *res, void *data)
         acme->api.v2.revoke_cert = md_json_dups(acme->p, json, "revokeCert", NULL);
         acme->api.v2.key_change = md_json_dups(acme->p, json, "keyChange", NULL);
         acme->api.v2.new_nonce = md_json_dups(acme->p, json, "newNonce", NULL);
+        acme->api.v2.renewal_info = md_json_dups(acme->p, json, "renewalInfo", NULL);
         /* RFC 8555 only requires "directory" and "newNonce" resources.
          * mod_md uses "newAccount" and "newOrder" so check for them.
          * But mod_md does not use the "revokeCert" or "keyChange"

modules/md/md_acme.h

@@ -118,6 +118,7 @@ struct md_acme_t {
             const char *key_change;
             const char *revoke_cert;
             const char *new_nonce;
+            const char *renewal_info;
             struct apr_array_header_t *profiles;
         } v2;
     } api;
@@ -275,6 +276,7 @@ apr_status_t md_acme_GET(md_acme_t *acme, const char *url,
                          md_acme_req_json_cb *on_json,
                          md_acme_req_res_cb *on_res,
                          md_acme_req_err_cb *on_err,
+                         int get_as_post,
                          void *baton);
 /**
  * Perform a POST against the ACME url. If a on_json callback is given and
@@ -301,7 +303,7 @@ apr_status_t md_acme_POST(md_acme_t *acme, const char *url,
  * Retrieve a JSON resource from the ACME server 
  */
 apr_status_t md_acme_get_json(struct md_json_t **pjson, md_acme_t *acme, 
-                              const char *url, apr_pool_t *p);
+                              const char *url, int get_as_post, apr_pool_t *p);
 
 
 apr_status_t md_acme_req_body_init(md_acme_req_t *req, struct md_json_t *jpayload);

modules/md/md_acme_authz.c

@@ -131,7 +131,7 @@ apr_status_t md_acme_authz_update(md_acme_authz_t *authz, md_acme_t *acme, apr_p
     err = "unable to parse response";
     log_level = MD_LOG_ERR;
 
-    if (APR_SUCCESS == (rv = md_acme_get_json(&json, acme, authz->url, p))
+    if (APR_SUCCESS == (rv = md_acme_get_json(&json, acme, authz->url, 1, p))
         && (s = md_json_gets(json, MD_KEY_STATUS, NULL))) {
 
         authz->domain = md_json_gets(json, MD_KEY_IDENTIFIER, MD_KEY_VALUE, NULL); 
@@ -594,7 +594,7 @@ static apr_status_t find_type(void *baton, size_t index, md_json_t *json)
     cha_find_ctx *ctx = baton;
 
     const char *ctype = md_json_gets(json, MD_KEY_TYPE, NULL);
-    if (ctype && !apr_strnatcasecmp(ctx->type, ctype)) {
+    if (ctype && !apr_cstr_casecmp(ctx->type, ctype)) {
         ctx->accepted = cha_from_json(ctx->p, index, json);
         return 0;
     }
@@ -644,7 +644,7 @@ apr_status_t md_acme_authz_respond(md_acme_authz_t *authz, md_acme_t *acme, md_s
 
         if (fctx.accepted) {
             for (j = 0; j < (int)CHA_TYPES_LEN; ++j) {
-                if (!apr_strnatcasecmp(CHA_TYPES[j].name, fctx.accepted->type)) {
+                if (!apr_cstr_casecmp(CHA_TYPES[j].name, fctx.accepted->type)) {
                     md_result_activity_printf(result, "Setting up challenge '%s' for domain %s", 
                                               fctx.accepted->type, authz->domain);
                     rv = CHA_TYPES[j].setup(fctx.accepted, authz, acme, store, key_specs,
@@ -702,7 +702,7 @@ apr_status_t md_acme_authz_teardown(struct md_store_t *store, const char *token,
         domain = strchr(challenge, ':');
         *domain = '\0'; domain++;
         for (i = 0; i < (int)CHA_TYPES_LEN; ++i) {
-            if (!apr_strnatcasecmp(CHA_TYPES[i].name, challenge)) {
+            if (!apr_cstr_casecmp(CHA_TYPES[i].name, challenge)) {
                 if (CHA_TYPES[i].teardown) {
                     return CHA_TYPES[i].teardown(store, domain, md, env, p);
                 }