update mod_md documentation now in line with trunk

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1926086 13f79535-47bb-0310-9956-ffa450edef68

Author: icing

docs/manual/mod/mod_md.xml

@@ -37,7 +37,7 @@
         ACME protocol (<a href="https://tools.ietf.org/html/rfc8555">RFC 8555</a>). 
         Certificates will be renewed by the module ahead of their expiration to account 
         for disruption in internet services. There are ways to monitor the status of all 
-        certififcates managed this way and configurations that will run your own 
+        certificates managed this way and configurations that will run your own 
         notification commands on renewal, expiration and errors.
         </p><p>
         Second, mod_md offers an alternate OCSP Stapling implementation. This works with
@@ -495,7 +495,7 @@ MDomain example2.org auto
                 For testing, CAs commonly offer a second service URL.
                 The 'test' service does not give certificates valid in a browser,
                 but are more relaxed in regard to rate limits.
-                This allows for verfication of your own setup before switching
+                This allows for verification of your own setup before switching
                 to the production service URL.
             </p>
             <example><title>LE Test Setup</title>
@@ -1299,7 +1299,7 @@ MDMessageCmd /etc/apache/md-message
 
     <directivesynopsis>
         <name>MDCertificateCheck</name>
-        <description>Set name and URL pattern for a certificate monitoring sitSet name and URL pattern for a certificate monitoring sitee</description>
+        <description>Set name and URL pattern for a certificate monitoring site.</description>
         <syntax>MDCertificateCheck <var>name</var> <var>url</var></syntax>
         <contextlist>
             <context>server config</context>
@@ -1369,7 +1369,7 @@ MDMessageCmd /etc/apache/md-message
             <p>
                 You can configure those globally or for a specific MDomain. Since
                 these values allow anyone to register under the same account, it is
-                adivsable to give the configuration file restricted permissions,
+                advisable to give the configuration file restricted permissions,
                 e.g. root only.
             </p>
             <p>
@@ -1512,4 +1512,86 @@ MDMessageCmd /etc/apache/md-message
         </usage>
     </directivesynopsis>
 
+    <directivesynopsis>
+        <name>MDCheckInterval</name>
+        <description>Determines how often certificates are checked</description>
+        <syntax>MDCheckInterval <var>duration</var></syntax>
+        <default>MDCheckInterval 12h</default>
+        <contextlist>
+            <context>server config</context>
+        </contextlist>
+        <compatibility>Available in version 2.4.60 and later</compatibility>
+        <usage>
+            <p>
+                The time between certificate checks. By default, the validity
+                and need for renewals is checked twice a day. This interval is
+                not followed precisely. Instead the module randomly applies
+                a +/-50% jitter to it. With the default of 12 hours, this
+                means the actual time between runs varies between 6 and 18
+                hours, jittered anew every run. This helps to mitigate
+                traffic peaks at ACME servers.
+            </p><p>
+                The minimum duration you may configure is 1 second. It is
+                not recommended to use such short times in production.
+            </p>
+        </usage>
+    </directivesynopsis>
+
+    <directivesynopsis>
+        <name>MDProfile</name>
+        <description>Use a specific ACME profile from the CA</description>
+        <syntax>MDProfile name</syntax>
+        <contextlist>
+            <context>server config</context>
+        </contextlist>
+        <compatibility>Available in version 2.4.64 and later</compatibility>
+        <usage>
+            <p>
+                This about a non-standard ACME extension by Let's Encrypt.
+            </p><p>
+                Lets Encrypt announced they will add Certificate Profiles
+                support in their CA during 2025, beginning with their staging
+                servers. This, among some other details, let's you select the
+                lifetime of the certificates you get. The "default" profile
+                will keep the 90 days and a "tlsserver" profile will issue
+                certificates with only 6 days of validity.
+            </p><p>
+                If you do not change your mod_md configuration, you will
+                continue to get the 90 days certificates. Should you believe
+                that a shorter lifetime is beneficial for you (and take the
+                risk that the renewal time is way shorter),
+                you can configure the profile to use via 'MDProfile tlsserver'.
+           </p><p>
+                The profile names are defined by the CA. If a profile you
+                configure is not available, no profile will be used and
+                the certificate will be issue according to what the CA
+                considers default.
+           </p><p>
+                See <directive module="mod_md">MDProfileMandatory</directive>
+                on how to disable defaults for profiles.
+            </p>
+        </usage>
+    </directivesynopsis>
+
+    <directivesynopsis>
+        <name>MDProfileMandatory</name>
+        <description>Control if an MDProfile is mandatory.</description>
+        <syntax>MDProfileMandatory on|off</syntax>
+        <default>MDProfileMandatory off</default>
+        <contextlist>
+            <context>server config</context>
+        </contextlist>
+        <usage>
+            <p>
+                Controls if a <directive module="mod_md">MDProfile</directive>
+                you configure is mandatory or not. When mandatory and the CA
+                does not offer a configured profile, the certificate
+                renewal will fail.
+           </p><p>
+                When not mandatory and a profile is not offered by the CA,
+                renewals will be performed without specifying a profile and
+                the CA will issue a certificates according to its defaults.
+            </p>
+        </usage>
+    </directivesynopsis>
 </modulesynopsis>