apache
diff --git a/‎changes-entries/md_v2.6.1.txt‎
Lines changed: 13 additions & 0 deletions b/‎changes-entries/md_v2.6.1.txt‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎docs/manual/mod/mod_md.xml‎
Lines changed: 27 additions & 1 deletion b/‎docs/manual/mod/mod_md.xml‎
Lines changed: 27 additions & 1 deletion
diff --git a/‎modules/md/config2.m4‎
Lines changed: 0 additions & 1 deletion b/‎modules/md/config2.m4‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎modules/md/md.h‎
Lines changed: 3 additions & 0 deletions b/‎modules/md/md.h‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎modules/md/md_acme.c‎
Lines changed: 10 additions & 8 deletions b/‎modules/md/md_acme.c‎
Lines changed: 10 additions & 8 deletions
diff --git a/‎modules/md/md_acme.h‎
Lines changed: 3 additions & 1 deletion b/‎modules/md/md_acme.h‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎modules/md/md_acme_authz.c‎
Lines changed: 1 addition & 1 deletion b/‎modules/md/md_acme_authz.c‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎modules/md/md_acme_drive.c‎
Lines changed: 149 additions & 4 deletions b/‎modules/md/md_acme_drive.c‎
Lines changed: 149 additions & 4 deletions
@@ -0,0 +1,13 @@
+  *) mod_md: update to version 2.6.1
+     - Increasing default `MDRetryDelay` to 30 seconds to generate less bursty
+       traffic on errored renewals for the ACME CA. This leads to error retries
+        of 30s, 1 minute, 2, 4, etc. up to daily attempts.
+     - Checking that configuring `MDRetryDelay` will result in a positive
+       duration. A delay of 0 is not accepted.
+     - Fix a bug in checking Content-Type of responses from the ACME server.
+     - Added ACME ARI support (rfc9773) to the module. Enabled by default. New
+       directive "MDRenewViaARI on|off" for controlling this.
+     - Removing tailscale support. It has not been working for a long time
+       as the company decided to change their APIs. Away with the dead code,
+       documentation and tests.
+     - Fixed a compilation issue with pre-industrial versions of libcurl.
@@ -1393,7 +1393,7 @@ MDMessageCmd /etc/apache/md-message
         <name>MDRetryDelay</name>
         <description>Time length for first retry, doubled on every consecutive error.</description>
         <syntax>MDRetryDelay <var>duration</var></syntax>
-        <default>MDRetryDelay 5s</default>
+        <default>MDRetryDelay 30s</default>
         <contextlist>
             <context>server config</context>
         </contextlist>
@@ -1408,6 +1408,10 @@ MDMessageCmd /etc/apache/md-message
                 It is kept separate for each certificate renewal. Meaning an error
                 on one MDomain does not delay the renewals of other domains.
             </p>
+            <p>
+                In mod_md v2.6.1, the default delay has been increased from 5
+                seconds to 30.
+            </p>
         </usage>
     </directivesynopsis>
 
@@ -1594,4 +1598,26 @@ MDMessageCmd /etc/apache/md-message
             </p>
         </usage>
     </directivesynopsis>
+
+    <directivesynopsis>
+        <name>MDRenewViaARI</name>
+        <description>usage of the ACME ARI extension (rfc9773).</description>
+        <syntax>MDRenewViaARI on|off</syntax>
+        <default>MDRenewViaARI on</default>
+        <contextlist>
+            <context>server config</context>
+        </contextlist>
+        <usage>
+            <p>
+                En-/Disable certificate renewals triggered via the ACME ARI
+                extension (rfc9773). These renewals happen *in addition* to
+                the mechanism controlled by <directive>MDRenewWindow</directive>.
+           </p><p>
+                ACME ARI allows an ACME CA to somewhat shape incoming renewal
+                traffic. More importantly though, it can inform clients of
+                urgent renewals, e.g. when a certificate or part of its chain
+                has been revoked.
+            </p>
+        </usage>
+    </directivesynopsis>
 </modulesynopsis>
@@ -156,7 +156,6 @@ md_reg.lo dnl
 md_status.lo dnl
 md_store.lo dnl
 md_store_fs.lo dnl
-md_tailscale.lo dnl
 md_time.lo dnl
 md_util.lo dnl
 mod_md.lo dnl
 
@@ -94,6 +94,7 @@ struct md_t {
     const char *ca_eab_hmac;        /* optional HMAC for external account binding */
     const char *profile;            /* optional cert profile to order */
     int profile_mandatory;          /* if profile, when given, is mandatory */
+    int ari_renewals;               /* if ACME ARI (RFC 9773) can trigger renewals */
 
     const char *state_descr;        /* description of state of NULL */
 
@@ -119,6 +120,8 @@ struct md_t {
 #define MD_KEY_ACTIVATION_DELAY "activation-delay"
 #define MD_KEY_ACTIVITY         "activity"
 #define MD_KEY_AGREEMENT        "agreement"
+#define MD_KEY_ARI_CERT_ID      "ari-cert-id"
+#define MD_KEY_ARI_RENEWALS     "ari-renewals"
 #define MD_KEY_AUTHORIZATIONS   "authorizations"
 #define MD_KEY_BITS             "bits"
 #define MD_KEY_CA               "ca"
 
@@ -332,7 +332,7 @@ static apr_status_t acmev2_GET_as_POST_init(md_acme_req_t *req, void *baton)
     return md_acme_req_body_init(req, NULL);
 }
 
-static apr_status_t md_acme_req_send(md_acme_req_t *req)
+static apr_status_t md_acme_req_send(md_acme_req_t *req, int get_as_post)
 {
     apr_status_t rv;
     md_acme_t *acme = req->acme;
@@ -352,7 +352,7 @@ static apr_status_t md_acme_req_send(md_acme_req_t *req)
         if (APR_SUCCESS != rv) goto leave;
     }
 
-    if (!strcmp("GET", req->method) && !req->on_init && !req->req_json) {
+    if (get_as_post && !strcmp("GET", req->method) && !req->on_init && !req->req_json) {
         /* See <https://ietf-wg-acme.github.io/acme/draft-ietf-acme-acme.html#rfc.section.6.3>
          * and <https://mailarchive.ietf.org/arch/msg/acme/sotffSQ0OWV-qQJodLwWYWcEVKI>
          * and <https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets/74380>
@@ -420,7 +420,7 @@ static apr_status_t md_acme_req_send(md_acme_req_t *req)
 
     if (APR_EAGAIN == rv && req->max_retries > 0) {
         --req->max_retries;
-        rv = md_acme_req_send(req);
+        rv = md_acme_req_send(req, 1);
     }
     req = NULL;
 
@@ -449,14 +449,15 @@ apr_status_t md_acme_POST(md_acme_t *acme, const char *url,
     req->on_err = on_err;
     req->baton = baton;
 
-    return md_acme_req_send(req);
+    return md_acme_req_send(req, 1);
 }
 
 apr_status_t md_acme_GET(md_acme_t *acme, const char *url,
                          md_acme_req_init_cb *on_init,
                          md_acme_req_json_cb *on_json,
                          md_acme_req_res_cb *on_res,
-                          md_acme_req_err_cb *on_err,
+                         md_acme_req_err_cb *on_err,
+                         int get_as_post,
                          void *baton)
 {
     md_acme_req_t *req;
@@ -472,7 +473,7 @@ apr_status_t md_acme_GET(md_acme_t *acme, const char *url,
     req->on_err = on_err;
     req->baton = baton;
 
-    return md_acme_req_send(req);
+    return md_acme_req_send(req, get_as_post);
 }
 
 void md_acme_report_result(md_acme_t *acme, apr_status_t rv, struct md_result_t *result)
@@ -507,15 +508,15 @@ static apr_status_t on_got_json(md_acme_t *acme, apr_pool_t *p, const apr_table_
 }
 
 apr_status_t md_acme_get_json(struct md_json_t **pjson, md_acme_t *acme, 
-                              const char *url, apr_pool_t *p)
+                              const char *url, int get_as_post, apr_pool_t *p)
 {
     apr_status_t rv;
     json_ctx ctx;
 
     ctx.pool = p;
     ctx.json = NULL;
 
-    rv = md_acme_GET(acme, url, NULL, on_got_json, NULL, NULL, &ctx);
+    rv = md_acme_GET(acme, url, NULL, on_got_json, NULL, NULL, get_as_post, &ctx);
     *pjson = (APR_SUCCESS == rv)? ctx.json : NULL;
     return rv;
 }
@@ -720,6 +721,7 @@ static apr_status_t update_directory(const md_http_response_t *res, void *data)
         acme->api.v2.revoke_cert = md_json_dups(acme->p, json, "revokeCert", NULL);
         acme->api.v2.key_change = md_json_dups(acme->p, json, "keyChange", NULL);
         acme->api.v2.new_nonce = md_json_dups(acme->p, json, "newNonce", NULL);
+        acme->api.v2.renewal_info = md_json_dups(acme->p, json, "renewalInfo", NULL);
         /* RFC 8555 only requires "directory" and "newNonce" resources.
          * mod_md uses "newAccount" and "newOrder" so check for them.
          * But mod_md does not use the "revokeCert" or "keyChange"
 
@@ -118,6 +118,7 @@ struct md_acme_t {
             const char *key_change;
             const char *revoke_cert;
             const char *new_nonce;
+            const char *renewal_info;
             struct apr_array_header_t *profiles;
         } v2;
     } api;
@@ -275,6 +276,7 @@ apr_status_t md_acme_GET(md_acme_t *acme, const char *url,
                          md_acme_req_json_cb *on_json,
                          md_acme_req_res_cb *on_res,
                          md_acme_req_err_cb *on_err,
+                         int get_as_post,
                          void *baton);
 /**
  * Perform a POST against the ACME url. If a on_json callback is given and
@@ -301,7 +303,7 @@ apr_status_t md_acme_POST(md_acme_t *acme, const char *url,
  * Retrieve a JSON resource from the ACME server 
  */
 apr_status_t md_acme_get_json(struct md_json_t **pjson, md_acme_t *acme, 
-                              const char *url, apr_pool_t *p);
+                              const char *url, int get_as_post, apr_pool_t *p);
 
 
 apr_status_t md_acme_req_body_init(md_acme_req_t *req, struct md_json_t *jpayload);
 
@@ -131,7 +131,7 @@ apr_status_t md_acme_authz_update(md_acme_authz_t *authz, md_acme_t *acme, apr_p
     err = "unable to parse response";
     log_level = MD_LOG_ERR;
 
-    if (APR_SUCCESS == (rv = md_acme_get_json(&json, acme, authz->url, p))
+    if (APR_SUCCESS == (rv = md_acme_get_json(&json, acme, authz->url, 1, p))
         && (s = md_json_gets(json, MD_KEY_STATUS, NULL))) {
 
         authz->domain = md_json_gets(json, MD_KEY_IDENTIFIER, MD_KEY_VALUE, NULL); 
 
@@ -256,7 +256,7 @@ static apr_status_t get_cert(void *baton, int attempt)
     (void)attempt;
     md_log_perror(MD_LOG_MARK, MD_LOG_TRACE1, 0, d->p, "retrieving cert from %s",
                   ad->order->certificate);
-    return md_acme_GET(ad->acme, ad->order->certificate, NULL, NULL, on_add_cert, NULL, d);
+    return md_acme_GET(ad->acme, ad->order->certificate, NULL, NULL, on_add_cert, NULL, 1, d);
 }
 
 apr_status_t md_acme_drive_cert_poll(md_proto_driver_t *d, int only_once)
@@ -429,7 +429,7 @@ static apr_status_t get_chain(void *baton, int attempt)
 
             md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, d->p, 
                           "next chain cert at  %s", ad->chain_up_link);
-            rv = md_acme_GET(ad->acme, ad->chain_up_link, NULL, NULL, on_add_chain, NULL, d);
+            rv = md_acme_GET(ad->acme, ad->chain_up_link, NULL, NULL, on_add_chain, NULL, 1, d);
 
             if (APR_SUCCESS == rv && nelts == ad->cred->chain->nelts) {
                 break;
@@ -1094,10 +1094,155 @@ static apr_status_t acme_complete_md(md_t *md, apr_pool_t *p)
     return APR_SUCCESS;
 }
 
+static apr_status_t acme_get_ari(md_proto_driver_t *d,
+                                 struct md_result_t *result,
+                                 apr_time_t *prenew_at,
+                                 const char **purl)
+{
+    md_acme_driver_t *ad = d->baton;
+    apr_status_t rv = APR_SUCCESS;
+    const char *ca_effective = NULL;
+    apr_array_header_t *certs;
+    const md_cert_t *cert;
+    int i;
+
+    *prenew_at = 0;
+    *purl = NULL;
+    md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, d->p,
+                  "get ARI status for %s", d->md->name);
+
+    if (d->md->cert_files && d->md->cert_files->nelts) {
+        md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, d->p,
+                      "%s is configured with static files, no ARI", d->md->name);
+        goto out;
+    }
+
+    if (!d->md->ca_urls || d->md->ca_urls->nelts <= 0) {
+        /* No CA defined? This is checked in several other places, but lets be sure */
+        md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, d->p,
+                      "%s is missing MDCertificateAuthority", d->md->name);
+        goto out;
+    }
+
+    /* always pick the first CA for this */
+    ca_effective = APR_ARRAY_IDX(d->md->ca_urls, 0, const char*);
+
+    certs = apr_array_make(d->p, 5, sizeof(md_cert_t*));
+    for (i = 0; i < md_pkeys_spec_count(d->md->pks); ++i) {
+        const md_pubcert_t *pubcert;
+        if (APR_SUCCESS == md_reg_get_pubcert(&pubcert, d->reg, d->md, i, d->p)) {
+            cert = APR_ARRAY_IDX(pubcert->certs, 0, const md_cert_t*);
+            APR_ARRAY_PUSH(certs, const md_cert_t*) = cert;
+        }
+    }
+
+    if (!certs->nelts) {
+      rv = APR_SUCCESS;
+      goto out;
+    }
+
+    if (APR_SUCCESS != (rv = md_acme_create(&ad->acme, d->p, ca_effective,
+                                            d->proxy_url, d->ca_file))) {
+        md_log_perror(MD_LOG_MARK, MD_LOG_ERR, rv, d->p,
+                      "create ACME communications");
+        goto out;
+    }
+    if (APR_SUCCESS != (rv = md_acme_setup(ad->acme, result))) {
+        md_log_perror(MD_LOG_MARK, MD_LOG_ERR, rv, d->p,
+                      "setup ACME communications");
+        goto out;
+    }
+    if (ad->acme->version != MD_ACME_VERSION_2 || !ad->acme->api.v2.renewal_info) {
+        md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, d->p,
+                      "ARI not supported by ACME CA %s", ca_effective);
+        goto out;
+    }
+
+    md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, d->p,
+                  "assessing ARI status for %d certificates", certs->nelts);
+    for (i = 0; i < certs->nelts; ++i) {
+        const char *ari_cert_id;
+        const char *ari_url = NULL, *ari_expl_url;
+        const char *renew_start, *renew_end;
+        apr_time_t start, end;
+        md_json_t *json;
+        unsigned char c;
+
+        cert = APR_ARRAY_IDX(certs, i, md_cert_t*);
+        if (md_cert_get_ari_cert_id(&ari_cert_id, cert, d->p) != APR_SUCCESS)
+          continue;
+
+        ari_url = apr_psprintf(d->p, "%s/%s", ad->acme->api.v2.renewal_info,
+                               ari_cert_id);
+        md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, d->p,
+                      "GET #%d ARI from %s", i, ari_url);
+        if ((rv = md_acme_get_json(&json, ad->acme, ari_url, 0, d->p)) != APR_SUCCESS) {
+            md_log_perror(MD_LOG_MARK, MD_LOG_WARNING, rv, d->p,
+                          "error retrieving ARI from %s", ari_url);
+            continue;
+        }
+
+        if(!json) {
+            md_log_perror(MD_LOG_MARK, MD_LOG_WARNING, rv, d->p,
+                          "ARI returned no JSON from %s", ari_url);
+            continue;
+        }
+
+        renew_start = md_json_gets(json, "suggestedWindow", "start", NULL);
+        renew_end = md_json_gets(json, "suggestedWindow", "end", NULL);
+        ari_expl_url = md_json_gets(json, "explanationURL", NULL);
+        if (!renew_start || !renew_end) {
+            md_log_perror(MD_LOG_MARK, MD_LOG_WARNING, rv, d->p,
+                          "renewal info from CA incomplete for %s", ari_url);
+            continue;
+        }
+        start = md_time_parse_rfc3339(renew_start);
+        end = md_time_parse_rfc3339(renew_end);
+        if (!start) {
+            md_log_perror(MD_LOG_MARK, MD_LOG_WARNING, rv, d->p,
+                          "error parsing CA renew start time: '%s'",
+                          renew_start);
+            continue;
+        }
+        if (!end) {
+            md_log_perror(MD_LOG_MARK, MD_LOG_WARNING, rv, d->p,
+                          "error parsing CA renew end time: '%s'",
+                          renew_end);
+            continue;
+        }
+        if (start > end) {
+            md_log_perror(MD_LOG_MARK, MD_LOG_WARNING, rv, d->p,
+                          "CA advises weird renewal between '%s' and '%s'",
+                          renew_start, renew_end);
+            continue;
+        }
+        md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, d->p,
+                      "CA advises renew via ARI between %s and %s"
+                      " (explantion: %s)",
+                      renew_start, renew_end,
+                      ari_expl_url? ari_expl_url : "none given");
+        /* select a random value between start and end */
+        md_rand_bytes(&c, sizeof(c), d->p);
+        start += apr_time_from_sec((apr_time_sec(end - start) * (c - 128)) / 256);
+        if (!*prenew_at || (start < *prenew_at)) {
+          *prenew_at = start;
+          *purl = apr_pstrdup(d->p, ari_expl_url);
+        }
+    }
+
+    rv = APR_SUCCESS;
+out:
+    return rv;
+}
+
 static md_proto_t ACME_PROTO = {
-    MD_PROTO_ACME, acme_driver_init, acme_driver_renew, 
-    acme_driver_preload_init, acme_driver_preload,
+    MD_PROTO_ACME,
+    acme_driver_init,
+    acme_driver_renew,
+    acme_driver_preload_init,
+    acme_driver_preload,
     acme_complete_md,
+    acme_get_ari,
 };
 
 apr_status_t md_acme_protos_add(apr_hash_t *protos, apr_pool_t *p)