Open arminabf opened 1 year ago
I think the problem is this condition:
```c
    /* Allow others to provide certificate files */
    pks = sc->server->pks;
    n = pks->cert_files->nelts;
    ap_ssl_add_cert_files(s, p, pks->cert_files, pks->key_files);
    ssl_run_add_cert_files(s, p, pks->cert_files, pks->key_files);

    if (apr_is_empty_array(pks->cert_files)) {
        /* does someone propose a certificate to fall back on here? */
        ap_ssl_add_fallback_cert_files(s, p, pks->cert_files, pks->key_files);
        ssl_run_add_fallback_cert_files(s, p, pks->cert_files, pks->key_files);
        if (n < pks->cert_files->nelts) {
            pks->service_unavailable = 1;
            ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(10085)
                         "Init: %s will respond with '503 Service Unavailable' for now. There "
                         "are no SSL certificates configured and no other module contributed any.",
                         ssl_util_vhostid(p, s));
        }
    }
```
If the condition `if (apr_is_empty_array(pks->cert_files))` is true, that means that `n` is 0 (it was set to `pks->cert_files->nelts` before the `if`). Now, if another module provides a cert and key, the variable `n` is still 0, and this condition will always be true because `n` is not recalculated.

My feeling is that instead of checking `if (n < pks->cert_files->nelts)` we should check for `apr_is_empty_array(pks->cert_files)` again.
> "But the challenge request (after redirection to 443) gets responded with 503 Service Unavailable..."

There is the problem. If you redirect all plain http: requests to https:, ACME will not work. You need to let `/.well-known/acme-challenge` requests through, so an answer can be sent back to boulder.

One way to achieve that is via the directive `MDRequireHttps`. But adjusting your Rewrite will of course also work.
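The two ways of letting the http-01 challenge through, written out as an added configuration example that is not from this thread or from the mod_md project. It assumes the vhost name `acme-test.foo.com` from the report and a plain-http vhost on port 80; the three fragments are alternatives, not one configuration to load together.

```apache
# Added example (not from the thread): a catch-all http -> https redirect
# that breaks http-01, next to two ways of fixing it. Load only one of
# the three <VirtualHost *:80> variants; the ServerName is assumed.

# BROKEN: every plain-http request, including the ACME challenge, is sent
# to port 443. While mod_md is still holding only a fallback certificate
# there, mod_ssl answers 503 and the CA's validation fails.
<VirtualHost *:80>
    ServerName acme-test.foo.com
    RewriteEngine on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# FIXED (option 1): keep the hand-written redirect but exclude the
# challenge path, so mod_md can answer http-01 on port 80.
<VirtualHost *:80>
    ServerName acme-test.foo.com
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# FIXED (option 2): drop the rewrite and let mod_md add the redirect for
# the managed domain itself; it leaves the ACME challenge path alone.
# "temporary" gives a 302 while you test, "permanent" a 301 once it works.
MDomain acme-test.foo.com
MDRequireHttps temporary
<VirtualHost *:80>
    ServerName acme-test.foo.com
</VirtualHost>
```

To check the result without waiting for a renewal, request a non-existent token over plain http, e.g. `curl -I http://acme-test.foo.com/.well-known/acme-challenge/test`: a 301 or 302 to https means the challenge is still being redirected into the 503 vhost; a 404 answered directly on port 80 means the path is being let through.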
Hello,

on a local test setup I'm using httpd-2.4.57 to integrate mod_md with boulder. The setup looks like this:

On startup of the instance, httpd complains that "there are no SSL certificates configured".

However, by debugging the startup phase (see below) it can be seen that mod_md provides a fallback certificate for the acme-test.foo.com vhost, as also shown by the debug messages.

But the challenge request (after redirection to 443) gets responded with 503 Service Unavailable...

After searching for the relevant parts of the code and then debugging, I could verify that mod_md returns a fallback certificate upon the call of the `ssl_run_add_fallback_cert_files` hook, but the vhost is still set as "service_unavailable" by ssl_engine_init.c and finally responded with 503 by ssl_engine_kernel.c.

As an experiment, I commented out this line and re-compiled the code; then the challenge request works.

Now I wonder if this is a special behavior due to the usage of boulder, or if there is a general problem in ssl_engine_init.c with fallback certificates?