Posted to dev@httpd.apache.org by Steffen <in...@apachelounge.com> on 2018/03/11 13:22:39 UTC

Vote 2.4.32 and mod_md no valid Certificate Agreement directive

Have reports from users that have issues with mod_md:

[md:warn] [pid 7232:tid 2416] (22)Invalid argument: acme problem 
urn:acme:error:malformed: Provided agreement URL 
[https://letsencrypt.org/documents/2017.11.15-LE-SA-v1.2.pdf] does not 
match current agreement URL 
[https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]

Should be fixed!
Not sure this can be voted as a -1 for 2.4.32?

New users follow:
  https://www.apachelounge.com/viewtopic.php?t=7786

On 1-3-2018 16:01, Steffen wrote:
> Noticed now:
>
> In the doc 2.4:
>
> https://letsencrypt.org/documents/2017.11.15-LE-SA-v1.2.pdf
>
> In the Git/Wiki we have:
>
> https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
>
> Cannot test if both work with mod_md. (Both links are pointing to the 
> same pdf).
>
>
> On 20-2-2018 14:01, Stefan Eissing wrote:
>> elukey did fix the agreements in trunk. Now merged into 2.4.x in r1824871. Thanks for checking.
>>
>>> On 20.02.2018 at 13:42, Steffen <in...@apachelounge.com> wrote:
>>>
>>>
>>> In the mod_md 2.4 (not in trunk) documentation https://httpd.apache.org/docs/2.4/mod/mod_md.html
>>>
>>>
>>> I see three times:
>>>
>>> MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf
>>>
>>> This errors if not an existing account.
>>>
>>> It should be now (should be nice we have it in 2.4.31) :
>>>
>>> MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
>>>
>>>
>>> As long as the CA reports that the account has an agreement in mod_md, no further checking is done. Existing accounts need no changes with
>>> this new agreement.
>>>
>>>
>>> I can see that the Wiki docu is newer: https://github.com/icing/mod_md/wiki.
>>>
>>>
>>> Cannot check if the rest of mod_md docu is up to date and in line with trunk?
>


Re: Vote 2.4.32 and mod_md no valid Certificate Agreement directive

Posted by Stefan Eissing <st...@greenbytes.de>.

> On 13.03.2018 at 21:43, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> 
>> On Mon, Mar 12, 2018 at 6:23 AM, Eric Covener <co...@gmail.com> wrote:
>> On Mon, Mar 12, 2018 at 6:33 AM, Stefan Eissing
>> <st...@greenbytes.de> wrote:
>>> 
>>>> On 12.03.2018 at 11:23, Daniel Gruno <hu...@apache.org> wrote:
>>>> 
>>>> Would it be possible to just have a link that always points to the
>>>> _current_ agreement, much like our docs have a /current/ directory that
>>>> always fetches you the current 2.4 docs?
>>> 
>>> More a question for Let's Encrypt than us. Legally, that would make
>>> the ToS agreement a bit meaningless, I assume.
>> 
>> Makes sense, and from our side we shouldn't go out of our way to
>> encourage some workflow where the agreement isn't being read.
> 
> I don't know that we want to encourage service providers to make
> their service unusable in a production headless environment, either

I would consider their service highly usable. And given their numbers and feedback in the security community and from users, almost all seem to agree.

Maybe you are not fully aware of how this agreement thing works and how Let's Encrypt accounts continue to work once the initial agreement has been made?

>> Maybe just some additional text in the module description, including a
>> link to https://letsencrypt.org/repository/
>> I think the "prerequisites" we have could be improved with some more
>> formatting (maybe pull it out of <note> and into a section, add
>> bullets, etc.
> 
> What about simplifying?
> 
> [md:warn] [pid 7232:tid 2416] (22)Invalid argument: acme problem
> urn:acme:error:malformed: Provided agreement URL
> [https://letsencrypt.org/documents/2017.11.15-LE-SA-v1.2.pdf] does not
> match current agreement URL
> [https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]
> 
> That message could surely offer a pointer to the
> MDCertificateAgreement directive?

Good suggestion.

Re: Vote 2.4.32 and mod_md no valid Certificate Agreement directive

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
On Mon, Mar 12, 2018 at 6:23 AM, Eric Covener <co...@gmail.com> wrote:
> On Mon, Mar 12, 2018 at 6:33 AM, Stefan Eissing
> <st...@greenbytes.de> wrote:
>>
>>> On 12.03.2018 at 11:23, Daniel Gruno <hu...@apache.org> wrote:
>>>
>>> Would it be possible to just have a link that always points to the
>>> _current_ agreement, much like our docs have a /current/ directory that
>>> always fetches you the current 2.4 docs?
>>
>> More a question for Let's Encrypt than us. Legally, that would make
>> the ToS agreement a bit meaningless, I assume.
>
> Makes sense, and from our side we shouldn't go out of our way to
> encourage some workflow where the agreement isn't being read.

I don't know that we want to encourage service providers to make
their service unusable in a production headless environment, either.

> Maybe just some additional text in the module description, including a
> link to https://letsencrypt.org/repository/
> I think the "prerequisites" we have could be improved with some more
> formatting (maybe pull it out of <note> and into a section, add
> bullets, etc.

What about simplifying?

[md:warn] [pid 7232:tid 2416] (22)Invalid argument: acme problem
urn:acme:error:malformed: Provided agreement URL
[https://letsencrypt.org/documents/2017.11.15-LE-SA-v1.2.pdf] does not
match current agreement URL
[https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]

That message could surely offer a pointer to the
MDCertificateAgreement directive?

Re: Vote 2.4.32 and mod_md no valid Certificate Agreement directive

Posted by Stefan Eissing <st...@greenbytes.de>.
After consultation with Let's Encrypt developers I opened a new ticket
at their server: https://github.com/letsencrypt/boulder/issues/3547

They seem to be willing to be more forgiving when checking the URL
and accept alternate links to the same document (as used by their site
and which led to our confusion).

They make new releases quite regularly, so it may be available in the
not too distant future.

Cheers, Stefan

> On 12.03.2018 at 12:23, Eric Covener <co...@gmail.com> wrote:
> 
> On Mon, Mar 12, 2018 at 6:33 AM, Stefan Eissing
> <st...@greenbytes.de> wrote:
>> 
>>> On 12.03.2018 at 11:23, Daniel Gruno <hu...@apache.org> wrote:
>>> 
>>> Would it be possible to just have a link that always points to the
>>> _current_ agreement, much like our docs have a /current/ directory that
>>> always fetches you the current 2.4 docs?
>> 
>> More a question for Let's Encrypt than us. Legally, that would make
>> the ToS agreement a bit meaningless, I assume.
> 
> Makes sense, and from our side we shouldn't go out of our way to
> encourage some workflow where the agreement isn't being read.
> 
> Maybe just some additional text in the module description, including a
> link to https://letsencrypt.org/repository/
> I think the "prerequisites" we have could be improved with some more
> formatting (maybe pull it out of <note> and into a section, add
> bullets, etc.
> 
> I don't think it impacts the release.


Re: Vote 2.4.32 and mod_md no valid Certificate Agreement directive

Posted by Eric Covener <co...@gmail.com>.
On Mon, Mar 12, 2018 at 6:33 AM, Stefan Eissing
<st...@greenbytes.de> wrote:
>
>> On 12.03.2018 at 11:23, Daniel Gruno <hu...@apache.org> wrote:
>>
>> Would it be possible to just have a link that always points to the
>> _current_ agreement, much like our docs have a /current/ directory that
>> always fetches you the current 2.4 docs?
>
> More a question for Let's Encrypt than us. Legally, that would make
> the ToS agreement a bit meaningless, I assume.

Makes sense, and from our side we shouldn't go out of our way to
encourage some workflow where the agreement isn't being read.

Maybe just some additional text in the module description, including a
link to https://letsencrypt.org/repository/
I think the "prerequisites" we have could be improved with some more
formatting (maybe pull it out of <note> and into a section, add
bullets, etc.

I don't think it impacts the release.

Re: Vote 2.4.32 and mod_md no valid Certificate Agreement directive

Posted by Stefan Eissing <st...@greenbytes.de>.
> On 12.03.2018 at 11:23, Daniel Gruno <hu...@apache.org> wrote:
> 
> Would it be possible to just have a link that always points to the
> _current_ agreement, much like our docs have a /current/ directory that
> always fetches you the current 2.4 docs?

More a question for Let's Encrypt than us. Legally, that would make
the ToS agreement a bit meaningless, I assume.

LE envisioned an interactive sign-up process, ironically for someone
mandating automatic cert management, which does not fit our little 
web server. 

In interactive use, a LE client would create an account, the server
would send the agreement URL back, the client would show it to the 
user, she clicks ok, the client sends the agreed URL back to LE.

Since we do *not* want to be interactive on server start/reload, the
only solution I could come up with is that the admin provides the 
agreement URL in the config.

Note that this needs to happen only once. LE does not want to force
re-agreement for accounts registered. That would wreak havoc on the
whole automation process.

Cheers, Stefan

> 
> On 03/12/2018 11:03 AM, Stefan Eissing wrote:
>> 
>> 
>>> On 12.03.2018 at 10:39, Luca Toscano <to...@gmail.com> wrote:
>>> 
>>> Hi Stefan!
>>> 
>>> 2018-03-12 10:29 GMT+01:00 Stefan Eissing <st...@greenbytes.de>:
>>> The recommended URL in our docs is wrong. The wrong one was introduced in r1820464.
>>> Supposedly as a fix to PR 35622. The proposed patch in the PR 35622 however
>>> carries the correct URL. Not sure how that happened. It should be changed in the docs.
>>> 
>>> This elukey committer always makes mistakes, I am going to follow up with him to make sure he stops :D :D :D
>> 
>> He is a real DareDevil!
>> 
>>> Jokes aside, iirc I think I checked in https://letsencrypt.org/repository/ and copied the link "currently in effect", that now is:
>>> 
>>> https://letsencrypt.org/documents/2017.11.15-LE-SA-v1.2.pdf
>>> 
>>> So possibly the Let's encrypt documentation needs to be fixed as well? I'll amend the link today in the docs though! 
>> 
>> I will contact LE. I think they need to accept the set of agreement URLs they use themselves on the site.
>> 
>> Cheers,
>> 
>> Stefan
>> 
>>> 
>>>> Not sure this can be voted as a -1 for 2.4.32?
>>> 
>>> It certainly can. The more relevant question is: should it? 
>>> 
>>> I think not, it is a documentation change only, let's keep testing 2.4.32 :)
>>> 
>>> Luca 
>> 
> 


Re: Vote 2.4.32 and mod_md no valid Certificate Agreement directive

Posted by Daniel Gruno <hu...@apache.org>.
Would it be possible to just have a link that always points to the
_current_ agreement, much like our docs have a /current/ directory that
always fetches you the current 2.4 docs?

On 03/12/2018 11:03 AM, Stefan Eissing wrote:
> 
> 
>> On 12.03.2018 at 10:39, Luca Toscano <to...@gmail.com> wrote:
>>
>> Hi Stefan!
>>
>> 2018-03-12 10:29 GMT+01:00 Stefan Eissing <st...@greenbytes.de>:
>> The recommended URL in our docs is wrong. The wrong one was introduced in r1820464.
>> Supposedly as a fix to PR 35622. The proposed patch in the PR 35622 however
>> carries the correct URL. Not sure how that happened. It should be changed in the docs.
>>
>> This elukey committer always makes mistakes, I am going to follow up with him to make sure he stops :D :D :D
> 
> He is a real DareDevil!
> 
>> Jokes aside, iirc I think I checked in https://letsencrypt.org/repository/ and copied the link "currently in effect", that now is:
>>
>> https://letsencrypt.org/documents/2017.11.15-LE-SA-v1.2.pdf
>>
>> So possibly the Let's encrypt documentation needs to be fixed as well? I'll amend the link today in the docs though! 
> 
> I will contact LE. I think they need to accept the set of agreement URLs they use themselves on the site.
> 
> Cheers,
> 
> Stefan
> 
>>
>>> Not sure this can be voted as a -1 for 2.4.32?
>>
>> It certainly can. The more relevant question is: should it? 
>>
>> I think not, it is a documentation change only, let's keep testing 2.4.32 :)
>>
>> Luca 
> 


Re: Vote 2.4.32 and mod_md no valid Certificate Agreement directive

Posted by Stefan Eissing <st...@greenbytes.de>.

> On 12.03.2018 at 10:39, Luca Toscano <to...@gmail.com> wrote:
> 
> Hi Stefan!
> 
> 2018-03-12 10:29 GMT+01:00 Stefan Eissing <st...@greenbytes.de>:
> The recommended URL in our docs is wrong. The wrong one was introduced in r1820464.
> Supposedly as a fix to PR 35622. The proposed patch in the PR 35622 however
> carries the correct URL. Not sure how that happened. It should be changed in the docs.
> 
> This elukey committer always makes mistakes, I am going to follow up with him to make sure he stops :D :D :D

He is a real DareDevil!

> Jokes aside, iirc I think I checked in https://letsencrypt.org/repository/ and copied the link "currently in effect", that now is:
> 
> https://letsencrypt.org/documents/2017.11.15-LE-SA-v1.2.pdf
> 
> So possibly the Let's encrypt documentation needs to be fixed as well? I'll amend the link today in the docs though! 

I will contact LE. I think they need to accept the set of agreement URLs they use themselves on the site.

Cheers,

Stefan

> 
> > Not sure this can be voted as a -1 for 2.4.32?
> 
> It certainly can. The more relevant question is: should it? 
> 
> I think not, it is a documentation change only, let's keep testing 2.4.32 :)
> 
> Luca 


Re: Vote 2.4.32 and mod_md no valid Certificate Agreement directive

Posted by Luca Toscano <to...@gmail.com>.
Hi Stefan!

2018-03-12 10:29 GMT+01:00 Stefan Eissing <st...@greenbytes.de>:

> The recommended URL in our docs is wrong. The wrong one was introduced in
> r1820464.
> Supposedly as a fix to PR 35622. The proposed patch in the PR 35622 however
> carries the correct URL. Not sure how that happened. It should be changed
> in the docs.
>

This elukey committer always makes mistakes, I am going to follow up with
him to make sure he stops :D :D :D

Jokes aside, iirc I think I checked in https://letsencrypt.org/repository/
and copied the link "currently in effect", that now is:

https://letsencrypt.org/documents/2017.11.15-LE-SA-v1.2.pdf

So possibly the Let's encrypt documentation needs to be fixed as well? I'll
amend the link today in the docs though!

>
> > Not sure this can be voted as a -1 for 2.4.32?
>
> It certainly can. The more relevant question is: should it?


I think not, it is a documentation change only, let's keep testing 2.4.32 :)

Luca

Re: Vote 2.4.32 and mod_md no valid Certificate Agreement directive

Posted by Stefan Eissing <st...@greenbytes.de>.
The recommended URL in our docs is wrong. The wrong one was introduced in r1820464. 
Supposedly as a fix to PR 35622. The proposed patch in the PR 35622 however
carries the correct URL. Not sure how that happened. It should be changed in the docs.

However:

The *really* correct URL, however, is *always* the one that Let's Encrypt says 
it is. Next week, our documentation can be outdated by LE changing its Terms of Service.

That is why mod_md gives a WARNING with the error message provided by Let's Encrypt
itself: "Provided agreement URL [XXX] does not match current agreement URL [YYY]."

And that is why our documentation states:

"In case of Let's Encrypt, their current Terms of Service are [here]. Those terms 
might (and probably will) change over time. So, the certificate renewal might 
require you to update this agreement URL."

What the admin needs to do is change, in his server's config:
  MDCertificateAgreement  XXX
to
  MDCertificateAgreement  YYY
and reload.

> Not sure this can be voted as a -1 for 2.4.32?

It certainly can. The more relevant question is: should it? And
if you say yes, then you'd have to provide technical arguments 
for it and weigh the pros and cons. You had that explained 
sufficiently on your last -1 vote, I think.

So, what will it be, Steffen? How do you think we should treat
this error in the docs?

Cheers,

Stefan

> On 11.03.2018 at 14:22, Steffen <in...@apachelounge.com> wrote:
> 
> 
> Have reports from users that have issues with mod_md:
> 
> [md:warn] [pid 7232:tid 2416] (22)Invalid argument: acme problem urn:acme:error:malformed: Provided agreement URL [https://letsencrypt.org/documents/2017.11.15-LE-SA-v1.2.pdf] does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]
> 
> Should be fixed!
> Not sure this can be voted as a -1 for 2.4.32?
> 
> New users follow:  
>  https://www.apachelounge.com/viewtopic.php?t=7786
> 
> On 1-3-2018 16:01, Steffen wrote:
>> Noticed now:
>> 
>> In the doc 2.4:
>> 
>> https://letsencrypt.org/documents/2017.11.15-LE-SA-v1.2.pdf 
>> 
>> In the Git/Wiki we have:
>> 
>> https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
>> 
>> Cannot test if both work with mod_md. (Both links are pointing to the same pdf).
>> 
>> 
>> On 20-2-2018 14:01, Stefan Eissing wrote:
>>> elukey did fix the agreements in trunk. Now merged into 2.4.x in r1824871. Thanks for checking.
>>> 
>>> 
>>>> On 20.02.2018 at 13:42, Steffen <in...@apachelounge.com> wrote:
>>>> 
>>>> 
>>>> In the mod_md 2.4 (not in trunk) documentation 
>>>> https://httpd.apache.org/docs/2.4/mod/mod_md.html
>>>> 
>>>> 
>>>> 
>>>> I see three times:
>>>> 
>>>> MDCertificateAgreement 
>>>> https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf
>>>> 
>>>> 
>>>> This errors if not an existing account.
>>>> 
>>>> It should be now (should be nice we have it in 2.4.31) :
>>>> 
>>>> MDCertificateAgreement 
>>>> https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
>>>> 
>>>> 
>>>> 
>>>> As long as the CA reports that the account has an agreement in mod_md, no further checking is done. Existing accounts need no changes with
>>>> this new agreement.
>>>> 
>>>> 
>>>> I can see that the Wiki docu is newer: https://github.com/icing/mod_md/wiki.
>>>> 
>>>> 
>>>> Cannot check if the rest of mod_md docu is up to date and in line with trunk?
>> 
>
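As an added example (not part of this thread and not mod_md's own code), the remediation Stefan describes above, written as a small Python script: it pulls the "provided" and "current" agreement URLs out of the md:warn line the CA's problem text produces, then rewrites only the MDCertificateAgreement directive that still carries the stale URL, so the admin can reload httpd. The log line and config fragment are constructed from the message quoted in this thread; the assumed directive syntax is one `MDCertificateAgreement <url>` per line, and the domain names are hypothetical.

```python
import re

# Constructed sample: the md:warn line quoted in this thread, joined onto one line.
SAMPLE_LOG = (
    "[md:warn] [pid 7232:tid 2416] (22)Invalid argument: acme problem "
    "urn:acme:error:malformed: Provided agreement URL "
    "[https://letsencrypt.org/documents/2017.11.15-LE-SA-v1.2.pdf] does not "
    "match current agreement URL "
    "[https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]"
)

# Constructed sample config (hypothetical domains): the first directive carries the
# stale URL from the docs, the second an unrelated CA's value that must stay as is.
SAMPLE_CONF = """\
LoadModule md_module modules/mod_md.so
MDomain example.org
  MDCertificateAgreement  https://letsencrypt.org/documents/2017.11.15-LE-SA-v1.2.pdf
MDomain other.example
  MDCertificateAgreement https://ca.example/terms-v9.pdf
"""

# The two bracketed URLs in the CA's "malformed" problem text, as mod_md logs it.
MISMATCH_RE = re.compile(
    r"Provided agreement URL \[(?P<provided>[^\]]+)\] does not "
    r"match current agreement URL \[(?P<current>[^\]]+)\]"
)

# One MDCertificateAgreement directive per line; indentation and spacing are kept.
DIRECTIVE_RE = re.compile(
    r"^(?P<indent>[ \t]*)MDCertificateAgreement(?P<sep>[ \t]+)(?P<url>\S+)[ \t]*$",
    re.MULTILINE,
)

def parse_agreement_mismatch(log_line):
    """Return (provided_url, current_url) for an agreement-mismatch warning, else None."""
    m = MISMATCH_RE.search(log_line)
    return (m.group("provided"), m.group("current")) if m else None

def update_agreement_directive(conf_text, provided_url, current_url):
    """Replace MDCertificateAgreement values equal to provided_url with current_url.

    Returns (new_text, count). Directives with any other value are untouched, so a
    CA whose terms did not change is not rewritten by mistake.
    """
    count = 0

    def repl(m):
        nonlocal count
        if m.group("url") != provided_url:
            return m.group(0)
        count += 1
        return f"{m.group('indent')}MDCertificateAgreement{m.group('sep')}{current_url}"

    return DIRECTIVE_RE.sub(repl, conf_text), count
```

Running `update_agreement_directive(SAMPLE_CONF, *parse_agreement_mismatch(SAMPLE_LOG))` changes exactly the Let's Encrypt line; a reload is still needed afterwards, as the thread says.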