Posted to bugs@httpd.apache.org by bu...@apache.org on 2022/02/07 11:11:38 UTC

[Bug 65860] Revoked certificate block httpd start

https://bz.apache.org/bugzilla/show_bug.cgi?id=65860

--- Comment #3 from Stefan Eissing <ic...@apache.org> ---
This will be hard to analyze. Let me explain:

When a certificate for xxx.com is renewed:

- $server_root/md/domains/xxx.com contains the working certs
- $server_root/md/staging/xxx.com contains all about the renewal

If the server reloads, it checks "staging/*" for complete file sets.
When that indicates success, it 

- *creates* and *copies* a "tmp/xxx.com". The copy really parses
  key and certificates and PEM serializes them again
- it *moves* the whole dir "domains/xxx.com" to "archive/xxx.com.N"
  to preserve the old file set
- then it *moves* "tmp/xxx.com" to "domains/xxx.com".
- then it *deletes* "staging/xxx.com"

This is all done so that no interruption will produce a "half-updated"
set of files where things do not match.

In Apache httpd 2.4.49 the test for matching key and certificate was
added during activation of a staging area to make sure mod_md never
activates a set of files that do not match.

You see, there is considerate thought gone into avoiding the thing
you experienced. Especially with 2.4.49 or newer, the server should
never load a cert+key that do not match, even if something was messed
up in the "staging" subdir.

Any thoughts? Otherwise I think we need to close this as not reproducible.

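The staging -> tmp -> archive -> domains sequence from the comment above, as an added example that is not mod_md's own code (mod_md is written in C). It assumes the file names privkey.pem and pubcert.pem inside each directory and uses the openssl CLI to re-serialize the PEM files and to refuse a key/certificate pair whose public keys do not match, so a bad staging set can never replace the live set.

```shell
#!/bin/sh
# Added example, not mod_md's code. Simulates the activation of a renewed
# certificate set. File names privkey.pem/pubcert.pem are assumed.
set -eu

# key_matches_cert KEY CERT: succeeds only when the public half of the private
# key equals the public key inside the certificate (both as PEM SPKI).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# activate_staging ROOT DOMAIN: the staging -> tmp -> archive -> domains moves.
# Returns 2 on an incomplete staging set, 3 on a key/cert mismatch; in both
# cases the live set in domains/ is left untouched.
activate_staging() {
    root=$1; dom=$2
    stg="$root/md/staging/$dom"; tmp="$root/md/tmp/$dom"
    live="$root/md/domains/$dom"; arc="$root/md/archive"
    # 1. staging must hold a complete and matching file set
    [ -f "$stg/privkey.pem" ] && [ -f "$stg/pubcert.pem" ] || return 2
    key_matches_cert "$stg/privkey.pem" "$stg/pubcert.pem" || return 3
    # 2. create tmp/ by parsing and re-serializing key and certificate
    rm -rf "$tmp"; mkdir -p "$tmp"
    openssl pkey -in "$stg/privkey.pem" -out "$tmp/privkey.pem" 2>/dev/null
    openssl x509 -in "$stg/pubcert.pem" -out "$tmp/pubcert.pem" 2>/dev/null
    # 3. move the old live set to archive/<domain>.N, preserving it
    if [ -d "$live" ]; then
        n=1; while [ -d "$arc/$dom.$n" ]; do n=$((n+1)); done
        mkdir -p "$arc"; mv "$live" "$arc/$dom.$n"
    fi
    # 4. move tmp/ into place, then 5. delete staging/
    mkdir -p "$root/md/domains"; mv "$tmp" "$live"
    rm -rf "$stg"
}

# gen_pair DIR: constructed self-signed key+cert used only for the demo.
gen_pair() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/privkey.pem" \
        -out "$1/pubcert.pem" -days 1 -subj "/CN=xxx.com" 2>/dev/null
}
```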