Posted to cvs@httpd.apache.org by ic...@apache.org on 2019/08/05 11:29:58 UTC

svn commit: r1864428 - in /httpd/httpd/trunk: CHANGES modules/ssl/ssl_engine_init.c

Author: icing
Date: Mon Aug  5 11:29:58 2019
New Revision: 1864428

URL: http://svn.apache.org/viewvc?rev=1864428&view=rev
Log:
  *) mod_ssl: reverting a 2.4.40 change where a superfluous SSLCertificateChainFile configuration
     for a domain managed by mod_md caused a startup error. This happened when mod_md installed 
     its fallback certificate, before it got the first real certificate from Let's Encrypt.


Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/modules/ssl/ssl_engine_init.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1864428&r1=1864427&r2=1864428&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Mon Aug  5 11:29:58 2019
@@ -1,6 +1,11 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.1
 
+  *) mod_ssl: reverting a 2.4.40 change where a superfluous SSLCertificateChainFile configuration
+     for a domain managed by mod_md caused a startup error. This happened when mod_md installed 
+     its fallback certificate, before it got the first real certificate from Lets Encrypt.
+     [Stefan Eissing]
+
   *) core, mod_rewrite: Set PCRE_DOTALL by default. Revert via 
      RegexDefaultOptions -DOTALL [Yann Ylavic]
 

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1864428&r1=1864427&r2=1864428&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Mon Aug  5 11:29:58 2019
@@ -1820,19 +1820,21 @@ static apr_status_t ssl_init_server_ctx(
     n = pks->cert_files->nelts;
     ssl_run_add_cert_files(s, p, pks->cert_files, pks->key_files);
 
-    if (n < pks->cert_files->nelts) {
-        /* this overrides any old chain configuration */
-        sc->server->cert_chain = NULL;
+    if (apr_is_empty_array(pks->cert_files)) {
+        /* does someone propose a certiciate to fall back on here? */
+        ssl_run_add_fallback_cert_files(s, p, pks->cert_files, pks->key_files);
+        if (n < pks->cert_files->nelts) {
+            pks->service_unavailable = 1;
+            ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(10085)
+                         "Init: %s will respond with '503 Service Unavailable' for now. There "
+                         "are no SSL certificates configured and no other module contributed any.",
+                         ssl_util_vhostid(p, s));
+        }
     }
     
-    if (apr_is_empty_array(pks->cert_files) && !sc->server->cert_chain) {
-        ssl_run_add_fallback_cert_files(s, p, pks->cert_files, pks->key_files);
-        
-        pks->service_unavailable = 1;
-        ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(10085)
-                     "Init: %s will respond with '503 Service Unavailable' for now. There "
-                     "are no SSL certificates configured and no other module contributed any.",
-                     ssl_util_vhostid(p, s));
+    if (n < pks->cert_files->nelts) {
+        /* additionally installed certs overrides any old chain configuration */
+        sc->server->cert_chain = NULL;
     }
     
     if ((rv = ssl_init_ctx(s, p, ptemp, sc->server)) != APR_SUCCESS) {
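Review bot: The relocated `if (n < pks->cert_files->nelts)` block now nulls `sc->server->cert_chain` whenever any module contributed certificates, which after this change includes the mod_md fallback case, so an operator's SSLCertificateChainFile is discarded with no trace in the log; a stale or mismatched chain configuration would then be masked until the real certificate arrives and the chain still silently does not apply. I would log the override at INFO level next to the assignment, e.g. `ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(<new tag>) "Init: %s ignoring configured SSLCertificateChainFile, certificates were contributed by another module", ssl_util_vhostid(p, s));` with a freshly allocated APLOGNO. The old code additionally skipped the fallback/503 path when a chain was configured; that guard is gone, which matches the stated intent, but a vhost with no certificates and no fallback contribution now passes this block without the 10085 warning, so it presumably relies on `ssl_init_ctx` below to reject the empty configuration — the function continues outside the hunk, so I cannot confirm that. Minor: the fallback comment misspells "certificate" (`certiciate`) and `installed certs overrides` should read `installed certs override`.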