Releases · icing/mod_md

Hardening: when build with OpenSSL older than 1.0.2 or old libressl versions,
the parsing of ASN.1 time strings did not do a length check.
Hardening: when reading back OCSP responses stored in the local JSON store,
missing 'valid' key led to uninitialized values, resulting in wrong
refresh behaviour.

New directive MDInitialDelay, controlling how longer to wait after
a server restart before checking certificates for renewal.
[Michael Kaufmann]

Fix error retry delay calculation to not already doubling the wait on the first error.

Increasing default MDRetryDelay to 30 seconds to generate less bursty
traffic on errored renewals for the ACME CA. This leads to error retries
of 30s, 1 minute, 2, 4, etc. up to daily attempts.
Checking that configuring MDRetryDelay will result in a positive
duration. A delay of 0 is not accepted.
Fix a bug in checking Content-Type of responses from the ACME server.

Added ACME ARI support (rfc9773) to the module. Enabled by default. New
directive "MDRenewViaARI on|off" for controlling this. Documentation in
README.md
Removed tailscale support. It has not been working for a long time
as the company decided to change their APIs. Away with the dead code,
documentation and tests.

Fixed TLS-ALPN-01 challenges when multiple MDPrivateKeys are specified
with EC keys before RSA ones. Fixes #377.
Fixed missing newlines in the status page output. [andreasgroth]

When installing a custom CA file via MDCACertificateFile, also set the
libcurl option CURLSSLOPT_NO_REVOKE that suppresses complains by Schannel
(when curl is linked with it) about missing CRL/OCSP in certificates.
Fixes #361.
Fixed handling of corrupted httpd.json and added test 300_30 for it.
File is removed on error and written again. Fixes #369.
Added explanation in log for how to proceed when md_store.json could not be
parsed and prevented the server start.

Added support for ACME profiles. See README on how to use them.
restored fixed to #336 and #337 which got lost in a sync with Apache svn
Add Issue Name/Uris to certificate information in md-status handler
MDomains with static certificate files have MDRenewMode "manual", unless
"always" is configured.

Improved error reporting when waiting for ACME server to verify domains
or finalizing the order fails, e.g. times out.
Increasing the timeouts to wait for ACME server to verify domain names
and issue the certificate from 30 seconds to 5 minutes.

Releases: icing/mod_md