FYI: mod_md merge into trunk is incoming, most likely tomorrow.
The merge candidate is in ^/httpd/httpd/branches/trunk-md. Existing code
has only been changed in mod_ssl. A diff is available via:
svn diff ^/httpd/httpd/trunk/modules/ssl ^/httpd/httpd/branches/trunk-md/modules/ssl
Gist of the mod_ssl changes:
1. In post_config:
mod_ssl can ask mod_md via optional functions, if a server_rec is managed.
If yes:
- it checks if certificates are already defined for this server.
If so, it logs and ignores mod_md. (Safe route. Can be discussed if it
should override instead.)
- it asks mod_md for the key/cert/chain files
a) if they are all there, they are added to the server configuration
b) if all or some are missing, a new "service_unavailable"
flag is set in the server config. (This is new, a vhost that does not
fail config, but is unavailable for config reasons.)
2. In the mod_ssl read_request hook:
mod_ssl checks if the request's server config has "service_unavailable" set.
If so, the request is answered with a 503. This should prevent any access
to a server whose certificate is (not yet) available.
3. In the SNI callback:
If no matching virtual host is found for the client supplied server name,
mod_ssl asks mod_md (if available) if this server name is a challenge.
When mod_md answers positively, it will provide certificate and key.
mod_ssl sets these in the SSL* of the connection and also sets
"service_unavailable" for the connection so that change 2.) also gives
503 for all requests to this domain.
(This is for the "tls-sni-01" authorization method of the ACME protocol.)
Cheers,
Stefan
PS. @Jchampion: I am not sure how to best merge the unit test cases into httpd.
They need to be optional, tied to the availability of mod_md, and I do not
know how to do that.
PPS. Another nit: mod_md also builds an executable, currently named a2md. I
thought about putting it in support/, but since this depends upon the
optional mod_md, it is more natural in modules/md, I thought.
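The three decision points described above (post_config, the read_request hook, and the SNI callback), as an added self-contained model in C. This is not httpd's or mod_md's code: the struct names, the md_files/ssl_srv/conn_state types and the md_is_challenge stand-in are hypothetical, and the real httpd types (server_rec, the mod_ssl server config, the mod_md optional functions) are deliberately not used so that it compiles on its own. The value of the model is the state it tracks: a managed vhost whose key/cert/chain are incomplete is configured but answers 503, and a pure challenge name gets a certificate on the connection but likewise answers 503.

```c
/* Added illustration, not httpd's code. All names here are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* What mod_md would hand back for a managed server; NULL means "missing". */
struct md_files {
    const char *key;
    const char *cert;
    const char *chain;
};

/* Per-vhost SSL config, reduced to what the mail talks about. */
struct ssl_srv {
    const char *name;          /* server name this vhost answers to */
    bool        has_own_certs; /* certificates already configured for it */
    bool        md_managed;    /* mod_md says it manages this server */
    struct md_files md;        /* files mod_md can currently provide */
    bool        uses_md_certs;        /* set by post_config */
    bool        service_unavailable;  /* set by post_config */
};

/* 1. post_config: decide whether a managed vhost takes mod_md's files or is
 *    marked unavailable. Returns true when the vhost ends up with usable certs. */
bool post_config_vhost(struct ssl_srv *s)
{
    s->uses_md_certs = false;
    s->service_unavailable = false;
    if (!s->md_managed)
        return true;                 /* plain vhost, mod_md not involved */
    if (s->has_own_certs)
        return true;                 /* safe route: log and ignore mod_md */
    if (s->md.key && s->md.cert && s->md.chain) {
        s->uses_md_certs = true;     /* all three present: add them */
        return true;
    }
    s->service_unavailable = true;   /* some missing: configured but unavailable */
    return false;
}

/* 2. read_request hook: a request to an unavailable vhost is answered 503. */
int read_request_status(const struct ssl_srv *s)
{
    return s->service_unavailable ? 503 : 200;
}

/* Per-connection state set by the SNI callback. */
struct conn_state {
    const char *cert;          /* certificate installed on this connection */
    const char *key;
    bool        service_unavailable;
};

/* Constructed stand-in for mod_md's "is this server name a challenge?" answer:
 * any name ending in ".acme.invalid" is treated as a pending tls-sni-01
 * challenge and gets placeholder certificate/key material. */
static bool md_is_challenge(const char *servername, struct conn_state *out)
{
    const char *suffix = ".acme.invalid";
    size_t n = strlen(servername), m = strlen(suffix);
    if (n > m && strcmp(servername + n - m, suffix) == 0) {
        out->cert = "<challenge-cert-placeholder>";
        out->key  = "<challenge-key-placeholder>";
        return true;
    }
    return false;
}

/* 3. SNI callback: match a vhost by name; otherwise ask mod_md whether the
 *    name is a challenge. Returns the matched vhost, or NULL when none applies. */
const struct ssl_srv *sni_callback(const char *servername,
                                   const struct ssl_srv *vhosts, size_t nvhosts,
                                   struct conn_state *conn)
{
    conn->cert = conn->key = NULL;
    conn->service_unavailable = false;
    for (size_t i = 0; i < nvhosts; i++) {
        if (strcmp(vhosts[i].name, servername) == 0) {
            conn->service_unavailable = vhosts[i].service_unavailable;
            return &vhosts[i];
        }
    }
    if (md_is_challenge(servername, conn))
        conn->service_unavailable = true; /* challenge only: every request gets 503 */
    return NULL;
}

/* The connection-level counterpart of read_request_status(). */
int conn_request_status(const struct conn_state *c)
{
    return c->service_unavailable ? 503 : 200;
}
```

Reading the model end to end: a vhost with its own certificates never consults mod_md, a managed vhost with a complete key/cert/chain set is served normally, and both the incomplete vhost and the challenge-only name are reachable at the TLS layer but refuse HTTP requests with 503 until a certificate is in place.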