> On 18.03.2018 at 20:34, Gregg Smith <[email protected]> wrote:
>
> My read on the original post:
>
> First we have stated that "For mod_ssl to work in the vote release, mod_md
> must also be included..."
>
> That is what I honed in on. Apache will not start if there's a module
> specific directive without that module being loaded. Since the OP states that
> *mod_ssl* will not work without mod_md included, there must be some
> mod_md directives not contained inside <IfModule> laying around in the OP's
> config. I believe this is the first of two parts.

Exactly. Everything works as before when one does not load mod_md.

> Now, Apache serving a 404 on /.well-known/acme-challenge/test.txt when mod_md
> is loaded I think is because mod_md stores this stuff under MDStoreDir where
> the acme client puts it elsewhere IIRC. So this behavior I see as by design
> since mod_md intercepts the requests coming from the acme server obviously to
> serve what is stored under MDStoreDir.
>
> My guess anyway.

Correct. And as noted in another mail, the fallback behaviour will be added so that md and external clients can co-exist. I did not foresee this mixed run mode and therefore decided to deny any fallback here. Seems like this security reduced the usability too much.

Stefan

>> On 3/18/2018 12:07 PM, Eric Covener wrote:
>>> On Sun, Mar 18, 2018 at 2:25 PM, Steffen <[email protected]> wrote:
>>>
>>> It is indeed a limitation for an "old" account, and when LE enables TLS
>>> again (not sure it does already in ACMEv2 protocol)
>> When did this become about TLS-SNI challenges and how does that tie
>> into the external ACME client?
>> Can you connect the dots for me or is this unrelated?
>>> In my test mod_md says;
>>>
>>> mod_md.c(1317): [client 2001:980:a510:1:c5e7:56f7:9d:ab36:65315] Challenge
>>> for www.apachelounge.com (/.well-known/acme-challenge/test.txt)
>>>
>>>
>>> For me case closed, sorry for the clutter.
>> Does this confirm something beyond "mod_md works"?
>>> When it is not appreciated that I share it with dev, say it please.
>> My own 2 cents: It would be helpful and take much less of a toll on
>> this volunteers time/patience/morale if this kind of feedback were
>> refined before being brought forward.
>> For example, here are hypothetical concise requirements / complaints
>> that someone could meaningfully address without having to pull teeth:
>> mod_md could do something specifically different with TLS-SNI
>> challenges for old users
>> mod_md pre-empts HTTP challenges for domains that are not mod_md managed.
>> mod_md can't decline/defer to an Alias for /.well-known if it has no
>> stored challenge
>> But instead we have several paragraphs about votes and releases and
>> mod_ssl depending on mod_md and two different clients and a request to
>> test "it" on Linux.
