Jan Ehrhardt in gmane.comp.apache.devel (Sun, 04 Aug 2019 01:26:27 +0200):
>Maybe some config changes are needed, but then they should be clearly
>documented in the change log. The trouble with this release is that the
>problem with mod_md will only show up when the first certificate has to
>be renewed.

Countless tests later I guess I have found out what was wrong. The server that I used for testing previously had a certificate by letsencrypt-win-simple. Back in the old days you had to load the intermediate certificate (Let's Encrypt Authority X3) with an SSLCertificateChainFile statement. The server was still doing that.

The mod_md in 2.4.39 did not bother and just created a new certificate. However, the mod_md in 2.4.40 stumbled over it, despite the fact that the intermediate certificate was exactly the same that mod_md would have loaded.

@icing: I tried it once again to see what is in the logs:

| AH02572: Failed to configure at least one certificate and key for example.com:443
| SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned

This gave me no clue at all why it failed.

And it was not Apache that stumbled. With a valid MDomain certificate, mod_md and the SSLCertificateChainFile could happily co-exist. So without the test to remove the /md dir I would have run into trouble at the moment when the certificates had to be renewed (somewhere in September).

--
Jan
