Trying to sum up what you are saying: mod_md 2.4.40 does not introduce a new problem, but testing with it exposed an issue that affects both. There is no regression in 2.4.40.
As to the problem: the SSLCertificateChainFile directive made mod_ssl fail in conjunction with mod_md and an empty MDomain. Probably, the fallback certificate was conflicting with the additional chain file. This fallback is installed until mod_md gets the "real" certificate from Let's Encrypt.

I will try to add a test case for that and see how we can improve the interworking.

- Stefan

> On 05.08.2019 at 10:12, Jan Ehrhardt <[email protected]> wrote:
>
> Jan Ehrhardt in gmane.comp.apache.devel (Sun, 04 Aug 2019 01:26:27
> +0200):
>> Maybe some config changes are needed, but then they should be clearly
>> documented in the change log. The trouble with this release is that the
>> problem with mod_md will only show up when the first certificate has to
>> be renewed.
>
> Countless tests later I guess I have found out what was wrong. The
> server that I used for testing previously had a certificate by
> letsencrypt-win-simple. Back in the old days you had to load the
> intermediate certificate (Let's Encrypt Authority X3) with a
> SSLCertificateChainFile statement. The server was still doing that. The
> mod_md in 2.4.39 did not bother and just created a new certificate.
>
> However, the mod_md in 2.4.40 stumbled over it, despite the fact that
> the intermediate certificate was exactly the same that mod_md would have
> loaded.
>
> @icing: I tried it once again to see what is in the logs:
>
> | AH02572: Failed to configure at least one certificate and key for
> example.com:443
> | SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no
> certificate assigned
>
> This gave me no clue at all why it failed. And it was not Apache that
> stumbled. With a valid MDomain certificate mod_md and the
> SSLCertificateChainFile could happily co-exist. So without the test to
> remove the /md dir I would have run into troubles at the moment when the
> certificates had to be renewed (somewhere in September).
> --
> Jan
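
A configuration check for the conflict discussed in this thread, added here as an example and not code from the thread or from the httpd project: it flags virtual hosts whose names are covered by an MDomain line but that still carry an SSLCertificateChainFile directive. The sample config, its placeholder paths, and the function name are constructed; Include files and server-level directives outside `<VirtualHost>` blocks are not followed.

```python
# Constructed sample config (not from the thread); paths are placeholders.
SAMPLE_CONF = """\
MDomain example.com www.example.com
MDomain other.example auto
<VirtualHost *:443>
    ServerName example.com
    SSLCertificateChainFile /path/to/chain.pem
</VirtualHost>
<VirtualHost *:443>
    ServerName other.example
</VirtualHost>
<VirtualHost *:443>
    ServerName unmanaged.example
    SSLCertificateChainFile /path/to/chain.pem
</VirtualHost>
"""

def find_chainfile_conflicts(conf_text):
    """Return names of mod_md-managed vhosts that still set SSLCertificateChainFile."""
    managed, vhosts, current = set(), [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        key = tokens[0].lower()  # Apache directive names are case-insensitive
        if key == "mdomain":
            # Trailing auto/manual keywords are options, not DNS names.
            managed.update(t.lower() for t in tokens[1:] if t.lower() not in ("auto", "manual"))
        elif key.startswith("<virtualhost"):
            current = {"names": set(), "chain": False}
        elif key.startswith("</virtualhost") and current is not None:
            vhosts.append(current)
            current = None
        elif current is not None:
            if key in ("servername", "serveralias"):
                # Simplification: drop an optional :port suffix, ignore scheme prefixes.
                current["names"].update(t.lower().split(":")[0] for t in tokens[1:])
            elif key == "sslcertificatechainfile":
                current["chain"] = True
    hits = set()
    for vh in vhosts:
        if vh["chain"]:
            hits |= vh["names"] & managed
    return sorted(hits)

if __name__ == "__main__":
    for name in find_chainfile_conflicts(SAMPLE_CONF):
        print(f"{name}: managed by mod_md but SSLCertificateChainFile is still set")
```

Running it before an upgrade or ahead of a renewal window surfaces leftover chain-file lines while the current certificate is still valid.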
