httpd-dev mailing list archives

From Steffen <>
Subject Re: Let's Encrypt Feature Release
Date Sun, 19 Nov 2017 15:21:58 GMT
To get more needed feedback, it is good to go with experimental mod_md, not with a2md. 

Be aware that we then have experimental code in mod_ssl!

I hereby want to request a notification on error, see below. Missing message(s) in the log can
end with a non-working SSL site.

I have not seen the command line utility a2md tested by users; a -1 for a2md, especially because
it needs a change for Windows to get it working, see below.

2 and 3 not seen used so far, no opinion.

The .dsp's etc. are OK in trunk. On Windows, the a2md.exe utility needs to include OpenSSL's
applink.c, like in abs.exe.


It is not really a module, more a configuration/install utility. And it introduces curl and
jansson dependencies.

I have been running mod_md from the beginning and made it available at ApacheLounge. It was a
struggle to get it working for me and others; the documentation needs more eyes for review. It
works OK, but I do not see that advantage over other utilities out there.

By default, mod_md is oh so silent about what it is doing behind the scenes. And with (config)
errors it is quite a puzzle what is wrong; loglevel debug/trace2 is mostly needed to figure it out.
When you miss a message in the log, for example on renewal, then there is a chance you end up with
a non-working SSL site.

I would like to request that it be made possible to get a notification on an error (like
MDNotifyCmd), for example by email.

At my request, info/warnings were already added. We need more users to evaluate.

In January Let's Encrypt is starting with wildcard certs. Maybe worth waiting. I know users
waiting for that, and experience teaches that changes at LE can trouble mod_md.

> On 15 Nov 2017, at 10:59, Stefan Eissing <> wrote:
> Now that Gregg has landed Windows build support in trunk (yay!), I would really like
> us to include the Let's Encrypt Support in the next 2.4 release as an experimental mod_md
> plus the required and recommended changes to mod_ssl.
> Atm there is one blocker that prevents me from proposing mod_ssl backports: the pending
> backport of "Handle SSLProxy* directives in <Proxy> sections" by Yann. That one has
> just many changes in the module and making independent patches with/without that one is too
> much work. With one vote missing, if anyone could find the cycles to vote on that, that'd
> be great.
> Once that is out of the way, I will propose the following changes for backport:
> 1. mod_md plus the *required* mod_ssl changes for interworking
> 2. SSLPolicy/SSLProxyPolicy feature
> 3. SSLEngine addr:port feature
> 2+3 are not required. For 2 I have gotten a lot of responses by people who'd like to
> have that for their servers. 3 I do not feel strong about.
> Maybe we can give our early adopters a nice Xmas present.
> Cheers,
> Stefan
