Tolerate missing revokeCert or keyChange resource

mod_md does not work with ACME server that does not revokeCert or keyChange resource. The fix from a merged upstream pull request https://github.com/icing/mod_md/pull/214 fixes this issue and allows mod_md to be used against FreeIPA ACME service. Fixes: rhbz#1832841
2020-06-23 11:21:16 +03:00 · 2020-06-23 11:21:16 +03:00 · bcb2623447
commit bcb2623447
parent cf6762f4ce
2 changed files with 29 additions and 1 deletions
--- a/mod_md-2.0.8-tolerate-missing-res.patch
+++ b/mod_md-2.0.8-tolerate-missing-res.patch
@ -0,0 +1,22 @@
+diff --git a/src/md_acme.c b/src/md_acme.c
+index d2cc00a..005a387 100644
+--- a/src/md_acme.c
+++ b/src/md_acme.c
+@@ -728,8 +728,15 @@ static apr_status_t update_directory(const md_http_response_t *res)
+         acme->api.v2.revoke_cert = md_json_dups(acme->p, json, "revokeCert", NULL);
+         acme->api.v2.key_change = md_json_dups(acme->p, json, "keyChange", NULL);
+         acme->api.v2.new_nonce = md_json_dups(acme->p, json, "newNonce", NULL);
+-        if (acme->api.v2.new_account && acme->api.v2.new_order 
+-            && acme->api.v2.revoke_cert && acme->api.v2.key_change
+        /* RFC 8555 only requires "directory" and "newNonce" resources.
+         * mod_md uses "newAccount" and "newOrder" so check for them.
+         * But mod_md does not use the "revokeCert" or "keyChange"
+         * resources, so tolerate the absense of those keys.  In the
+         * future if mod_md implements revocation or key rollover then
+         * the use of those features should be predicated on the
+         * server's advertised capabilities. */
+        if (acme->api.v2.new_account
+            && acme->api.v2.new_order
+             && acme->api.v2.new_nonce) {
+             acme->version = MD_ACME_VERSION_2;
+         }
--- a/mod_md.spec
+++ b/mod_md.spec
@ -3,13 +3,14 @@

 Name:           mod_md
 Version:        2.2.7
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        Certificate provisioning using ACME for the Apache HTTP Server
 License:        ASL 2.0
 URL:            https://icing.github.io/mod_md/
 Source0:        https://github.com/icing/mod_md/releases/download/v%{version}/mod_md-%{version}.tar.gz
 Patch1:         mod_md-2.0.8-state_dir.patch
 Patch2:         mod_md-2.2.6-warnfix.patch
+Patch3:         mod_md-2.0.8-tolerate-missing-res.patch
 BuildRequires:  gcc
 BuildRequires:  pkgconfig, httpd-devel >= 2.4.41, openssl-devel >= 1.1.0, jansson-devel, libcurl-devel, xmlto
 Requires:       httpd-mmn = %{_httpd_mmn}, mod_ssl >= 1:2.4.41
@ -26,6 +27,7 @@ domains and their virtual hosts automatically, including at renewal.
 %setup -q
 %patch1 -p1 -b .state_dir
 %patch2 -p1 -b .warnfix
+%patch3 -p1 -b .tol_missing_res

 %build
 %configure
@ -59,6 +61,10 @@ echo "LoadModule md_module modules/mod_md.so" > %{buildroot}%{_httpd_modconfdir}
 %{_mandir}/man1/*

 %changelog
+* Tue Jun 23 2020 Alexander Bokovoy <abokovoy@redhat.com> - 1:2.2.7-2
+- mod_md does not work with ACME server that does not provide revokeCert or
+  keyChange resource (#1832841)
+
 * Tue Feb 11 2020 Joe Orton <jorton@redhat.com> - 1:2.2.7-1
 - update to 2.2.7