rpms/mod_md
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

merge into: rpms:c8-stream-2.4
Branches Tags
rpms:c8-stream-2.4
rpms:c10
rpms:c9
rpms:stream-httpd-2.4-rhel-8.10.0
rpms:c10s
rpms:c9-beta
rpms:c9s
rpms:stream-httpd-2.4-rhel-8.9.0
rpms:c8-beta-stream-2.4
rpms:c8s-stream-2.4
rpms:imports/c10/mod_md-2.4.26-4.el10_1
rpms:imports/c9/mod_md-2.4.26-1.el9_7.1
rpms:imports/c8-stream-2.4/mod_md-2.0.8-8.module+el8.10.0+23815+1b5e1c66.2
rpms:imports/c10/mod_md-2.4.26-3.el10_0
rpms:imports/c9/mod_md-2.4.26-1.el9
rpms:imports/c10s/mod_md-2.4.26-3.el10
rpms:imports/c9-beta/mod_md-2.4.26-1.el9
rpms:imports/c10s/mod_md-2.4.26-2.el10
rpms:imports/c9/mod_md-2.4.19-1.el9
rpms:imports/c9-beta/mod_md-2.4.19-1.el9
rpms:imports/c9/mod_md-2.4.0-3.el9
rpms:imports/c9-beta/mod_md-2.4.0-3.el9
rpms:imports/c8-beta-stream-2.4/mod_md-2.0.8-8.module+el8.3.0+6814+67d1e611
rpms:imports/c8-beta-stream-2.4/mod_md-2.0.8-6.module+el8.2.0+5146+97061b72
rpms:imports/c8s-stream-2.4/mod_md-2.0.8-8.module+el8.3.0+6814+67d1e611
rpms:imports/c8-stream-2.4/mod_md-2.0.8-8.module+el8.9.0+19080+567b90f8
rpms:imports/c8-stream-2.4/mod_md-2.0.8-8.module+el8.3.0+6814+67d1e611
rpms:imports/c8-stream-2.4/mod_md-2.0.8-7.module+el8.2.0+5531+7e4d69a2
...
pull from: rpms:c10
Branches Tags
rpms:c10
rpms:c9
rpms:c8-stream-2.4
rpms:stream-httpd-2.4-rhel-8.10.0
rpms:c10s
rpms:c9-beta
rpms:c9s
rpms:stream-httpd-2.4-rhel-8.9.0
rpms:c8-beta-stream-2.4
rpms:c8s-stream-2.4
rpms:imports/c10/mod_md-2.4.26-4.el10_1
rpms:imports/c9/mod_md-2.4.26-1.el9_7.1
rpms:imports/c8-stream-2.4/mod_md-2.0.8-8.module+el8.10.0+23815+1b5e1c66.2
rpms:imports/c10/mod_md-2.4.26-3.el10_0
rpms:imports/c9/mod_md-2.4.26-1.el9
rpms:imports/c10s/mod_md-2.4.26-3.el10
rpms:imports/c9-beta/mod_md-2.4.26-1.el9
rpms:imports/c10s/mod_md-2.4.26-2.el10
rpms:imports/c9/mod_md-2.4.19-1.el9
rpms:imports/c9-beta/mod_md-2.4.19-1.el9
rpms:imports/c9/mod_md-2.4.0-3.el9
rpms:imports/c9-beta/mod_md-2.4.0-3.el9
rpms:imports/c8-beta-stream-2.4/mod_md-2.0.8-8.module+el8.3.0+6814+67d1e611
rpms:imports/c8-beta-stream-2.4/mod_md-2.0.8-6.module+el8.2.0+5146+97061b72
rpms:imports/c8s-stream-2.4/mod_md-2.0.8-8.module+el8.3.0+6814+67d1e611
rpms:imports/c8-stream-2.4/mod_md-2.0.8-8.module+el8.9.0+19080+567b90f8
rpms:imports/c8-stream-2.4/mod_md-2.0.8-8.module+el8.3.0+6814+67d1e611
rpms:imports/c8-stream-2.4/mod_md-2.0.8-7.module+el8.2.0+5531+7e4d69a2

2 Commits
c8-stream- ... c10

Author SHA1 Message Date
eabdullin
d433cff607 import UBI mod_md-2.4.26-4.el10_1 2025-12-22 05:23:51 +00:00
eabdullin
7cd426c38f import UBI mod_md-2.4.26-3.el10 2025-05-14 15:54:34 +00:00
10 changed files with 270 additions and 560 deletions
Show Stats Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/mod_md-2.0.8.tar.gz
mod_md-2.4.26.tar.gz

1
.mod_md.metadata
View File

@ -1 +0,0 @@
6cec32070c6fd83701be0874a2d8b4f30d929d03 SOURCES/mod_md-2.0.8.tar.gz

418
SOURCES/a2md.xml
View File

@ -1,418 +0,0 @@
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
]>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<refentry>
<refentryinfo>
<title>a2md</title>
<productname>mod_md</productname>
<author><contrib>Author</contrib><surname>Eissing</surname><firstname>Stefan</firstname><email>stefan.eissing@greenbytes.de</email></author>
<author><contrib>Documentation</contrib><surname>Uhliarik</surname><firstname>Lubos</firstname><email>luhliari@redhat.com</email></author>
</refentryinfo>
<refmeta>
<refentrytitle>a2md</refentrytitle>
<manvolnum>1</manvolnum>
</refmeta>
<refnamediv>
<refname>a2md</refname>
<refpurpose>Show and manipulate Apache Managed Domains</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>a2md</command>
<arg choice="opt">options</arg>
<group choice="req">
<arg choice="plain">acme</arg>
<arg choice="plain">add</arg>
<arg choice="plain">update</arg>
<arg choice="plain">drive</arg>
<arg choice="plain">list</arg>
<arg choice="plain">store</arg>
</group>
<arg choice="opt">cmd options</arg>
<arg choice="opt">args</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>
The a2md utility can be used to configure and update managed domains with
the mod_md module for Apache HTTP Server. Managed Domains are virtual hosts
which automatically obtain and renew TLS certificates from an ACME server.
</para>
</refsect1>
<refsect1>
<title>Options</title>
<variablelist>
<varlistentry>
<term>
<option>-a</option> <replaceable>arg</replaceable>,
<option>--acme</option> <replaceable>arg</replaceable>
</term>
<listitem><simpara>The url of the ACME server directory</simpara></listitem>
</varlistentry>
<varlistentry>
<term>
<option>-d</option> <replaceable>arg</replaceable>,
<option>--dir</option> <replaceable>arg</replaceable>
</term>
<listitem><simpara>Directory for file data</simpara></listitem>
</varlistentry>
<varlistentry>
<term>
<option>-h</option>,
<option>--help</option>
</term>
<listitem><simpara>Print usage information</simpara></listitem>
</varlistentry>
<varlistentry>
<term>
<option>-j</option>,
<option>--json</option>
</term>
<listitem><simpara>Produce JSON output</simpara></listitem>
</varlistentry>
<varlistentry>
<term>
<option>-p</option> <replaceable>arg</replaceable>,
<option>--proxy</option> <replaceable>arg</replaceable>
</term>
<listitem><simpara>Use the HTTP proxy url</simpara></listitem>
</varlistentry>
<varlistentry>
<term>
<option>-q</option>,
<option>--quiet</option>
</term>
<listitem><simpara>Produce less output</simpara></listitem>
</varlistentry>
<varlistentry>
<term>
<option>-t</option> <replaceable>arg</replaceable>,
<option>--terms</option> <replaceable>arg</replaceable>
</term>
<listitem><simpara>You agree to the terms of services (url)</simpara></listitem>
</varlistentry>
<varlistentry>
<term>
<option>-v</option>,
<option>--verbose</option>
</term>
<listitem><simpara>Produce more output</simpara></listitem>
</varlistentry>
<varlistentry>
<term>
<option>-V</option>,
<option>--version</option>
</term>
<listitem><simpara>Print version</simpara></listitem>
</varlistentry>
</variablelist>
<refsect2>
<title>ACME server commands</title>
<cmdsynopsis>
<command>a2md acme</command>
<group choice="req">
<arg choice="plain">newreg</arg>
<arg choice="plain">delreg</arg>
<arg choice="plain">agree</arg>
<arg choice="plain">authz</arg>
<arg choice="plain">validate</arg>
</group>
<arg choice="opt">opts</arg>
<arg choice="opt">args</arg>
</cmdsynopsis>
<para>
Play with the ACME server. For most of the commands you need to specify
the url of the ACME server directory.
</para>
<refsect3>
<title>newreg</title>
<cmdsynopsis>
<command>newreg</command>
<arg choice="plain"><replaceable>contact-uri</replaceable></arg>
<arg choice="opt">contact-uri...</arg>
</cmdsynopsis>
<para>Register a new account at ACME server with given <replaceable>contact-uri</replaceable> (email)</para>
</refsect3>
<refsect3>
<title>delreg</title>
<cmdsynopsis>
<command>delreg</command>
<arg choice="plain"><replaceable>account</replaceable></arg>
</cmdsynopsis>
<para>Delete an existing ACME <replaceable>account</replaceable></para>
</refsect3>
<refsect3>
<title>agree</title>
<cmdsynopsis>
<command>agree</command>
<arg choice="plain"><replaceable>account</replaceable></arg>
</cmdsynopsis>
<para>Agree to ACME terms of service</para>
</refsect3>
<refsect3>
<title>authz</title>
<cmdsynopsis>
<command>authz</command>
<arg choice="plain"><replaceable>account</replaceable></arg>
<arg choice="plain"><replaceable>domain</replaceable></arg>
</cmdsynopsis>
<para>Request a new authorization for an <replaceable>account</replaceable> and
<replaceable>domain</replaceable></para>
</refsect3>
<refsect3>
<title>validate</title>
<cmdsynopsis>
<command>validate</command>
<arg choice="plain"><replaceable>account</replaceable></arg>
</cmdsynopsis>
<para>Validate <replaceable>account</replaceable> existence</para>
</refsect3>
</refsect2>
<refsect2>
<title>Managed domain addition</title>
<cmdsynopsis>
<command>a2md add</command>
<arg choice="opt">opts</arg>
<arg choice="plain"><replaceable>domain</replaceable></arg>
<arg choice="opt">domain...</arg>
</cmdsynopsis>
<para>
Adds a new managed domain. Must not overlap with existing domains.
</para>
</refsect2>
<refsect2>
<title>Updating managed domain</title>
<cmdsynopsis>
<command>a2md update</command>
<arg choice="plain"><replaceable>name</replaceable></arg>
<arg choice="opt">opts</arg>
<group choice="req">
<arg choice="plain">domains</arg>
<arg choice="plain">ca</arg>
<arg choice="plain">account</arg>
<arg choice="plain">contacts</arg>
<arg choice="plain">agreement</arg>
</group>
</cmdsynopsis>
<para>
Update a managed domain's properties, where <replaceable>name</replaceable> belongs to managed domain which
will be updated.
</para>
<para>URL of ACME server can be also updated if <option>-a</option>|
<option>--acme</option> option is present.</para>
<refsect3>
<title>domains</title>
<cmdsynopsis>
<command>domains</command>
<arg choice="plain"><replaceable>dname</replaceable></arg>
<arg choice="opt">dname...</arg>
</cmdsynopsis>
<para>Update domain where <replaceable>dname</replaceable> is domain name which will be updated.</para>
</refsect3>
<refsect3>
<title>ca</title>
<cmdsynopsis>
<command>ca</command>
<arg choice="plain"><replaceable>url</replaceable></arg>
<arg choice="opt">proto</arg>
</cmdsynopsis>
<para>The <replaceable>URL</replaceable> where the CA offers its service.</para>
<para>Currently only ACME (LetsEncrypt) <replaceable>proto</replaceable> is implemented.</para>
</refsect3>
<refsect3>
<title>account</title>
<cmdsynopsis>
<command>account</command>
</cmdsynopsis>
<para>Account name on corresponding ACME server.</para>
</refsect3>
<refsect3>
<title>contacts</title>
<cmdsynopsis>
<command>contacts</command>
<arg choice="plain"><replaceable>email</replaceable></arg>
<arg choice="opt">email...</arg>
</cmdsynopsis>
<para>Contact address which will be used by ACME server to inform about renewals or changed terms of service.</para>
</refsect3>
<refsect3>
<title>agreement</title>
<cmdsynopsis>
<command>agreement</command>
<arg choice="plain"><replaceable>URI</replaceable></arg>
</cmdsynopsis>
<para>URI pointing to terms of service of ACME server.</para>
</refsect3>
</refsect2>
<refsect2>
<title>Drive managed domains</title>
<cmdsynopsis>
<command>a2md drive</command>
<arg choice="opt">md...</arg>
<arg choice="opt">options...</arg>
</cmdsynopsis>
<para>
Drive all or the mentioned managed domains toward completeness
</para>
<refsect3>
<title>Options</title>
<variablelist>
<varlistentry>
<term>
<option>-c</option> <replaceable>arg</replaceable>,
<option>--challenge</option> <replaceable>arg</replaceable>
</term>
<listitem><simpara>Which challenge type to use</simpara></listitem>
</varlistentry>
<varlistentry>
<term>
<option>-f</option>,
<option>--force</option>
</term>
<listitem><simpara>Force driving the managed domain, even when it seems valid</simpara></listitem>
</varlistentry>
<varlistentry>
<term>
<option>-r</option>,
<option>--reset</option>
</term>
<listitem><simpara>Reset any staging data for the managed domain</simpara></listitem>
</varlistentry>
</variablelist>
</refsect3>
</refsect2>
<refsect2>
<title>List managed domamins</title>
<cmdsynopsis>
<command>a2md list</command>
</cmdsynopsis>
<para>
List all managed domains
</para>
</refsect2>
<refsect2>
<title>Manipulating MD store</title>
<cmdsynopsis>
<command>a2md store</command>
<group choice="req">
<arg choice="plain">add</arg>
<arg choice="plain">remove</arg>
<arg choice="plain">list</arg>
<arg choice="plain">update</arg>
</group>
<arg choice="opt">opts</arg>
<arg choice="opt">args</arg>
</cmdsynopsis>
<para>
Manipulate the MD store
</para>
<refsect3>
<title>add</title>
<cmdsynopsis>
<command>add</command>
<arg choice="plain"><replaceable>dns</replaceable></arg>
<arg choice="opt">dns2...</arg>
</cmdsynopsis>
<para>Add a new managed domain <replaceable>dns</replaceable> with all the additional domain names</para>
</refsect3>
<refsect3>
<title>remove</title>
<cmdsynopsis>
<command>remove</command>
<arg choice="opt">-f | --force</arg>
<arg choice="plain"><replaceable>name</replaceable></arg>
<arg choice="opt"><replaceable>name...</replaceable></arg>
</cmdsynopsis>
<para>Remove the managed domains <replaceable>name</replaceable> from the store</para>
<para>When <option>-f</option> or <option>--force</option> option is specified, force managed domain removal - be silent about missing domains</para>
</refsect3>
<refsect3>
<title>list</title>
<cmdsynopsis>
<command>list</command>
</cmdsynopsis>
<para>List all managed domains in the store</para>
</refsect3>
<refsect3>
<title>update</title>
<cmdsynopsis>
<command>update</command>
<arg choice="plain"><replaceable>name</replaceable></arg>
<arg choice="opt">
<arg choice="plain">domains</arg>
<arg choice="plain"><replaceable>dname</replaceable></arg>
<arg choice="opt"><replaceable>dname...</replaceable></arg>
</arg>
</cmdsynopsis>
<para>If <option>domains</option> cmd is specified followed by one or
more domains, MD store will be updated with those domains.</para>
<para>URL of ACME server can be also updated if <option>-a</option>|
<option>--acme</option> option is present.</para>
</refsect3>
</refsect2>
</refsect1>
</refentry>
<!-- LocalWords: a2md
-->

13
SOURCES/mod_md-2.0.8-duptrim-seg.patch
View File

@ -1,13 +0,0 @@
diff --git a/src/md_result.c b/src/md_result.c
index 4076d5b..0e0b688 100644
--- a/src/md_result.c
+++ b/src/md_result.c
@@ -32,7 +32,7 @@
static const char *dup_trim(apr_pool_t *p, const char *s)
{
char *d = apr_pstrdup(p, s);
- apr_collapse_spaces(d, d);
+ if (d) apr_collapse_spaces(d, d);
return d;
}

22
SOURCES/mod_md-2.0.8-tolerate-missing-res.patch
View File

@ -1,22 +0,0 @@
diff --git a/src/md_acme.c b/src/md_acme.c
index d2cc00a..005a387 100644
--- a/src/md_acme.c
+++ b/src/md_acme.c
@@ -728,8 +728,15 @@ static apr_status_t update_directory(const md_http_response_t *res)
acme->api.v2.revoke_cert = md_json_dups(acme->p, json, "revokeCert", NULL);
acme->api.v2.key_change = md_json_dups(acme->p, json, "keyChange", NULL);
acme->api.v2.new_nonce = md_json_dups(acme->p, json, "newNonce", NULL);
- if (acme->api.v2.new_account && acme->api.v2.new_order
- && acme->api.v2.revoke_cert && acme->api.v2.key_change
+ /* RFC 8555 only requires "directory" and "newNonce" resources.
+ * mod_md uses "newAccount" and "newOrder" so check for them.
+ * But mod_md does not use the "revokeCert" or "keyChange"
+ * resources, so tolerate the absense of those keys. In the
+ * future if mod_md implements revocation or key rollover then
+ * the use of those features should be predicated on the
+ * server's advertised capabilities. */
+ if (acme->api.v2.new_account
+ && acme->api.v2.new_order
&& acme->api.v2.new_nonce) {
acme->version = MD_ACME_VERSION_2;
}

99
SPECS/mod_md.spec
View File

@ -1,99 +0,0 @@
# Module Magic Numberfa
%{!?_httpd_mmn: %global _httpd_mmn %(cat %{_includedir}/httpd/.mmn 2>/dev/null || echo 0-0)}
Name: mod_md
Version: 2.0.8
Release: 8%{?dist}
Summary: Certificate provisioning using ACME for the Apache HTTP Server
License: ASL 2.0
URL: https://icing.github.io/mod_md/
Source0: https://github.com/icing/mod_md/releases/download/v%{version}/mod_md-%{version}.tar.gz
# documentation
Source10: a2md.xml
Patch1: mod_md-2.0.8-state_dir.patch
Patch2: mod_md-2.0.8-duptrim-seg.patch
Patch3: mod_md-2.0.8-tolerate-missing-res.patch
BuildRequires: gcc
BuildRequires: pkgconfig, httpd-devel >= 2.4.37, openssl-devel >= 1.1.0, jansson-devel, libcurl-devel
BuildRequires: xmlto
Requires: httpd-mmn = %{_httpd_mmn}, mod_ssl >= 1:2.4.37-17
Conflicts: httpd < 2.4.37-17
Epoch: 1
%description
This module manages common properties of domains for one or more
virtual hosts. Specifically it can use the ACME protocol to automate
certificate provisioning. Certificates will be configured for managed
domains and their virtual hosts automatically, including at renewal.
%prep
%setup -q
%patch1 -p1 -b .state_dir
%patch2 -p1 -b .dup_trim
%patch3 -p1 -b .tol_missing_res
xmlto man $RPM_SOURCE_DIR/a2md.xml
%build
%configure
# remove rpath
sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
%make_build V=1
%check
%make_build check
%install
%make_install
rm -rf %{buildroot}/etc/httpd/share/doc/
# remove links and rename SO files
rm -f %{buildroot}%{_httpd_moddir}/mod_md.so
mv %{buildroot}%{_httpd_moddir}/mod_md.so.0.0.0 %{buildroot}%{_httpd_moddir}/mod_md.so
# create configuration
mkdir -p %{buildroot}%{_httpd_modconfdir}
echo "LoadModule md_module modules/mod_md.so" > %{buildroot}%{_httpd_modconfdir}/01-md.conf
# Install man pages
install -d $RPM_BUILD_ROOT%{_mandir}/man1
install -m 644 -p a2md.1 $RPM_BUILD_ROOT%{_mandir}/man1
%files
%doc README.md ChangeLog AUTHORS
%license LICENSE
%config(noreplace) %{_httpd_modconfdir}/01-md.conf
%{_httpd_moddir}/mod_md.so
%{_bindir}/a2md
%{_mandir}/man1/*
%changelog
* Thu May 28 2020 Lubos Uhliarik <luhliari@redhat.com> - 1:2.0.8-8
- Resolves: #1832844 - mod_md does not work with ACME server that does not
provide keyChange or revokeCert resources
* Wed Jan 22 2020 Lubos Uhliarik <luhliari@redhat.com> - 1:2.0.8-7
- Resolves: #1747912 - add a2md(1) documentation
* Mon Dec 09 2019 Lubos Uhliarik <luhliari@redhat.com> - 1:2.0.8-6
- Resolves: #1781263 - mod_md ACMEv1 crash
* Thu Oct 03 2019 Lubos Uhliarik <luhliari@redhat.com> - 1:2.0.8-5
- Resolves: #1747898 - add mod_md package
* Fri Aug 30 2019 Joe Orton <jorton@redhat.com> - 1:2.0.8-4
- require mod_ssl, update package description
* Fri Aug 30 2019 Joe Orton <jorton@redhat.com> - 1:2.0.8-3
- rebuild against 2.4.41
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.0.8-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Fri Jul 12 2019 Joe Orton <jorton@redhat.com> - 1:2.0.8-1
- update to 2.0.8
* Tue Jun 11 2019 Lubos Uhliarik <luhliari@redhat.com> - 2.0.3-1
- Initial import (#1719248).

12
SOURCES/mod_md-2.0.8-state_dir.patch → mod_md-2.0.8-state_dir.patch
View File

@ -1,21 +1,21 @@
Enable state_dir support for 2.4.x.
--- mod_md-2.0.8/src/mod_md_config.c.state_dir
+++ mod_md-2.0.8/src/mod_md_config.c
@@ -44,7 +44,7 @@
--- mod_md-2.2.6/src/mod_md_config.c.state_dir
+++ mod_md-2.2.6/src/mod_md_config.c
@@ -54,7 +54,7 @@
/* Default settings for the global conf */
static md_mod_conf_t defmc = {
NULL, /* list of mds */
-#if AP_MODULE_MAGIC_AT_LEAST(20180906, 2)
+#if 1
NULL, /* base dir by default state-dir-relative */
NULL, /* base dirm by default state-dir-relative */
#else
MD_DEFAULT_BASE_DIR,
@@ -898,7 +898,7 @@
@@ -1039,7 +1039,7 @@
mc->hsts_header = apr_psprintf(p, "max-age=%d", mc->hsts_max_age);
}
-#if AP_MODULE_MAGIC_AT_LEAST(20180906, 2)
+#if 1
if (mc->base_dir == NULL) {

94
mod_md-2.4.26-CVE-2025-55753.patch Normal file
View File

@ -0,0 +1,94 @@
From b00d19ea455f45376d5393aae60588915c59898e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
Date: Tue, 9 Dec 2025 16:08:47 +0100
Subject: [PATCH] * Increasing default `MDRetryDelay` to 30 seconds to
generate less bursty (#391)
traffic on errored renewals for the ACME CA. This leads to error retries
of 30s, 1 minute, 2, 4, etc. up to daily attempts.
* Checking that configuring `MDRetryDelay` will result in a positive
duration. A delay of 0 is not accepted.
---
README.md | 2 +-
src/md_cmd_main.c | 2 +-
src/md_status.c | 14 ++++++++++----
src/mod_md_config.c | 5 ++++-
4 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index b3b2a7e..03ec74c 100644
--- a/README.md
+++ b/README.md
@@ -2371,7 +2371,7 @@ files as usual.
## MDRetryDelay
`MDRetryDelay duration`
-Default: 5s
+Default: 30s
The delay on a failed renewal before the next attempt is done. This doubles on every consecutive error with a
cap of 24 hours, e.g. daily retries. Furthermore, the effective delay is randomly jiggled by +-50%. This is
diff --git a/src/md_cmd_main.c b/src/md_cmd_main.c
index 7e7d209..4329e28 100644
--- a/src/md_cmd_main.c
+++ b/src/md_cmd_main.c
@@ -186,7 +186,7 @@ static apr_status_t cmd_process(md_cmd_ctx *ctx, const md_cmd_t *cmd)
}
if (APR_SUCCESS != (rv = md_reg_create(&ctx->reg, ctx->p, ctx->store,
md_cmd_ctx_get_option(ctx, MD_CMD_OPT_PROXY_URL),
- ctx->ca_file, apr_time_from_sec(2), 10,
+ ctx->ca_file, apr_time_from_sec(15), 10,
0, apr_time_from_sec(5)))) {
fprintf(stderr, "error %d creating registry from store: %s\n", rv, ctx->base_dir);
return APR_EINVAL;
diff --git a/src/md_status.c b/src/md_status.c
index 936c653..8d7d173 100644
--- a/src/md_status.c
+++ b/src/md_status.c
@@ -589,10 +589,16 @@ apr_time_t md_job_delay_on_errors(md_job_t *job, int err_count, const char *last
delay = max_delay;
}
else if (err_count > 0) {
- /* back off duration, depending on the errors we encounter in a row */
- delay = job->min_delay << (err_count - 1);
- if (delay > max_delay) {
- delay = max_delay;
+ /* back off duration, depending on the errors we encounter in a row.
+ * As apr_time_t is signed, this might wrap around*/
+ int i;
+ delay = job->min_delay;
+ for (i = 0; i < (err_count - 1); ++i) {
+ delay <<= 1;
+ if ((delay <= 0) || (delay > max_delay)) {
+ delay = max_delay;
+ break;
+ }
}
}
if (delay > 0) {
diff --git a/src/mod_md_config.c b/src/mod_md_config.c
index 500f0dd..a13e00d 100644
--- a/src/mod_md_config.c
+++ b/src/mod_md_config.c
@@ -85,7 +85,7 @@ static md_mod_conf_t defmc = {
"https://crt.sh?q=", /* default cert checker site url */
NULL, /* CA cert file to use */
apr_time_from_sec(MD_SECS_PER_DAY/2), /* default time between cert checks */
- apr_time_from_sec(5), /* minimum delay for retries */
+ apr_time_from_sec(30), /* minimum delay for retries */
13, /* retry_failover after 14 errors, with 5s delay ~ half a day */
0, /* store locks, disabled by default */
apr_time_from_sec(5), /* max time to wait to obaint a store lock */
@@ -654,6 +654,9 @@ static const char *md_config_set_min_delay(cmd_parms *cmd, void *dc, const char
if (md_duration_parse(&delay, value, "s") != APR_SUCCESS) {
return "unrecognized duration format";
}
+ if (delay <= 0) {
+ return "minimum delay must be greater than 0";
+ }
config->mc->min_delay = delay;
return NULL;
}
--
2.44.0

168
mod_md.spec Normal file
View File

@ -0,0 +1,168 @@
# Module Magic Number
%{!?_httpd_mmn: %global _httpd_mmn %(cat %{_includedir}/httpd/.mmn 2>/dev/null || echo 0-0)}
# State directory
%{!?_httpd_statedir: %global _httpd_statedir %{_localstatedir}/lib/httpd}
Name: mod_md
Version: 2.4.26
Release: 4%{?dist}
Summary: Certificate provisioning using ACME for the Apache HTTP Server
License: Apache-2.0
URL: https://icing.github.io/mod_md/
Source0: https://github.com/icing/mod_md/releases/download/v%{version}/mod_md-%{version}.tar.gz
Patch1: mod_md-2.0.8-state_dir.patch
Patch2: mod_md-2.4.26-CVE-2025-55753.patch
BuildRequires: make, gcc
BuildRequires: pkgconfig, httpd-devel >= 2.4.41, openssl-devel >= 1.1.0, jansson-devel, libcurl-devel, xmlto
Requires: httpd-mmn = %{_httpd_mmn}, mod_ssl >= 1:2.4.41
Conflicts: httpd < 2.4.39-7
Epoch: 1
%description
This module manages common properties of domains for one or more
virtual hosts. Specifically it can use the ACME protocol to automate
certificate provisioning. Certificates will be configured for managed
domains and their virtual hosts automatically, including at renewal.
%prep
%autosetup -p1
%build
%configure --with-apxs=%{_httpd_apxs}
# remove rpath
sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
%make_build V=1
%check
%make_build check
%install
%make_install
rm -rf %{buildroot}/etc/httpd/share/doc/
# remove links and rename SO files
rm -f %{buildroot}%{_httpd_moddir}/mod_md.so
mv %{buildroot}%{_httpd_moddir}/mod_md.so.0.0.0 %{buildroot}%{_httpd_moddir}/mod_md.so
# create configuration and state directory
mkdir -p %{buildroot}%{_httpd_modconfdir} %{buildroot}%{_httpd_statedir}/md
echo "LoadModule md_module modules/mod_md.so" > %{buildroot}%{_httpd_modconfdir}/01-md.conf
%files
%doc README.md ChangeLog AUTHORS
%license LICENSE
%config(noreplace) %{_httpd_modconfdir}/01-md.conf
%{_httpd_moddir}/mod_md.so
%{_bindir}/a2md
%{_mandir}/man1/*
%dir %{_httpd_statedir}/md
%changelog
* Tue Dec 09 2025 Luboš Uhliarik <luhliari@redhat.com> - 1:2.4.26-4
- Resolves: RHEL-134483 - httpd: Apache HTTP Server: mod_md (ACME), unintended
retry intervals (CVE-2025-55753)
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1:2.4.26-3
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1:2.4.26-2
- Bump release for June 2024 mass rebuild
* Thu Jan 25 2024 Joe Orton <jorton@redhat.com> - 1:2.4.26-1
- update to 2.4.26
* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.4.25-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.4.25-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Tue Nov 28 2023 Joe Orton <jorton@redhat.com> - 1:2.4.25-1
- update to 2.4.25
* Mon Sep 11 2023 Luboš Uhliarik <luhliari@redhat.com> - 1:2.4.24-1
- new version 2.4.24
* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.4.21-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Thu Jun 01 2023 Luboš Uhliarik <luhliari@redhat.com> - 1:2.4.21-1
- new version 2.4.21
- SPDX migration
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.4.19-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Mon Dec 19 2022 Joe Orton <jorton@redhat.com> - 1:2.4.19-2
- package the "md" directory (#2154348)
* Thu Oct 6 2022 Joe Orton <jorton@redhat.com> - 1:2.4.19-1
- update to 2.4.19
* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.4.10-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.4.10-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Fri Dec 3 2021 Joe Orton <jorton@redhat.com> - 1:2.4.10-1
- update to 2.4.10
* Fri Sep 17 2021 Joe Orton <jorton@redhat.com> - 1:2.4.7-1
- update to 2.4.7
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 1:2.4.0-3
- Rebuilt with OpenSSL 3.0.0
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.4.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Tue Mar 9 2021 Joe Orton <jorton@redhat.com> - 1:2.4.0-1
- update to 2.4.0
* Tue Feb 2 2021 Joe Orton <jorton@redhat.com> - 1:2.3.7-1
- update to 2.3.7 (beta)
- use autosetup macro
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.2.8-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Fri Jan 22 2021 Joe Orton <jorton@redhat.com> - 1:2.2.8-4
- update to 2.2.8
* Fri Aug 28 2020 Joe Orton <jorton@redhat.com> - 1:2.2.7-4
- use _httpd_apxs macro
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.2.7-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jun 23 2020 Alexander Bokovoy <abokovoy@redhat.com> - 1:2.2.7-2
- mod_md does not work with ACME server that does not provide revokeCert or
keyChange resource (#1832841)
* Tue Feb 11 2020 Joe Orton <jorton@redhat.com> - 1:2.2.7-1
- update to 2.2.7
* Fri Feb 7 2020 Joe Orton <jorton@redhat.com> - 1:2.2.6-1
- update to 2.2.6 (#1799660)
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.0.8-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Fri Aug 30 2019 Joe Orton <jorton@redhat.com> - 1:2.0.8-4
- require mod_ssl, update package description
* Fri Aug 30 2019 Joe Orton <jorton@redhat.com> - 1:2.0.8-3
- rebuild against 2.4.41
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.0.8-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Fri Jul 12 2019 Joe Orton <jorton@redhat.com> - 1:2.0.8-1
- update to 2.0.8
* Tue Jun 11 2019 Lubos Uhliarik <luhliari@redhat.com> - 2.0.3-1
- Initial import (#1719248).

1
sources Normal file
View File

@ -0,0 +1 @@
SHA512 (mod_md-2.4.26.tar.gz) = 438d914684042356d80f2c04740051e9d2a8d1762c46c53bc4a96b25dc691e0034a7871ddf02cc40e075290a62413707926661fb707f19d9a06fc255ef9cc6c1