| Author |  | 
| Steffen Moderator
 
 
 Joined: 15 Oct 2005
 Posts: 3130
 Location: Hilversum, NL, EU
 
 | 
|  Posted: Mon 19 Mar '18 12:46    Post subject: mod_md 1.1.10 for 2.4.30+ |   |  
| 
 |  
| mod_md version 1.1.10 (in 2.4.33 it is 1.1.8)
 Solves the ApacheLounge reported issues with 1.1.8:
 
 https://www.apachelounge.com/viewtopic.php?p=36633
 
 http://www.apachelounge.com/viewtopic.php?p=36634
 
 download : Removed
 
 Applied fixes:
 
 http://svn.apache.org/viewvc?view=revision&sortby=date&revision=1827180
 
 http://svn.apache.org/viewvc?view=revision&sortby=date&revision=1827175
 
 The ASF is not including this fix in the current 2.4.33.
 
 Change log 1.1.10 over 1.1.8
 
 • fixes error in renew window calculation that may lead to mod_md running watchdog in a tight loop until actual renewal becomes necessary.
 • /.well-known/acme-challenge requests that cannot be answered for hostnames outside the configured MDs are free to be answered by other handlers. This allows co-existence between mod_md and other ACME clients on the same server (implements PR62189).
 • Removed boulder check from configure. Not everyone building the module needs it installed. Fixes #76.
 • Tests with boulder now need a master revision >= 2018-01-10 or you will see failures in the 0800 tests.
 • Updated with log format fixes and copyright ASF insistence from apache httpd trunk
 
 Last edited by Steffen on Tue 20 Mar '18 17:54; edited 1 time in total
 |  | 
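The co-existence case from the 1.1.10 change log, as an added configuration sketch that is not from this thread or from the mod_md project: one hostname is managed by mod_md, a second is left to an external ACME client that answers http-01 challenges from a webroot. The example.com hostnames, the C:/ paths and the module list are assumptions; the `MDCertificateAgreement` value is the Let's Encrypt subscriber agreement URL of that period.

```apache
# Constructed example: hostnames and paths are placeholders.
# Fragment for an existing httpd.conf that already has its Listen lines.
LoadModule watchdog_module modules/mod_watchdog.so
LoadModule ssl_module      modules/mod_ssl.so
LoadModule md_module       modules/mod_md.so

# Only this name is a Managed Domain; mod_md answers its challenges itself.
MDomain ftp.example.com
MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf

<VirtualHost *:80>
    ServerName ftp.example.com
</VirtualHost>

<VirtualHost *:443>
    ServerName ftp.example.com
    SSLEngine on
    # No SSLCertificateFile here: mod_md supplies the certificate.
</VirtualHost>

# Not part of any MDomain. With 1.1.10 mod_md leaves challenge requests for
# this host to the normal handlers, so the external client's token is served
# from the webroot below.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot "C:/Apache24/htdocs/www"
    Alias "/.well-known/acme-challenge/" "C:/acme/webroot/.well-known/acme-challenge/"
    <Directory "C:/acme/webroot/.well-known/acme-challenge/">
        # Challenge tokens are public by design; expose nothing else here.
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
```

A quick check after a restart is to place a test file in the webroot and request it over plain HTTP on the non-managed hostname; it should be returned as-is, and an unknown token should give a plain Not Found.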
| Steffen Moderator
 
 
 Joined: 15 Oct 2005
 Posts: 3130
 Location: Hilversum, NL, EU
 
 | 
|  Posted: Tue 20 Mar '18 12:50    Post subject: |   |  
| 
 |  
| Still not ok with the .well-known dir:
 Chrome:
 This site can’t be reached
 ERR_SPDY_PROTOCOL_ERROR
 
 IE:
 This page can’t be displayed
 
 
 With 1.1.8 it was:
 
 Just a Not Found
 |  | 
| pbhq 
 
  
 Joined: 17 Mar 2013
 Posts: 37
 Location: Germany
 
 | 
|  Posted: Tue 20 Mar '18 17:49    Post subject: |   |  
| 
 |  
| Steffen wrote: | Still not ok with the .well-known dir:
 | 
 
 Yes, unfortunately I can confirm that.
 
 But with Firefox, I have an interesting effect:
 
 - I test with ftp.pbhq.com (mod_md) and have access
 - I test with www.pbhq.com (LE/ACME) and sometimes I have one-time access
 
 It basically does not work with other LE/ACME domains and WGET/IE/etc. Well, a little strange.
  |  | 
| Steffen Moderator
 
 
 Joined: 15 Oct 2005
 Posts: 3130
 Location: Hilversum, NL, EU
 
 | 
|  Posted: Tue 20 Mar '18 17:51    Post subject: |   |  
| 
 |  
| And the watchdog loop ? |  | 
| pbhq 
 
  
 Joined: 17 Mar 2013
 Posts: 37
 Location: Germany
 
 | 
|  Posted: Tue 20 Mar '18 18:00    Post subject: |   |  
| 
 |  
|  	  | Steffen wrote: |  	  | And the watchdog loop ? | 
 
 The problem with the watchdog loop has resolved itself after a few days (2-3). No idea why ...
 
 Next weekend, a Renew would have to queue again (per "84d" config)
 |  | 
| admin Site Admin
 
  
 Joined: 15 Oct 2005
 Posts: 706
 
 
 | 
|  Posted: Thu 22 Mar '18 18:16    Post subject: |   |  
| 
 |  
| Fingers crossed. |  | 
| pbhq 
 
  
 Joined: 17 Mar 2013
 Posts: 37
 Location: Germany
 
 | 
|  Posted: Sun 25 Mar '18 13:28    Post subject: |   |  
| 
 |  
|  	  | admin wrote: |  	  | Fingers crossed. | 
 
 So, yesterday was the magic day (85d) ...

 ...

 ...

 ...

 ...

 ... and the Renew per watchdog worked without any problems!
 
 Today the server was restarted via MDNotifyCMD successfully, but already after 23h and not after 24h (according to documentation). Ok, the error can now find another user, but not Stefan
     
 What I personally do not understand with Renew, why mod_MD requests two different certificates, one yesterday (in the staging area), the other today, which is probably used. Anyway, it worked.
 |  | 
| admin Site Admin
 
  
 Joined: 15 Oct 2005
 Posts: 706
 
 
 | 
|  Posted: Mon 26 Mar '18 15:57    Post subject: |   |  
| 
 |  
| So we have the first success story on windows. Was a long way. |  | 
| pbhq 
 
  
 Joined: 17 Mar 2013
 Posts: 37
 Location: Germany
 
 | 
|  Posted: Mon 26 Mar '18 17:31    Post subject: |   |  
| 
 |  
|  	  | admin wrote: |  	  | So we have the first success story on windows. Was a long way. | 
 
 But actually Peanuts, if I see against it, how to restart the Apache with MDNotifyCMD under Windows.
 
 The short version: In the absence of the lack of rights of the Apache service, this just does not work, even with the usual tricks for extending the rights.
 
 For me, the restart works, but here are 3 accounts involved.
  |  | 
| bagu 
 
  
 Joined: 06 Jan 2011
 Posts: 193
 Location: France
 
 | 
|  Posted: Tue 27 Mar '18 10:05    Post subject: |   |  
| 
 |  
| I use this : 
 
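 | Code: |
 @ECHO OFF
 :: Run the commands as administrator

 REM --> Check permissions (cacls on this file only succeeds when elevated)
 >nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"

 REM --> Non-zero errorlevel: we do not have admin rights
 if '%errorlevel%' NEQ '0' (
 echo Checking administrator privileges
 goto UACPrompt
 ) else ( goto gotAdmin )

 :UACPrompt
 REM Write a small VBScript that relaunches this script elevated ("runas")
 echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
 REM No spaces around "=": "set params = ..." defines a variable named "params "
 REM and leaves %params% empty, so the arguments were never passed on
 set "params=%*"
 REM Double any quotes so the arguments survive inside the VBScript string
 if defined params set "params=%params:"=""%"
 echo UAC.ShellExecute "%~s0", "%params%", "", "runas", 1 >> "%temp%\getadmin.vbs"

 "%temp%\getadmin.vbs"
 exit /B

 :gotAdmin
 REM Elevated: remove the helper script and switch to this script's directory
 if exist "%temp%\getadmin.vbs" ( del "%temp%\getadmin.vbs" )
 pushd "%CD%"
 CD /D "%~dp0"

 Net stop Apache2.4

 REM Kill any leftover zombie php-cgi.exe processes when PHP runs under mod_fcgid
 taskkill /F /T /IM php-cgi*

 Net start Apache2.4
 | 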
 
 To restart apache with admin rights.
 |  | 
| pbhq 
 
  
 Joined: 17 Mar 2013
 Posts: 37
 Location: Germany
 
 | 
|  Posted: Sun 01 Apr '18 17:04    Post subject: |   |  
| 
 |  
|  	  | bagu wrote: |  	  | I use this : 
 goto UACPrompt
 
 | 
 
 I'm talking about the automatic restart of Apache from the MDNotifyCMD function. This does not work because the necessary rights are missing as a service and these rights can not be acquired with the usual tricks (RunAs, SCHTASKS, etc.)
  |  | 
| bagu 
 
  
 Joined: 06 Jan 2011
 Posts: 193
 Location: France
 
 | 
|  Posted: Mon 02 Apr '18 21:55    Post subject: |   |  
| 
 |  
| MDNotifyCMD function launches the .bat which has the code I wrote (which restarts Apache with admin rights and bypasses the UAC prompt with my config of UAC).
 With this solution, Apache restarts well on my server.
 Maybe I don't understand what you expect.
 |  | 