mod_md authoritative for disabled challenge types
CursedDevelopment opened this issue · 2 comments
We're exclusively using MDCAChallenges dns-01 on our edge servers (Apache httpd 2.4.52). Simultaneously, they are acting as a reverse proxy for an email server system which itself is also trying to issue certificates using http-01 (non-mod_md) to be used for its TLS-enabled services (SMTPS, IMAPS, ...). In our case these certificates overlap with wildcard certificates that have previously been issued on the edge servers through mod_md, which may or may not complicate things.
Sadly, mod_md is eagerly capturing requests it isn't configured to handle (disabled http-01 challenge type). This causes mod_md to trigger a 404 response via
mod_md.c(1367): (2)No such file or directory: [client x.x.x.x:x] loading challenge for x.y.z (/.well-known/acme-challenge/random_code)
instead of having these requests be processed by the proxied remote server which does serve the files.
Going over the documentation, I couldn't find a way to make this scenario work. Ideally, mod_md shouldn't capture/respond to requests it isn't configured to handle.
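To make the reported setup concrete, the following is an illustrative httpd configuration added to this page; it is not from the issue, the reporter, or the mod_md project. Hostnames, the backend address, module paths and the dns-01 hook script path are placeholders. It shows the edge host obtaining a wildcard certificate via mod_md with dns-01 as the only enabled challenge type, while the mail host's /.well-known/acme-challenge/ path is reverse-proxied to the mail server that runs its own http-01 client.

```apache
# Illustrative configuration, not taken from the issue or from mod_md itself.
# All hostnames, addresses and paths below are placeholders.
LoadModule md_module         modules/mod_md.so
LoadModule ssl_module        modules/mod_ssl.so
LoadModule watchdog_module   modules/mod_watchdog.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# mod_md: only dns-01 is enabled; http-01 and tls-alpn-01 are deliberately
# left out, so mod_md has no business answering http-01 challenge requests.
MDCertificateAgreement accepted
MDContactEmail hostmaster@example.org
MDCAChallenges dns-01
# placeholder hook script that publishes/removes the _acme-challenge TXT record
MDChallengeDns01 /usr/local/bin/acme-dns-hook
# wildcard MD; it also covers mail.example.org, which is the overlap the
# reporter describes
MDomain example.org *.example.org

<VirtualHost *:443>
    ServerName mail.example.org
    # certificate and key are supplied by mod_md for the MD above
    SSLEngine on
    ProxyPreserveHost On
    ProxyPass        "/" "http://mail-backend.internal:80/"
    ProxyPassReverse "/" "http://mail-backend.internal:80/"
</VirtualHost>

<VirtualHost *:80>
    ServerName mail.example.org
    # The mail server's own http-01 client expects these requests to reach it.
    # As reported in the issue, mod_md answered them with 404 itself even
    # though http-01 is not listed in MDCAChallenges; with the fix, requests
    # for a domain that is not available for http-01 are left to the proxy.
    ProxyPreserveHost On
    ProxyPass        "/.well-known/acme-challenge/" "http://mail-backend.internal:80/.well-known/acme-challenge/"
    ProxyPassReverse "/.well-known/acme-challenge/" "http://mail-backend.internal:80/.well-known/acme-challenge/"
</VirtualHost>
```

A quick way to confirm which side is answering is to request a token path on port 80 for mail.example.org and watch the httpd error log: the "loading challenge for ... (/.well-known/acme-challenge/...)" message quoted in the issue means mod_md handled the request itself, whereas a response produced by the backend (and a matching access-log line on the mail server) means the request was proxied as intended.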
A valid point. So far, it was only checked if the domain was handled. I added a test and fixed the behaviour so that requests to /.well-known/acme-challenge resources are no longer tampered with if the domain is not available for http-01 challenges.
Updated our environment with your patch and can confirm that it works perfectly. Thank you so much!