icing/mod_md

Server alias names are not considered when searching renamed MDs

mkauf opened this issue · 6 comments

The alias names of a new virtual host are not considered for the detection of whether the new virtual host is actually an old virtual host that has been renamed (md_reg_sync_start() in md_reg.c). But the alias names should be considered if MDMembers auto is set.

The alias names are handled in auto_add_domains() in mod_md.c, but that's too late. md_reg_sync_start() is called earlier.

I'm not sure about the consequences of this bug... probably the only consequence is that mod_md sometimes requests a new certificate when it could use an existing one.

So, the scenario where this bites is a vhost changing its ServerName and keeping the previous name in ServerAlias? And the move detection does not catch this.

This would lead to the domain being subject to cert generation and give it a fallback cert until this succeeds, although a possibly working certificate is in the store.

I added test_md_702_033 in e5d131b for this situation. The rename detection is working.

Thank you for the test!

In this scenario, it does not work:

  • Old configuration: Virtual host with name "a", alias "b"
  • New configuration: This virtual host is renamed to "c", with aliases "a" and "b"

The code in md_reg_sync_start() searches using the name "c" so it does not find the MD of the old configuration.
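
To make the scenario above concrete, here is an added example (constructed for this thread, not mod_md's own code or data structures) that contrasts a name-only lookup with one that also considers the vhost's alias names; the md_t and vhost_t structs, the store and the lookup functions are all assumptions:

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Simplified, constructed models of an MD record and a vhost (not mod_md's structs). */
#define MAX_NAMES 4
typedef struct {
    const char *name;               /* primary domain of the MD */
    const char *domains[MAX_NAMES]; /* all covered names incl. aliases, NULL-terminated */
} md_t;

typedef struct {
    const char *server_name;        /* ServerName */
    const char *aliases[MAX_NAMES]; /* ServerAlias entries, NULL-terminated */
} vhost_t;

/* Behaviour described in the issue: match an existing MD on the primary name only. */
const md_t *find_by_name(const md_t *mds, size_t n, const vhost_t *vh) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(mds[i].name, vh->server_name) == 0) return &mds[i];
    return NULL;
}

static bool md_has_domain(const md_t *md, const char *d) {
    for (size_t i = 0; md->domains[i]; i++)
        if (strcmp(md->domains[i], d) == 0) return true;
    return false;
}

/* Alias-aware matching: treat the vhost as a rename of an MD when any of its
   names (ServerName or a ServerAlias) is already covered by that MD.
   Note: with overlapping MDs this returns the first hit; a real implementation
   would have to decide how to handle several candidates. */
const md_t *find_by_any_name(const md_t *mds, size_t n, const vhost_t *vh) {
    for (size_t i = 0; i < n; i++) {
        if (md_has_domain(&mds[i], vh->server_name)) return &mds[i];
        for (size_t j = 0; vh->aliases[j]; j++)
            if (md_has_domain(&mds[i], vh->aliases[j])) return &mds[i];
    }
    return NULL;
}

/* Constructed scenario from the thread: old MD "a" with alias "b"; the vhost is
   renamed to "c" and keeps "a" and "b" as aliases. */
static const md_t store[] = { { "a", { "a", "b", NULL } } };
static const vhost_t renamed = { "c", { "a", "b", NULL } };

const md_t *lookup_old_way(void)     { return find_by_name(store, 1, &renamed); }
const md_t *lookup_alias_aware(void) { return find_by_any_name(store, 1, &renamed); }
```

The name-only lookup returns no match (so a new certificate would be requested), while the alias-aware lookup finds the existing MD "a".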

Ah, ok. Well, I think I can live with the server getting a new cert then.

Yes, mod_md needs to get a new certificate. If it found the old MD, it could rename the directory md/domains/a to md/domains/c. Currently the directory md/domains/a just stays there, not used anymore, but that's a minor problem.

No change planned on this.