V2Design
The next version of mod_md will have two major new features:
- ACMEv2 (wildcards, tls-alpn challenge)
- OCSP Stapling (alternative to mod_ssl)
This page describes what the features will mean for the users of Apache httpd. You are encouraged to give feedback on them in the issues I created for ACMEv2 and OCSPv2.
Version 1 of mod_md uses version 1 of the ACME protocol. That is the version that Let's Encrypt (LE) started with, and it existed before the standardisation of ACME at the IETF in RFC 8555. The standard became known as ACMEv2.
There are subtle differences between the protocols where mod_md needs to adapt. From a user's point of view they are not very relevant, however:
- wildcard certificates from Let's Encrypt are only available via ACMEv2.
- TLS challenges are also only available in ACMEv2.
Let's Encrypt has offered wildcard certificates since January 2018, but only via ACMEv2 and only when the challenge dns-01 is used. This is not really a protocol restriction but a policy of LE. Other CAs could handle that differently, but for LE it is so.
The challenge method dns-01 requires, as the name cleverly implies, that you prove ownership of the domain in question via the DNS system. A sub-record of the domain needs to show a specific challenge value (which varies every time). Apache mod_md will provide a way for you to configure a command for this. It will be invoked with setup or teardown, the domain name and the challenge value. Some DNS providers have already started to offer APIs for such manipulations; you have to ask them about this.
Or you may run your own DNS server. There are blogs on how to set this up only for your ACME challenges. Google and duckduckgo are your friends.
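As an added illustration of the command interface sketched above (example code, not mod_md's own), here is a POSIX sh hook that handles `setup` and `teardown` by maintaining a local zone fragment for the `_acme-challenge.<domain>` TXT record that RFC 8555 prescribes for dns-01. The exact argument order, the record name and the fragment path are assumptions, since the page only sketches the interface.

```shell
#!/bin/sh
# Hypothetical dns-01 hook for the mod_md command interface (added example,
# not mod_md's own code). Assumed calling convention:
#   hook setup    <domain> <challenge-value>
#   hook teardown <domain> [<challenge-value>]
# Instead of talking to a DNS provider API it maintains a local zone fragment,
# one TXT record per line, which an authoritative name server would include.

ZONE_FRAGMENT="${ZONE_FRAGMENT:-/tmp/acme-challenges.zone}"

# The record name RFC 8555 prescribes for dns-01: _acme-challenge.<domain>
record_line() {
    printf '_acme-challenge.%s. 60 IN TXT "%s"\n' "$1" "$2"
}

# Only accept inputs that cannot break out of the record syntax: hostnames and
# the base64url token ACME uses for the challenge value. Never interpolate
# unchecked input into a zone file or a provider API call.
valid_domain() { case "$1" in ''|*[!A-Za-z0-9.-]*|.*|*.|*..*) return 1;; esac; }
valid_value()  { case "$1" in ''|*[!A-Za-z0-9_-]*) return 1;; esac; }

dns01_hook() {
    action=$1 domain=$2 value=$3
    valid_domain "$domain" || { echo "hook: bad domain '$domain'" >&2; return 2; }
    touch "$ZONE_FRAGMENT"
    tmp="$ZONE_FRAGMENT.$$.tmp"
    case "$action" in
    setup)
        valid_value "$value" || { echo "hook: bad challenge value" >&2; return 2; }
        line=$(record_line "$domain" "$value")
        # Idempotent: a retried setup for the same value adds nothing.
        grep -qxF -- "$line" "$ZONE_FRAGMENT" || printf '%s\n' "$line" >>"$ZONE_FRAGMENT"
        ;;
    teardown)
        # Drop every challenge record of this domain; the value may not be passed.
        awk -v p="_acme-challenge.$domain. " 'index($0, p) != 1' "$ZONE_FRAGMENT" >"$tmp" \
            && mv "$tmp" "$ZONE_FRAGMENT"
        ;;
    *)
        echo "usage: $0 setup|teardown <domain> [<value>]" >&2; return 2
        ;;
    esac
    # A real hook would now have the name server reload the zone and wait until
    # the record is visible before returning, so that the CA's lookup succeeds.
}

# Report the challenge values currently published for a domain.
published_values() {
    awk -v p="_acme-challenge.$1. " 'index($0, p) == 1 { gsub(/"/, "", $NF); print $NF }' "$ZONE_FRAGMENT"
}

if [ "$#" -gt 0 ]; then dns01_hook "$@"; fi
```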