Bug 1832841 - mod_md does not work with ACME server that does not provide keyChange or revokeCert resources
Summary: mod_md does not work with ACME server that does not provide keyChange or revo...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: mod_md
Version: 31
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Luboš Uhliarik
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1832844
TreeView+ depends on / blocked
 
Reported: 2020-05-07 11:16 UTC by Fraser Tweedale
Modified: 2020-06-26 00:46 UTC (History)
3 users (show)

Fixed In Version: mod_md-2.2.7-2.fc32
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1832844 (view as bug list)
Environment:
Last Closed: 2020-06-26 00:46:25 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Fraser Tweedale 2020-05-07 11:16:53 UTC 
Problem and fix description per below commit message.
Upstream PR was already merged; commit is:
https://github.com/icing/mod_md/commit/38ff597f3ccb3c942e68701fb185c6a68f0708e4


RFC 8555 §7.1 states:

  The server MUST provide "directory" and "newNonce" resources.

But RFC 8555 makes no explicit statement anywhere whether other
resources are, or are not, required (with the exception of
"newAuthz" which is optional).

Therefore it is possible that some ACME server implementations may
omit some resources; in particular those that are not an essential
part of the "order" workflow.  Indeed, I am working with one such
server implementation, which does not at this time implement
"keyChange".  mod_md refuses to interact with this server because it
is checking that a certain set of resources are defined in the
directory object - despite some of those resources not currently
being used.

Update the check to require only "newNonce", "newAccount" and
"newOrder".  Omit from the check and therefore tolerate the absense
of resources which are not always required: "revokeCert" and
"keyChange".

If mod_md implements revocation and/or key rollover in the future,
the availability of those features should be predicated on the
server's advertised capabilities.
Comment 1 Alexander Bokovoy 2020-06-23 08:25:49 UTC 
I created a pull request that adds the patch: https://src.fedoraproject.org/rpms/mod_md/pull-request/1

Please consider merging, we need this to be able to consume FreeIPA ACME service.
Comment 2 Luboš Uhliarik 2020-06-23 10:31:49 UTC 
(In reply to Alexander Bokovoy from comment #1)
> I created a pull request that adds the patch:
> https://src.fedoraproject.org/rpms/mod_md/pull-request/1
> 
> Please consider merging, we need this to be able to consume FreeIPA ACME
> service.

Thanks Alexander for your PR. I've already merged it.
Comment 3 Alexander Bokovoy 2020-06-23 10:47:36 UTC 
Could you please get an update to F32 as well?
Comment 4 Fedora Update System 2020-06-23 11:38:01 UTC 
FEDORA-2020-213b890d4b has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-213b890d4b
Comment 5 Fedora Update System 2020-06-24 01:01:40 UTC 
FEDORA-2020-213b890d4b has been pushed to the Fedora 32 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-213b890d4b`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-213b890d4b

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 6 Fedora Update System 2020-06-26 00:46:25 UTC 
FEDORA-2020-213b890d4b has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.