
I want to enable OCSP stapling with mod_md on my Debian 10 server with Apache httpd. I have enabled the module, and the command `MDomain example.org` is understood, but the example

```apache
<MDomain mydomain.net>
  MDStapling on
</MDomain>
```

yields an error "Invalid command '<MDomain', perhaps misspelled or defined by a module not included..." when starting apache2. And if I just keep `MDStapling on`, I get an error "Invalid command 'MDStapling', perhaps misspelled or defined by a module not included...".

If I do not enable the mod_md module, I get an error on the command `MDomain example.org`. Thus the fact that the command is understood shows that this module has been loaded.

Note: the suggestion to use mod_md comes from this comment of Apache bug 57121.

vinc17

1 Answer


It seems that in older versions of mod_md you have to use: <MDomainSet> if you make it a container directive. OCSP stapling however only made its appearance in mod_md version 2.1.0 and can only be used with mod_ssl from Apache 2.4.41 and higher.

Apache 2.4.30 upstream included mod_md 1.1.8 in the base build.

Current Buster stable Apache is derived from 2.4.38 and should contain mod_md 1.1.17. But that is only fit for the ACME v1 protocol, so even if you can get it to work, it would be useless when Letsencrypt stops handling ACME v1 domain validations in June of 2020. Already you can't use it for registering new accounts.

Apache 2.4.41 included a preparing change for callbacks in mod_ssl that would allow OCSP stapling from other providers like mod_md. But mod_md was still included in version 2.0.8, which was the best available version at the moment. This version is available in buster-backports, although I don't know if that build enabled this module. It wouldn't support OCSP stapling however. https://packages.debian.org/buster-backports/apache2-bin

Current versions of mod_md: https://github.com/icing/mod_md

Please also upvote this bug if you can; I have voted for it and also for the one you referred to: https://bz.apache.org/bugzilla/show_bug.cgi?id=60182

Gerrit
  • Thanks. This is confusing because the current [mod_md documentation from Apache 2.4](http://httpd.apache.org/docs/2.4/en/mod/mod_md.html) says "Available in version 2.4.30 and later". But it does not say that some directives need a more recent version than 2.4.30. – vinc17 Mar 17 '20 at 15:51
  • My mistake also. I edited the chronology of my answer to correct it. It was included in 2.4.30 base upstream, but in 2.4.41 they made a preparing change that is used in mod_md 2.2+ for OCSP stapling other domains. – Gerrit Mar 17 '20 at 16:24
  • Any idea how to find out what version of `mod_md` I'm using? I'm currently checking strings in mod_md.so to try to find something... – EML Jun 26 '22 at 09:48
  • That info is not a stripped binary. What does `readelf -s` give you? Does it show a `md_ocsp_get_stapling_status` entry? – Gerrit Jun 27 '22 at 21:33
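The version and symbol checks this thread circles around, as an added shell example that is not part of the question, answer or comments. It assumes the thresholds stated above (httpd 2.4.41 for the mod_ssl callback change, `md_ocsp_get_stapling_status` as the symbol to look for in mod_md.so) and works on constructed sample output so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the question, answer or comments above. It
# reproduces the two checks the thread points at, offline: is the running
# httpd new enough (2.4.41+) for mod_ssl to hand OCSP stapling to mod_md,
# and does the installed mod_md.so export md_ocsp_get_stapling_status, the
# symbol the last comment suggests looking for. All sample outputs below
# are constructed; on a real host feed in the real command output instead.

# httpd_supports_md_stapling "$(apache2 -v)"
# Returns 0 when the version is >= 2.4.41, 1 when older, 2 when unparsable.
httpd_supports_md_stapling() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*Apache\/\([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$rest" in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
    patch=${patch%%.*}
    patch=${patch:-0}
    [ "$major" -gt 2 ] && return 0
    [ "$major" -eq 2 ] && [ "$minor" -gt 4 ] && return 0
    [ "$major" -eq 2 ] && [ "$minor" -eq 4 ] && [ "$patch" -ge 41 ] && return 0
    return 1
}

# md_module_loaded "$(apache2ctl -M 2>/dev/null)"
# Returns 0 when md_module is in the loaded-module list (lines start with a space).
md_module_loaded() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*md_module[[:space:]]'
}

# mod_md_has_ocsp_symbol "$(readelf -s /usr/lib/apache2/modules/mod_md.so)"
# Returns 0 when the symbol table contains md_ocsp_get_stapling_status.
mod_md_has_ocsp_symbol() {
    printf '%s\n' "$1" | grep -qw 'md_ocsp_get_stapling_status'
}

# Constructed samples standing in for the real command output on Buster.
SAMPLE_VERSION='Server version: Apache/2.4.38 (Debian)'
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 md_module (shared)'
SAMPLE_SYMBOLS='    12: 0000000000004a10    96 FUNC    GLOBAL DEFAULT   11 md_reg_init'

httpd_supports_md_stapling "$SAMPLE_VERSION" && echo "httpd: new enough" || echo "httpd: too old for mod_md stapling"
md_module_loaded "$SAMPLE_MODULES" && echo "mod_md: loaded" || echo "mod_md: not loaded"
mod_md_has_ocsp_symbol "$SAMPLE_SYMBOLS" && echo "mod_md: stapling symbol present" || echo "mod_md: no stapling symbol"
```

With the constructed Buster sample this reports a loaded mod_md on an httpd that is too old and a build without the stapling symbol, which is the situation the answer describes.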