All the Things Promised [to MOSS]
A status report.
With the release of version v2.2.2, the project sponsored by the beautiful people at MOSS, Mozilla's Open Source Support, has been concluded. You will soon see the result appear in various releases, such as Fedora and Debian unstable. What can you expect? How does this benefit you? Three things: Real ACME, Safer Stapling and Easy Monitoring.
Real ACME
The ACME standard (RFC 8555), which Let's Encrypt (LE) initiated and uses, is replacing its proprietary predecessor. There is no gentle nudging: LE has started to shut down its old API, and new accounts can no longer be registered there. In 2020, expect this API to fade away.
Nowadays you need at least Apache 2.4.41 to use its built-in (real) ACME support; that release ships a modern mod_md. You may also install newer versions from GitHub into such an Apache. Some distributions, such as Fedora, are already integrating these.
Expect the ACME standard to enjoy longer-term support than its proprietary predecessor; other CAs are picking it up as well. But development of the internet's security infrastructure will never stop, of course.
Safer Stapling (OCSP)
If you use https: certificates in your server (and according to Firefox telemetry, that is more than 80% of requests today), your server needs to provide OCSP stapling information to clients.
Or at least it should. It is good for site performance. Apache has provided support for this for a long time already, with the SSLStapling* directives in the mod_ssl module.
This stapling support works, but has drawbacks. The main one is that it ties your site "live" to the OCSP responders of the CA you got your certificates from: a downtime of those servers might take yours offline as well. This is either a nuisance or a security/financial risk, depending on your site.
With the new mod_md you are offered an alternative: a second OCSP stapling implementation which is resilient against such outages. For Let's Encrypt certificates, it will protect your site against outages that last more than a day. You may configure more.
It persists OCSP stapling information, making it available again after a server restart, and refreshes it ahead of time. By default, it retrieves new OCSP data when 33% of the response's lifetime is left. This is configurable.
Easy Monitoring
The new mod_md offers you different ways to supervise your certificates and stapling: HTML page, JSON views and notifications.
Apache's "server-status" page now gives you sections about certificates and stapling as well: two HTML tables where all the things managed by mod_md can be seen at a glance in your browser. You'll know what is valid, when renewals are planned, and can observe the status of ongoing activities.
If you want to write scripts processing this, there are now JSON views with all details. This should make it easy to integrate the information into any control panel for your server/network (see the md-status handler).
In addition, the module will run a configurable command of yours on certain events: a certificate was renewed, stapling was refreshed, an error was encountered, etc. See MDMessageCmd for details.
If you have only a few domains to manage, you may do as I do and let Apache send you a mail about it. If you have a larger host/network, you probably already have a monitoring framework which you could feed these into.
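As an added example (not part of this post or of mod_md itself), here is a script you could point MDMessageCmd at: mod_md calls it with the event reason as first argument and the domain as second, and the script maps the reason to a severity, appends a log line, and mails warnings and errors. The reason names are assumed from the mod_md documentation, and the log path and mail recipient are placeholders.

```shell
#!/bin/sh
# Handler for Apache's MDMessageCmd directive, e.g. in httpd.conf:
#   MDMessageCmd /usr/local/bin/md-message.sh
# mod_md invokes it as:  md-message.sh <reason> <domain>

# Placeholder log path; override through the environment.
MD_LOG="${MD_LOG:-/var/log/httpd/md-events.log}"

# Map a mod_md reason to a severity for the monitoring side.
# Reason names are assumed from the mod_md docs; unknown ones return 1.
md_severity() {
    case "$1" in
        renewed|installed|ocsp-renewed) echo "info" ;;
        expiring)                       echo "warning" ;;
        errored|ocsp-errored)           echo "critical" ;;
        *)                              echo "unknown"; return 1 ;;
    esac
}

# Build one log line: UTC timestamp, severity, reason, domain.
md_event_line() {
    reason="$1"; domain="$2"
    sev=$(md_severity "$reason") || true
    printf '%s %s reason=%s domain=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$sev" "$reason" "$domain"
}

# Entry point when httpd calls us: log every event, mail the bad ones.
md_handle() {
    line=$(md_event_line "$1" "$2")
    echo "$line" >> "$MD_LOG"
    sev=$(md_severity "$1") || sev="unknown"
    case "$sev" in
        critical|warning)
            # Replace with your alerting tool; mail suits a handful of domains.
            if command -v mail >/dev/null 2>&1; then
                echo "$line" | mail -s "mod_md: $1 $2" root
            fi
            ;;
    esac
}

# Only act when invoked with arguments; sourcing the file does nothing.
if [ "$#" -ge 2 ]; then
    md_handle "$1" "$2"
fi
```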
Conclusions
I am very grateful to the people at MOSS for sponsoring this project. They are a pleasure to work with. Should you have an idea on how to improve internet security or accessibility, do not hesitate to ask them for support!
Last, but not least, I'd like to thank all the people that helped test and develop mod_md over the years: Alvaro Octal, Bernard Spil, Daniel Caminada, Jacob Hoffman-Andrews, Joe Orton, Josh Soref, Lubos Uhliarik, Michael Kaufmann, Michael Köller, Michal Karm Babacek and Steffen from Apache Lounge.
Cheers,
Stefan Eissing