diff --git a/changes-entries/alias-preserve-path.txt b/changes-entries/alias-preserve-path.txt
new file mode 100644
index 00000000000..30eb4df3816
--- /dev/null
+++ b/changes-entries/alias-preserve-path.txt
@@ -0,0 +1,3 @@
+  *) mod_alias: Add AliasPreservePath directive to map the full
+     path after the alias in a location. [Graham Leggett]
+
diff --git a/changes-entries/md_v2.4.23.txt b/changes-entries/md_v2.4.23.txt
new file mode 100644
index 00000000000..736e0c5c684
--- /dev/null
+++ b/changes-entries/md_v2.4.23.txt
@@ -0,0 +1,14 @@
+ * mod_md:
+   - New directive `MDMatchNames all|servernames` to allow more control over how
+     MDomains are matched to VirtualHosts.
+   - New directive `MDChallengeDns01Version`. Setting this to `2` will provide
+     the command also with the challenge value on `teardown` invocation. In version
+     1, the default, only the `setup` invocation gets this parameter.
+     Refs #312. Thanks to @domrim for the idea.
+   - For Managed Domain in "manual" mode, the checks if all used ServerName and
+     ServerAlias are part of the MDomain now reports a warning instead of an error
+     (AH10040) when not all names are present.
+   - MDChallengeDns01 can now be configured for individual domains.
+     Using PR from Jérôme Billiras (@bilhackmac) and adding test case and fixing proper working
+   - Fixed a bug found by Jérôme Billiras (@bilhackmac) that caused the challenge
+     teardown not being invoked as it should.
diff --git a/docs/log-message-tags/next-number b/docs/log-message-tags/next-number
index ab2acdaf2df..6cea8e27cd7 100644
--- a/docs/log-message-tags/next-number
+++ b/docs/log-message-tags/next-number
@@ -1 +1 @@
-10473
+10474
diff --git a/docs/manual/mod/mod_alias.xml b/docs/manual/mod/mod_alias.xml
index 3ca3a7f0495..463c1eddf8c 100644
--- a/docs/manual/mod/mod_alias.xml
+++ b/docs/manual/mod/mod_alias.xml
@@ -194,6 +194,24 @@ Alias "/image" "/ftp/pub/image"
 </LocationMatch>
     </highlight>
 
+    <p>Note that when the <directive>AliasPreservePath</directive>
+    directive is on, the full path is mapped to the destination. When
+    the directive is off, all URLs are mapped to the single target
+    URL.</p>
+
+    <highlight language="config">
+# /files/foo and /files/bar mapped to /ftp/pub/files/foo and /ftp/pub/files/bar
+&lt;Location "/files"&gt;
+    AliasPreservePath on
+    Alias "/ftp/pub/files"
+&lt;/Location&gt;
+# /errors/foo and /errors/bar mapped to /var/www/errors.html
+&lt;Location "/errors"&gt;
+    AliasPreservePath off
+    Alias "/var/www/errors.html"
+&lt;/Location&gt;
+    </highlight>
+
 </usage>
 </directivesynopsis>
 
@@ -641,5 +659,30 @@ ScriptAliasMatch "(?i)^/cgi-bin(.*)" "/usr/local/apache/cgi-bin$1"
 </usage>
 </directivesynopsis>
 
+<directivesynopsis>
+<name>AliasPreservePath</name>
+<description>Map the full path after the alias in a location.</description>
+<syntax>AliasPreservePath OFF|ON</syntax>
+<default>AliasPreservePath OFF</default>
+<contextlist><context>server config</context><context>virtual host</context>
+<context>directory</context>
+</contextlist>
+<compatibility>2.5.1 and later</compatibility>
+
+<usage>
+    <p>When using the two parameter version of the
+    <directive>Alias</directive> directive, the full path after the alias
+    is preserved. When using the one parameter version of the
+    <directive>Alias</directive> directive inside a
+    <directive>Location</directive> directive, the full path is dropped,
+    and all URLs are mapped to the target expression.</p>
+
+    <p>To make the one parameter version of the
+    <directive>Alias</directive> directive preserve paths in the same way
+    that the two parameter version of the <directive>Alias</directive>
+    directive, enable this setting.</p>
+
+</usage>
+</directivesynopsis>
 
 </modulesynopsis>
diff --git a/docs/manual/mod/mod_md.xml b/docs/manual/mod/mod_md.xml
index 454cb7fff4e..3a6014bcf11 100644
--- a/docs/manual/mod/mod_md.xml
+++ b/docs/manual/mod/mod_md.xml
@@ -1033,7 +1033,9 @@ MDRequireHttps permanent
             <p>
                 Define a program to be called when the `dns-01` challenge needs to be setup/torn down. 
                 The program is given the argument `setup` or `teardown` followed by the domain name. 
-                For `setup` the challenge content is additionally given.
+                For `setup` the challenge content is additionally given. When
+                <directive module="mod_md">MDChallengeDns01Version</directive> is set to 2,
+                the `teardown` also gets the challenge content as argument.
             </p><p>
                 You do not need to specify this, as long as a 'http:' or 'https:' challenge
                 method is possible. However, Let's Encrypt makes 'dns-01' the only
@@ -1462,4 +1464,52 @@ MDMessageCmd /etc/apache/md-message
         </usage>
     </directivesynopsis>
 
+    <directivesynopsis>
+        <name>MDChallengeDns01Version</name>
+        <description></description>
+        <syntax>MDChallengeDns01Version 1|2</syntax>
+        <default>MDChallengeDns01Version 1</default>
+        <contextlist>
+            <context>server config</context>
+        </contextlist>
+        <compatibility>Available in version 2.4.58 and later</compatibility>
+        <usage>
+            <p>
+                Set the way MDChallengeDns01 command is invoked, e.g the number and
+                types of arguments. See <directive module="mod_md">MDChallengeDns01</directive>
+                for the differences.
+                This setting is global and cannot be varied per domain.
+            </p>
+        </usage>
+    </directivesynopsis>
+
+    <directivesynopsis>
+        <name>MDMatchNames</name>
+        <description></description>
+        <syntax>MDMatchNames all|servernames</syntax>
+        <default>MDMatchNames all</default>
+        <contextlist>
+            <context>server config</context>
+        </contextlist>
+        <compatibility>Available in version 2.4.58 and later</compatibility>
+        <usage>
+            <p>
+                The mode `all` is the behaviour as in all previous versions. Both ServerName
+                and ServerAlias are inspected to find the MDomain matching a VirtualHost.
+                This automatically detects coverage, even when you only have added
+                one of the names to an MDomain.
+            </p><p>
+                However, this auto-magic has drawbacks in more complex setups. If you set
+                this directive to `servernames`, only the ServerName of a virtual host is
+                used for matching. ServerAliases are disregarded then, for matching.
+                Aliases will still be added to the certificate obtained, unless you also
+                run `MDMembers manual`.
+            </p><p>
+                Another advantage of `servernames` is that it gives you more flexibility
+                with sub-domains and wildcards. You can define one MDomain with a wildcard
+                and have other MDomains for specific sub-domain names.
+            </p>
+        </usage>
+    </directivesynopsis>
+
 </modulesynopsis>
diff --git a/docs/manual/mod/mod_md.xml.fr b/docs/manual/mod/mod_md.xml.fr
index 9217e5ed681..98d76c15773 100644
--- a/docs/manual/mod/mod_md.xml.fr
+++ b/docs/manual/mod/mod_md.xml.fr
@@ -2,7 +2,7 @@
 <!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
 <?xml-stylesheet type="text/xsl" href="../style/manual.fr.xsl"?>
 <!-- French translation : Lucien GENTIS -->
-<!-- English Revision: 1908080 -->
+<!-- English Revision: 1910996 -->
 
 <!--
  Licensed to the Apache Software Foundation (ASF) under one or more
@@ -1218,7 +1218,10 @@ MDRequireHttps permanent
 		programme prend respectivement comme arguments "setup" ou
 		"teardown" suivi du nom de domaine. Pour "setup", le programme
 		prend comme argument supplémentaire les données de vérification
-		"dns-01".
+		"dns-01". Lorsque <directive
+		module="mod_md">MDChallengeDns01Version</directive> est définie
+		à 2, `teardown` prend aussi comme argument le contenu de la
+		vérification.
             </p><p>
                 Tant que la méthode de vérification "http:" ou "https:" est
 		valable, vous n'avez pas besoin de définir cette directive.
@@ -1736,4 +1739,61 @@ MDMessageCmd /etc/apache/md-message
         </usage>
     </directivesynopsis>
 
+    <directivesynopsis>
+        <name>MDChallengeDns01Version</name>
+        <description></description>
+        <syntax>MDChallengeDns01Version 1|2</syntax>
+        <default>MDChallengeDns01Version 1</default>
+        <contextlist>
+            <context>server config</context>
+        </contextlist>
+        <compatibility>Disponible à partir de la version 2.4.58 du serveur HTTP
+	Apache</compatibility>
+        <usage>
+            <p>
+                Cette directive permet de définir de quelle manière est invoquée
+		la commande MDChallengeDns01, à savoir le nombre et le type de
+		ses arguments. Voir <directive
+		module="mod_md">MDChallengeDns01</directive> pour les
+		différences.
+		Cette définition est globale et ne peut pas s'appliquer
+		différemment pour chaque domaine.
+            </p>
+        </usage>
+    </directivesynopsis>
+
+    <directivesynopsis>
+        <name>MDMatchNames</name>
+        <description></description>
+        <syntax>MDMatchNames all|servernames</syntax>
+        <default>MDMatchNames all</default>
+        <contextlist>
+            <context>server config</context>
+        </contextlist>
+        <compatibility>Disponible à partir de la version 2.4.58 du serveur HTTP
+	Apache</compatibility>
+        <usage>
+            <p>
+                Le mode `all` correspond au comportement de toutes les versions
+		précédentes. ServerName et ServerAlias sont inspectés pour
+		trouver le MDomain qui correspond à un serveur virtuel. Les
+		recouvrements sont automatiquement détectés, même si vous n'avez
+		ajouté qu'un des noms à un MDomain.
+            </p><p>
+                Cet automatisme présente cependant des inconvénients avec les
+		configurations plus complexes. Si vous définissez cette
+		directive à `servernames`, seul le ServerName d'un serveur
+		virtuel est inspecté pour la correspondance et les ServerAliases
+		sont donc ignorés. Les Aliases seront tout de même ajoutés au
+		certificat obtenu, à moins que vous ne spécifiiez aussi `MDMembers manual`.
+            </p><p>
+                `servernames` possède un autre avantage : il vous confère plus
+		de souplesse avec les sous-domaines et les caractères
+		génériques. Vous pouvez ainsi définir un MDomain avec un
+		caractère générique et avoir d'autres MDomains pour des noms de
+		sous-domaines spécifiques.
+            </p>
+        </usage>
+    </directivesynopsis>    
+
 </modulesynopsis>
diff --git a/modules/mappers/mod_alias.c b/modules/mappers/mod_alias.c
index b1638a34e42..cd9db1f8400 100644
--- a/modules/mappers/mod_alias.c
+++ b/modules/mappers/mod_alias.c
@@ -41,6 +41,8 @@
 #define ALIAS_FLAG_OFF 0
 #define ALIAS_FLAG_ON  1
 
+#define ALIAS_PRESERVE_PATH_DEFAULT 0
+
 typedef struct {
     const char *real;
     const char *fake;
@@ -64,6 +66,7 @@ typedef struct {
     const ap_expr_info_t *redirect;
     int redirect_status;                /* 301, 302, 303, 410, etc */
     int allow_relative;                 /* skip ap_construct_url() */
+    int alias_preserve_path;            /* map full path */
 } alias_dir_conf;
 
 module AP_MODULE_DECLARE_DATA alias_module;
@@ -89,6 +92,7 @@ static void *create_alias_dir_config(apr_pool_t *p, char *d)
     (alias_dir_conf *) apr_pcalloc(p, sizeof(alias_dir_conf));
     a->redirects = apr_array_make(p, 2, sizeof(alias_entry));
     a->allow_relative = ALIAS_FLAG_DEFAULT;
+    a->alias_preserve_path = ALIAS_FLAG_DEFAULT;
     return a;
 }
 
@@ -124,6 +128,10 @@ static void *merge_alias_dir_config(apr_pool_t *p, void *basev, void *overridesv
     a->allow_relative = (overrides->allow_relative != ALIAS_FLAG_DEFAULT)
                                   ? overrides->allow_relative 
                                   : base->allow_relative;
+    a->alias_preserve_path = (overrides->alias_preserve_path != ALIAS_FLAG_DEFAULT)
+                                  ? overrides->alias_preserve_path
+                                  : base->alias_preserve_path;
+
     return a;
 }
 
@@ -443,7 +451,7 @@ static char *try_alias(request_rec *r)
             return PREGSUB_ERROR;
         }
 
-        if (dirconf->alias_fake) {
+        if (dirconf->alias_fake && dirconf->alias_preserve_path == ALIAS_FLAG_ON) {
             int l;
 
             l = alias_matches(r->uri, dirconf->alias_fake);
@@ -764,6 +772,9 @@ static const command_rec alias_cmds[] =
     AP_INIT_FLAG("RedirectRelative", ap_set_flag_slot,
                   (void*)APR_OFFSETOF(alias_dir_conf, allow_relative), OR_FILEINFO,
                   "Set to ON to allow relative redirect targets to be issued as-is"),
+    AP_INIT_FLAG("AliasPreservePath", ap_set_flag_slot,
+                  (void*)APR_OFFSETOF(alias_dir_conf, alias_preserve_path), OR_FILEINFO,
+                  "Set to ON to map the full path after the fakename to the realname."),
 
     {NULL}
 };
diff --git a/modules/md/md.h b/modules/md/md.h
index 1d75d102c85..035ccba7837 100644
--- a/modules/md/md.h
+++ b/modules/md/md.h
@@ -78,12 +78,7 @@ struct md_t {
     struct apr_array_header_t *domains; /* all DNS names this MD includes */
     struct apr_array_header_t *contacts;   /* list of contact uris, e.g. mailto:xxx */
 
-    int transitive;                 /* != 0 iff VirtualHost names/aliases are auto-added */
-    md_require_t require_https;     /* Iff https: is required for this MD */
-    
-    int renew_mode;                 /* mode of obtaining credentials */
     struct md_pkeys_spec_t *pks;    /* specification for generating private keys */
-    int must_staple;                /* certificates should set the OCSP Must Staple extension */
     md_timeslice_t *renew_window;   /* time before expiration that starts renewal */
     md_timeslice_t *warn_window;    /* time before expiration that warnings are sent out */
     
@@ -98,19 +93,23 @@ struct md_t {
     const char *ca_eab_kid;         /* optional KEYID for external account binding */
     const char *ca_eab_hmac;        /* optional HMAC for external account binding */
 
-    md_state_t state;               /* state of this MD */
     const char *state_descr;        /* description of state of NULL */
     
     struct apr_array_header_t *acme_tls_1_domains; /* domains supporting "acme-tls/1" protocol */
-    int stapling;                   /* if OCSP stapling is enabled */
     const char *dns01_cmd;          /* DNS challenge command, override global command */
 
-    int watched;               /* if certificate is supervised (renew or expiration warning) */
     const struct md_srv_conf_t *sc; /* server config where it was defined or NULL */
     const char *defn_name;          /* config file this MD was defined */
     unsigned defn_line_number;      /* line number of definition */
-    
     const char *configured_name;    /* name this MD was configured with, if different */
+
+    int renew_mode;                 /* mode of obtaining credentials */
+    md_require_t require_https;     /* Iff https: is required for this MD */
+    md_state_t state;               /* state of this MD */
+    int transitive;                 /* != 0 iff VirtualHost names/aliases are auto-added */
+    int must_staple;                /* certificates should set the OCSP Must Staple extension */
+    int stapling;                   /* if OCSP stapling is enabled */
+    int watched;                    /* if certificate is supervised (renew or expiration warning) */
 };
 
 #define MD_KEY_ACCOUNT          "account"
@@ -128,6 +127,7 @@ struct md_t {
 #define MD_KEY_CHALLENGE        "challenge"
 #define MD_KEY_CHALLENGES       "challenges"
 #define MD_KEY_CMD_DNS01        "cmd-dns-01"
+#define MD_KEY_DNS01_VERSION    "cmd-dns-01-version"
 #define MD_KEY_COMPLETE         "complete"
 #define MD_KEY_CONTACT          "contact"
 #define MD_KEY_CONTACTS         "contacts"
diff --git a/modules/md/md_acme_authz.c b/modules/md/md_acme_authz.c
index a55804e4686..83e0bf153e5 100644
--- a/modules/md/md_acme_authz.c
+++ b/modules/md/md_acme_authz.c
@@ -244,7 +244,8 @@ static apr_status_t cha_http_01_setup(md_acme_authz_cha_t *cha, md_acme_authz_t
                                       md_acme_t *acme, md_store_t *store, 
                                       md_pkeys_spec_t *key_specs,
                                       apr_array_header_t *acme_tls_1_domains, const md_t *md,
-                                      apr_table_t *env, md_result_t *result, apr_pool_t *p)
+                                      apr_table_t *env, md_result_t *result,
+                                      const char **psetup_token, apr_pool_t *p)
 {
     const char *data;
     apr_status_t rv;
@@ -289,6 +290,8 @@ static apr_status_t cha_http_01_setup(md_acme_authz_cha_t *cha, md_acme_authz_t
         rv = md_acme_POST(acme, cha->uri, on_init_authz_resp, authz_http_set, NULL, NULL, &ctx);
     }
 out:
+    *psetup_token = (APR_SUCCESS == rv)?
+        apr_psprintf(p, "%s:%s", MD_AUTHZ_TYPE_HTTP01, authz->domain) : NULL;
     return rv;
 }
 
@@ -302,7 +305,8 @@ static apr_status_t cha_tls_alpn_01_setup(md_acme_authz_cha_t *cha, md_acme_auth
                                           md_acme_t *acme, md_store_t *store, 
                                           md_pkeys_spec_t *key_specs,
                                           apr_array_header_t *acme_tls_1_domains, const md_t *md,
-                                          apr_table_t *env, md_result_t *result, apr_pool_t *p)
+                                          apr_table_t *env, md_result_t *result,
+                                          const char **psetup_token, apr_pool_t *p)
 {
     const char *acme_id, *token;
     apr_status_t rv;
@@ -407,6 +411,8 @@ static apr_status_t cha_tls_alpn_01_setup(md_acme_authz_cha_t *cha, md_acme_auth
         rv = md_acme_POST(acme, cha->uri, on_init_authz_resp, authz_http_set, NULL, NULL, &ctx);
     }
 out:    
+    *psetup_token = (APR_SUCCESS == rv)?
+        apr_psprintf(p, "%s:%s", MD_AUTHZ_TYPE_TLSALPN01, authz->domain) : NULL;
     return rv;
 }
 
@@ -414,7 +420,8 @@ static apr_status_t cha_dns_01_setup(md_acme_authz_cha_t *cha, md_acme_authz_t *
                                      md_acme_t *acme, md_store_t *store, 
                                      md_pkeys_spec_t *key_specs,
                                      apr_array_header_t *acme_tls_1_domains, const md_t *md,
-                                     apr_table_t *env, md_result_t *result, apr_pool_t *p)
+                                     apr_table_t *env, md_result_t *result,
+                                     const char **psetup_token, apr_pool_t *p)
 {
     const char *token;
     const char * const *argv;
@@ -486,6 +493,8 @@ static apr_status_t cha_dns_01_setup(md_acme_authz_cha_t *cha, md_acme_authz_t *
     rv = md_acme_POST(acme, cha->uri, on_init_authz_resp, authz_http_set, NULL, NULL, &ctx);
     
 out:    
+    *psetup_token = (APR_SUCCESS == rv)?
+        apr_psprintf(p, "%s:%s %s", MD_AUTHZ_TYPE_DNS01, authz->domain, token) : NULL;
     return rv;
 }
 
@@ -493,7 +502,8 @@ static apr_status_t cha_dns_01_teardown(md_store_t *store, const char *domain, c
                                         apr_table_t *env, apr_pool_t *p)
 {
     const char * const *argv;
-    const char *cmdline, *dns01_cmd;
+    const char *cmdline, *dns01_cmd, *dns01v;
+    char *tmp, *s;
     apr_status_t rv;
     int exit_code;
     
@@ -508,7 +518,17 @@ static apr_status_t cha_dns_01_teardown(md_store_t *store, const char *domain, c
             md->name, domain);
         goto out;
     }
-    
+    dns01v = apr_table_get(env, MD_KEY_DNS01_VERSION);
+    if (!dns01v || strcmp(dns01v, "2")) {
+        /* use older version of teardown args with only domain, remove token */
+        tmp = apr_pstrdup(p, domain);
+        s = strchr(tmp, ' ');
+        if (s) {
+            *s = '\0';
+            domain = tmp;
+        }
+    }
+
     cmdline = apr_psprintf(p, "%s teardown %s", dns01_cmd, domain); 
     apr_tokenize_to_argv(cmdline, (char***)&argv, p);
     if (APR_SUCCESS != (rv = md_util_exec(p, argv[0], argv, NULL, &exit_code)) || exit_code) {
@@ -532,7 +552,8 @@ typedef apr_status_t cha_setup(md_acme_authz_cha_t *cha, md_acme_authz_t *authz,
                                md_acme_t *acme, md_store_t *store, 
                                md_pkeys_spec_t *key_specs,
                                apr_array_header_t *acme_tls_1_domains, const md_t *md,
-                               apr_table_t *env, md_result_t *result, apr_pool_t *p);
+                               apr_table_t *env, md_result_t *result,
+                               const char **psetup_token, apr_pool_t *p);
                                
 typedef apr_status_t cha_teardown(md_store_t *store, const char *domain, const md_t *md,
                                   apr_table_t *env, apr_pool_t *p);
@@ -590,8 +611,7 @@ apr_status_t md_acme_authz_respond(md_acme_authz_t *authz, md_acme_t *acme, md_s
     apr_status_t rv;
     int i, j;
     cha_find_ctx fctx;
-    const char *challenge_setup;
-    
+
     assert(acme);
     assert(authz);
     assert(authz->resource);
@@ -613,7 +633,7 @@ apr_status_t md_acme_authz_respond(md_acme_authz_t *authz, md_acme_t *acme, md_s
                       "type, this domain supports %s",
                       authz->domain, apr_array_pstrcat(p, challenges, ' '));
     rv = APR_ENOTIMPL;
-    challenge_setup = NULL;
+    *psetup_token = NULL;
     for (i = 0; i < challenges->nelts; ++i) {
         fctx.type = APR_ARRAY_IDX(challenges, i, const char *);
         fctx.accepted = NULL;
@@ -629,12 +649,12 @@ apr_status_t md_acme_authz_respond(md_acme_authz_t *authz, md_acme_t *acme, md_s
                     md_result_activity_printf(result, "Setting up challenge '%s' for domain %s", 
                                               fctx.accepted->type, authz->domain);
                     rv = CHA_TYPES[j].setup(fctx.accepted, authz, acme, store, key_specs,
-                                            acme_tls_1_domains, md, env, result, p);
+                                            acme_tls_1_domains, md, env, result,
+                                            psetup_token, p);
                     if (APR_SUCCESS == rv) {
                         md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, p, 
                                       "%s: set up challenge '%s' for %s", 
                                       authz->domain, fctx.accepted->type, md->name);
-                        challenge_setup = CHA_TYPES[j].name;
                         goto out;
                     }
                     md_result_printf(result, rv, "error setting up challenge '%s' for %s, "
@@ -647,7 +667,6 @@ apr_status_t md_acme_authz_respond(md_acme_authz_t *authz, md_acme_t *acme, md_s
     }
     
 out:
-    *psetup_token = (APR_SUCCESS == rv)? apr_psprintf(p, "%s:%s", challenge_setup, authz->domain) : NULL;
     if (!fctx.accepted || APR_ENOTIMPL == rv) {
         rv = APR_EINVAL;
         fctx.offered = apr_array_make(p, 5, sizeof(const char*));
diff --git a/modules/md/md_http.c b/modules/md/md_http.c
index d10bf0d3ace..0d21e7b14c6 100644
--- a/modules/md/md_http.c
+++ b/modules/md/md_http.c
@@ -212,7 +212,7 @@ static apr_status_t req_create(md_http_request_t **preq, md_http_t *http,
                                const char *method, const char *url, 
                                struct apr_table_t *headers)
 {
-    md_http_request_t *req = NULL;
+    md_http_request_t *req;
     apr_pool_t *pool;
     apr_status_t rv;
     
diff --git a/modules/md/md_util.c b/modules/md/md_util.c
index 884c0bb91e8..126fb782dce 100644
--- a/modules/md/md_util.c
+++ b/modules/md/md_util.c
@@ -916,6 +916,19 @@ int md_dns_domains_match(const apr_array_header_t *domains, const char *name)
     return 0;
 }
 
+int md_is_wild_match(const apr_array_header_t *domains, const char *name)
+{
+    const char *domain;
+    int i;
+
+    for (i = 0; i < domains->nelts; ++i) {
+        domain = APR_ARRAY_IDX(domains, i, const char*);
+        if (md_dns_matches(domain, name))
+            return (domain[0] == '*' && domain[1] == '.');
+    }
+    return 0;
+}
+
 const char *md_util_schemify(apr_pool_t *p, const char *s, const char *def_scheme)
 {
     const char *cp = s;
diff --git a/modules/md/md_util.h b/modules/md/md_util.h
index e430655fca5..311997e4032 100644
--- a/modules/md/md_util.h
+++ b/modules/md/md_util.h
@@ -174,6 +174,11 @@ struct apr_array_header_t *md_dns_make_minimal(apr_pool_t *p,
  */
 int md_dns_domains_match(const apr_array_header_t *domains, const char *name);
 
+/**
+ * @return != 0 iff `name` is matched by a wildcard pattern in `domains`
+ */
+int md_is_wild_match(const apr_array_header_t *domains, const char *name);
+
 /**************************************************************************************************/
 /* file system related */
 
diff --git a/modules/md/md_version.h b/modules/md/md_version.h
index a8f3ef22f77..53702d15b04 100644
--- a/modules/md/md_version.h
+++ b/modules/md/md_version.h
@@ -27,7 +27,7 @@
  * @macro
  * Version number of the md module as c string
  */
-#define MOD_MD_VERSION "2.4.21"
+#define MOD_MD_VERSION "2.4.23"
 
 /**
  * @macro
@@ -35,7 +35,7 @@
  * release. This is a 24 bit number with 8 bits for major number, 8 bits
  * for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
  */
-#define MOD_MD_VERSION_NUM 0x020415
+#define MOD_MD_VERSION_NUM 0x020417
 
 #define MD_ACME_DEF_URL         "https://acme-v02.api.letsencrypt.org/directory"
 #define MD_TAILSCALE_DEF_URL    "file://localhost/var/run/tailscale/tailscaled.sock"
diff --git a/modules/md/mod_md.c b/modules/md/mod_md.c
index 00ed4baa95b..d9ebe836bcd 100644
--- a/modules/md/mod_md.c
+++ b/modules/md/mod_md.c
@@ -377,12 +377,12 @@ static apr_status_t check_coverage(md_t *md, const char *domain, server_rec *s,
         return APR_SUCCESS;
     }
     else {
-        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(10040)
+        ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(10040)
                      "Virtual Host %s:%d matches Managed Domain '%s', but the "
                      "name/alias %s itself is not managed. A requested MD certificate "
                      "will not match ServerName.",
                      s->server_hostname, s->port, md->name, domain);
-        return APR_EINVAL;
+        return APR_SUCCESS;
     }
 }
 
@@ -586,18 +586,30 @@ static apr_status_t link_md_to_servers(md_mod_conf_t *mc, md_t *md, server_rec *
         for (i = 0; i < md->domains->nelts; ++i) {
             domain = APR_ARRAY_IDX(md->domains, i, const char*);
 
-            if (ap_matches_request_vhost(&r, domain, s->port)
-                || (md_dns_is_wildcard(p, domain) && md_dns_matches(domain, s->server_hostname))) {
+            if ((mc->match_mode == MD_MATCH_ALL &&
+                 ap_matches_request_vhost(&r, domain, s->port))
+                || (((mc->match_mode == MD_MATCH_SERVERNAMES) || md_dns_is_wildcard(p, domain)) &&
+                    md_dns_matches(domain, s->server_hostname))) {
                 /* Create a unique md_srv_conf_t record for this server, if there is none yet */
                 sc = md_config_get_unique(s, p);
                 if (!sc->assigned) sc->assigned = apr_array_make(p, 2, sizeof(md_t*));
-
+                if (sc->assigned->nelts == 1 && mc->match_mode == MD_MATCH_SERVERNAMES) {
+                    /* there is already an MD assigned for this server. But in
+                     * this match mode, wildcard matches are pre-empted by non-wildcards */
+                    int existing_wild = md_is_wild_match(
+                          APR_ARRAY_IDX(sc->assigned, 0, const md_t*)->domains,
+                          s->server_hostname);
+                    if (!existing_wild && md_dns_is_wildcard(p, domain))
+                        continue;  /* do not add */
+                    if (existing_wild && !md_dns_is_wildcard(p, domain))
+                        sc->assigned->nelts = 0;  /* overwrite existing */
+                }
                 APR_ARRAY_PUSH(sc->assigned, md_t*) = md;
                 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, base_server, APLOGNO(10041)
-                             "Server %s:%d matches md %s (config %s) for domain %s, "
-                             "has now %d MDs",
+                             "Server %s:%d matches md %s (config %s, match-mode=%d) "
+                             "for domain %s, has now %d MDs",
                              s->server_hostname, s->port, md->name, sc->name,
-                             domain, (int)sc->assigned->nelts);
+                             mc->match_mode, domain, (int)sc->assigned->nelts);
 
                 if (md->contacts && md->contacts->nelts > 0) {
                     /* set explicitly */
@@ -670,17 +682,19 @@ static apr_status_t merge_mds_with_conf(md_mod_conf_t *mc, apr_pool_t *p,
         md = APR_ARRAY_IDX(mc->mds, i, md_t*);
         merge_srv_config(md, base_conf, p);
 
-        /* Check that we have no overlap with the MDs already completed */
-        for (j = 0; j < i; ++j) {
-            omd = APR_ARRAY_IDX(mc->mds, j, md_t*);
-            if ((domain = md_common_name(md, omd)) != NULL) {
-                ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server, APLOGNO(10038)
-                             "two Managed Domains have an overlap in domain '%s'"
-                             ", first definition in %s(line %d), second in %s(line %d)",
-                             domain, md->defn_name, md->defn_line_number,
-                             omd->defn_name, omd->defn_line_number);
-                return APR_EINVAL;
-            }
+        if (mc->match_mode == MD_MATCH_ALL) {
+          /* Check that we have no overlap with the MDs already completed */
+          for (j = 0; j < i; ++j) {
+              omd = APR_ARRAY_IDX(mc->mds, j, md_t*);
+              if ((domain = md_common_name(md, omd)) != NULL) {
+                  ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server, APLOGNO(10038)
+                               "two Managed Domains have an overlap in domain '%s'"
+                               ", first definition in %s(line %d), second in %s(line %d)",
+                               domain, md->defn_name, md->defn_line_number,
+                               omd->defn_name, omd->defn_line_number);
+                  return APR_EINVAL;
+              }
+          }
         }
 
         if (md->cert_files && md->cert_files->nelts) {
diff --git a/modules/md/mod_md_config.c b/modules/md/mod_md_config.c
index e117b160097..31d06b4bc5b 100644
--- a/modules/md/mod_md_config.c
+++ b/modules/md/mod_md_config.c
@@ -88,6 +88,7 @@ static md_mod_conf_t defmc = {
     13,                        /* retry_failover after 14 errors, with 5s delay ~ half a day */
     0,                         /* store locks, disabled by default */
     apr_time_from_sec(5),      /* max time to wait to obaint a store lock */
+    MD_MATCH_ALL,              /* match vhost severname and aliases */
 };
 
 static md_timeslice_t def_renew_window = {
@@ -684,6 +685,27 @@ static const char *md_config_set_store_locks(cmd_parms *cmd, void *dc, const cha
     return NULL;
 }
 
+static const char *md_config_set_match_mode(cmd_parms *cmd, void *dc, const char *s)
+{
+    md_srv_conf_t *config = md_config_get(cmd->server);
+    const char *err = md_conf_check_location(cmd, MD_LOC_NOT_MD);
+
+    (void)dc;
+    if (err) {
+        return err;
+    }
+    else if (!apr_strnatcasecmp("all", s)) {
+        config->mc->match_mode = MD_MATCH_ALL;
+    }
+    else if (!apr_strnatcasecmp("servernames", s)) {
+        config->mc->match_mode = MD_MATCH_SERVERNAMES;
+    }
+    else {
+        return "invalid argument, must be a 'all' or 'servernames'";
+    }
+    return NULL;
+}
+
 static const char *md_config_set_require_https(cmd_parms *cmd, void *dc, const char *value)
 {
     md_srv_conf_t *config = md_config_get(cmd->server);
@@ -985,6 +1007,24 @@ static const char *md_config_set_dns01_cmd(cmd_parms *cmd, void *mconfig, const
     return NULL;
 }
 
+static const char *md_config_set_dns01_version(cmd_parms *cmd, void *mconfig, const char *value)
+{
+    md_srv_conf_t *sc = md_config_get(cmd->server);
+    const char *err;
+
+    (void)mconfig;
+    if ((err = md_conf_check_location(cmd, MD_LOC_NOT_MD))) {
+        return err;
+    }
+    if (!strcmp("1", value) || !strcmp("2", value)) {
+        apr_table_set(sc->mc->env, MD_KEY_DNS01_VERSION, value);
+    }
+    else {
+        return "Only versions `1` and `2` are supported";
+    }
+    return NULL;
+}
+
 static const char *md_config_add_cert_file(cmd_parms *cmd, void *mconfig, const char *arg)
 {
     md_srv_conf_t *sc = md_config_get(cmd->server);
@@ -1226,7 +1266,9 @@ const command_rec md_cmds[] = {
                   "Allow managing of base server outside virtual hosts."),
     AP_INIT_RAW_ARGS("MDChallengeDns01", md_config_set_dns01_cmd, NULL, RSRC_CONF, 
                   "Set the command for setup/teardown of dns-01 challenges"),
-    AP_INIT_TAKE1("MDCertificateFile", md_config_add_cert_file, NULL, RSRC_CONF, 
+    AP_INIT_TAKE1("MDChallengeDns01Version", md_config_set_dns01_version, NULL, RSRC_CONF,
+                  "Set the type of arguments to call `MDChallengeDns01` with"),
+    AP_INIT_TAKE1("MDCertificateFile", md_config_add_cert_file, NULL, RSRC_CONF,
                   "set the static certificate (chain) file to use for this domain."),
     AP_INIT_TAKE1("MDCertificateKeyFile", md_config_add_key_file, NULL, RSRC_CONF, 
                   "set the static private key file to use for this domain."),
@@ -1260,6 +1302,8 @@ const command_rec md_cmds[] = {
                   "The number of errors before a failover to another CA is triggered."),
     AP_INIT_TAKE1("MDStoreLocks", md_config_set_store_locks, NULL, RSRC_CONF,
                   "Configure locking of store for updates."),
+    AP_INIT_TAKE1("MDMatchNames", md_config_set_match_mode, NULL, RSRC_CONF,
+                  "Determines how DNS names are matched to vhosts."),
 
     AP_INIT_TAKE1(NULL, NULL, NULL, RSRC_CONF, NULL)
 };
diff --git a/modules/md/mod_md_config.h b/modules/md/mod_md_config.h
index de42169c97d..7e87440ed18 100644
--- a/modules/md/mod_md_config.h
+++ b/modules/md/mod_md_config.h
@@ -41,6 +41,11 @@ typedef enum {
     MD_CONFIG_STAPLE_OTHERS,
 } md_config_var_t;
 
+typedef enum {
+    MD_MATCH_ALL,
+    MD_MATCH_SERVERNAMES,
+} md_match_mode_t;
+
 typedef struct md_mod_conf_t md_mod_conf_t;
 struct md_mod_conf_t {
     apr_array_header_t *mds;           /* all md_t* defined in the config, shared */
@@ -74,6 +79,7 @@ struct md_mod_conf_t {
     int retry_failover;                /* number of errors to trigger CA failover */
     int use_store_locks;               /* use locks when updating store */
     apr_time_t lock_wait_timeout;      /* fail after this time when unable to obtain lock */
+    md_match_mode_t match_mode;        /* how dns names are match to vhosts */
 };
 
 typedef struct md_srv_conf_t {
diff --git a/support/ab.c b/support/ab.c
index 318eea6d21e..6a617edca19 100644
--- a/support/ab.c
+++ b/support/ab.c
@@ -270,7 +270,7 @@ static int test_started = 0,
  * visiting set_conn_state()
  */
 typedef enum {
-    STATE_UNCONNECTED = 0,
+    STATE_DISCONNECTED = 0,
     STATE_CONNECTING,           /* TCP connect initiated, but we don't
                                  * know if it worked yet
                                  */
@@ -278,8 +278,20 @@ typedef enum {
     STATE_HANDSHAKE,            /* in the handshake phase */
 #endif
     STATE_WRITE,                /* in the write phase */
-    STATE_READ                  /* in the read phase */
-} connect_state_e;
+    STATE_READ,                 /* in the read phase */
+
+    STATE_COUNT
+} conn_state_e;
+
+const char *conn_state_str[STATE_COUNT] = {
+    "DISCONNECTED",
+    "CONNECTING",
+#ifdef USE_SSL
+    "HANDSHAKE",
+#endif
+    "WRITE",
+    "READ"
+};
 
 #define CBUFFSIZE (8192)
 
@@ -292,6 +304,7 @@ struct connection {
     apr_pool_t *ctx;
     apr_socket_t *aprsock;
     apr_pollfd_t pollfd;
+    apr_int16_t events;
     int state;
     apr_time_t delay;
     apr_size_t read;            /* amount of bytes read */
@@ -360,7 +373,7 @@ struct worker {
     int slot;
     int requests;
     int concurrency;
-    int polled;
+    int polls;           /* number of connections polled */
     int bind_rr;         /* next address to bind (round robin) */
     int succeeded_once;  /* response header received once */
     apr_int64_t started; /* number of requests started, so no excess */
@@ -370,6 +383,8 @@ struct worker {
     struct delayed_ring_t delayed_ring;
 
     struct metrics metrics;
+    int counters[STATE_COUNT][2];
+    char tmp[1024];
 
     char buffer[CBUFFSIZE];  /* throw-away buffer to read stuff into */
 };
@@ -431,6 +446,9 @@ apr_interval_time_t aprtimeout = apr_time_from_sec(30); /* timeout value */
 apr_interval_time_t ramp = apr_time_from_msec(0); /* ramp delay */
 int pollset_wakeable = 0;
 
+int watchdog = 0;
+#define WATCHDOG_TIMEOUT apr_time_from_sec(5)
+
 /* overrides for ab-generated common headers */
 const char *opt_host;   /* which optional "Host:" header specified, if any */
 int opt_useragent = 0;  /* was an optional "User-Agent:" header specified? */
@@ -483,7 +501,7 @@ static apr_thread_mutex_t *workers_mutex;
 static apr_thread_cond_t *workers_can_start;
 #endif
 
-static APR_INLINE int worker_can_stop(struct worker *worker)
+static APR_INLINE int worker_should_stop(struct worker *worker)
 {
     return (stoptime <= lasttime
             || (rlimited && worker->metrics.done >= worker->requests));
@@ -623,8 +641,8 @@ static int set_polled_events(struct connection *c, apr_int16_t new_reqevents)
                 graceful_strerror("apr_pollset_remove()", rv);
                 return 0;
             }
-            assert(c->worker->polled > 0);
-            c->worker->polled--;
+            assert(c->worker->polls > 0);
+            c->worker->polls--;
          }
 
         c->pollfd.reqevents = new_reqevents;
@@ -634,20 +652,28 @@ static int set_polled_events(struct connection *c, apr_int16_t new_reqevents)
                 graceful_strerror("apr_pollset_add()", rv);
                 return 0;
             }
-            c->worker->polled++;
+            c->worker->polls++;
         }
     }
     return 1;
 }
 
-static void set_conn_state(struct connection *c, connect_state_e new_state,
+static void set_conn_state(struct connection *c, conn_state_e state,
                            apr_int16_t events)
 {
-    c->state = new_state;
+    struct worker *worker = c->worker;
+
+    assert(worker->counters[c->state][(c->events & APR_POLLOUT) != 0] > 0);
+    worker->counters[c->state][(c->events & APR_POLLOUT) != 0]--;
 
-    if (!set_polled_events(c, events) && new_state != STATE_UNCONNECTED) {
+    c->state = state;
+    c->events = events;
+    if (!set_polled_events(c, events) && state != STATE_DISCONNECTED) {
         close_connection(c);
+        c->events = 0;
     }
+
+    worker->counters[c->state][(c->events & APR_POLLOUT) != 0]++;
 }
 
 /* --------------------------------------------------------- */
@@ -1594,9 +1620,11 @@ static void start_connection(struct connection * c)
         return;
     }
 
+    assert(c->state == STATE_DISCONNECTED);
     if (!c->ctx) {
         apr_pool_create(&c->ctx, worker->pool);
         APR_RING_ELEM_INIT(c, delay_list);
+        worker->counters[STATE_DISCONNECTED][0]++;
         worker->metrics.concurrent++;
     }
 
@@ -1606,7 +1634,6 @@ static void start_connection(struct connection * c)
         return;
     }
 
-    c->state = STATE_UNCONNECTED;
     c->pollfd.desc.s = c->aprsock;
     c->pollfd.desc_type = APR_POLL_SOCKET;
     c->pollfd.reqevents = c->pollfd.rtnevents = 0;
@@ -1710,11 +1737,15 @@ static void start_connection(struct connection * c)
     /* connected first time */
 #ifdef USE_SSL
     if (c->ssl) {
+        set_conn_state(c, STATE_HANDSHAKE, 0);
         ssl_proceed_handshake(c);
     }
     else
 #endif
-    write_request(c);
+    {
+        set_conn_state(c, STATE_WRITE, 0);
+        write_request(c);
+    }
 }
 
 /* --------------------------------------------------------- */
@@ -1723,7 +1754,7 @@ static void start_connection(struct connection * c)
 
 static void close_connection(struct connection *c)
 {
-    set_conn_state(c, STATE_UNCONNECTED, 0);
+    set_conn_state(c, STATE_DISCONNECTED, 0);
 #ifdef USE_SSL
     if (c->ssl) {
         SSL_shutdown(c->ssl);
@@ -2444,6 +2475,8 @@ static int test(void)
 static void worker_test(struct worker *worker)
 {
     apr_status_t rv;
+    apr_time_t poll_expiry = 0;
+    apr_time_t watchdog_expiry = 0;
     struct connection *c;
     apr_int16_t rtnev;
     int i;
@@ -2456,10 +2489,43 @@ static void worker_test(struct worker *worker)
         apr_int32_t n;
         const apr_pollfd_t *pollresults, *pollfd;
         apr_interval_time_t t = aprtimeout;
-
-        if (!APR_RING_EMPTY(&worker->delayed_ring, connection, delay_list)) {
-            apr_time_t now = apr_time_now();
-            do {
+        apr_time_t now = 0;
+ 
+        if (watchdog || !APR_RING_EMPTY(&worker->delayed_ring, connection, delay_list)) {
+            now = apr_time_now();
+            if (poll_expiry == 0) {
+                poll_expiry = now + aprtimeout;
+            }
+            else if (t > poll_expiry - now) {
+                t = poll_expiry > now ? poll_expiry - now : 0;
+            }
+            if (watchdog) {
+                if (watchdog_expiry && watchdog_expiry <= now) {
+                    int state;
+                    apr_size_t len = 0;
+                    len += apr_snprintf(worker->tmp + len, sizeof(worker->tmp) - len,
+                                   "Worker %d: requests %" APR_INT64_T_FMT "/%d, polls %d",
+                                   worker->slot,
+                                   worker->metrics.done, worker->requests,
+                                   worker->polls);
+                    for (state = 0; state < STATE_COUNT; ++state) {
+                        len += apr_snprintf(worker->tmp + len, sizeof(worker->tmp) - len,
+                                      ", %s %d/%d",
+                                      conn_state_str[state],
+                                      worker->counters[state][0],
+                                      worker->counters[state][1]);
+                    }
+                    fprintf(stderr, "%s\n", worker->tmp);
+                    fflush(stderr);
+                }
+                if (watchdog_expiry <= now) {
+                    watchdog_expiry = now + WATCHDOG_TIMEOUT;
+                }
+                if (t > WATCHDOG_TIMEOUT) {
+                    t = WATCHDOG_TIMEOUT;
+                }
+            }
+            while (!APR_RING_EMPTY(&worker->delayed_ring, connection, delay_list)) {
                 c = APR_RING_FIRST(&worker->delayed_ring);
                 if (c->delay <= now) {
                     APR_RING_REMOVE(c, delay_list);
@@ -2473,40 +2539,62 @@ static void worker_test(struct worker *worker)
                     }
                     break;
                 }
-            } while (!APR_RING_EMPTY(&worker->delayed_ring, connection, delay_list));
+            }
         }
 
+        assert(worker->polls > 0);
         n = worker->metrics.concurrent;
         rv = apr_pollset_poll(worker->pollset, t, &n, &pollresults);
         if (rv != APR_SUCCESS) {
             if (APR_STATUS_IS_EINTR(rv)
-                || (APR_STATUS_IS_TIMEUP(rv) &&
-                    !APR_RING_EMPTY(&worker->delayed_ring, connection,
-                                    delay_list))) {
+                || (APR_STATUS_IS_TIMEUP(rv)
+                    && poll_expiry && poll_expiry > apr_time_now())) {
                 continue;
             }
             graceful_strerror("apr_pollset_poll", rv);
             return;
         }
+        poll_expiry = 0;
 
         for (i = 0, pollfd = pollresults; i < n; i++, pollfd++) {
             c = pollfd->client_data;
 
-            /*
-             * If the connection isn't connected how can we check it?
-             */
-            if (c->state == STATE_UNCONNECTED)
-                continue;
+            rtnev = pollfd->rtnevents;
 
-#if 0
-            /*
-             * Remove from the pollset while being handled.
-             */
-            if (!set_polled_events(c, 0))
-                continue;
+            if (rtnev & APR_POLLOUT) {
+                if (c->state == STATE_CONNECTING) {
+                    /* call connect() again to detect errors */
+                    rv = apr_socket_connect(c->aprsock, worker->destsa);
+                    if (rv != APR_SUCCESS) {
+                        try_reconnect(c, rv);
+                        continue;
+                    }
+#ifdef USE_SSL
+                    if (c->ssl)
+                        set_conn_state(c, STATE_HANDSHAKE, 0);
+                    else
 #endif
+                    set_conn_state(c, STATE_WRITE, 0);
+                }
+                switch (c->state) {
+#ifdef USE_SSL
+                case STATE_HANDSHAKE:
+                    ssl_proceed_handshake(c);
+                    break;
+#endif
+                case STATE_WRITE:
+                    write_request(c);
+                    break;
+                case STATE_READ:
+                    read_response(c);
+                    break;
+                default:
+                    assert(0);
+                    break;
+                }
 
-            rtnev = pollfd->rtnevents;
+                continue;
+            }
 
             /*
              * Notes: APR_POLLHUP is set after FIN is received on some
@@ -2521,7 +2609,6 @@ static void worker_test(struct worker *worker)
              * apr_poll().
              */
             if (rtnev & (APR_POLLIN | APR_POLLHUP | APR_POLLPRI)) {
-
                 switch (c->state) {
 #ifdef USE_SSL
                 case STATE_HANDSHAKE:
@@ -2534,42 +2621,9 @@ static void worker_test(struct worker *worker)
                 case STATE_READ:
                     read_response(c);
                     break;
-                }
-
-                continue;
-            }
-
-            if (rtnev & APR_POLLOUT) {
-                if (c->state == STATE_CONNECTING) {
-                    /* call connect() again to detect errors */
-                    rv = apr_socket_connect(c->aprsock, worker->destsa);
-                    if (rv != APR_SUCCESS) {
-                        try_reconnect(c, rv);
-                        continue;
-                    }
-#ifdef USE_SSL
-                    if (c->ssl)
-                        ssl_proceed_handshake(c);
-                    else
-#endif
-                    write_request(c);
-                }
-                else {
-
-                    switch (c->state) {
-#ifdef USE_SSL
-                    case STATE_HANDSHAKE:
-                        ssl_proceed_handshake(c);
-                        break;
-#endif
-                    case STATE_WRITE:
-                        write_request(c);
-                        break;
-                    case STATE_READ:
-                        read_response(c);
-                        break;
-                    }
-
+                default:
+                    assert(0);
+                    break;
                 }
 
                 continue;
@@ -2586,9 +2640,7 @@ static void worker_test(struct worker *worker)
                 continue;
             }
         }
-    } while (worker->polled > 0 && stoptime > lasttime);
-
-    assert(worker_can_stop(worker));
+    } while (!worker_should_stop(worker));
 }
 
 #if APR_HAS_THREADS
@@ -2745,6 +2797,7 @@ static void usage(const char *progname)
     fprintf(stderr, "    -e filename     Output CSV file with percentages served\n");
     fprintf(stderr, "    -r              Don't exit on socket receive errors.\n");
     fprintf(stderr, "    -m method       Method name\n");
+    fprintf(stderr, "    -D              Debug watchdog to show some counters during runtime\n");
     fprintf(stderr, "    -h              Display usage information (this message)\n");
 #ifdef USE_SSL
 
@@ -2973,7 +3026,7 @@ int main(int argc, const char * const argv[])
 #endif
 
     apr_getopt_init(&opt, cntxt, argc, argv);
-    while ((status = apr_getopt(opt, "n:c:t:s:b:T:p:u:v:lrkVhwiIx:y:z:C:H:P:A:g:X:de:SqQB:m:R:"
+    while ((status = apr_getopt(opt, "n:c:t:s:b:T:p:u:v:lrkVhwiIx:y:z:C:H:P:A:g:X:de:SqQDB:m:R:"
 #if APR_HAS_THREADS
             "W:"
 #endif
@@ -3005,6 +3058,9 @@ int main(int argc, const char * const argv[])
             case 'Q':
                 no_banner = 1;
                 break;
+            case 'D':
+                watchdog = 1;
+                break;
             case 'c':
                 concurrency = atoi(opt_arg);
                 if (concurrency < 0) {
diff --git a/test/modules/http2/test_008_ranges.py b/test/modules/http2/test_008_ranges.py
index 8bf8a3f161b..339df1a0cc8 100644
--- a/test/modules/http2/test_008_ranges.py
+++ b/test/modules/http2/test_008_ranges.py
@@ -1,11 +1,15 @@
 import inspect
 import json
+import logging
 import os
 import pytest
 
 from .env import H2Conf, H2TestEnv
 
 
+log = logging.getLogger(__name__)
+
+
 @pytest.mark.skipif(condition=H2TestEnv.is_unsupported, reason="mod_http2 not supported here")
 class TestRanges:
 
@@ -115,14 +119,17 @@ def test_h2_008_03(self, env, repeat):
             '--limit-rate', '2k', '-m', '2'
         ])
         assert r.exit_code != 0, f'{r}'
+        # Restart for logs to be flushed out
+        assert env.apache_restart() == 0
         found = False
         for line in open(TestRanges.LOGFILE).readlines():
             e = json.loads(line)
+            log.info(f'inspecting logged request: {e["request"]}')
             if e['request'] == f'GET {path}?03broken HTTP/2.0':
                 assert e['bytes_rx_I'] > 0
                 assert e['bytes_resp_B'] == 100*1024*1024
                 assert e['bytes_tx_O'] > 1024
-                assert e['bytes_tx_O'] < 10*1024*1024  # curl buffers, but not that much
+                assert e['bytes_tx_O'] < 100*1024*1024  # curl buffers, but not that much
                 found = True
                 break
         assert found, f'request not found in {self.LOGFILE}'
diff --git a/test/modules/md/dns01_v2.py b/test/modules/md/dns01_v2.py
new file mode 100755
index 00000000000..908b4f8fbea
--- /dev/null
+++ b/test/modules/md/dns01_v2.py
@@ -0,0 +1,62 @@
+#!/usr/bin/env python3
+
+import subprocess
+import sys
+
+curl = "curl"
+challtestsrv = "localhost:8055"
+
+
+def run(args):
+    sys.stderr.write(f"run: {' '.join(args)}\n")
+    p = subprocess.Popen(args, stdin=None, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+    output, errput = p.communicate(None)
+    rv = p.wait()
+    if rv != 0:
+        sys.stderr.write(errput.decode())
+    sys.stdout.write(output.decode())
+    return rv
+
+
+def teardown(domain):
+    rv = run([curl, '-s', '-d', f'{{"host":"_acme-challenge.{domain}"}}',
+              f'{challtestsrv}/clear-txt'])
+    if rv == 0:
+        rv = run([curl, '-s', '-d', f'{{"host":"{domain}"}}',
+                  f'{challtestsrv}/set-txt'])
+    return rv
+
+
+def setup(domain, challenge):
+    teardown(domain)
+    rv = run([curl, '-s', '-d', f'{{"host":"{domain}", "addresses":["127.0.0.1"]}}',
+              f'{challtestsrv}/set-txt'])
+    if rv == 0:
+        rv = run([curl, '-s', '-d', f'{{"host":"_acme-challenge.{domain}.", "value":"{challenge}"}}',
+                  f'{challtestsrv}/set-txt'])
+    return rv
+
+
+def main(argv):
+    if len(argv) > 1:
+        if argv[1] == 'setup':
+            if len(argv) != 4:
+                sys.stderr.write("wrong number of arguments: dns01.py setup <domain> <challenge>\n")
+                sys.exit(2)
+            rv = setup(argv[2], argv[3])
+        elif argv[1] == 'teardown':
+            if len(argv) != 4:
+                sys.stderr.write("wrong number of arguments: dns01.py teardown <domain> <challenge>\n")
+                sys.exit(1)
+            rv = teardown(argv[2])
+        else:
+            sys.stderr.write(f"unknown option {argv[1]}\n")
+            rv = 2
+    else:
+        sys.stderr.write("dns01.py wrong number of arguments\n")
+        rv = 2
+    sys.exit(rv)
+
+
+if __name__ == "__main__":
+    main(sys.argv)
diff --git a/test/modules/md/test_300_conf_validate.py b/test/modules/md/test_300_conf_validate.py
index f348f5f1789..f73bf67999d 100644
--- a/test/modules/md/test_300_conf_validate.py
+++ b/test/modules/md/test_300_conf_validate.py
@@ -455,3 +455,80 @@ def test_md_300_027(self, env, cas, should_work):
             assert len(md['ca']['urls']) == len(cas)
         else:
             assert rv != 0, "Server should not have accepted CAs '{}'".format(cas)
+
+    # messy ServerAliases, see #301
+    def test_md_300_028(self, env):
+        assert env.apache_stop() == 0
+        conf = MDConf(env)
+        domaina = f"t300_028a.{env.http_tld}"
+        domainb = f"t300_028b.{env.http_tld}"
+        dalias = f"t300_028alias.{env.http_tld}"
+        conf.add_vhost(port=env.http_port, domains=[domaina, domainb, dalias], with_ssl=False)
+        conf.add(f"""
+            MDomain {domaina} 
+            MDomain {domainb} {dalias}
+            """)
+        conf.add(f"""
+            <VirtualHost 10.0.0.1:{env.https_port}>
+              ServerName {domaina}
+              ServerAlias {dalias}
+              SSLEngine on
+            </VirtualHost>
+            <VirtualHost 10.0.0.1:{env.https_port}>
+              ServerName {domainb}
+              ServerAlias {dalias}
+              SSLEngine on
+            </VirtualHost>
+            """)
+        conf.install()
+        # This does not work as we have both MDs match domaina's vhost
+        assert env.apache_fail() == 0
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10238"   # 2 MDs match the same vhost
+            ]
+        )
+        # It works, if we only match on ServerNames
+        conf.add("MDMatchNames servernames")
+        conf.install()
+        assert env.apache_restart() == 0
+
+    # wildcard and specfic MD overlaps
+    def test_md_300_029(self, env):
+        assert env.apache_stop() == 0
+        conf = MDConf(env)
+        domain = f"t300_029.{env.http_tld}"
+        subdomain = f"sub.{domain}"
+        conf.add_vhost(port=env.http_port, domains=[domain, subdomain], with_ssl=False)
+        conf.add(f"""
+            MDMembers manual
+            MDomain {domain} *.{domain} 
+            MDomain {subdomain}
+            """)
+        conf.add(f"""
+            <VirtualHost 10.0.0.1:{env.https_port}>
+              ServerName {domain}
+              SSLEngine on
+            </VirtualHost>
+            <VirtualHost 10.0.0.1:{env.https_port}>
+              ServerName another.{domain}
+              SSLEngine on
+            </VirtualHost>
+            <VirtualHost 10.0.0.1:{env.https_port}>
+              ServerName {subdomain}
+              SSLEngine on
+            </VirtualHost>
+            """)
+        conf.install()
+        # This does not work as we have overlapping names in MDs
+        assert env.apache_fail() == 0
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10038"   # 2 MDs overlap
+            ]
+        )
+        # It works, if we only match on ServerNames
+        conf.add("MDMatchNames servernames")
+        conf.install()
+        assert env.apache_restart() == 0
+
diff --git a/test/modules/md/test_310_conf_store.py b/test/modules/md/test_310_conf_store.py
index f2bb9c723ac..d56790bb1fb 100644
--- a/test/modules/md/test_310_conf_store.py
+++ b/test/modules/md/test_310_conf_store.py
@@ -48,6 +48,11 @@ def test_md_310_100(self, env, confline, dns_lists, md_count):
         assert env.apache_restart() == 0
         for i in range(0, len(dns_lists)):
             env.check_md(dns_lists[i], state=1)
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
 
     # test case: add managed domains as separate steps
     def test_md_310_101(self, env):
@@ -63,6 +68,11 @@ def test_md_310_101(self, env):
         assert env.apache_restart() == 0
         env.check_md(["testdomain.org", "www.testdomain.org", "mail.testdomain.org"], state=1)
         env.check_md(["testdomain2.org", "www.testdomain2.org", "mail.testdomain2.org"], state=1)
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
 
     # test case: add dns to existing md
     def test_md_310_102(self, env):
@@ -72,6 +82,11 @@ def test_md_310_102(self, env):
             """).install()
         assert env.apache_restart() == 0
         env.check_md(["testdomain.org", "www.testdomain.org", "mail.testdomain.org"], state=1)
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
 
     # test case: add new md definition with acme url, acme protocol, acme agreement
     def test_md_310_103(self, env):
@@ -87,6 +102,11 @@ def test_md_310_103(self, env):
         env.check_md([name, "www.testdomain.org", "mail.testdomain.org"], state=1,
                      ca="http://acme.test.org:4000/directory", protocol="ACME",
                      agreement="http://acme.test.org:4000/terms/v1")
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
 
     # test case: add to existing md: acme url, acme protocol
     def test_md_310_104(self, env):
@@ -108,6 +128,11 @@ def test_md_310_104(self, env):
         env.check_md([name, "www.testdomain.org", "mail.testdomain.org"], state=1,
                      ca="http://acme.test.org:4000/directory", protocol="ACME",
                      agreement="http://acme.test.org:4000/terms/v1")
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
 
     # test case: add new md definition with server admin
     def test_md_310_105(self, env):
@@ -118,6 +143,11 @@ def test_md_310_105(self, env):
         name = "testdomain.org"
         env.check_md([name, "www.testdomain.org", "mail.testdomain.org"], state=1,
                      contacts=["mailto:admin@testdomain.org"])
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
 
     # test case: add to existing md: server admin
     def test_md_310_106(self, env):
@@ -129,6 +159,11 @@ def test_md_310_106(self, env):
         assert env.apache_restart() == 0
         env.check_md([name, "www.testdomain.org", "mail.testdomain.org"], state=1,
                      contacts=["mailto:admin@testdomain.org"])
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
 
     # test case: assign separate contact info based on VirtualHost
     def test_md_310_107(self, env):
@@ -161,6 +196,11 @@ def test_md_310_108(self, env):
             """).install()
         assert env.apache_restart() == 0
         env.check_md(["testdomain.org", "www.testdomain.org", "mail.testdomain.org"], state=1)
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
 
     # test case: default drive mode - auto
     def test_md_310_109(self, env):
@@ -169,6 +209,11 @@ def test_md_310_109(self, env):
             """).install()
         assert env.apache_restart() == 0
         assert env.a2md(["list"]).json['output'][0]['renew-mode'] == 1
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
 
     # test case: drive mode manual
     def test_md_310_110(self, env):
@@ -178,6 +223,11 @@ def test_md_310_110(self, env):
             """).install()
         assert env.apache_restart() == 0
         assert env.a2md(["list"]).json['output'][0]['renew-mode'] == 0
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
 
     # test case: drive mode auto
     def test_md_310_111(self, env):
@@ -187,6 +237,11 @@ def test_md_310_111(self, env):
             """).install()
         assert env.apache_restart() == 0
         assert env.a2md(["list"]).json['output'][0]['renew-mode'] == 1
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
 
     # test case: drive mode always
     def test_md_310_112(self, env):
@@ -205,6 +260,11 @@ def test_md_310_113a(self, env):
             """).install()
         assert env.apache_restart() == 0
         assert env.a2md(["list"]).json['output'][0]['renew-window'] == '14d'
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
 
     # test case: renew window - 10 percent
     def test_md_310_113b(self, env):
@@ -214,7 +274,12 @@ def test_md_310_113b(self, env):
             """).install()
         assert env.apache_restart() == 0
         assert env.a2md(["list"]).json['output'][0]['renew-window'] == '10%'
-        
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
+
     # test case: ca challenge type - http-01
     def test_md_310_114(self, env):
         MDConf(env, text="""
@@ -223,6 +288,11 @@ def test_md_310_114(self, env):
             """).install()
         assert env.apache_restart() == 0
         assert env.a2md(["list"]).json['output'][0]['ca']['challenges'] == ['http-01']
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
 
     # test case: ca challenge type - http-01
     def test_md_310_115(self, env):
@@ -232,6 +302,11 @@ def test_md_310_115(self, env):
             """).install()
         assert env.apache_restart() == 0
         assert env.a2md(["list"]).json['output'][0]['ca']['challenges'] == ['tls-alpn-01']
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
 
     # test case: ca challenge type - all
     def test_md_310_116(self, env):
@@ -241,6 +316,11 @@ def test_md_310_116(self, env):
             """).install()
         assert env.apache_restart() == 0
         assert env.a2md(["list"]).json['output'][0]['ca']['challenges'] == ['http-01', 'tls-alpn-01']
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
 
     # test case: automatically collect md names from vhost config
     def test_md_310_117(self, env):
@@ -269,6 +349,11 @@ def test_md_310_118(self, env):
         assert env.apache_restart() == 0
         stat = env.get_md_status("testdomain.org")
         assert stat['renew-window'] == '14d'
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
 
     # test case: set RSA key length 2048
     def test_md_310_119(self, env):
@@ -281,6 +366,11 @@ def test_md_310_119(self, env):
             "type": "RSA",
             "bits": 2048
         }
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
 
     # test case: set RSA key length 4096
     def test_md_310_120(self, env):
@@ -293,6 +383,11 @@ def test_md_310_120(self, env):
             "type": "RSA",
             "bits": 4096
         }
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
 
     # test case: require HTTPS
     def test_md_310_121(self, env):
@@ -302,6 +397,12 @@ def test_md_310_121(self, env):
             """).install()
         assert env.apache_restart() == 0
         assert env.a2md(["list"]).json['output'][0]['require-https'] == "temporary"
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045",  # No VirtualHost matches Managed Domain
+                "AH10105"   # no domain match
+            ]
+        )
 
     # test case: require OCSP stapling
     def test_md_310_122(self, env):
@@ -311,6 +412,11 @@ def test_md_310_122(self, env):
             """).install()
         assert env.apache_restart() == 0
         assert env.a2md(["list"]).json['output'][0]['must-staple'] is True
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
 
     # test case: remove managed domain from config
     def test_md_310_200(self, env):
@@ -334,6 +440,11 @@ def test_md_310_201(self, env):
         assert env.apache_restart() == 0
         # check: DNS has been removed from md in store
         env.check_md(["testdomain.org", "www.testdomain.org", "mail.testdomain.org"], state=1)
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
 
     # test case: remove primary name from managed domain
     def test_md_310_202(self, env):
@@ -347,6 +458,11 @@ def test_md_310_202(self, env):
         # check: md overwrite previous name and changes name
         env.check_md(["testdomain.org", "www.testdomain.org", "mail.testdomain.org"],
                      md="testdomain.org", state=1)
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
 
     # test case: remove one md, keep another
     def test_md_310_203(self, env):
@@ -363,6 +479,11 @@ def test_md_310_203(self, env):
         # all mds stay in store
         env.check_md(dns_list1, state=1)
         env.check_md(dns_list2, state=1)
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
 
     # test case: remove ca info from md, should switch over to new defaults
     def test_md_310_204(self, env):
@@ -382,6 +503,11 @@ def test_md_310_204(self, env):
         assert env.apache_restart() == 0
         env.check_md([name, "www.testdomain.org", "mail.testdomain.org"], state=1,
                      ca="https://acme-v02.api.letsencrypt.org/directory", protocol="ACME")
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
 
     # test case: remove server admin from md
     def test_md_310_205(self, env):
@@ -398,6 +524,11 @@ def test_md_310_205(self, env):
         # check: md stays the same with previous admin info
         env.check_md([name, "www.testdomain.org", "mail.testdomain.org"], state=1,
                      contacts=["mailto:admin@testdomain.org"])
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
 
     # test case: remove renew window from conf -> fallback to default
     def test_md_310_206(self, env):
@@ -413,6 +544,11 @@ def test_md_310_206(self, env):
         assert env.apache_restart() == 0
         # check: renew window not set
         assert env.a2md(["list"]).json['output'][0]['renew-window'] == '33%'
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
 
     # test case: remove drive mode from conf -> fallback to default (auto)
     @pytest.mark.parametrize("renew_mode,exp_code", [
@@ -433,6 +569,11 @@ def test_md_310_207(self, env, renew_mode, exp_code):
             """).install()
         assert env.apache_restart() == 0
         assert env.a2md(["list"]).json['output'][0]['renew-mode'] == 1
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
 
     # test case: remove challenges from conf -> fallback to default (not set)
     def test_md_310_208(self, env):
@@ -448,6 +589,11 @@ def test_md_310_208(self, env):
             """).install()
         assert env.apache_restart() == 0
         assert 'challenges' not in env.a2md(["list"]).json['output'][0]['ca']
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
 
     # test case: specify RSA key
     @pytest.mark.parametrize("key_size", ["2048", "4096"])
@@ -464,6 +610,11 @@ def test_md_310_209(self, env, key_size):
             """).install()
         assert env.apache_restart() == 0
         assert "privkey" not in env.a2md(["list"]).json['output'][0]
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
 
     # test case: require HTTPS
     @pytest.mark.parametrize("mode", ["temporary", "permanent"])
@@ -484,6 +635,12 @@ def test_md_310_210(self, env, mode):
         assert env.apache_restart() == 0
         assert "require-https" not in env.a2md(["list"]).json['output'][0], \
             "HTTPS require still persisted in store. config: {}".format(mode)
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045",  # No VirtualHost matches Managed Domain
+                "AH10105",  # MDomain does not match any vhost
+            ]
+        )
 
     # test case: require OCSP stapling
     def test_md_310_211(self, env):
@@ -499,6 +656,11 @@ def test_md_310_211(self, env):
             """).install()
         assert env.apache_restart() == 0
         assert env.a2md(["list"]).json['output'][0]['must-staple'] is False
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
 
     # test case: reorder DNS names in md definition
     def test_md_310_300(self, env):
@@ -511,6 +673,11 @@ def test_md_310_300(self, env):
         assert env.apache_restart() == 0
         # check: dns list changes
         env.check_md(["testdomain.org", "www.testdomain.org", "mail.testdomain.org"], state=1)
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
 
     # test case: move DNS from one md to another
     def test_md_310_301(self, env):
@@ -526,6 +693,11 @@ def test_md_310_301(self, env):
         assert env.apache_restart() == 0
         env.check_md(["testdomain.org", "www.testdomain.org", "mail.testdomain.org"], state=1)
         env.check_md(["testdomain2.org", "www.testdomain2.org", "mail.testdomain2.org"], state=1)
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
 
     # test case: change ca info
     def test_md_310_302(self, env):
@@ -552,6 +724,11 @@ def test_md_310_302(self, env):
         env.check_md([name, "www.testdomain.org", "mail.testdomain.org"], state=1,
                      ca="http://somewhere.com:6666/directory", protocol="ACME",
                      agreement="http://somewhere.com:6666/terms/v1")
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
 
     # test case: change server admin
     def test_md_310_303(self, env):
@@ -572,6 +749,11 @@ def test_md_310_303(self, env):
         # check: md stays the same with previous admin info
         env.check_md([name, "www.testdomain.org", "mail.testdomain.org"], state=1,
                      contacts=["mailto:webmaster@testdomain.org"])
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
 
     # test case: change drive mode - manual -> auto -> always
     def test_md_310_304(self, env):
@@ -595,6 +777,11 @@ def test_md_310_304(self, env):
             """).install()
         assert env.apache_restart() == 0
         assert env.a2md(["list"]).json['output'][0]['renew-mode'] == 2
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
 
     # test case: change config value for renew window, use various syntax alternatives
     def test_md_310_305(self, env):
@@ -619,6 +806,11 @@ def test_md_310_305(self, env):
         assert env.apache_restart() == 0
         md = env.a2md(["list"]).json['output'][0]
         assert md['renew-window'] == '10%'
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
 
     # test case: change challenge types - http -> tls-sni -> all
     def test_md_310_306(self, env):
@@ -642,6 +834,11 @@ def test_md_310_306(self, env):
             """).install()
         assert env.apache_restart() == 0
         assert env.a2md(["list"]).json['output'][0]['ca']['challenges'] == ['http-01', 'tls-alpn-01']
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
 
     # test case:  RSA key length: 4096 -> 2048 -> 4096
     def test_md_310_307(self, env):
@@ -672,6 +869,11 @@ def test_md_310_307(self, env):
             "type": "RSA",
             "bits": 4096
         }
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
 
     # test case: change HTTPS require settings on existing md
     def test_md_310_308(self, env):
@@ -697,6 +899,12 @@ def test_md_310_308(self, env):
             """).install()
         assert env.apache_restart() == 0
         assert env.a2md(["list"]).json['output'][0]['require-https'] == "permanent"
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045",  # No VirtualHost matches Managed Domain
+                "AH10105",  # MDomain matches no vhost
+            ]
+        )
 
     # test case: change OCSP stapling settings on existing md
     def test_md_310_309(self, env):
@@ -720,6 +928,11 @@ def test_md_310_309(self, env):
             """).install()
         assert env.apache_restart() == 0
         assert env.a2md(["list"]).json['output'][0]['must-staple'] is False
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
 
     # test case: change renew window parameter
     @pytest.mark.parametrize("window", [
@@ -792,6 +1005,11 @@ def test_md_310_500(self, env):
         env.check_md(["testdomain.org", "www.testdomain.org", "mail.testdomain.org"], state=1)
         env.clear_store()
         env.set_store_dir_default()
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
 
     # test case: place an unexpected file into the store, check startup survival, see #218
     def test_md_310_501(self, env):
diff --git a/test/modules/md/test_502_acmev2_drive.py b/test/modules/md/test_502_acmev2_drive.py
index eb754f25eff..a98e4ad97c7 100644
--- a/test/modules/md/test_502_acmev2_drive.py
+++ b/test/modules/md/test_502_acmev2_drive.py
@@ -436,6 +436,11 @@ def test_md_502_201(self, env, renew_window, test_data_list):
             md = env.a2md(["list", name]).json['output'][0]
             assert md["renew"] == tc["renew"], \
                 "Expected renew == {} indicator in {}, test case {}".format(tc["renew"], md, tc)
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
 
     @pytest.mark.parametrize("key_type,key_params,exp_key_length", [
         ("RSA", [2048], 2048),
@@ -462,6 +467,11 @@ def test_md_502_202(self, env, key_type, key_params, exp_key_length):
         # check cert key length
         cert = MDCertUtil(env.store_domain_file(name, 'pubcert.pem'))
         assert cert.get_key_length() == exp_key_length
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
 
     # test_502_203 removed, as ToS agreement is not really checked in ACMEv2
 
diff --git a/test/modules/md/test_602_roundtrip.py b/test/modules/md/test_602_roundtrip.py
index 9ff87e5df7e..e2e74c7d81b 100644
--- a/test/modules/md/test_602_roundtrip.py
+++ b/test/modules/md/test_602_roundtrip.py
@@ -52,9 +52,13 @@ def test_md_602_000(self, env):
         # check: SSL is running OK
         cert = env.get_cert(domain)
         assert domain in cert.get_san_list()
-
         # check file system permissions:
         env.check_file_permissions(domain)
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
 
     def test_md_602_001(self, env):
         # test case: same as test_600_000, but with two parallel managed domains
@@ -93,6 +97,11 @@ def test_md_602_001(self, env):
         assert domains_a == cert_a.get_san_list()
         cert_b = env.get_cert(domain_b)
         assert domains_b == cert_b.get_san_list()
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
 
     def test_md_602_002(self, env):
         # test case: one md, that covers two vhosts
@@ -134,6 +143,11 @@ def test_md_602_002(self, env):
         assert cert_a.same_serial_as(cert_b)
         assert env.get_content(name_a, "/name.txt") == name_a
         assert env.get_content(name_b, "/name.txt") == name_b
+        env.httpd_error_log.ignore_recent(
+            lognos = [
+                "AH10045"   # No VirtualHost matches Managed Domain
+            ]
+        )
 
     # --------- _utils_ ---------