A recent tweet by Ilya Grigorik highlights an interesting NGINX module:
lua-resty-auto-ssl
On the fly (and free) SSL registration and renewal inside OpenResty/nginx with Let’s Encrypt.
This OpenResty plugin automatically and transparently issues SSL certificates from Let’s Encrypt (a free certificate authority) as requests are received. It works like:
- An SSL request for a SNI hostname is received.
- If the system already has an SSL certificate for that domain, it is immediately returned (with OCSP stapling).
- If the system does not yet have an SSL certificate for this domain, it issues a new SSL certificate from Let’s Encrypt. Domain validation is handled for you. After receiving the new certificate (usually within a few seconds), the new certificate is saved, cached, and returned to the client (without dropping the original request).
This uses the ssl_certificate_by_lua functionality in OpenResty 1.9.7.2+.
Requirements
This could potentially avoid the need for confusing steps and some support requests in the current setup process for Let’s Encrypt and Discourse:
The one obvious complication might be specifying an email address for the Let’s Encrypt account, which I’m sure can be handled as part of the Discourse build process.
I’m unsure if the requirements here have an additional memory impact which might need to be considered.
However - I’m just sharing for the Discourse Team to consider.
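For readers evaluating the module, here is an added example (not part of the original post and not Discourse's configuration) of an OpenResty setup for the flow quoted above, with issuance restricted to an explicit hostname list so that arbitrary SNI names cannot trigger certificate requests. The hostname, resolver address, shared dict sizes and fallback certificate paths are assumptions.

```nginx
events { worker_connections 1024; }
http {
  # Shared memory for cached certificates and the module's internal settings.
  # Sizes are assumptions for a single-site install.
  lua_shared_dict auto_ssl 1m;
  lua_shared_dict auto_ssl_settings 64k;
  resolver 8.8.8.8 ipv6=off;  # needed for OCSP stapling; address is an assumption

  init_by_lua_block {
    auto_ssl = (require "resty.auto-ssl").new()
    -- Only issue for hostnames this server is meant to serve. Without a strict
    -- check, any SNI name pointed at the server would start an issuance
    -- attempt and consume Let's Encrypt rate limits.
    local allowed = { ["forum.example.com"] = true }  -- placeholder hostname
    auto_ssl:set("allow_domain", function(domain)
      return allowed[domain] == true
    end)
    auto_ssl:init()
  }
  init_worker_by_lua_block { auto_ssl:init_worker() }

  server {
    listen 443 ssl;
    # Runs during the TLS handshake: returns the cached certificate or issues one.
    ssl_certificate_by_lua_block { auto_ssl:ssl_certificate() }
    # nginx requires a static certificate to start; these paths are assumptions.
    ssl_certificate     /etc/ssl/resty-auto-ssl-fallback.crt;
    ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;
  }

  server {
    listen 80;
    # Serves the HTTP challenge used for domain validation.
    location /.well-known/acme-challenge/ {
      content_by_lua_block { auto_ssl:challenge_server() }
    }
  }

  # Internal hook endpoint for certificate tasks; keep it bound to loopback.
  server {
    listen 127.0.0.1:8999;
    client_body_buffer_size 128k;
    client_max_body_size 128k;
    location / { content_by_lua_block { auto_ssl:hook_server() } }
  }
}
```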