Completely automated SSL certificate generation


(Dean Taylor) #1

A recent tweet by llya Grigorik highlights an interesting NGINX module:

lua-resty-auto-ssl

On the fly (and free) SSL registration and renewal inside OpenResty/nginx with Let’s Encrypt.

This OpenResty plugin automatically and transparently issues SSL certificates from Let’s Encrypt (a free certificate authority) as requests are received. It works like:

  • A SSL request for a SNI hostname is received.
  • If the system already has a SSL certificate for that domain, it is immediately returned (with OCSP stapling).
  • If the system does not yet have an SSL certificate for this domain, it issues a new SSL certificate from Let’s Encrypt. Domain validation is handled for you. After receiving the new certificate (usually within a few seconds), the new certificate is saved, cached, and returned to the client (without dropping the original request).

This uses the ssl_certificate_by_lua functionality in OpenResty 1.9.7.2+.

Requirements

  • OpenResty 1.9.7.2 or higher
    • Or nginx built with ngx_lua 0.10.0 or higher
  • OpenSSL 1.0.2e or higher
  • LuaRocks
  • make (for initial install via LuaRocks)
  • bash, curl, diff, grep, mktemp, sed (these are generally pre-installed on most systems, but may not be included in some minimal containers)

This could potentially avoid the need for confusing steps and some support requests in the current setup process for Let’s Encrypt and Discourse:

The one obvious complication might be specifying an email address for the Let’s Encrypt account, which I’m sure can be handled as part of the Discourse build process.

I’m unsure if the requirements here have an additional memory impact which might need to be considered.

However - I’m just sharing for the Discourse Team to consider.


(Rafael dos Santos Silva) #2

I’m a huge fan of agentzh OpenResty, so I’m biased, but this looks cool. Maybe it’s getting easier and will use the new opm package manager soon.

This is not as stable as using an entire new docker image just for LE as proposed in the official thread, but looks easier to use with multisite environments, and doing the www redirect thing.