jxskiss / simplessl
On the fly SSL certificate issue and renewal inside OpenResty with Let's Encrypt
License: MIT License
openresty-ssl-server-1 | 2022-09-15T11:26:55.775Z ERROR server server/server.go:94 failed get certificate, typ= ACME_ON_DEMAND, name= *******.info {"error": "dial tcp 127.0.0.1:6379: connect: connection refused"}
but it is defined as
storage:
type: "redis" # or redis
dir_cache: "/app/storage"
redis:
addr: "redis:6379"
prefix: ""
Please also add DB to the struct to make it possible to choose the DB index, and maybe some more options such as password etc. that are available in the default Redis lib.
I have 3 Docker containers running websites that listen on a Unix socket instead of port 80, but after running nginx I still could not access the https URL in the browser: 522 error.
./ssl-cert-server_0.2.0_linux_amd64 --listen=127.0.0.1:8999 \
--email=[email protected] \
--domain="bbs.antivte.com,ytb.antivte.com,cp.antivte.com,antivte.com" \
-force-rsa true
The conf is like this:
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
lua_shared_dict ssl_certs_cache 1m;
init_by_lua_block {
-- Define a function to determine which SNI domains to automatically
-- handle and register new certificates for. Defaults to not allowing
-- any domain, so this must be configured.
function allow_domain(domain)
-- Anchored, with escaped dots: the unanchored pattern "(antivte.com|...)" also
-- matched names such as antivte.com.attacker.example or antivtexcom, so any
-- SNI value containing the string could trigger an issuance attempt.
if ngx.re.match(domain, "^(antivte\\.com|bbs\\.antivte\\.com|ytb\\.antivte\\.com|cp\\.antivte\\.com)$", "ijo") then
return true
end
return false
end
-- Initialize backend certificate server instance.
cert_server = (require "resty.ssl-cert-server").new({
backend = '127.0.0.1:8999',
allow_domain = allow_domain
})
}
# HTTPS Server
server {
listen 443 ssl;
# Works also with non-default HTTPS port.
listen 8443 ssl;
server_name bbs.antivte.com; # <-- change this
# Dynamic handler for issuing or returning certs for SNI domains.
ssl_certificate_by_lua_block {
cert_server:ssl_certificate()
}
# Fallback certificate required by nginx, self-signed is ok.
# openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
# -subj '/CN=sni-support-required-for-valid-ssl' \
# -keyout /etc/nginx/certs/fallback-self-signed.key \
# -out /etc/nginx/certs/fallback-self-signed.crt
ssl_certificate /etc/nginx/certs/fallback-self-signed.crt;
ssl_certificate_key /etc/nginx/certs/fallback-self-signed.key;
location / {
proxy_pass http://unix:/var/discourse/shared/bbs/nginx.http.sock:;
proxy_set_header Host $http_host;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
}
}
# HTTP Server
server {
listen 80;
server_name bbs.antivte.com; # <-- change this
# A server-level "return" runs before location matching and would also
# redirect /.well-known/acme-challenge/, breaking HTTP-01 validation;
# redirect from a location so the longer challenge prefix still wins.
location / {
return 301 https://$host$request_uri;
}
# Endpoint used for performing domain verification with Let's Encrypt.
location /.well-known/acme-challenge/ {
content_by_lua_block {
cert_server:challenge_server()
}
}
}
# HTTPS Server
server {
listen 443 ssl;
# Works also with non-default HTTPS port.
listen 8443 ssl;
server_name ytb.antivte.com; # <-- change this
# Dynamic handler for issuing or returning certs for SNI domains.
ssl_certificate_by_lua_block {
cert_server:ssl_certificate()
}
# Fallback certificate required by nginx, self-signed is ok.
# openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
# -subj '/CN=sni-support-required-for-valid-ssl' \
# -keyout /etc/nginx/certs/fallback-self-signed.key \
# -out /etc/nginx/certs/fallback-self-signed.crt
ssl_certificate /etc/nginx/certs/fallback-self-signed.crt;
ssl_certificate_key /etc/nginx/certs/fallback-self-signed.key;
location / {
proxy_pass http://unix:/var/discourse/shared/ytb/nginx.http.sock:;
proxy_set_header Host $http_host;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
}
}
# HTTP Server
server {
listen 80;
server_name ytb.antivte.com; # <-- change this
location / {
return 301 https://$host$request_uri; # inside a location, so the acme-challenge location below is still reachable
}
# Endpoint used for performing domain verification with Let's Encrypt.
location /.well-known/acme-challenge/ {
content_by_lua_block {
cert_server:challenge_server()
}
}
}
# HTTPS Server
server {
listen 443 ssl;
# Works also with non-default HTTPS port.
listen 8443 ssl;
server_name cp.antivte.com; # <-- change this
# Dynamic handler for issuing or returning certs for SNI domains.
ssl_certificate_by_lua_block {
cert_server:ssl_certificate()
}
# Fallback certificate required by nginx, self-signed is ok.
# openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
# -subj '/CN=sni-support-required-for-valid-ssl' \
# -keyout /etc/nginx/certs/fallback-self-signed.key \
# -out /etc/nginx/certs/fallback-self-signed.crt
ssl_certificate /etc/nginx/certs/fallback-self-signed.crt;
ssl_certificate_key /etc/nginx/certs/fallback-self-signed.key;
location / {
proxy_pass http://unix:/var/discourse/shared/cp/nginx.http.sock:;
proxy_set_header Host $http_host;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
}
}
# HTTP Server
server {
listen 80;
server_name cp.antivte.com; # <-- change this
location / {
return 301 https://$host$request_uri; # inside a location, so the acme-challenge location below is still reachable
}
# Endpoint used for performing domain verification with Let's Encrypt.
location /.well-known/acme-challenge/ {
content_by_lua_block {
cert_server:challenge_server()
}
}
}
}
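The `allow_domain` hook in the config above is the only thing standing between an arbitrary, attacker-chosen SNI value and a certificate request to the backend. The following is an added example, not code from this project or its author, written in Go so it can be run and checked: it puts the posted pattern (unanchored, dots unescaped) beside an exact-match allowlist and shows which names each accepts. The domain names are the ones from the post; the function names and the sample SNI values are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// loosePattern reproduces the posted Lua check: unanchored, dots unescaped,
// case-insensitive. "antivte.com" here matches any 11 characters with the
// right letters, anywhere in the SNI string.
var loosePattern = regexp.MustCompile(`(?i)(antivte.com|bbs.antivte.com|ytb.antivte.com|cp.antivte.com)`)

func looseAllow(sni string) bool {
	return loosePattern.MatchString(sni)
}

// allowedNames is an explicit allowlist of exactly the names the cert server
// is started with (taken from the posted --domain flag).
var allowedNames = map[string]bool{
	"antivte.com":     true,
	"bbs.antivte.com": true,
	"ytb.antivte.com": true,
	"cp.antivte.com":  true,
}

// normalizeHostname lowercases the SNI value, drops a single trailing dot and
// rejects anything that is not a syntactically valid hostname (RFC 1123
// labels, no wildcard, no empty labels), so look-alikes never reach the map.
func normalizeHostname(sni string) (string, bool) {
	name := strings.ToLower(strings.TrimSuffix(sni, "."))
	if name == "" || len(name) > 253 {
		return "", false
	}
	for _, label := range strings.Split(name, ".") {
		if label == "" || len(label) > 63 || label[0] == '-' || label[len(label)-1] == '-' {
			return "", false
		}
		for _, c := range label {
			if !(c >= 'a' && c <= 'z' || c >= '0' && c <= '9' || c == '-') {
				return "", false
			}
		}
	}
	return name, true
}

// strictAllow accepts only an exact, normalized match against the allowlist.
func strictAllow(sni string) bool {
	name, ok := normalizeHostname(sni)
	return ok && allowedNames[name]
}

func main() {
	// Constructed SNI values: the legitimate names plus look-alikes that any
	// client can send in a ClientHello without owning anything.
	for _, sni := range []string{
		"bbs.antivte.com", "BBS.antivte.com.", "antivte.com.attacker.example",
		"evil-antivte.com", "antivtexcom", "*.antivte.com",
	} {
		fmt.Printf("%-32s loose=%-5v strict=%v\n", sni, looseAllow(sni), strictAllow(sni))
	}
}
```

With the loose check, every look-alike is handed to the backend, which then spends an ACME order (and Let's Encrypt rate-limit budget) on a validation that is bound to fail; with the strict check, only the four configured names get that far.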
I see that a DNS key is used to authenticate domain names in the example.com.yaml configuration file. Can I use the web directory file method (/.well-known/acme-challenge) to authenticate domain names? How do I configure it?
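HTTP-01 is the method that the `/.well-known/acme-challenge/` location in the nginx configs on this page is there for. As an added example (not the project's `challenge_server` or any code by its author), here is what such a responder has to return, per RFC 8555 section 8.3: for each pending token, the key authorization `token.thumbprint`, where the thumbprint is the RFC 7638 SHA-256 thumbprint of the ACME account key. The account key, the token and the type and function names are assumptions made for this illustration; the example runs the exchange offline through `httptest`.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
	"sync"
)

const challengePrefix = "/.well-known/acme-challenge/"

// b64url is the unpadded base64url encoding ACME uses for tokens and digests.
func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// jwkThumbprint implements RFC 7638 for an RSA public key: SHA-256 over the JWK
// holding only the required members, in lexicographic order, with no whitespace.
func jwkThumbprint(pub *rsa.PublicKey) string {
	canon, err := json.Marshal(struct {
		E   string `json:"e"`
		Kty string `json:"kty"`
		N   string `json:"n"`
	}{
		E:   b64url(big.NewInt(int64(pub.E)).Bytes()),
		Kty: "RSA",
		N:   b64url(pub.N.Bytes()),
	})
	if err != nil {
		panic(err) // a struct of three strings always marshals
	}
	sum := sha256.Sum256(canon)
	return b64url(sum[:])
}

// keyAuthorization is the body the CA expects to read back: token "." thumbprint.
func keyAuthorization(token string, pub *rsa.PublicKey) string {
	return token + "." + jwkThumbprint(pub)
}

// tokenRe restricts lookups to the base64url alphabet; anything else is a 404.
var tokenRe = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

// challengeResponder holds pending challenges (assumed in-memory store).
type challengeResponder struct {
	mu      sync.RWMutex
	pending map[string]string // token -> key authorization
}

func newChallengeResponder() *challengeResponder {
	return &challengeResponder{pending: make(map[string]string)}
}

func (c *challengeResponder) Add(token, keyAuth string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.pending[token] = keyAuth
}

func (c *challengeResponder) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	token := strings.TrimPrefix(r.URL.Path, challengePrefix)
	if r.Method != http.MethodGet || token == r.URL.Path || !tokenRe.MatchString(token) {
		http.NotFound(w, r)
		return
	}
	c.mu.RLock()
	keyAuth, ok := c.pending[token]
	c.mu.RUnlock()
	if !ok {
		http.NotFound(w, r)
		return
	}
	w.Header().Set("Content-Type", "application/octet-stream")
	fmt.Fprint(w, keyAuth)
}

// serve pushes one GET through the responder without opening a socket.
func serve(c *challengeResponder, path string) (int, string) {
	rec := httptest.NewRecorder()
	c.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code, rec.Body.String()
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the ACME account key
	if err != nil {
		panic(err)
	}
	token := "constructed-token-for-this-example" // a real token is random, base64url, >= 128 bits
	c := newChallengeResponder()
	c.Add(token, keyAuthorization(token, &key.PublicKey))
	for _, p := range []string{challengePrefix + token, challengePrefix + "unknown", challengePrefix + "../etc/passwd"} {
		status, body := serve(c, p)
		fmt.Printf("GET %s -> %d %q\n", p, status, body)
	}
}
```

The CA fetches this over plain HTTP on port 80, so the path has to be reachable before any redirect to https, and the token is treated strictly: anything outside the base64url alphabet, or not registered, gets a 404 rather than a lookup.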
There's an error when the ssl server returns nil instead of a certificate. I fixed it this way:
(ssl-cert-server/lib/resty/ssl-cert-server.lua:369):
if cert then
-- Since certificate renewal happens far before expired on backend server,
-- most probably the previous certificate is valid, we use it if it is available.
-- This avoids further requests within next cache period triggering certificate
-- requests to backend, which may slow down nginx and rise up pressure on busy site.
-- Also we consider a recently-expired certificate is more friendly to our users
-- than fallback to self-signed certificate.
if cert.expire_at <= ngx_time() then
is_expired = true
ngx_log(ngx_ERR, domain, ": fallback to expired certificate")
end
else
is_expired = true
ngx_log(ngx_ERR, domain, ": fallback to expired certificate (no cert)")
end
I want it for local development and will be running my own certificate authority, so can I use that?
Such errors are flooding our logs (appearing every second).
Hello
Experiencing some issue, can you help to resolve this?
Works in a Docker container; maybe it needs some params?
openresty-ssl-server-1 | 2022-09-15T09:36:13.531Z INFO http/server.go:3197 http: panic serving 172.22.0.4:49688: runtime error: invalid memory address or nil pointer dereference
openresty-ssl-server-1 | goroutine 20 [running]:
openresty-ssl-server-1 | net/http.(*conn).serve.func1()
openresty-ssl-server-1 | /usr/local/go/src/net/http/server.go:1825 +0xbf
openresty-ssl-server-1 | panic({0x17c0780, 0x2befda0})
openresty-ssl-server-1 | /usr/local/go/src/runtime/panic.go:844 +0x258
openresty-ssl-server-1 | github.com/jxskiss/ssl-cert-server/server.(*acmeImpl).newACMEClient(0xc0004690e0, {0x1e1dd70, 0xc000459080}, {0x0?, 0x0?})
openresty-ssl-server-1 | /go/pkg/mod/github.com/jxskiss/[email protected]/server/acme_client.go:62 +0x55d
openresty-ssl-server-1 | github.com/jxskiss/ssl-cert-server/server.(*acmeImpl).issueCertificate(0xc0004690e0, {0x1e1dd70, 0xc000459080}, {0x0, 0x0}, {0xc000476d10, 0x1, 0x1})
openresty-ssl-server-1 | /go/pkg/mod/github.com/jxskiss/[email protected]/server/acme_client.go:77 +0x9c
openresty-ssl-server-1 | github.com/jxskiss/ssl-cert-server/server.(*acmeImpl).loadOnDemandCertificateFromStorageOrCreate(0xc0004690e0, {0x1e1dd70, 0xc000459080}, 0xc000458ec0, 0x1)
openresty-ssl-server-1 | /go/pkg/mod/github.com/jxskiss/[email protected]/server/acme.go:206 +0x33c
openresty-ssl-server-1 | github.com/jxskiss/ssl-cert-server/server.(*acmeImpl)._getOnDemandCertificate(0xc0004690e0, {0x1e1dd70, 0xc000459080}, {0xc000453d4a, 0xd}, 0xea?)
openresty-ssl-server-1 | /go/pkg/mod/github.com/jxskiss/[email protected]/server/acme.go:172 +0x125
openresty-ssl-server-1 | github.com/jxskiss/ssl-cert-server/server.(*acmeImpl).GetOnDemandCertificate(0xc0004690e0, {0x1e1dd70?, 0xc000459080}, {0xc000453d4a, 0xd}, 0x0?)
openresty-ssl-server-1 | /go/pkg/mod/github.com/jxskiss/[email protected]/server/acme.go:147 +0x4a
openresty-ssl-server-1 | github.com/jxskiss/ssl-cert-server/server.(*Server).GetCertificate(0xc00007d260, {0x1e1dd70, 0xc000459080}, 0x4?)
openresty-ssl-server-1 | /go/pkg/mod/github.com/jxskiss/[email protected]/server/server.go:90 +0x469
openresty-ssl-server-1 | github.com/jxskiss/ssl-cert-server/server.(*v1APIImpl).HandleCertificate(0xc00041ea80, {0x1e1d3d8, 0xc0000f2700}, 0xc000172800?)