
simplessl's Issues

RedisConfig uses default value

openresty-ssl-server-1 | 2022-09-15T11:26:55.775Z ERROR server server/server.go:94 failed get certificate, typ= ACME_ON_DEMAND, name= *******.info {"error": "dial tcp 127.0.0.1:6379: connect: connection refused"}

but it is defined as

storage:
  type: "redis"  # or redis
  dir_cache: "/app/storage"
  redis:
    addr: "redis:6379"
    prefix: ""

Please also add DB to the struct to make it possible to choose the DB index, and maybe some more options like password etc. that are available in the default Redis lib.
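
As an added example, not code from the simplessl/ssl-cert-server project, here is how the storage block above could be resolved so that a configured addr wins over the default and the requested db and password fields exist. The struct layout, the default address, the validation rules and the redis:// URL form are assumptions for this illustration; the yaml tags only document the intended mapping, since the example builds the struct by hand to stay free of a YAML library.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strconv"
)

// StorageConfig mirrors the "storage:" block of the YAML in the issue. The yaml
// tags document the intended mapping; this example builds the struct by hand
// so it runs without a YAML library (assumed layout, not the project's).
type StorageConfig struct {
	Type     string      `yaml:"type"` // "dir_cache" or "redis"
	DirCache string      `yaml:"dir_cache"`
	Redis    RedisConfig `yaml:"redis"`
}

// RedisConfig adds the DB index and password the issue asks for.
type RedisConfig struct {
	Addr     string `yaml:"addr"`
	DB       int    `yaml:"db"`
	Password string `yaml:"password"`
	Prefix   string `yaml:"prefix"`
}

// defaultRedisAddr is assumed; it matches the address in the reported error.
const defaultRedisAddr = "127.0.0.1:6379"

// ResolveRedisBuggy reproduces the reported behaviour: the default is applied
// unconditionally, so "redis:6379" from the file is discarded and the server
// dials 127.0.0.1:6379, which is refused inside the container.
func ResolveRedisBuggy(cfg StorageConfig) RedisConfig {
	r := cfg.Redis
	r.Addr = defaultRedisAddr
	return r
}

// ResolveRedis applies the default only when addr is unset, then validates the
// result so a bad value fails at startup rather than at the first ACME request.
func ResolveRedis(cfg StorageConfig) (RedisConfig, error) {
	if cfg.Type != "redis" {
		return RedisConfig{}, fmt.Errorf("storage.type is %q, not redis", cfg.Type)
	}
	r := cfg.Redis
	if r.Addr == "" {
		r.Addr = defaultRedisAddr
	}
	host, port, err := net.SplitHostPort(r.Addr)
	if err != nil {
		return RedisConfig{}, fmt.Errorf("storage.redis.addr %q: %w", r.Addr, err)
	}
	if host == "" {
		return RedisConfig{}, fmt.Errorf("storage.redis.addr %q: empty host", r.Addr)
	}
	if p, err := strconv.Atoi(port); err != nil || p < 1 || p > 65535 {
		return RedisConfig{}, fmt.Errorf("storage.redis.addr %q: bad port", r.Addr)
	}
	// Redis rejects negative indexes; the upper bound depends on the server's
	// "databases" setting, so only the sign is checked here.
	if r.DB < 0 {
		return RedisConfig{}, errors.New("storage.redis.db must not be negative")
	}
	return r, nil
}

// URL renders the config as redis://[:password@]host:port/db, the form most
// Go Redis clients accept in their URL parser (assumed, not project API).
func (r RedisConfig) URL() *url.URL {
	u := &url.URL{Scheme: "redis", Host: r.Addr, Path: "/" + strconv.Itoa(r.DB)}
	if r.Password != "" {
		u.User = url.UserPassword("", r.Password)
	}
	return u
}

func main() {
	// Constructed input equivalent to the YAML in the issue, plus the new fields.
	cfg := StorageConfig{Type: "redis", DirCache: "/app/storage",
		Redis: RedisConfig{Addr: "redis:6379", DB: 2, Password: "s3cret"}}
	fmt.Println("buggy dials:", ResolveRedisBuggy(cfg).Addr)
	r, err := ResolveRedis(cfg)
	if err != nil {
		panic(err)
	}
	// Redacted() masks the password; log this form, never URL().String().
	fmt.Println("fixed dials:", r.Addr, "as", r.URL().Redacted())
}
```

Validating at startup is the cheap part; the part worth copying is that the password only ever reaches logs through url.URL.Redacted, so the "failed get certificate" line above could include the target address without leaking the credential.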

help needed

I have 3 docker containers running websites that listen on a unix socket instead of port 80. But after running nginx, I still could not access the https URL in the browser: 522 error.

./ssl-cert-server_0.2.0_linux_amd64 --listen=127.0.0.1:8999 \
    --email=[email protected] \
    --domain="bbs.antivte.com,ytb.antivte.com,cp.antivte.com,antivte.com" \
    -force-rsa true

The conf is like this:

events {
    worker_connections 1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    lua_shared_dict ssl_certs_cache 1m;

    init_by_lua_block {
        -- Define a function to determine which SNI domains to automatically
        -- handle and register new certificates for. Defaults to not allowing
        -- any domain, so this must be configured.
        -- The pattern is anchored and the dots are escaped so that only the
        -- four exact names match; an unanchored "antivte.com" would also accept
        -- any SNI name that merely contains it.
        function allow_domain(domain)
            if ngx.re.match(domain, "^(antivte\\.com|bbs\\.antivte\\.com|ytb\\.antivte\\.com|cp\\.antivte\\.com)$", "ijo") then
                return true
            end
            return false
        end

        -- Initialize backend certificate server instance.
        cert_server = (require "resty.ssl-cert-server").new({
            backend = '127.0.0.1:8999',
            allow_domain = allow_domain
        })
    }

    # HTTPS Server
    server {
        listen 443 ssl;

        # Works also with non-default HTTPS port.
        listen 8443 ssl;

        server_name bbs.antivte.com;  # <-- change this

        # Dynamic handler for issuing or returning certs for SNI domains.
        ssl_certificate_by_lua_block {
            cert_server:ssl_certificate()
        }

        # Fallback certificate required by nginx, self-signed is ok.
        # openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
        #   -subj '/CN=sni-support-required-for-valid-ssl' \
        #   -keyout /etc/nginx/certs/fallback-self-signed.key \
        #   -out /etc/nginx/certs/fallback-self-signed.crt
        ssl_certificate /etc/nginx/certs/fallback-self-signed.crt;
        ssl_certificate_key /etc/nginx/certs/fallback-self-signed.key;


        location / {
                proxy_pass http://unix:/var/discourse/shared/bbs/nginx.http.sock:;
                proxy_set_header Host $http_host;
                proxy_http_version 1.1;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Real-IP $remote_addr;
        }
    }

    # HTTP Server
    server {
        listen 80;
        server_name bbs.antivte.com;  # <-- change this

        # Endpoint used for performing domain verification with Let's Encrypt.
        location /.well-known/acme-challenge/ {
            content_by_lua_block {
                cert_server:challenge_server()
            }
        }

        # A server-level "return 301" runs before location matching and would
        # redirect the challenge requests too, so the redirect gets its own location.
        location / {
            return 301 https://$host$request_uri;
        }
    }


    # HTTPS Server
    server {
        listen 443 ssl;

        # Works also with non-default HTTPS port.
        listen 8443 ssl;

        server_name ytb.antivte.com;  # <-- change this

        # Dynamic handler for issuing or returning certs for SNI domains.
        ssl_certificate_by_lua_block {
            cert_server:ssl_certificate()
        }

        # Fallback certificate required by nginx, self-signed is ok.
        # openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
        #   -subj '/CN=sni-support-required-for-valid-ssl' \
        #   -keyout /etc/nginx/certs/fallback-self-signed.key \
        #   -out /etc/nginx/certs/fallback-self-signed.crt
        ssl_certificate /etc/nginx/certs/fallback-self-signed.crt;
        ssl_certificate_key /etc/nginx/certs/fallback-self-signed.key;

        location / {
                proxy_pass http://unix:/var/discourse/shared/ytb/nginx.http.sock:;
                proxy_set_header Host $http_host;
                proxy_http_version 1.1;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Real-IP $remote_addr;
        }        
    }

    # HTTP Server
    server {
        listen 80;
        server_name ytb.antivte.com;  # <-- change this

        # Endpoint used for performing domain verification with Let's Encrypt.
        location /.well-known/acme-challenge/ {
            content_by_lua_block {
                cert_server:challenge_server()
            }
        }

        # A server-level "return 301" runs before location matching and would
        # redirect the challenge requests too, so the redirect gets its own location.
        location / {
            return 301 https://$host$request_uri;
        }
    }
 
    # HTTPS Server
    server {
        listen 443 ssl;

        # Works also with non-default HTTPS port.
        listen 8443 ssl;

        server_name cp.antivte.com;  # <-- change this

        # Dynamic handler for issuing or returning certs for SNI domains.
        ssl_certificate_by_lua_block {
            cert_server:ssl_certificate()
        }

        # Fallback certificate required by nginx, self-signed is ok.
        # openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
        #   -subj '/CN=sni-support-required-for-valid-ssl' \
        #   -keyout /etc/nginx/certs/fallback-self-signed.key \
        #   -out /etc/nginx/certs/fallback-self-signed.crt
        ssl_certificate /etc/nginx/certs/fallback-self-signed.crt;
        ssl_certificate_key /etc/nginx/certs/fallback-self-signed.key;

        location / {
                proxy_pass http://unix:/var/discourse/shared/cp/nginx.http.sock:;
                proxy_set_header Host $http_host;
                proxy_http_version 1.1;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Real-IP $remote_addr;
        }
    }

    # HTTP Server
    server {
        listen 80;
        server_name cp.antivte.com;  # <-- change this

        # Endpoint used for performing domain verification with Let's Encrypt.
        location /.well-known/acme-challenge/ {
            content_by_lua_block {
                cert_server:challenge_server()
            }
        }

        # A server-level "return 301" runs before location matching and would
        # redirect the challenge requests too, so the redirect gets its own location.
        location / {
            return 301 https://$host$request_uri;
        }
    }
}

about the method of authenticating domain names

I see that a DNS key is used to authenticate domain names in the example.com.yaml configuration file. Can the web directory file method (/.well-known/acme-challenge) also be supported to authenticate domain names? How do I configure it?
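
Both issues above turn on the HTTP-01 challenge path. As an added example, not the project's challenge_server() or its backend, here is the work a responder behind that nginx location has to do: derive the account key's JWK thumbprint (RFC 7638), build the key authorization token.thumbprint (RFC 8555 section 8.1), and serve it only for tokens the ACME client registered, refusing anything that is not a well-formed token. The responder type, its Put registry, the listen address and the sample token are assumptions for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"regexp"
	"strings"
	"sync"
)

// JWKThumbprint is the RFC 7638 thumbprint of a P-256 account key: SHA-256 over
// the JWK holding only crv, kty, x, y in lexicographic order with no whitespace.
func JWKThumbprint(pub *ecdsa.PublicKey) (string, error) {
	if pub == nil || pub.Curve != elliptic.P256() {
		return "", errors.New("only P-256 account keys are handled in this example")
	}
	b64 := base64.RawURLEncoding.EncodeToString
	x := pub.X.FillBytes(make([]byte, 32)) // fixed 32-byte coordinates, leading zeros kept
	y := pub.Y.FillBytes(make([]byte, 32))
	jwk, err := json.Marshal(struct {
		Crv string `json:"crv"`
		Kty string `json:"kty"`
		X   string `json:"x"`
		Y   string `json:"y"`
	}{"P-256", "EC", b64(x), b64(y)})
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(jwk)
	return b64(sum[:]), nil
}

// KeyAuthorization is the exact body the CA fetches from the challenge URL.
func KeyAuthorization(token, thumbprint string) string {
	return token + "." + thumbprint
}

const challengePrefix = "/.well-known/acme-challenge/"

// Tokens are unpadded base64url (RFC 8555 section 8.3); "." and "/" are never
// valid, so a request path cannot be steered outside the registered set.
var tokenRe = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

// ChallengeResponder answers only for tokens the ACME client registered with Put.
type ChallengeResponder struct {
	mu      sync.RWMutex
	pending map[string]string // token -> key authorization
}

func NewChallengeResponder() *ChallengeResponder {
	return &ChallengeResponder{pending: make(map[string]string)}
}

func (c *ChallengeResponder) Put(token, keyAuth string) error {
	if !tokenRe.MatchString(token) {
		return fmt.Errorf("invalid ACME token %q", token)
	}
	c.mu.Lock()
	defer c.mu.Unlock()
	c.pending[token] = keyAuth
	return nil
}

func (c *ChallengeResponder) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	token := strings.TrimPrefix(r.URL.Path, challengePrefix)
	if token == r.URL.Path || !tokenRe.MatchString(token) {
		http.NotFound(w, r) // outside the prefix or malformed, e.g. "../index.html"
		return
	}
	c.mu.RLock()
	keyAuth, ok := c.pending[token]
	c.mu.RUnlock()
	if !ok {
		http.NotFound(w, r) // never registered
		return
	}
	w.Header().Set("Content-Type", "application/octet-stream")
	fmt.Fprint(w, keyAuth)
}

func main() {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	thumb, _ := JWKThumbprint(&key.PublicKey)
	c := NewChallengeResponder()
	token := "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA" // constructed sample token
	_ = c.Put(token, KeyAuthorization(token, thumb))
	http.Handle(challengePrefix, c) // the nginx challenge location forwards here
	panic(http.ListenAndServe("127.0.0.1:8999", nil))
}
```

The two properties that keep this endpoint from turning into a generic file server are that it never touches the filesystem and that it only answers for tokens registered in memory before the challenge is triggered; any other path under the prefix, including traversal attempts, is a plain 404.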

Error in ssl-cert-server.lua:375 when SSL server returns no certificate

There's an error when the SSL server returns nil instead of a certificate. I fixed it this way:

(ssl-cert-server/lib/resty/ssl-cert-server.lua:369):

if cert then
    -- Since certificate renewal happens well before expiry on the backend server,
    -- most probably the previous certificate is valid, so we use it if it is available.
    -- This avoids further requests within the next cache period triggering certificate
    -- requests to the backend, which may slow down nginx and raise pressure on a busy site.
    -- Also we consider a recently-expired certificate more friendly to our users
    -- than falling back to a self-signed certificate.
    if cert.expire_at <= ngx_time() then
        is_expired = true
        ngx_log(ngx_ERR, domain, ": fallback to expired certificate")
    end
else
    is_expired = true
    ngx_log(ngx_ERR, domain, ": fallback to expired certificate (no cert)")
end
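
As an added example in Go, not the project's Lua or Go code, here is the same three-way decision driven by a parsed certificate's NotAfter instead of a cached expire_at: serve the cached certificate while valid, keep serving it with a logged warning once expired, and fall back only when nothing is cached at all. ChooseCertificate, the Choice names and the SelfSignedPEM helper that manufactures test certificates are constructed for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"log"
	"math/big"
	"time"
)

// Choice is what the handshake will present when the backend returned nothing.
type Choice int

const (
	ServeCached   Choice = iota // cached certificate is inside its validity period
	ServeExpired                // expired, but still better for users than self-signed
	ServeFallback               // nothing cached; nginx's self-signed fallback is all that is left
)

func (c Choice) String() string {
	return [...]string{"cached", "expired", "fallback"}[c]
}

// ChooseCertificate is the decision for one handshake after the backend
// returned no certificate. cachedPEM is what the local cache holds, nil when
// the cache is empty; the nil case is exactly the one the Lua fix adds.
func ChooseCertificate(domain string, cachedPEM []byte, now time.Time) (*x509.Certificate, Choice, error) {
	if cachedPEM == nil {
		log.Printf("%s: fallback to self-signed certificate (no cert)", domain)
		return nil, ServeFallback, nil
	}
	block, _ := pem.Decode(cachedPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, ServeFallback, errors.New("cached data is not a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, ServeFallback, err
	}
	if !now.Before(cert.NotAfter) {
		// Renewal normally happens well before NotAfter, so reaching this point
		// means the backend has been unreachable for a while: keep serving, but
		// make the condition visible in the error log.
		log.Printf("%s: fallback to expired certificate (NotAfter %s)", domain, cert.NotAfter.UTC().Format(time.RFC3339))
		return cert, ServeExpired, nil
	}
	return cert, ServeCached, nil
}

// SelfSignedPEM builds a throwaway certificate with the given validity window
// so the decision can be exercised offline (constructed test data, not a real issuance).
func SelfSignedPEM(domain string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: domain},
		DNSNames:     []string{domain},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	now := time.Now()
	// Three cache states: a valid certificate, an expired one, and an empty cache.
	valid, _ := SelfSignedPEM("example.test", now.Add(-24*time.Hour), now.Add(30*24*time.Hour))
	expired, _ := SelfSignedPEM("example.test", now.Add(-60*24*time.Hour), now.Add(-time.Hour))
	for name, pemBytes := range map[string][]byte{"valid": valid, "expired": expired, "nothing": nil} {
		_, choice, _ := ChooseCertificate("example.test", pemBytes, now)
		fmt.Println(name, "->", choice)
	}
}
```

Note the asymmetry: a corrupt cache entry is an error the caller should surface and repair, while an expired entry is deliberately not an error, because presenting a stale certificate for a known name is the lesser harm compared with a self-signed fallback that every client will reject.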

runtime error: invalid memory address or nil pointer dereference

Hello,
I'm experiencing an issue, can you help to resolve this?
It runs in a docker container; maybe some params are needed?

openresty-ssl-server-1  | 2022-09-15T09:36:13.531Z      INFO    http/server.go:3197     http: panic serving 172.22.0.4:49688: runtime error: invalid memory address or nil pointer dereference
openresty-ssl-server-1  | goroutine 20 [running]:
openresty-ssl-server-1  | net/http.(*conn).serve.func1()
openresty-ssl-server-1  |       /usr/local/go/src/net/http/server.go:1825 +0xbf
openresty-ssl-server-1  | panic({0x17c0780, 0x2befda0})
openresty-ssl-server-1  |       /usr/local/go/src/runtime/panic.go:844 +0x258
openresty-ssl-server-1  | github.com/jxskiss/ssl-cert-server/server.(*acmeImpl).newACMEClient(0xc0004690e0, {0x1e1dd70, 0xc000459080}, {0x0?, 0x0?})
openresty-ssl-server-1  |       /go/pkg/mod/github.com/jxskiss/[email protected]/server/acme_client.go:62 +0x55d
openresty-ssl-server-1  | github.com/jxskiss/ssl-cert-server/server.(*acmeImpl).issueCertificate(0xc0004690e0, {0x1e1dd70, 0xc000459080}, {0x0, 0x0}, {0xc000476d10, 0x1, 0x1})
openresty-ssl-server-1  |       /go/pkg/mod/github.com/jxskiss/[email protected]/server/acme_client.go:77 +0x9c
openresty-ssl-server-1  | github.com/jxskiss/ssl-cert-server/server.(*acmeImpl).loadOnDemandCertificateFromStorageOrCreate(0xc0004690e0, {0x1e1dd70, 0xc000459080}, 0xc000458ec0, 0x1)
openresty-ssl-server-1  |       /go/pkg/mod/github.com/jxskiss/[email protected]/server/acme.go:206 +0x33c
openresty-ssl-server-1  | github.com/jxskiss/ssl-cert-server/server.(*acmeImpl)._getOnDemandCertificate(0xc0004690e0, {0x1e1dd70, 0xc000459080}, {0xc000453d4a, 0xd}, 0xea?)
openresty-ssl-server-1  |       /go/pkg/mod/github.com/jxskiss/[email protected]/server/acme.go:172 +0x125
openresty-ssl-server-1  | github.com/jxskiss/ssl-cert-server/server.(*acmeImpl).GetOnDemandCertificate(0xc0004690e0, {0x1e1dd70?, 0xc000459080}, {0xc000453d4a, 0xd}, 0x0?)
openresty-ssl-server-1  |       /go/pkg/mod/github.com/jxskiss/[email protected]/server/acme.go:147 +0x4a
openresty-ssl-server-1  | github.com/jxskiss/ssl-cert-server/server.(*Server).GetCertificate(0xc00007d260, {0x1e1dd70, 0xc000459080}, 0x4?)
openresty-ssl-server-1  |       /go/pkg/mod/github.com/jxskiss/[email protected]/server/server.go:90 +0x469
openresty-ssl-server-1  | github.com/jxskiss/ssl-cert-server/server.(*v1APIImpl).HandleCertificate(0xc00041ea80, {0x1e1d3d8, 0xc0000f2700}, 0xc000172800?)
