https://github.com/torhve/lua-resty-letsencrypt

Lua script for Nginx to automatically get certificates from LetsEncrypt CA
Name
====

lua-resty-letsencrypt - Automatically fetch and renew TLS certificates on the fly using LetsEncrypt CA.

Table of Contents
=================

* [Name](#name)
* [Status](#status)
* [Description](#description)
* [Installation](#installation)
* [Configuration](#configuration)
* [Todo](#todo)
* [Copyright and License](#copyright-and-license)
* [See Also](#see-also)

Status
======

This software is considered experimental and still under active development.

Description
===========

On the fly SSL registration and renewal inside [OpenResty/nginx](http://openresty.org) using [Let's Encrypt](https://letsencrypt.org).

In practice this means that on first HTTPS connection from a web client to the web server, this software will:
- Make an account for LetsEncrypt
- Create CSR and send to LetsEncrypt
- Put challenges on a well known URL and serve that
- Get signed cert from LetsEncrypt and store it on the filesystem
- Continue SSL handshake with client using the newly issued cert

On subsequent requests the certificates are loaded from the filesystem and cached in nginx memory; if the cached certificate expires in less than a week, a new certificate is requested from LetsEncrypt.

This software uses the ssl_certificate_by_lua functionality in OpenResty 1.9.7.2+.
It requires an nginx build with OpenSSL 1.0.2e or later, the [ngx_lua module](http://wiki.nginx.org/HttpLuaModule), and [LuaJIT 2.0](http://luajit.org/luajit.html).

It is built using Kim Alvefur's ACME implementation for Lua, whose only dependency is luaossl (http://25thandclement.com/~william/projects/luaossl.html), which can be installed using [LuaRocks](http://openresty.org/#UsingLuaRocks).
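The challenge step in the flow above (put the challenge on a well-known URL and serve it over plain HTTP) is worth seeing end to end. The following is an added illustration in Python, not code from this project or from lua-acme: it computes the account-key thumbprint and http-01 key authorization the way ACME defines them (RFC 7638 and RFC 8555), models the `/.well-known/acme-challenge/` lookup that the nginx `location /.well-known` performs against a token store (standing in for the `lua_shared_dict`), and models the check the CA performs on what it fetches. The account JWK and token are constructed sample values, not real keys; the modulus `n` is not a real RSA modulus.

```python
import base64
import hashlib
import json

# Constructed sample account key (NOT a real RSA key; "n" is filler).
# Extra members such as "kid" are deliberately present to show that the
# thumbprint ignores them.
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy1WlUzewbg",
    "kid": "constructed-account-id",
}
# Constructed challenge token (the CA normally generates this).
SAMPLE_TOKEN = "constructed-token-AbC123xyz"

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    public members only (RSA: e, kty, n; EC: crv, kty, x, y), keys sorted
    lexicographically, no whitespace. Optional members (kid, alg, use) are
    excluded, so the thumbprint is stable across JWK representations."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """The http-01 response body: token '.' thumbprint (RFC 8555 section 8.1).
    Binding the token to the account key is what stops another ACME account
    from completing a challenge using a token it merely observed."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def pending_store() -> dict:
    """What the ACME client writes into the shared store when it accepts a
    challenge: token -> key authorization. Constructed for this example."""
    return {SAMPLE_TOKEN: key_authorization(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)}


def serve_challenge(request_path: str, pending: dict):
    """Model of the plain-HTTP /.well-known handler: answer only exact,
    known tokens under the acme-challenge prefix; everything else is 404.
    Returns (status, body)."""
    if not request_path.startswith(CHALLENGE_PREFIX):
        return 404, ""
    token = request_path[len(CHALLENGE_PREFIX):]
    if token == "" or "/" in token or token not in pending:
        return 404, ""
    return 200, pending[token]


def validate_response(body: str, token: str, account_jwk: dict) -> bool:
    """Model of the CA-side check: the fetched body must equal the key
    authorization for this token and this account key."""
    return body.strip() == key_authorization(token, account_jwk)


if __name__ == "__main__":
    status, body = serve_challenge(CHALLENGE_PREFIX + SAMPLE_TOKEN, pending_store())
    print(status, body)
    print("valid:", validate_response(body, SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
```

The practical point for this module is that the port-80 server must keep serving exactly this path while the TLS handshake on port 443 is waiting for the certificate; a redirect-all-HTTP-to-HTTPS rule placed ahead of the `/.well-known` location breaks the challenge.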

Installation
=============

Requirements:

- [OpenResty](http://openresty.org/#Download) 1.9.7.2 or higher
- OpenSSL 1.0.2e or higher
- [LuaRocks](http://openresty.org/#UsingLuaRocks)

Install OpenResty and LuaRocks, then install luaossl:

```
sudo luarocks install luaossl
```

Create directory for storing certificates and letsencrypt data.

```
mkdir -p /etc/nginx/letsencrypt/
# Make it writable by nginx user (often www-data)
chown www-data /etc/nginx/letsencrypt/
```

Put `letsencrypt.lua` somewhere in the lua_package_path.

[Back to TOC](#table-of-contents)

Configuration
=============

Example `nginx.conf`

```
# The HTTP client needs a resolver. Google's public resolver is used as an example:
resolver 8.8.8.8;

# Storage for challenge tokens and the certificate cache
lua_shared_dict acme 1m;

server {
    # Non-HTTPS server for serving challenges
    listen 80;
    listen [::]:80;

    location /.well-known {
        content_by_lua_block {
            letsencrypt:challenge()
        }
    }
}

init_by_lua_block {
    -- The staging directory is used by default; please test with that first.
    -- Once you feel ready you can uncomment the second directory_url line.
    local conf = {
        domains = {'www.example.com', 'example.com'}, -- domains that we should fetch certs for
        root = '/etc/nginx/letsencrypt/', -- Trailing slash is important. Must be included.
        directory_url = "https://acme-staging.api.letsencrypt.org/directory",
        --directory_url = "https://acme-v01.api.letsencrypt.org/directory",
        contact = 'mailto:[email protected]',
        agreement = 'https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf',
    }
    letsencrypt = (require 'letsencrypt').new(conf)
}

server {
    listen 443 http2 ssl;

    # Fallback, needs to be a valid file, can be self signed:
    # openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
    #   -subj '/CN=resty-auto-ssl-fallback' \
    #   -keyout /etc/ssl/letsencrypt-fallback.key \
    #   -out /etc/ssl/letsencrypt-fallback.crt
    ssl_certificate /etc/ssl/letsencrypt-fallback.crt;
    ssl_certificate_key /etc/ssl/letsencrypt-fallback.key;

    ssl_certificate_by_lua_block {
        letsencrypt:ssl()
    }

    ... more conf here ...
}
```

Start nginx and watch error.log for any messages, especially on the first HTTPS connection, when registration and issuance happen.

[Back to TOC](#table-of-contents)

TODO
====

- Request multiple domains in certs.
- Alternative storage for certs/account (i.e. redis)
- Extensible caching
- Rate limits so we ensure we don't send too many requests to LetsEncrypt
- Cache cert conversion
- Configurable logging
- Use Squish to generate one big file: http://matthewwild.co.uk/projects/squish/readme.html or https://code.zash.se/luaunbound/file/tip/squish.sh
- Write FFI to openssl to have one less dependency?

[Back to TOC](#table-of-contents)

Copyright and License
=====================

This module is licensed under the MIT license.

Copyright (c) 2016 Tor Hveem

Copyright (c) 2016 Kim Alvefur

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

[Back to TOC](#table-of-contents)

See Also
========

* the ngx_lua module: http://wiki.nginx.org/HttpLuaModule
* lua-acme readme https://www.zash.se/lua-acme.html
* lua-acme repo https://code.zash.se/lua-acme/
* lua-jwc repo https://code.zash.se/lua-jwc/
* Alternative implementation, lua-resty-auto-ssl https://github.com/GUI/lua-resty-auto-ssl

[Back to TOC](#table-of-contents)