Thanks for this article, I was able to generate SSL for all custom domains using this tutorial:
gateclose.org (a custom domain that now has SSL on it)
nbstgloballtd.com.ng (the main server)
But I have a little problem: custom domains do not redirect to HTTPS by default, and for a custom domain to get data from the main server it needs to include https, so I have to enter https manually. Please, is there any way I can redirect all custom domains to HTTPS in OpenResty?
Dude, this is not merely a wonderful story of ingenuity, but a master class in how-to-investigate-and-optimize-design-for-all-stakeholders. Huzzah, HUZZAH, HUZZAH (three cheers)!
We are also using the same lua-resty-auto-ssl; it works great :). By the way, there are a few rate limits imposed by Let's Encrypt, e.g. you can create 50 certificates per week. You can check them out here: letsencrypt.org/docs/rate-limits. Just curious, how are you going to tackle this?
Hey Sivaram! The 50 certs/week limit is per registered domain. For example, sandeep.dev and blog.sandeep.dev: in this case the registered domain is sandeep.dev and hence it is subject to the 50 certs/week limit. Normally, you can create 300 new orders per 3 hours; it is highly unlikely that we will hit that limit.
Can you clarify what you mean by create 300 new orders per 3 hours? What is the context?
Oh, I just read the LE rate limit link above. So, if I understand correctly, 300 new orders (300 registered domains) per account (hashnode account) per 3 hours translates to every 3 hours you can create 300 custom domain registration SSL certs.
If you're running in Kubernetes (or at some point decide to move this), Bitnami recently released a runtime that automates this by using NGINX's Ingress Controller, External-DNS and Cert-Manager.
How do you guys force a redirect to HTTPS for an arbitrary domain? I'm stuck on it, facing "too many redirects".

    # HTTPS server: certificates are looked up (or issued) per SNI name by lua-resty-auto-ssl
    server {
        listen 443 ssl;

        ssl_certificate_by_lua_block {
            auto_ssl:ssl_certificate()
        }

        location / {
            proxy_pass http://localhost:4444;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
            proxy_redirect off;
            #try_files $uri $uri/ /;
        }

        location @rewrites {
            rewrite ^(.+)$ / last;
        }

        # static fallback certificate; nginx will not start without one
        ssl_certificate /etc/letsencrypt/live/mydomain/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/mydomain/privkey.pem;
    }

    # HTTP server: answer ACME challenges, redirect everything else to HTTPS
    server {
        listen 80;

        location /.well-known/acme-challenge/ {
            content_by_lua_block {
                auto_ssl:challenge_server()
            }
        }

        location / {
            return 301 https://$host$request_uri;
        }
    }
Hi, very useful. I am looking for some alternatives I could use with Kubernetes in an automated way, but haven't had much success so far. Perhaps I could have the app create an Ingress whenever a user adds a custom domain, and let cert-manager handle the certificate for me, but I am not sure yet if this is the best approach with Kubernetes. Anyway, what I wanted to ask you is whether you have run into any limits, not just with Let's Encrypt, but with the OpenResty solution. How many certificates can be handled by the Lua part and by OpenResty/nginx itself? Would this scale to thousands or hundreds of thousands of users if the app is successful? If scalability is not a huge issue with this solution I might try to adapt it to Kubernetes by using SSL passthrough from the ingress controller to a customised instance of OpenResty. Thanks in advance!
Thanks for such a useful article.
I would appreciate it if you'd look into some issues I have regarding this... stackoverflow.com/questions/61349531/confi…
How do I check if a cert was indeed generated for an arbitrary domain? I followed this guide but it doesn't seem to be working. Also, what are the last two server blocks for (the one with auto_ssl:challenge_server() and the one with auto_ssl:hook_server())? Are they necessary for the auto SSL certs to be generated?
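A complete OpenResty configuration tying together the three questions above (redirecting custom domains to HTTPS, the "too many redirects" loop, and what the challenge and hook server blocks are for). This is an added example, not configuration from the article or from any commenter: it assumes the upstream app listens on localhost:4444 as in the posted config, uses hypothetical fallback certificate paths under /etc/ssl/, and stands in a constructed Lua table for whatever lookup your app really does to decide which custom domains are registered.

```nginx
events {
  worker_connections 1024;
}

http {
  # Shared storage for issued certificates and for the hook server's secret.
  lua_shared_dict auto_ssl 1m;
  lua_shared_dict auto_ssl_settings 64k;

  # A resolver is required for the ACME client and for OCSP stapling.
  resolver 8.8.8.8 ipv6=off;

  init_by_lua_block {
    auto_ssl = (require "resty.auto-ssl").new()

    -- Only issue certificates for domains the app has actually registered.
    -- Returning true unconditionally lets anyone who points a DNS record at
    -- this server trigger issuance and burn the Let's Encrypt rate limits.
    -- Constructed stand-in: a real deployment would consult the app's database
    -- or an ngx.shared dict the app keeps up to date.
    local registered = {
      ["gateclose.org"] = true,
    }
    auto_ssl:set("allow_domain", function(domain)
      return registered[domain] == true
    end)

    auto_ssl:init()
  }

  init_worker_by_lua_block {
    auto_ssl:init_worker()
  }

  # HTTPS: serve whichever certificate matches the SNI name, issuing on demand.
  server {
    listen 443 ssl;

    ssl_certificate_by_lua_block {
      auto_ssl:ssl_certificate()
    }

    # nginx refuses to start without a static certificate. This self-signed
    # fallback (assumed path) is only served when the Lua handler has nothing
    # for the requested SNI name.
    ssl_certificate     /etc/ssl/resty-auto-ssl-fallback.crt;
    ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;

    location / {
      proxy_pass http://localhost:4444;
      proxy_http_version 1.1;
      proxy_set_header Host $host;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      # Tell the app the client arrived over TLS. An app that enforces HTTPS
      # itself otherwise sees plain HTTP from the proxy, answers with a
      # redirect to https://, and the loop shows up as "too many redirects".
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_redirect off;
    }
  }

  # HTTP: answer ACME http-01 challenges, send everything else to HTTPS.
  # The challenge location must stay reachable over plain HTTP, so it is
  # matched before the catch-all redirect.
  server {
    listen 80;

    location /.well-known/acme-challenge/ {
      content_by_lua_block {
        auto_ssl:challenge_server()
      }
    }

    location / {
      return 301 https://$host$request_uri;
    }
  }

  # Internal hook server: the ACME client calls back here to store challenge
  # responses and issued certificates. Bind it to loopback only; it must never
  # be reachable from the network.
  server {
    listen 127.0.0.1:8999;
    client_body_buffer_size 128k;
    client_max_body_size 128k;

    location / {
      content_by_lua_block {
        auto_ssl:hook_server()
      }
    }
  }
}
```

Both extra server blocks are required: without the port-80 challenge handler Let's Encrypt cannot validate the domain, and without the loopback hook server the ACME client has nowhere to hand the challenge response and the finished certificate back to nginx. To confirm a certificate was really issued for a custom domain, connect with SNI set to that domain and inspect what comes back, e.g. `openssl s_client -servername gateclose.org -connect nbstgloballtd.com.ng:443 </dev/null | openssl x509 -noout -subject -issuer -dates`; if the issuer is still the self-signed fallback, check the OpenResty error log and the `allow_domain` decision first.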
Would love to read more articles like this. Thank you for writing, Sandeep. Sandeep Panda
I have one small doubt here: I guess you are using Vercel for deployments and adding domains to Vercel, right? Then why do you need to generate SSL certs on your own?