On the fly (and free) SSL registration and renewal

On the fly (and free) SSL registration and renewal inside OpenResty/nginx with Let’s Encrypt.

This OpenResty plugin automatically and transparently issues SSL certificates from Let’s Encrypt (a free certificate authority) as requests are received. It works like:

  • An SSL request for an SNI hostname is received.
  • If the system already has an SSL certificate for that domain, it is returned immediately (with OCSP stapling).
  • If the system does not yet have an SSL certificate for this domain, it issues a new SSL certificate from Let’s Encrypt. Domain validation is handled for you. After receiving the new certificate (usually within a few seconds), the new certificate is saved, cached, and returned to the client (without dropping the original request).

This uses the ssl_certificate_by_lua functionality in OpenResty.

OpenResty (Nginx) with dynamically generated certificates

“Dynamically generated certificates can be used as a solution for web inspection (on both URL and content) and blocking (for example, denying executable downloads, denying uploads, denying certain URLs, or specific content) of secured connections. Each connection will be proxied through Nginx, and as such the default Nginx content filtering capabilities can be used.

On each HTTPS request the Lua code will check if the certificate has already been generated. If not, it will generate a new private key, create a certificate signing request, and sign the certificate with the defined certificate authority. The certificate authority needs to be trusted by the client browser. The generation of the certificate is guarded by a lock on the common name, to prevent race conditions when generating multiple certificates for the same common name at the same time.

This solution builds on the work of @agentzh, one of the developers of OpenResty. The ssl-cert-by-lua branch of the lua-nginx-module enables you to use SSL functions from lua…”
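Both passages above describe the same per-handshake flow: read the SNI hostname in ssl_certificate_by_lua, serve a cached certificate if one exists, otherwise take a lock on the hostname, obtain a certificate, cache it, and hand it to the client without dropping the request. The configuration below is an added example written for this page; it is not code from either project quoted above. It assumes OpenResty with lua-resty-core (the ngx.ssl module) and lua-resty-lock, a fallback certificate at the paths shown, and a hypothetical issue_certificate() function standing in for the ACME exchange or internal-CA signing, which is the part each project implements differently.

```nginx
# Added example, not from the original page or the projects it describes.
# Assumes OpenResty with lua-resty-core (ngx.ssl) and lua-resty-lock.
http {
    lua_shared_dict certs      10m;  # cache: "<host>:cert" / "<host>:key" -> PEM
    lua_shared_dict cert_locks  1m;  # backing store for resty.lock

    init_by_lua_block {
        -- Hypothetical placeholder: perform the ACME exchange with Let's
        -- Encrypt or sign a CSR with a local CA. Must return cert_pem, key_pem
        -- on success or nil, err on failure. Not implemented in this example.
        function issue_certificate(domain)
            return nil, "issue_certificate() is a placeholder"
        end

        -- Issuance must be restricted to hostnames you control: accepting any
        -- SNI value lets a client burn CA rate limits and fill the cache.
        function is_allowed_domain(domain)
            return domain == "example.com" or domain:match("%.example%.com$") ~= nil
        end
    }

    server {
        listen 443 ssl;
        # Served only when no per-hostname certificate could be installed.
        ssl_certificate     /etc/ssl/fallback.crt;
        ssl_certificate_key /etc/ssl/fallback.key;

        ssl_certificate_by_lua_block {
            local ssl   = require "ngx.ssl"
            local lock  = require "resty.lock"
            local cache = ngx.shared.certs

            -- Step 1: which hostname did the client ask for?
            local domain = ssl.server_name()
            if not domain or not is_allowed_domain(domain) then
                return  -- keep the fallback certificate for this handshake
            end

            -- Replace the fallback cert/key on this connection with a PEM pair.
            local function install(cert_pem, key_pem)
                local cert_der, err = ssl.cert_pem_to_der(cert_pem)
                if not cert_der then return nil, err end
                local key_der, kerr = ssl.priv_key_pem_to_der(key_pem)
                if not key_der then return nil, kerr end
                ssl.clear_certs()
                local ok, serr = ssl.set_der_cert(cert_der)
                if not ok then return nil, serr end
                return ssl.set_der_priv_key(key_der)
            end

            -- Step 2: fast path, certificate already cached for this hostname.
            local cert_pem = cache:get(domain .. ":cert")
            local key_pem  = cache:get(domain .. ":key")
            if cert_pem and key_pem then
                local ok, err = install(cert_pem, key_pem)
                if not ok then ngx.log(ngx.ERR, "install failed: ", err) end
                return
            end

            -- Step 3: slow path, serialise issuance per hostname so concurrent
            -- handshakes for the same name do not each request a certificate.
            local l, err = lock:new("cert_locks", { exptime = 60, timeout = 30 })
            if not l then
                ngx.log(ngx.ERR, "lock init failed: ", err)
                return
            end
            local elapsed, lerr = l:lock("issue:" .. domain)
            if not elapsed then
                ngx.log(ngx.ERR, "lock failed for ", domain, ": ", lerr)
                return
            end

            -- Another worker may have finished while we waited: re-check.
            cert_pem = cache:get(domain .. ":cert")
            key_pem  = cache:get(domain .. ":key")
            if not (cert_pem and key_pem) then
                cert_pem, key_pem = issue_certificate(domain)
                if cert_pem and key_pem then
                    -- Cache for a day; renewal happens on the next miss.
                    cache:set(domain .. ":cert", cert_pem, 86400)
                    cache:set(domain .. ":key",  key_pem,  86400)
                else
                    ngx.log(ngx.ERR, "issuance failed for ", domain, ": ", key_pem)
                end
            end
            l:unlock()

            if cert_pem and key_pem then
                local ok, ierr = install(cert_pem, key_pem)
                if not ok then ngx.log(ngx.ERR, "install failed: ", ierr) end
            end
        }
    }
}
```

The double check after acquiring the lock is what prevents the race described in the quoted text: the first handshake for a hostname performs the issuance, and every handshake that arrived meanwhile finds the cached result once the lock is released instead of repeating it. Keys are held only in the shared dict here; a deployment would also persist them (the first project saves and caches them) so a worker restart does not trigger re-issuance, and the allow-list should be the first thing reviewed, since an open one turns the server into an on-demand issuer for any name a client puts in SNI.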