在openresty 使用 lua-resty-auto-ssl 自动申请和续期Let's Encrypt 证书

自动摘要

正在生成中……

安装luarocks

首先安装luarocks, 这是一个类似php的composer ，nodejs的npm 第三方包管理工具。

wget http://luarocks.org/releases/luarocks-2.0.13.tar.gz //下载，为了保持兼容性使用这个版本
tar -xzvf luarocks-2.0.13.tar.gz //解压
cd luarocks-2.0.13/
//这里需要注意prefix 路径跟自己的openresty安装路径是否匹配
./configure --prefix=/usr/local/openresty/luajit \
    --with-lua=/usr/local/openresty/luajit/ \
    --lua-suffix=jit \
    --with-lua-include=/usr/local/openresty/luajit/include/luajit-2.1
make
sudo make install

注意，安装完之后 luarocks 命令位于 /usr/local/openresty/luajit/bin ，不在PATH变量里，需要请自行在 ~/.profile 加入。

export PATH="/usr/local/openresty/luajit/bin:$PATH"

注意：openresty官方不推荐使用luarocks

请注意！LuaRocks 并不是 OpenResty 官方推荐的装包方式。LuaRocks 上绝大部分的 Lua 库都可能会阻塞 OpenResty 的事件循环，而让性能急剧下降。推荐使用 OPM。

安装lua-resty-auto-ssl

luarocks install lua-resty-auto-ssl
sudo mkdir /etc/resty-auto-ssl
sudo chown nobody /etc/resty-auto-ssl #这个权限名称基于nginx worker, openresty 默认使用nobody

生成自签名的 fallback SSL证书，绕过 nginx 启动时的限制

    sudo openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
   -subj '/CN=sni-support-required-for-valid-ssl' \
   -keyout /etc/ssl/resty-auto-ssl-fallback.key \
   -out /etc/ssl/resty-auto-ssl-fallback.crt

修改 openresty 配置

在 /etc/openresty 加入配置文件 resty-http.conf 给后面在nginx.conf中include

# The "auto_ssl" shared dict should be defined with enough storage space to
# hold your certificate data. 1MB of storage holds certificates for
# approximately 100 separate domains.
lua_shared_dict auto_ssl 1m;
 
# The "auto_ssl" shared dict is used to temporarily store various settings
# like the secret used by the hook server on port 8999. Do not change or
# omit it.
lua_shared_dict auto_ssl_settings 64k;
 
# A DNS resolver must be defined for OCSP stapling to function.
#
# This example uses Google's DNS server. You may want to use your system's
# default DNS servers, which can be found in /etc/resolv.conf. If your network
# is not IPv6 compatible, you may wish to disable IPv6 results by using the
# "ipv6=off" flag (like "resolver 8.8.8.8 ipv6=off").
resolver 8.8.8.8;
 
# Initial setup tasks.
init_by_lua_block {
    auto_ssl = (require "resty.auto-ssl").new()
    auto_ssl:set("allow_domain", function(domain)
      return true
    end)
 
    auto_ssl:init()
}
 
init_worker_by_lua_block {
    auto_ssl:init_worker()
}
 
server {
    listen 127.0.0.1:8999;
 
    client_body_buffer_size 128k;
    client_max_body_size 128k;
 
    location / {
      content_by_lua_block {
        auto_ssl:hook_server()
      }
    }
}

定义个文件用来给Let's Encrypt用来域名验证（resty-server-http.conf）：

location /.well-known/acme-challenge/ {
    auth_basic off;
    content_by_lua_block {
        auto_ssl:challenge_server()
    }
}

将上面两个文件嵌入到nginx.conf对应的位置

#user  nobody;
worker_processes  2;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

   include resty-http.conf;#引入上文文件

    server {
        listen       80;
        server_name  _;

	include resty-server-http.conf; #用于申请证书
    

    location / {
        return 301 https://$host$request_uri;
    }

        #charset koi8-r;

        #access_log  logs/host.access.log  main;



        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }


    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}


    # HTTPS server
    #
	server {
		listen       443 ssl;
		server_name  你的域名;
		# 若当前还没有证书或已过期则自动申请
		ssl_certificate_by_lua_block {
			auto_ssl:ssl_certificate()
		}

		# 这里配上之前我们生成的自签名证书，否则会报错
		ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt;
		ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;

	}

}