How OpenResty Edge Automates SSL/TLS Certificate Management with ACME Protocol
In an era where HTTPS has become standard, managing SSL/TLS certificates remains a pain point for many teams. The process involves application, upload, renewal, and verification, and a single misstep can lead to site-wide access issues. We have previously covered two common approaches: automatic certificate issuance with Let’s Encrypt, and manually uploading SSL certificates via the Edge console. This article introduces a new method for certificate management in OpenResty Edge using the ACME protocol. OpenResty Edge has, in fact, always supported the ACME protocol, allowing integration with various CA providers such as Google Trust Services, ZeroSSL, DigiCert, and Sectigo (via the External Account Binding (EAB) extension). This enables one-click configuration for the automatic issuance and renewal of certificates, including wildcard and multi-domain certificates, eliminating the tedious manual processes of application, upload, and renewal.
What is the ACME protocol?
In modern website architectures, the application, renewal, and management of SSL/TLS certificates are crucial for ensuring business security. However, for operations teams, this process is often both cumbersome and prone to errors.
OpenResty Edge implements the core functionalities of the ACME protocol. It supports automated certificate management and issuance, empowering users to manage the certificate lifecycle of large-scale sites in a more flexible and secure manner.
OpenResty Edge provides:
- Automated Certificate Application and Renewal: Fully automates the entire process of certificate application, validation, and renewal via the ACME protocol.
- Domain Ownership Validation: Supports both HTTP-01 and DNS-01 validation methods.
- ACME Server Interaction and Task Scheduling: Centralized management of certificate issuance tasks, including automatic retries and renewal polling.
- Certificate Storage, Retrieval, and Distribution: The Edge platform features a built-in certificate storage and distribution mechanism, eliminating the need for additional clients.
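To make the two validation methods concrete, the following added example (written for this article, not code from OpenResty Edge) computes what an ACME client must publish for each challenge type, following RFC 8555 and RFC 7638: the account-key JWK thumbprint, the HTTP-01 key authorization served under `/.well-known/acme-challenge/<token>`, and the DNS-01 TXT value placed at `_acme-challenge.<domain>`. The account key and the token are constructed placeholders, not real key material. Knowing these values lets an operator check what a node should be serving, or what a DNS provider should hold, when a validation fails.

```python
import base64
import hashlib
import json

# Constructed RSA public JWK. "n" is a short placeholder, not a real modulus;
# a real ACME account key carries a 2048-bit or larger value.
ACCOUNT_JWK = {
    "kty": "RSA",
    "alg": "RS256",           # not part of the thumbprint input (RFC 7638)
    "kid": "edge-account-1",  # not part of the thumbprint input (RFC 7638)
    "n": "3tR8K9YxV2b1Q7w",   # constructed placeholder
    "e": "AQAB",
}

# RFC 7638: only the required public members, in lexicographic order and
# without whitespace, feed the thumbprint hash.
REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk_json(jwk: dict) -> str:
    """The exact JSON string RFC 7638 hashes for this key type."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members},
                      sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(canonical_jwk_json(jwk).encode()).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' base64url(JWK thumbprint)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict):
    """Path and body the Edge Node must serve over plain HTTP for HTTP-01."""
    return "/.well-known/acme-challenge/" + token, key_authorization(token, jwk)


def dns01_record(domain: str, token: str, jwk: dict):
    """TXT record name and value for DNS-01.

    For a wildcard such as *.example.com the record lives under the base
    name, _acme-challenge.example.com, which is why wildcards need DNS-01.
    """
    base = domain[2:] if domain.startswith("*.") else domain
    digest = hashlib.sha256(key_authorization(token, jwk).encode()).digest()
    return f"_acme-challenge.{base}", b64url(digest)


if __name__ == "__main__":
    token = "constructed-token-value"  # a real token comes from the CA
    print("HTTP-01:", *http01_response(token, ACCOUNT_JWK))
    print("DNS-01: ", *dns01_record("*.example.com", token, ACCOUNT_JWK))
```

The `alg` and `kid` members are deliberately dropped before hashing: a thumbprint computed over the whole JWK object would not match what the CA derives, and every challenge would fail even though the key itself is correct.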
Why do we need the ACME protocol?
Historically, OpenResty Edge users typically configured SSL/TLS certificates in two ways: manually uploading them, or relying on Let’s Encrypt (LE) for automatic issuance. Both approaches presented significant limitations:
- Let’s Encrypt Rate Limits: Issuance frequency is restricted per account or per domain.
- Limited Certificate Sources: No support for multiple issuers or for internal enterprise CAs.
- Complex Management: Certificate updates were often error-prone in multi-tenant, multi-domain environments.
The ACME protocol for certificate management offers a powerful solution:
- Overcome LE Limitations: Supports multiple issuers and multi-account configurations, so issuance-frequency restrictions are easy to work around.
- Flexible CA Selection: Beyond Let’s Encrypt, choose from ZeroSSL, Buypass, or even your own self-hosted ACME services.
- Integrated Management: Centralized certificate viewing, distribution, and updates directly within the Edge platform, significantly reducing operational burden.
How to automatically provision certificates in OpenResty Edge via ACME protocol
First, in the certificate issuer settings on the global configuration page, add the certificate issuer information.
Then, on the application’s SSL page, either apply a global certificate to the entire application, or add an SSL certificate specific to the application by clicking the “Add Certificate” button.
After clicking “Add Certificate”, you can generate certificates from any ACME-compliant issuer, not only Let’s Encrypt. Before issuing, make sure the domain’s DNS already resolves to your Edge Node gateway server: for HTTP-01 validation the CA must be able to fetch the challenge response from that node, so a domain that still points elsewhere will fail validation.
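The DNS prerequisite above is easy to check before clicking “Add Certificate”. The following is an added pre-flight script written for this article (not part of OpenResty Edge); it resolves each domain and reports whether every returned address belongs to the Edge Node address set. The node addresses and the fake resolver table are constructed test data; replace `NODE_ADDRESSES` with your own node IPs and drop the `resolve=` argument to use the system resolver. It also flags wildcard names, which the page notes require DNS-01 rather than HTTP-01.

```python
import ipaddress
import socket

# Constructed Edge Node addresses (documentation ranges, not real hosts).
NODE_ADDRESSES = {"203.0.113.10", "2001:db8::10"}

# Constructed resolver table used for the offline demonstration below.
FAKE_DNS = {
    "www.example.com": {"203.0.113.10"},
    "api.example.com": {"203.0.113.10", "198.51.100.7"},  # one stale record
    "old.example.com": {"198.51.100.7"},
    "example.com": {"203.0.113.10"},
}


def fake_resolve(name: str) -> set:
    return FAKE_DNS.get(name, set())


def system_resolve(name: str) -> set:
    """All IPv4/IPv6 addresses the local resolver returns for a name."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def preflight(domains, node_addresses, resolve=system_resolve) -> dict:
    """Report, per domain, whether DNS already points at the Edge Nodes.

    status is "ok" only when every resolved address is a node address: a CA
    may pick any A/AAAA record, so a single stale record can make HTTP-01
    fail intermittently. Wildcards are checked on their base name and
    marked as needing DNS-01.
    """
    nodes = {ipaddress.ip_address(a) for a in node_addresses}
    report = {}
    for domain in domains:
        wildcard = domain.startswith("*.")
        name = domain[2:] if wildcard else domain
        addrs = {ipaddress.ip_address(a) for a in resolve(name)}
        if not addrs:
            status = "unresolved"
        elif addrs <= nodes:
            status = "ok"
        else:
            status = "mismatch"
        report[domain] = {
            "validation": "dns-01" if wildcard else "http-01",
            "status": status,
            # addresses that are not Edge Nodes; empty when status is ok
            "foreign": sorted(str(a) for a in addrs - nodes),
        }
    return report


if __name__ == "__main__":
    demo = ["www.example.com", "api.example.com", "old.example.com",
            "missing.example.com", "*.example.com"]
    for domain, result in preflight(demo, NODE_ADDRESSES, resolve=fake_resolve).items():
        print(f"{domain:22} {result['validation']:8} {result['status']:11} "
              f"foreign={result['foreign']}")
```

Run with the system resolver from a host outside your own network where possible; a split-horizon DNS view can make an internal check pass while the CA, resolving from the public internet, still sees the old address.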
You can also configure multiple ACME certificates for the same domain name. For the specific steps, see: In-app Certificates
If you want to upload certificates using other methods, you can refer to:
- Automatically issue certificates using the Let’s Encrypt client
- Manually upload SSL certificates in the Edge console
Best Practices and Frequently Asked Questions
Q1. Does it support wildcard certificates?
Yes, this is achieved through DNS-01 verification.
Q2. Can it coexist with manually uploaded certificates?
Yes, it can be managed alongside manually uploaded certificates without affecting existing deployments.
Q3. What happens if an update fails?
Edge has retry and rollback mechanisms, and a re-issuance attempt can also be triggered manually.
What is OpenResty Edge
OpenResty Edge is our all-in-one gateway software for microservices and distributed traffic architectures. It combines traffic management, private CDN construction, API gateway, security, and more to help you easily build, manage, and protect modern applications. OpenResty Edge delivers industry-leading performance and scalability to meet the demanding needs of high concurrency, high load scenarios. It supports scheduling containerized application traffic such as K8s and manages massive domains, making it easy to meet the needs of large websites and complex applications.
About The Author
Yichun Zhang (GitHub handle: agentzh) is the original creator of the OpenResty® open-source project and the CEO of OpenResty Inc.
Yichun is one of the earliest advocates and leaders of “open-source technology”. He worked at many internationally renowned tech companies, such as Cloudflare and Yahoo!. He is a pioneer of “edge computing”, “dynamic tracing” and “machine coding”, with over 22 years of programming and 16 years of open source experience. Yichun is well-known in the open-source space as the project leader of OpenResty®, adopted by more than 40 million global website domains.
OpenResty Inc., the enterprise software start-up founded by Yichun in 2017, has customers from some of the biggest companies in the world. Its flagship product, OpenResty XRay, is a non-invasive profiling and troubleshooting tool that significantly enhances and utilizes dynamic tracing technology. Its OpenResty Edge product is a powerful distributed traffic management and private CDN software product.
As an avid open-source contributor, Yichun has contributed more than a million lines of code to numerous open-source projects, including Linux kernel, Nginx, LuaJIT, GDB, SystemTap, LLVM, Perl, etc. He has also authored more than 60 open-source software libraries.