Today I’d like to show how to automatically issue free SSL certificates via Let’s Encrypt in OpenResty Edge.

Embedded image

As always, let’s go to the OpenResty Edge’s Admin web console. This is our sample deployment of the console. Every user has her own local deployment.

This time we use our continuing sample application for the test-edge.com domain.

Screenshot

We can see that it already listens on port 443 for SSL.

Screenshot

Let’s enter this application.

Screenshot

Because we want to demonstrate sub-domain names here, we first need to adjust the application’s settings.

Screenshot

Let’s add a new wildcard domain name to this application.

Screenshot

Screenshot

Save it.

Screenshot

Let’s push out this change to our gateway servers, because the Let’s Encrypt servers will need to verify our ownership of these domains shortly.

Screenshot

Release our pending changes.

Screenshot

Ship it!

Screenshot

Go to the SSL page.

Screenshot

We can see that there are no SSL certificates defined yet.

Screenshot

Let’s add a new certificate.

Screenshot

We support several different ways to issue new SSL certificates.

Screenshot

Here we will just demonstrate the Let’s Encrypt way.

Screenshot

Add the apex domain name test-edge.com to this certificate.

Screenshot

Add more sub-domain names.

Screenshot

Enter our api subdomain. It could be anything.

Screenshot

We could add even more.

Screenshot

We could use the batch input mode if we have many domains.

Screenshot

We can enter many domains here, line by line.

Screenshot

Quit the batch input mode.

Screenshot

All the domain names here must resolve to the gateway servers of this OpenResty Edge deployment.

Screenshot

This requirement is also mentioned here.

Screenshot

On the terminal, we can use the dig command to check whether the domain already resolves to our gateway servers.

dig test-edge.com

We can see the valid DNS answer here.

screenshot 1

And also test the other api subdomain.

dig api.test-edge.com

Again, the DNS answer is good.

screenshot 3

The Let’s Encrypt servers need to reach our gateway servers through these domain names; this is how they verify that we indeed own the domains.

Embedded image

For wildcard domains, you must also use OpenResty Edge as the authoritative DNS name servers for the domains.

Embedded image

Agree to the Let’s Encrypt Subscriber Agreement.

Screenshot

Save it.

Screenshot

We can see the new row for the Let’s Encrypt certificate.

Screenshot

The certificate source is Let’s Encrypt.

Screenshot

It has two domain names, as expected.

Screenshot

We can view the real-time status here.

Screenshot

We can check the detailed progress by clicking on this status icon.

We can observe the detailed logs regarding the Let’s Encrypt certificate issuing process here.

Screenshot

We can now see that the certificate has been issued.

Screenshot

Let’s quit this status page.

Screenshot

We can view the expiration time of the new certificate in this column.

Screenshot

We can see that the certificate will expire in 3 months.

Screenshot

OpenResty Edge will automatically renew the certificate before it expires.

Screenshot

We can see that the next update is scheduled in 2 months, that is, one month before the certificate expires.

Screenshot

We can also edit an existing Let’s Encrypt certificate.

Screenshot

We don’t make any changes here.

Screenshot

Or we can delete this certificate.

Screenshot

We don’t want to delete it now.

Screenshot

We can also disable a certificate without removing it.

Screenshot

It can then be re-enabled.

Screenshot

We need to make a new release to push out our new certificate, as always.

Screenshot

Click on this button.

Screenshot

Ship it!

Screenshot

It is done now!

Screenshot

Now the new certificate has been pushed to all the gateway clusters and servers.

Screenshot

Our configuration changes do NOT require any server reload, restart, or binary upgrade, so they are very efficient and scalable.

Embedded image

OpenResty Edge will then automatically renew these certificates from Let’s Encrypt before they expire.

Embedded image

If, for some reason, some certificates fail to renew, the user gets global notifications like this.

Embedded image

Let’s open a new browser tab to access the test-edge.com site via HTTPS.

Screenshot

It works!

Also test the api subdomain.

Screenshot

It works too!

We can also pick a gateway server from a cluster and test our new certificate on the terminal.

Screenshot

We choose a gateway server here near San Francisco.

Screenshot

Copy its public IP address ending with 133.

Screenshot

On the terminal, we can send an HTTPS request to this gateway server.

curl -I --resolve 'test-edge.com:443:138.68.231.133' https://test-edge.com/

screenshot

It works!

We can check more details like the certificate information by passing the -v option.

curl -I --resolve 'test-edge.com:443:138.68.231.133' https://test-edge.com/ -v

Run this command.

screenshot 4

We can indeed see our server certificate here, and we can also see that it was issued by Let’s Encrypt.

screenshot 4
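The DNS pre-flight check (every name must resolve to our gateways) and the `curl --resolve` certificate check above, combined into one script, as an added example that is not part of the original post or of OpenResty Edge itself. `GATEWAY_IPS` holds only the San Francisco gateway address quoted above and is a placeholder for your own cluster; `resolve`, `check_resolution`, `fetch_cert` and `summarize_cert` are names chosen here, and the one-month-before-expiry renewal window mirrors the schedule shown on the SSL page.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Constructed placeholder: the San Francisco gateway from the post; list every gateway in your cluster.
GATEWAY_IPS = {"138.68.231.133"}
RENEW_DAYS_BEFORE = 30  # Edge schedules the renewal one month before expiry

def resolve(domain):
    """Current A/AAAA answers for domain, the programmatic form of `dig +short`."""
    try:
        infos = socket.getaddrinfo(domain, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def check_resolution(answers, gateway_ips):
    """True only if the name resolves and every answer is one of our gateways;
    otherwise Let's Encrypt's ownership check may never reach an Edge gateway."""
    answers = set(answers)
    return bool(answers) and answers <= set(gateway_ips)

def fetch_cert(domain, gateway_ip, port=443, timeout=5):
    """Like `curl --resolve domain:443:ip -v`: connect to the chosen gateway but send
    `domain` as SNI so that gateway serves the certificate for that name."""
    ctx = ssl.create_default_context()  # also validates the chain against the system trust store
    with socket.create_connection((gateway_ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=domain) as tls:
            return tls.getpeercert()

def summarize_cert(cert, now):
    """The facts the post reads off the Edge SSL page: issuer, covered names,
    days until expiry, and whether a one-month-before-expiry renewal is already due."""
    issuer = {k: v for rdn in cert["issuer"] for k, v in rdn}
    names = sorted(v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS")
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return {
        "lets_encrypt": issuer.get("organizationName") == "Let's Encrypt",
        "names": names,
        "days_left": (not_after - now).days,
        "renew_due": now >= not_after - timedelta(days=RENEW_DAYS_BEFORE),
    }

if __name__ == "__main__":
    for name in ("test-edge.com", "api.test-edge.com"):
        answers = resolve(name)
        print(name, sorted(answers), "ok" if check_resolution(answers, GATEWAY_IPS) else "NOT on a gateway")
    cert = fetch_cert("test-edge.com", next(iter(GATEWAY_IPS)))
    print(summarize_cert(cert, datetime.now(timezone.utc)))
```

Running the script directly performs the live checks against the gateway, while `check_resolution` and `summarize_cert` also work on captured data, so they can be reused in monitoring.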

If you like this tutorial, please subscribe to this blog site and/or our Vimeo account and/or our YouTube channel. Thank you!

About This Article and Associated Video

This article and its associated video are both generated automatically from a simple screenplay file.

About The Author

Yichun Zhang is the creator of the OpenResty® open source project. He is also the founder and CEO of the OpenResty Inc. company. He contributed a dozen open source Nginx 3rd-party modules, quite some Nginx and LuaJIT core patches, and designed products like OpenResty XRay and OpenResty Edge.

Translations

We provide the Chinese translation for this article on blog.openresty.com.cn. We welcome interested readers to contribute translations in other natural languages as long as the full article is translated without any omissions. We thank them in advance.

We are hiring

We always welcome talented and enthusiastic engineers to join our team at OpenResty Inc. to explore various open source software’s internals and build powerful analyzers and visualizers for real world applications built atop the open source software. If you are interested, please send your resume to talents@openresty.com . Thank you!