Today I’d like to show how to automatically issue free SSL certificates via Let’s Encrypt in OpenResty Edge.

Embedded image

Add wildcard domains to the sample application

As always, let’s go to the OpenResty Edge’s Admin web console. This is our sample deployment of the console. Every user has her own local deployment.

This time we use our continuing sample application for the test-edge.com domain.

Screenshot

We can see that it already listens on port 443 for SSL.

Screenshot

Let’s enter this application.

Screenshot

Here we need sub-domain names for the demo, so we adjust the application’s settings first.

Screenshot

Let’s add a new wildcard domain name to this application.

Screenshot

Screenshot

Save it.

Screenshot

Let’s push out this change to our gateway servers right away, because the Let’s Encrypt servers will need to verify our ownership of these domains shortly.

Screenshot

Release our pending changes.

Screenshot

Ship it!

Screenshot

Add SSL certificates

Go to the SSL page.

Screenshot

We can see that there are no SSL certificates defined yet.

Screenshot

Let’s add a new certificate.

Screenshot

We support several different ways to issue new SSL certificates.

Screenshot

Here we will just demonstrate the Let’s Encrypt way.

Screenshot

Add the apex domain name test-edge.com to this certificate.

Screenshot

Add more sub-domain names.

Screenshot

Enter our api subdomain. It could be anything.

Screenshot

We could add even more.

Screenshot

We could use the batch input mode if we have many domains.

Screenshot

We can enter many domains here, line by line.

Screenshot

Quit the batch input mode.

Screenshot

All the domain names here must resolve to the gateway servers of this OpenResty Edge deployment.

Screenshot

This requirement is also mentioned here.

Screenshot

On the terminal, we can use the dig command to check whether the domain already resolves to our gateway servers.

dig test-edge.com

We can see the valid DNS answer here.

Screenshot

And also test the api subdomain.

dig api.test-edge.com

Again, the DNS answer is good.

Screenshot

The Let’s Encrypt servers need to reach our gateway servers through these domains, because they must make sure that we indeed control these domains before issuing a certificate for them. If any name still points at another host, the validation request lands there instead and the issuance fails.

Embedded image

For wildcard domains, you must also use OpenResty Edge as the authoritative DNS name servers for the domains. Let’s Encrypt validates wildcard names only through the DNS-01 challenge, which requires placing a TXT record in the zone, so Edge has to control the zone to answer that challenge.

Embedded image
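The DNS requirements above are easy to get wrong when a certificate carries many names, so here is a pre-flight check that walks every name from the batch-input box before you click Save. This is an added example, not OpenResty Edge code; it assumes you know your gateway addresses (the one used below, 138.68.231.133, is the gateway shown later in this tutorial), and the resolver is injectable so the logic can be exercised without network access.

```python
import socket
from typing import Callable, Dict, Iterable, List

# A resolver maps a host name to the list of addresses it resolves to.
Resolver = Callable[[str], List[str]]


def system_resolve(name: str) -> List[str]:
    """Resolve `name` with the system resolver (what `dig` queried above).
    Returns the sorted set of A/AAAA answers, or [] when there are none."""
    try:
        infos = socket.getaddrinfo(name, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def parse_batch_input(text: str) -> List[str]:
    """Parse the batch-input box: one domain per line; blank lines, case,
    surrounding whitespace, a trailing dot and duplicates are ignored."""
    names: List[str] = []
    for line in text.splitlines():
        name = line.strip().lower().rstrip(".")
        if name and name not in names:
            names.append(name)
    return names


def preflight(domains: Iterable[str], gateway_ips: Iterable[str],
              resolve: Resolver = system_resolve) -> Dict[str, str]:
    """Return one verdict per domain:
       'ok'                       every answer is a gateway address
       'nxdomain'                 no answer at all
       'wrong-target:<ips>'       some answer points elsewhere, so the
                                  validation request may land on that host
       'wildcard:needs-edge-dns'  cannot be probed with an A lookup; needs
                                  Edge as the zone's authoritative DNS
    """
    gateways = set(gateway_ips)
    verdicts: Dict[str, str] = {}
    for name in domains:
        if name.startswith("*."):
            verdicts[name] = "wildcard:needs-edge-dns"
            continue
        answers = set(resolve(name))
        if not answers:
            verdicts[name] = "nxdomain"
        elif answers <= gateways:
            verdicts[name] = "ok"
        else:
            verdicts[name] = "wrong-target:" + ",".join(sorted(answers - gateways))
    return verdicts


def ready_to_issue(verdicts: Dict[str, str]) -> bool:
    """True when nothing is unresolved or pointed at a foreign address.
    Wildcards still need the authoritative-DNS check done by hand."""
    return all(v == "ok" or v.startswith("wildcard:") for v in verdicts.values())


if __name__ == "__main__":
    # Constructed batch input mirroring this tutorial; uses live DNS.
    batch = "test-edge.com\napi.test-edge.com\n\n*.test-edge.com\n"
    report = preflight(parse_batch_input(batch), ["138.68.231.133"])
    for name, verdict in report.items():
        print(f"{name:24s} {verdict}")
    print("ready:", ready_to_issue(report))
```

A name that resolves to a gateway address plus some other address is reported as wrong-target on purpose: Let’s Encrypt may pick any of the published addresses for its validation request, so every answer has to be one of the gateways.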

Agree to the Let’s Encrypt Subscriber Agreement.

Screenshot

Save it.

Screenshot

We can see the new row for the Let’s Encrypt certificate.

Screenshot

The certificate source is Let’s Encrypt.

Screenshot

It has two domain names, as expected.

Screenshot

We can view the real-time status here.

Screenshot

We can check the detailed progress by clicking on this status icon.

We can observe the detailed logs regarding the Let’s Encrypt certificate issuing process here.

Screenshot

We can see now the certificate has been issued.

Screenshot

Let’s quit this status page.

Screenshot

We can view the expiration time of the new certificate in this column.

Screenshot

We can see that the certificate will expire in 3 months.

Screenshot

And OpenResty Edge will automatically update the certificate when it is about to expire in the future.

Screenshot

We can see that the next update is scheduled in 2 months, that is, one month before the certificate expires.

Screenshot

We can also edit an existing Let’s Encrypt certificate.

Screenshot

We don’t make any changes here.

Screenshot

Or we can delete this certificate.

Screenshot

We don’t want to delete it now.

Screenshot

We can also disable a certificate without removing it.

Screenshot

It can then be re-enabled.

Screenshot

We need to make a new release to push out our new certificate, as always.

Screenshot

Click on this button.

Screenshot

Ship it!

Screenshot

It is done now!

Screenshot

Now the new certificate has been pushed to all the gateway clusters and servers.

Screenshot

Our configuration changes do NOT require a server reload, restart, or binary upgrade, so they are very efficient and scalable.

Embedded image

OpenResty Edge will then automatically renew these certificates from Let’s Encrypt before they expire.

Embedded image

If, for some reason, some certificates fail to renew, the user gets a global notification like this.

Embedded image

Test

Let’s open a new browser tab to access the test-edge.com site via https.

Screenshot

It works!

Also test the api subdomain.

Screenshot

It works too!

We can also pick a server from a gateway cluster to test our new certificate on the terminal.

Screenshot

We choose a gateway server here near San Francisco.

Screenshot

Copy its public IP address ending with 133.

Screenshot

On the terminal, we can send an HTTPS request to this gateway server.

curl -I --resolve 'test-edge.com:443:138.68.231.133' https://test-edge.com/

screenshot

It works!

We can check more details like the certificate information by passing the -v option.

curl -I --resolve 'test-edge.com:443:138.68.231.133' https://test-edge.com/ -v

Run this command.

Screenshot

We can indeed see our server certificate here, and that it was issued by Let’s Encrypt. Because curl verifies the chain against the system CA store, a clean handshake here also confirms that the gateway is serving the Let’s Encrypt intermediate certificate along with ours; a missing intermediate would show up as a verification error at this point.

Screenshot
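The same check can be scripted so that it runs against every gateway after each release, rather than eyeballing curl output. Below is an added example, not OpenResty Edge code: it connects to a gateway by IP while sending the real host name as SNI (what curl --resolve did above), verifies the chain against the system CA store, and then reduces the certificate to the fields the SSL page shows. The gateway address is the one used earlier in this tutorial; the 30-day renewal window is taken from the "one month before it expires" schedule described above and is a parameter, not something read from Edge.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List


def fetch_peer_cert(gateway_ip: str, hostname: str, port: int = 443,
                    timeout: float = 5.0) -> dict:
    """Connect to one gateway by IP but present `hostname` as SNI and verify
    the chain and name against it, exactly what `curl --resolve` did above.
    Returns getpeercert()'s dict; raises ssl.SSLCertVerificationError when the
    chain (including the Let's Encrypt intermediate) or the name is wrong."""
    ctx = ssl.create_default_context()  # system CA store, check_hostname=True
    with socket.create_connection((gateway_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


def name_covered(sans: Iterable[str], hostname: str) -> bool:
    """Exact match, or a single-label wildcard such as *.test-edge.com
    matching api.test-edge.com but neither test-edge.com nor a.b.test-edge.com."""
    host = hostname.lower()
    for san in sans:
        san = san.lower()
        if san == host:
            return True
        if (san.startswith("*.") and host.endswith(san[1:])
                and host.count(".") == san.count(".")):
            return True
    return False


def summarize_cert(cert: dict, now: datetime,
                   renew_before: timedelta = timedelta(days=30)) -> Dict[str, object]:
    """Reduce getpeercert() output to what the Edge SSL page shows: issuer,
    covered names, expiry, days left, and whether the renewal window
    (one month before expiry in this tutorial) has been reached."""
    issuer = {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}
    sans: List[str] = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]),
                                       tz=timezone.utc)
    return {
        "issuer": issuer.get("organizationName", "?"),
        "lets_encrypt": issuer.get("organizationName") == "Let's Encrypt",
        "sans": sans,
        "not_after": not_after.isoformat(),
        "days_left": (not_after - now).days,
        "renewal_due": now >= not_after - renew_before,
    }


if __name__ == "__main__":
    # Live check against the gateway from this tutorial (needs network).
    cert = fetch_peer_cert("138.68.231.133", "test-edge.com")
    summary = summarize_cert(cert, datetime.now(timezone.utc))
    for host in ("test-edge.com", "api.test-edge.com"):
        print(host, "covered" if name_covered(summary["sans"], host) else "NOT covered")
    print(summary)
```

Run it once per gateway address after a release: a gateway that missed the push will either fail verification (old or self-signed certificate) or report a different not_after than its peers, and renewal_due turning True while Edge shows no new issuance attempt is the condition worth alerting on.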

If you like this tutorial, please subscribe to this blog site and/or our YouTube channel. Thank you!

About The Author

Yichun Zhang (GitHub handle: agentzh) is the original creator of the OpenResty® open-source project and the CEO of OpenResty Inc.

Yichun is one of the earliest advocates and leaders of “open-source technology”. He worked at many internationally renowned tech companies, such as Cloudflare and Yahoo!. He is a pioneer of “edge computing”, “dynamic tracing” and “machine coding”, with over 22 years of programming and 16 years of open-source experience. Yichun is well-known in the open-source space as the project leader of OpenResty®, adopted by more than 40 million global website domains.

OpenResty Inc., the enterprise software start-up founded by Yichun in 2017, has customers from some of the biggest companies in the world. Its flagship product, OpenResty XRay, is a non-invasive profiling and troubleshooting tool that significantly enhances and utilizes dynamic tracing technology. And its OpenResty Edge product is a powerful distributed traffic management and private CDN software product.

As an avid open-source contributor, Yichun has contributed more than a million lines of code to numerous open-source projects, including Linux kernel, Nginx, LuaJIT, GDB, SystemTap, LLVM, Perl, etc. He has also authored more than 60 open-source software libraries.