lua-resty-auto-ssl
Migrating previous letsencrypt certs to resty-auto-ssl
Hi there,
We’ve been using a cron’d letsencrypt/certbot script for the last few years and are preparing to move to resty-auto-ssl. We currently have about 1200 certs from our previous implementation. I’m a little nervous about switching to auto-ssl in our production environment given that it can take 2-3 seconds for auto-ssl to provision the cert. My concern is that requests will queue and nginx will crash (we get about 1000 requests per minute).
So my question is if it’s possible to manually “migrate” the existing certs into auto-ssl. We’ll be using the redis store. Would that work and prevent the initial provisioning time for the existing ones?
Any ideas or suggestions?
Thank you!
> So my question is if it’s possible to manually “migrate” the existing certs into auto-ssl. We’ll be using the redis store. Would that work and prevent the initial provisioning time for the existing ones?
Sadly I do not know of any ready-made solution for this. The certificates and keys are stored in a quite simple JSON string. A small script should be able to fill redis with entries auto-ssl can understand, but as I said, I don't know of any finished scripts or even "native" auto-ssl features to accomplish that goal.
Such a thing would be a very welcome addition for the readme! If you have any further questions, please just let me know here.
> Any ideas or suggestions?
If it turns out that there isn't a sane way to get existing certificates into auto-ssl, you could try enabling it in packs of like 10 or 50 domains, while configuring the other ones statically as before.
@luto thanks again for the quick response. I've looked at the JSON string being stored in redis, and that seems simple enough. However, I also noticed there are some certs in /etc/resty-auto-ssl/letsencrypt/certs and some others in /etc/resty-auto-ssl/storage/file, and wasn't sure if I need to also copy existing certs into either of these two locations. Are there any other locations an existing cert would need to be copied to when using redis storage?
I haven't used the redis storage much, but I expect redis to be the only permanent location for certificates, if it's enabled. There may be multiple temporary locations during renewal or issuance, but it shouldn't rely on these for normal requests. If it does, that's a bug for me.
Well that makes it easier! Thanks, I’ll give a migration script a try.
On Jun 18, 2018, at 1:24 AM, luto wrote:
> I haven't used the redis storage much, but I expect redis to be the only permanent location for certificates, if it's enabled. There may be multiple temporary locations during renewal or issuance, but it shouldn't rely on these for normal requests. If it does, that's a bug for me.
@joshnabbott This seems very similar to what we're doing. Did you manage to get a migration script working?
@atishb yes, we were able to easily migrate from files on the file system to redis with a script that reads the file contents and then dumps the needed file elements into the store as json. As far as I can tell, no physical files on the file system are needed once you migrate to a redis store so I eventually just deleted those after things were running smoothly for a couple of days. Let me know if I can be of more help!
That's awesome @joshnabbott . I'm trying to migrate about 500 Let's Encrypt certificates generated via Certbot (on disk) to lua-resty-auto-ssl (on disk). The folder structure isn't really an exact match. It'd be great if you could share your script or the exact files that needed to be copied (key, crt, anything else?) and in what format. Thanks!
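The migration the two posts above describe (read certbot's files, write one JSON record per domain into the redis store), as an added example written for this thread; it is not lua-resty-auto-ssl's own code nor the script joshnabbott used. It assumes certbot's standard layout (`<live_dir>/<domain>/fullchain.pem` and `privkey.pem`), the redis key name `domain:fullchain_der:<domain>:latest` and the JSON fields `fullchain_pem`, `privkey_pem`, `cert_pem` and `expiry`; check both the key prefix and the field list against the `set_cert` function in `storage.lua` of the auto-ssl version you run before pointing this at production. The expiry is taken from the leaf certificate with the `openssl` binary, and `--dry-run` writes into an in-memory store so the run can be inspected offline.

```python
#!/usr/bin/env python3
"""Copy certbot-issued certificates into lua-resty-auto-ssl's redis store.

Example code for this thread, not part of lua-resty-auto-ssl. Assumptions
(verify against storage.lua of the installed version):
  * certbot layout:  <live_dir>/<domain>/fullchain.pem and privkey.pem
  * auto-ssl key:    domain:fullchain_der:<domain>:latest
  * auto-ssl value:  JSON {"fullchain_pem", "privkey_pem", "cert_pem", "expiry"}
"""
import calendar
import json
import os
import subprocess
import sys
from datetime import datetime

KEY_PREFIX = "domain:fullchain_der:"  # assumed key prefix; check storage.lua
PEM_END = "-----END CERTIFICATE-----"


def parse_openssl_enddate(line):
    """Turn 'notAfter=Jun 18 00:00:00 2018 GMT' into a UNIX timestamp (UTC)."""
    value = line.strip().split("=", 1)[1]
    dt = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return calendar.timegm(dt.timetuple())


def cert_expiry(fullchain_pem):
    """Ask openssl for the leaf certificate's notAfter (first cert in the chain)."""
    out = subprocess.run(["openssl", "x509", "-noout", "-enddate"],
                         input=fullchain_pem.encode(), capture_output=True,
                         check=True).stdout
    return parse_openssl_enddate(out.decode())


def leaf_cert(fullchain_pem):
    """The first PEM block of fullchain.pem is the leaf certificate."""
    return fullchain_pem.split(PEM_END, 1)[0] + PEM_END + "\n"


def build_record(fullchain_pem, privkey_pem, expiry):
    """One JSON string per domain, the shape auto-ssl's get_cert() expects (assumed)."""
    return json.dumps({
        "fullchain_pem": fullchain_pem,
        "privkey_pem": privkey_pem,
        "cert_pem": leaf_cert(fullchain_pem),
        "expiry": expiry,
    })


def store_cert(store, domain, fullchain_pem, privkey_pem, expiry):
    """Write the record under the 'latest' alias; returns the key used."""
    key = KEY_PREFIX + domain + ":latest"
    store.set(key, build_record(fullchain_pem, privkey_pem, expiry))
    return key


def read_record(store, key):
    """Read a record back for verification (works with redis.Redis and the dry-run store)."""
    raw = store.get(key)
    return json.loads(raw if isinstance(raw, str) else raw.decode())


class InMemoryStore:
    """Stand-in for redis.Redis (same set/get shape) so the migration can be dry-run."""
    def __init__(self):
        self.data = {}

    def set(self, key, value):
        self.data[key] = value

    def get(self, key):
        return self.data.get(key)


def migrate(live_dir, store, expiry_of=cert_expiry):
    """Walk certbot's live/ directory and store every lineage; returns the keys written."""
    written = []
    for domain in sorted(os.listdir(live_dir)):
        lineage = os.path.join(live_dir, domain)
        fullchain_path = os.path.join(lineage, "fullchain.pem")
        privkey_path = os.path.join(lineage, "privkey.pem")
        if not (os.path.isfile(fullchain_path) and os.path.isfile(privkey_path)):
            continue  # certbot's live/ also contains a README
        with open(fullchain_path) as f:
            fullchain = f.read()
        with open(privkey_path) as f:
            privkey = f.read()
        # auto-ssl looks up certs by SNI name, so the directory name must be the
        # hostname; certbot lineages renamed to "<domain>-0001" need fixing first.
        written.append(store_cert(store, domain, fullchain, privkey, expiry_of(fullchain)))
    return written


if __name__ == "__main__":
    live_dir = sys.argv[1] if len(sys.argv) > 1 else "/etc/letsencrypt/live"
    if "--dry-run" in sys.argv:
        target = InMemoryStore()
    else:
        import redis  # only needed for the real run
        target = redis.Redis(host=os.environ.get("REDIS_HOST", "127.0.0.1"), port=6379, db=0)
    for key in migrate(live_dir, target):
        print("stored", key, "expires", read_record(target, key)["expiry"])
```

Because every record carries a private key, run this on the nginx host and talk to redis over a trusted network only; the redis instance holding these keys needs the same access controls as the certbot directory it replaces. After the run, spot-check one domain with `redis-cli GET domain:fullchain_der:example.com:latest` before flipping production traffic to auto-ssl.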
Hi guys, I used this simple script in Python (file storage to redis). You must change the directory and the host of redis.

```python
#!/usr/bin/env python3
import os
from urllib.parse import unquote

import redis

# Directory of the file storage adapter (e.g. /etc/resty-auto-ssl/storage/file).
directory = 'CERTs DIR'
r = redis.Redis(host='YOUR REDIS SERVER', port=6379, db=0)

for filename in os.listdir(directory):
    # The file adapter URL-encodes the storage key for the file name
    # ("domain%3Aexample.com%3Alatest"); redis wants the decoded key
    # ("domain:example.com:latest"), so undo the escaping here instead
    # of renaming the files on disk.
    key = unquote(filename)
    with open(os.path.join(directory, filename)) as f:
        r.set(key, f.read())
```