Implementing an auto SSL feature
Hi! First of all I would like to thank you for creating Angie, it's a very good project, much friendlier and easier to use than nginx. I've been testing it for some time and it works flawlessly. My question is whether it is possible to implement auto SSL, as it works in Caddy? https://caddyserver.com/docs/automatic-https
This would be a real game changer in the NGINX environment and a big plus for Angie. Do you have any plans for such a feature?
Greetings. PS: Sorry if this is not the right place to report such ideas.
Hi Adam, thank you for your interest. I'm an Angie developer, and I can tell you that we're working on this feature right now. No specific dates yet though :) Cheers
Amazing! Looking forward to this feature!
Hi. Any updates?
Hi. Work is underway, but I still can't promise this feature will be released any time soon (probably not until new year :)) The ACME protocol implementation is basically up and running, but there's more to be done.
If you're interested, I can share some details :) This may all still change, but at the moment we've added several new directives to the config syntax. The most important one is acme <identifier>;. It switches on an ACME client for the server configured in the current server block. Basically, every server can have its own ACME client configured to renew its certificates, so we need to distinguish them somehow, hence the <identifier>. It also gives the name for the subdirectory where the client will keep all its keys, certificates, etc.
At startup, the client checks the expiration dates of its certificates, and launches a renewal procedure, if necessary, or schedules renewal for an appropriate time. I wouldn't like to go deeper and tell you what's going on under the hood, particularly as we haven't solved a couple of design problems yet :) But I will appreciate any suggestions, wishes, ideas, etc. Can't promise to fulfil them all, but they will all be carefully reviewed and taken into account.
Cheers
Yes, take your time to think this through and to sufficiently test the implementation. Once this lands it'll solve a decade-old shortcoming (imo) of Nginx.
@a-sor Hi. Sorry for asking again. What is the progress of the work?
Hi @adammakowskidev ,
I was just going to write a little update on this. We will be releasing Angie 1.5.0 soon, and we plan to include this ACME feature in it. It will come with some limitations though (e.g. only http-01 challenge, no wildcard domains, etc). We are going to further develop ACME support and overcome some of these limitations in future versions.
We have changed the syntax of the new directives; now they are acme_client (defines a client, gives it an ID, sets parameters, etc.) and acme (links a client to a server to update the certificate for). There are also two new variables added: $acme_cert_ID and $acme_cert_key_ID. They are used to activate the renewed certificate and certificate key in the SSL layer by specifying them in the ssl_certificate and ssl_certificate_key directives respectively. This is best explained by the following example configuration:
```nginx
http {
    # Until the ACME client has obtained a certificate the variable is empty,
    # so fall back to the original certificate and key
    map $acme_cert_example $cert_example {
        ''      original.crt;
        default $acme_cert_example;
    }
    map $acme_cert_example $cert_key_example {
        ''      original.key;
        default $acme_cert_key_example;
    }

    # Defines the ACME client with the ID "example"
    acme_client example;

    server {
        listen 443 ssl;
        server_name example.com www.example.com;

        ssl_certificate     $cert_example;
        ssl_certificate_key $cert_key_example;

        # Links the client "example" to this server block
        acme example;
    }

    server {
        listen 80;
        server_name localhost;

        location / {
            return 200 "HELLO\n";
        }
    }
}
```
I hope this gives you an idea :)
Cheers
Forgot to say that by default the client tries to acquire a certificate from Let's Encrypt. The ACME server's URL can be specified in the server parameter of the acme_client directive.
Initial support for Automatic Certificate Management Environment (ACME) was released with Angie 1.5.0. See the docs: https://angie.software/en/configuration/modules/http_acme/
Amazing! Today I will start testing.
I'll second that, nice work guys! :clap:
And neat to have the $acme_cert_[_key_]<name> variables.
OK, so I tried it now. It looks like the certificates were generated, because there are 3 files in the /var/lib/angie/acme/domain folder.
But the site does not support connections via HTTPS.
My config, maybe I'm doing something wrong?
```nginx
resolver 127.0.0.1:53;

# ACME client "domain", pointed at the Let's Encrypt staging directory
acme_client domain https://acme-staging-v02.api.letsencrypt.org/directory;

server {
    listen 80;
    listen 443 ssl;
    server_name domain.net;

    acme domain;

    ssl_certificate     $acme_cert_domain;
    ssl_certificate_key $acme_cert_key_domain;

    location / {
        root  /usr/share/angie/html;
        index index.html index.htm;
    }
}
```
Please check error log. Also, make sure that 127.0.0.1:53 is a valid address of the DNS server.
Note that systemd-resolved usually listens on 127.0.0.53 (not 127.0.0.1).
Hi! If anyone has problems configuring SSL, here is an example of mine that works :) PS: When is the implementation of wildcard SSL planned? @VBart @a-sor
```nginx
resolver 127.0.0.53;

# ACME client "domain_com" against the Let's Encrypt production directory,
# requesting a 2048-bit RSA key and renewing 3 days before expiry
acme_client domain_com https://acme-v02.api.letsencrypt.org/directory key_bits=2048 key_type=rsa renew_before_expiry=3d;

server {
    listen 80;
    listen 443 quic;
    listen 443 ssl;
    server_name domain_com;

    acme domain_com;

    ssl_certificate     $acme_cert_domain_com;
    ssl_certificate_key $acme_cert_key_domain_com;

    location / {
        add_header Alt-Svc 'h3=":443"; ma=86400';
        root  /usr/share/angie/html;
        index index.html index.htm;
    }

    # Status API, reachable only from localhost
    location /status/ {
        api /status/;
        allow 127.0.0.1;
        deny  all;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/angie/html;
    }
}
```
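Two checks are worth having next to a config like the one above: whether the certificate Angie actually presents on 443 is the ACME-issued one (the earlier "site does not support HTTPS" report), and whether a certificate file on disk is already inside the renew_before_expiry window. The following is an added shell example, not code from this thread or from the Angie project. It assumes the openssl CLI is installed; the thread mentions /var/lib/angie/acme/<client>/ as the client's directory, but the file name of the certificate inside it is an assumption, so the path is passed explicitly. The sample certificate is constructed locally so the expiry check runs offline.

```shell
#!/bin/sh
# Added example (not Angie's own code). Requires the openssl CLI.
# The certificate file name under /var/lib/angie/acme/<client>/ is an
# ASSUMPTION, so the functions take the certificate path as an argument.

# Returns 0 when the certificate in $1 expires within $2 days, i.e. when a
# client configured with renew_before_expiry=<$2>d should already be renewing.
needs_renewal() {
    cert="$1"; days="$2"
    # openssl -checkend exits non-zero if the cert expires within the given seconds
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Print subject and validity period of a certificate file.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -dates
}

# Print subject and validity of the certificate actually presented on
# host:port for the given SNI name. Network call; not exercised by the test.
served_cert_summary() {
    host="$1"; port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -dates
}

# Constructed sample: a self-signed cert valid for $1 days in a temp dir,
# so the checks above can be run without any ACME server.
make_sample_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" -subj "/CN=example.com" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    echo "$dir/cert.pem"
}

if [ "${1:-}" = "demo" ]; then
    c=$(make_sample_cert 10)
    cert_summary "$c"
    needs_renewal "$c" 3  && echo "renew now (3-day window)"  || echo "fine for a 3-day window"
    needs_renewal "$c" 30 && echo "renew now (30-day window)" || echo "fine for a 30-day window"
fi
```

Run the script with the `demo` argument to see the offline checks, or call `served_cert_summary domain_com` against a live server: if the subject or notAfter does not match the file in the client's directory, the ssl_certificate variables are not picking up the renewed certificate and the error log is the next place to look.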
@adammakowskidev it's planned for Q2-Q3 this year.
@VBart Will wildcard SSL support be available in version 1.6.0? I'm looking forward to it :)
Unfortunately it won't be ready by 1.6.0, which is expected by the end of this month. We have been busy refactoring some approaches in the ACME requests implementation in order to resolve reported issues with the current one. So, in 1.6 the module will just become more robust, and there will be an ability to configure requests for different types of certificates (both RSA and ECDSA) for the same server block at the same time.
@VBart Thank you for your response. So I'll keep waiting.