Sign in
Log inSign up
Sandeep Panda Test

79 likes

·

5.6K reads

13 comments

Olohundare kayode
Olohundare kayode
Jul 13, 2020

Thanks for this article, i was able to generate SSL for all custom domains using this tutorial

gateclose.org (a custom domain that now has SSL in it)

nbstgloballtd.com.ng (the main server)

But i have a little problem, custom domains do not redirect to https by default, and for a custom domain to get data from the main server, it needs to include https, so i do have to enter https manually, pls is there anyway i can go about redirecting all custom domains to https in openresty

10
·
Richard Uie
Richard Uie
Mar 24, 2019

Dude, this is not merely a wonderful story of ingenuity, but a master class in how-to-investigate-and-optimize-design-for-all-stakeholders. Huzzah, HUZZAH, HUZZAH (three cheers)!

8
·
sivaram
sivaram
Mar 22, 2019

We are also using the same lua-resty-auto-ssl it works great:). By the way, there are few rate limits imposed by letsencrypt like you can create 50 certificates per week. Here you can check it out letsencrypt.org/docs/rate-limits. Just curious How you gonna tackle this thing?

2
·
·3 replies
Sandeep Panda Test
Sandeep Panda Test
Author
·Mar 22, 2019

Hey Sivaram! The 50 certs/week limit is per registered domain. For example, sandeep.dev and blog.sandeep.dev — in this case the registered domain is sandeep.dev and hence is subject to 50 certs/week limit. Normally, you can create 300 new orders per 3 hours — it is highly unlikely that we will hit that limit.

4
·
Amit Lamba
Amit Lamba
May 31, 2019

Can you clarify what you mean by create 300 new orders per 3 hours? What is the context?

·
Amit Lamba
Amit Lamba
May 31, 2019

Oh, I just read the LE rate limit link above. So, if I understand correctly, 300 new orders (300 registered domains) per account (hashnode account) per 3 hours translates to every 3 hours you can create 300 custom domain registration SSL certs.

·
Ramiro Berrelleza
Ramiro Berrelleza
Mar 24, 2019

If you're running in Kubernetes (or at some point decide to move this), Bitnami recently released a runtime that automates this by using NGINX's Ingress Controller, External-DNS and Cert-Manager.

·
sivaram
sivaram
May 6, 2019

How do you guys force a redirect to https for an arbitrary domain? Am stuck in it Facing too many redirects

  server {
    listen 443 ssl;
    ssl_certificate_by_lua_block {
      auto_ssl:ssl_certificate()
    }

  location / {

        proxy_pass http://localhost:4444;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off;
        #try_files $uri $uri/ /;        
    }
         location @rewrites {
         rewrite ^(.+)$ / last;
  }
    ssl_certificate /etc/letsencrypt/live/mydomain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain/privkey.pem;
  }
  server {
    listen 80;
    location /.well-known/acme-challenge/ {
      content_by_lua_block {
        auto_ssl:challenge_server()
      }
    }
      location / {
         return 301 https://$host$request_uri; 
   }    
}
·
Vito Botta
Vito Botta
Jun 15, 2019

Hi, very useful. I am looking for some alternatives I could use with Kubernetes in an automated way, but haven't had much success so far. Perhaps I could have the app create an ingress whenever a user adds a custom domain, and let cert-manager handle the certificate for me, but I am not sure yet if this is the best approach with Kubernetes. Anyway, what I wanted to ask you is if you have run into any limits not just with LetsEncrypt, but with the OpenResty solution. How many certificates can be handled with the Lua thing and by OpenResty/Nginx itself? Would this scale to thousands or 100s of thousands users if the app is successful? If scalability is not a huge issue with this solution I might try to adapt it to Kubernetes by using SSL passthrough from ingress controller to a customised instance of OpenResty. Thanks in advance!

·
R Gadhiya
R Gadhiya
Apr 21, 2020

Thanks for such useful article.

I would appreciate if you'd look into some issues i have regarding this... stackoverflow.com/questions/61349531/confi…

·
Pablo García
Pablo García
Jun 23, 2020

How do I check if a cert was indeed generated for an arbitrary domain? I followed this guide but it doesn't seem to be working. Also, what are the last two server blocks for? (the one with auto_ssl:challenge_server() and the one with auto_ssl:hook_server()? Are they necessary for the auto ssl certs to be generated?

·
Shrikar
Shrikar
Jun 30, 2020

Would love to read more articles like this, Thank you fro writing Sandeep. Sandeep Panda

·
Piyush Garg
Piyush Garg
Mar 29, 2023

I have one small doubt here, I guess you are using vercel for deployments and adding domains to vercel right? Then why do you need to generate SSL certs on your own?

·