OpenResty lua-resty-auto-ssl fails to issue a certificate

Enable debug logging

error_log  logs/error.log debug;

Error log

2021/02/17 11:13:47 [notice] 19382#0: *25 [lua] ssl_certificate.lua:289: auto-ssl: domain not allowed - using fallback

Locating the problem

The allow_domain rule set in nginx.conf when auto_ssl is initialized, ^(a|b)$, is an exact match, so it cannot match subdomains.

http {
    # Initial setup tasks
    init_by_lua_block {
        auto_ssl = (require "resty.auto-ssl").new()
        auto_ssl:set("dir", "/usr/local/openresty/ssl/resty-auto-ssl")
        auto_ssl:set("hook_server_port", 8999)
        auto_ssl:set("renew_check_interval", 172800)
        auto_ssl:set("allow_domain", function(domain)
          return ngx.re.match(domain, "^(example.com|example.net)$", "ijo")
        end)
        auto_ssl:init()
    }
}

Solution

Change the pattern to (a|b)$.

http {
    init_by_lua_block {
        auto_ssl = (require "resty.auto-ssl").new()
        auto_ssl:set("dir", "/usr/local/openresty/ssl/resty-auto-ssl")
        auto_ssl:set("hook_server_port", 8999)
        auto_ssl:set("renew_check_interval", 172800)
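        -- Define a function that decides which domains are handled automatically and get new certificates registered.
        -- By default no domain is allowed, so this setting is required.
        -- Replace example.com with your own domain; returning true directly issues a certificate for every domain that requests arrive for.
        auto_ssl:set("allow_domain", function(domain)
          return ngx.re.match(domain, "(example.com|example.net)$", "ijo")
          -- ^()$ matches only the listed domains, so no certificate can be issued for subdomains
          -- return ngx.re.match(domain, "^(example.com|example.net)$", "ijo")
          -- example.com$ issues certificates for all example.com subdomains
          -- return ngx.re.match(domain, "example.com$", "ijo")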
          -- return true
        end)
        auto_ssl:init()
    }
}

Success log

2021/02/17 11:14:18 [debug] 19453#0: *41 [lua] lets_encrypt.lua:44: issue_cert(): auto-ssl: dehydrated output: # INFO: Using main config file /usr/local/openresty/ssl/resty-auto-ssl/letsencrypt/config
+ Generating account key...
+ Registering account key with ACME server...
+ Fetching account ID...
startup_hook
 + Creating chain cache directory /usr/local/openresty/ssl/resty-auto-ssl/letsencrypt/chains
Processing www.example.com
 + Creating new directory /usr/local/openresty/ssl/resty-auto-ssl/letsencrypt/certs/www.example.com ...
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for www.example.com
 + 1 pending challenge(s)
 + Deploying challenge tokens...
deploy_challenge
 + Responding to challenge for www.example.com authorization...
 + Challenge is valid!
 + Cleaning challenge tokens...
clean_challenge
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
deploy_cert
 + Done!
exit_hook
2021/02/17 11:14:18 [notice] 19453#0: *54 [lua] renewal.lua:73: renew_check_cert(): auto-ssl: checking certificate renewals for www.example.com, context: ngx.timer
2021/02/17 11:14:18 [notice] 19453#0: *54 [lua] renewal.lua:131: renew_check_cert(): auto-ssl: expiry date is more than 30 days out, skipping renewal: www.example.com, context: ngx.timer
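
The pattern (example.com|example.net)$ used in the fix has no left boundary and its dots are unescaped, so besides subdomains it also accepts unrelated names such as notexample.com. The block below is an added example, not code from the original post: it shows an allow_domain check that accepts only the listed domains and their subdomains by plain string comparison. ALLOWED_BASES and is_allowed are hypothetical names, and the hostnames in the self-check are constructed.

```lua
-- Added example, not from the original post. ALLOWED_BASES and is_allowed
-- are hypothetical names; the hostnames in `cases` are constructed input.
local ALLOWED_BASES = { "example.com", "example.net" }

-- Return true only for a listed base domain or a name ending in "." .. base.
-- Plain string comparison is used, so "." is never treated as a wildcard.
local function is_allowed(domain)
  if type(domain) ~= "string" or domain == "" then return false end
  domain = domain:lower()
  -- Reject anything that is not a plain hostname (bad characters, empty labels).
  if domain:find("[^a-z0-9%.%-]") then return false end
  if domain:sub(1, 1) == "." or domain:find("..", 1, true) then return false end
  for _, base in ipairs(ALLOWED_BASES) do
    local suffix = "." .. base
    if domain == base or domain:sub(-#suffix) == suffix then
      return true
    end
  end
  return false
end

-- Self-check over constructed hostnames: { host, expected result }.
local cases = {
  { "example.com", true },
  { "www.example.com", true },
  { "WWW.Example.NET", true },
  { "a.b.example.net", true },
  { "notexample.com", false },   -- accepted by the unanchored pattern
  { "examplexcom", false },      -- accepted because "." is unescaped there
  { "example.com.other.test", false },
  { "..example.com", false },
  { "", false },
}
for _, c in ipairs(cases) do
  assert(is_allowed(c[1]) == c[2], "unexpected result for '" .. c[1] .. "'")
end
print("all allow_domain checks passed")

-- Inside init_by_lua_block, wire the check in with:
--   auto_ssl:set("allow_domain", function(domain) return is_allowed(domain) end)
```

Every name that passes allow_domain can trigger a certificate order, so a rule that is too broad lets unrelated hostnames pointed at the server consume the CA rate limit and disk space.
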
Posted: 2021-05-09