OpenResty lua-resty-auto-ssl fails to issue certificates
Enable debug logging
error_log logs/error.log debug;
Error log
2021/02/17 11:13:47 [notice] 19382#0: *25 [lua] ssl_certificate.lua:289: auto-ssl: domain not allowed - using fallback
Locating the problem
The allow_domain rule set when initializing auto_ssl in nginx.conf uses the pattern ^(a|b)$, which is an exact match, so it cannot match subdomains.
http {
    # Initialization setup task
    init_by_lua_block {
        auto_ssl = (require "resty.auto-ssl").new()
        auto_ssl:set("dir", "/usr/local/openresty/ssl/resty-auto-ssl")
        auto_ssl:set("hook_server_port", 8999)
        auto_ssl:set("renew_check_interval", 172800)
        auto_ssl:set("allow_domain", function(domain)
            return ngx.re.match(domain, "^(example.com|example.net)$", "ijo")
        end)
        auto_ssl:init()
    }
}
Solution
Change the pattern to (a|b)$.
http {
    init_by_lua_block {
        auto_ssl = (require "resty.auto-ssl").new()
        auto_ssl:set("dir", "/usr/local/openresty/ssl/resty-auto-ssl")
        auto_ssl:set("hook_server_port", 8999)
        auto_ssl:set("renew_check_interval", 172800)
        -- Define a function that decides which domains are handled automatically and get new certificates registered.
        -- By default no domain is allowed, so this setting is required.
        -- Replace example.com with your own domain; returning true directly issues certificates for every domain that requests arrive for.
        auto_ssl:set("allow_domain", function(domain)
            return ngx.re.match(domain, "(example.com|example.net)$", "ijo")
            -- ^()$ matches only the listed domains; certificates cannot be issued for subdomains
            -- return ngx.re.match(domain, "^(example.com|example.net)$", "ijo")
            -- example.com$ issues certificates for all example.com subdomains
            -- return ngx.re.match(domain, "example.com$", "ijo")
            -- return true
        end)
        auto_ssl:init()
    }
}
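The pattern (example.com|example.net)$ accepts any name that merely ends in those characters, and its unescaped dot matches any character, so the callback also approves names such as notexample.com. The block below is an added example, not code from the original post: an allow_domain check that matches only the base domains and names below them at a label boundary. ALLOWED_BASES and is_allowed are hypothetical names, and the hostnames are constructed samples.

```lua
-- Added example, not from the original post. ALLOWED_BASES and is_allowed
-- are hypothetical names; the hostnames below are constructed samples.
local ALLOWED_BASES = { "example.com", "example.net" }

-- Returns true only for an allowed base domain or a name below it.
local function is_allowed(domain)
  if type(domain) ~= "string" or domain == "" then
    return false
  end
  domain = domain:lower()
  -- Reject anything outside the hostname alphabet (letters, digits, "-", ".").
  if domain:find("[^a-z0-9%-%.]") then
    return false
  end
  for _, base in ipairs(ALLOWED_BASES) do
    local suffix = "." .. base
    -- Exact match, or a match that starts at a label boundary (".example.com").
    if domain == base
       or (#domain > #suffix and domain:sub(-#suffix) == suffix) then
      return true
    end
  end
  return false
end

-- Constructed inputs: three names under the allowed bases, then three
-- look-alikes that the unanchored pattern "(example.com|example.net)$"
-- would also accept.
local samples = {
  "example.com", "www.example.com", "API.Example.NET",
  "notexample.com", "www.examplexcom", "example.com.attacker-example.net",
}

for _, host in ipairs(samples) do
  print(host, is_allowed(host))
end

-- Inside init_by_lua_block, after defining is_allowed, register it with:
--   auto_ssl:set("allow_domain", function(domain)
--     return is_allowed(domain)
--   end)
```

The block uses only standard Lua string functions, so it runs in a plain Lua interpreter as well as inside OpenResty.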
Success log
2021/02/17 11:14:18 [debug] 19453#0: *41 [lua] lets_encrypt.lua:44: issue_cert(): auto-ssl: dehydrated output: # INFO: Using main config file /usr/local/openresty/ssl/resty-auto-ssl/letsencrypt/config
+ Generating account key...
+ Registering account key with ACME server...
+ Fetching account ID...
startup_hook
+ Creating chain cache directory /usr/local/openresty/ssl/resty-auto-ssl/letsencrypt/chains
Processing www.example.com
+ Creating new directory /usr/local/openresty/ssl/resty-auto-ssl/letsencrypt/certs/www.example.com ...
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting new certificate order from CA...
+ Received 1 authorizations URLs from the CA
+ Handling authorization for www.example.com
+ 1 pending challenge(s)
+ Deploying challenge tokens...
deploy_challenge
+ Responding to challenge for www.example.com authorization...
+ Challenge is valid!
+ Cleaning challenge tokens...
clean_challenge
+ Requesting certificate...
+ Checking certificate...
+ Done!
+ Creating fullchain.pem...
deploy_cert
+ Done!
exit_hook
2021/02/17 11:14:18 [notice] 19453#0: *54 [lua] renewal.lua:73: renew_check_cert(): auto-ssl: checking certificate renewals for www.example.com, context: ngx.timer
2021/02/17 11:14:18 [notice] 19453#0: *54 [lua] renewal.lua:131: renew_check_cert(): auto-ssl: expiry date is more than 30 days out, skipping renewal: www.example.com, context: ngx.timer
Views: 2,736 · Posted: 2021-05-09