
Use acme instead of letsencrypt for variable conventions #26

Closed
fititnt opened this issue Nov 28, 2019 · 3 comments

Comments

@fititnt
Owner

fititnt commented Nov 28, 2019


We already have some variables with letsencrypt, but in fact we're dealing with a standard protocol that more vendors could implement (and actually, there is at least one other alternative to letsencrypt, buypass).

This issue is mostly about renaming (or not creating new variables) using the hardcoded naming of letsencrypt.

@fititnt
Owner Author

fititnt commented Nov 28, 2019

Related dehydrated-io/dehydrated#653

The gui/lua-resty-autossl uses dehydrated to obtain the certificates. So in theory that issue is something to watch for.

Anyway, the new naming conventions could still be more flexible. And this may even help a lot if someone gets in trouble with letsencrypt limits and needs to quickly obtain other certificates.

fititnt added a commit that referenced this issue Nov 28, 2019
fititnt added a commit that referenced this issue Dec 2, 2019
@fititnt
Owner Author

fititnt commented Dec 2, 2019

The old rule was this one:

```lua
-- This fragment runs inside the auto_ssl allow_domain(domain) callback.
-- Fail first if domain seems to be an IP.
-- @see https://github.com/GUI/lua-resty-auto-ssl/issues/26#issuecomment-366919522
-- Dots are escaped as %. so that only digit.digit.digit.digit matches
-- (an unescaped "." in a Lua pattern matches any character).
if string.match(domain, "(%d+)%.(%d+)%.(%d+)%.(%d+)") or string.find(domain, ":", 1, true) then
    -- These domains can be used for testing. Comment out this if to not allow even these ones
    -- https://nip.io/
    -- https://xip.io/
    -- https://sslip.io/
    if not (string.find(domain, "nip.io", 1, true) or string.find(domain, "xip.io", 1, true) or string.find(domain, "sslip.io", 1, true)) then
        ngx.log(ngx.ERR, "allow_domain does not allow HTTPS for IPs ", domain)
        return false
    end
end
```

I will have to somewhat replace this rule to allow nip.io, xip.io and sslip.io domains

@fititnt
Owner Author

fititnt commented Dec 24, 2019

Example from v0.8.6-alpha:

```yaml
### AP-ALB ACME ________________________________________________________________
# BY USING Let's Encrypt, even if automated for you, you AGREE with
# Let’s Encrypt Subscriber Agreement at https://letsencrypt.org/repository/

alb_acme_production: true

alb_acme_rule_ips_allowed: false # ACME (Let's Encrypt at least) will not do HTTPS for IPs, so don't even try

# Exact match
alb_acme_rule_whitelist: []
alb_acme_rule_whitelist_file: '' # not implemented... yet
alb_acme_rule_blacklist: []
alb_acme_rule_blacklist_file: '' # not implemented... yet

# Suffix match (e.g. for subdomains) and prefix match (e.g. any full domain that starts with these values)
alb_acme_rule_whitelist_suffix: []
alb_acme_rule_whitelist_prefix: []
alb_acme_rule_blacklist_suffix: []
alb_acme_rule_blacklist_prefix: []

# alb_acme_rule_lua injects custom Lua inside the GUI/lua-resty-auto-ssl allow_domain function.
alb_acme_rule_lua: |
  -- FILE: /usr/local/openresty/nginx/conf/nginx.conf
  -- NGINX CONTEXT: http/init_by_lua_block/auto_ssl:set("allow_domain", function(domain)
  -- See https://github.com/GUI/lua-resty-auto-ssl
  -- Note 1: Inside lua blocks (like this one) "--" is used to start comments
  --       and not "#"
  -- Note 2: your custom code should 'return true' or 'return false'

# alb_acme_rule_last defines your "default" behavior for what was not explicitly
# whitelisted/blacklisted
alb_acme_rule_last: true

# This value is inferred from alb_acme_production. But you can customize it yourself
alb_acme_url: "{{ 'https://acme-v02.api.letsencrypt.org/directory' if alb_acme_production else 'https://acme-staging-v02.api.letsencrypt.org/directory' }}"
```
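
As an added example that is not part of this issue or the project's code, here is a plain-Lua model of how the alb_acme_rule_* settings above could be evaluated inside allow_domain; the evaluation order (IP check, blacklists, whitelists, then the alb_acme_rule_last default), the stderr logger used instead of ngx.log and the sample rule values are assumptions made for this illustration.

```lua
-- Added example (not the project's code): a plain-Lua model of how the
-- alb_acme_rule_* settings above could be evaluated inside allow_domain.
-- The rule table mirrors the YAML keys; the evaluation order (IP check,
-- blacklists, whitelists, then alb_acme_rule_last) and the stderr log
-- function instead of ngx.log are assumptions made for this illustration.
local rules = {
  ips_allowed      = false,
  whitelist        = { "example.org" },          -- constructed sample values
  blacklist        = { "bad.example.org" },
  whitelist_suffix = { ".example.org" },
  whitelist_prefix = {},
  blacklist_suffix = {},
  blacklist_prefix = { "admin." },
  last             = false,                      -- alb_acme_rule_last
}

local function log(msg) io.stderr:write(msg, "\n") end

local function has_suffix(s, suf) return suf ~= "" and s:sub(-#suf) == suf end
local function has_prefix(s, pre) return pre ~= "" and s:sub(1, #pre) == pre end

-- Anchored and with dots escaped (%.), so "10.0.0.1" is an IP literal but
-- "10.0.0.1.nip.io" is a DNS name and no nip.io/xip.io special case is needed.
local function looks_like_ip(domain)
  return domain:match("^%d+%.%d+%.%d+%.%d+$") ~= nil
      or domain:find(":", 1, true) ~= nil   -- IPv6 literal
end

local function allow_domain(domain)
  domain = domain:lower()
  if looks_like_ip(domain) and not rules.ips_allowed then
    log("allow_domain: ACME will not issue for IP literal " .. domain)
    return false
  end
  -- Blacklists are checked before whitelists so a deny always wins.
  for _, d in ipairs(rules.blacklist)        do if domain == d           then return false end end
  for _, s in ipairs(rules.blacklist_suffix) do if has_suffix(domain, s) then return false end end
  for _, p in ipairs(rules.blacklist_prefix) do if has_prefix(domain, p) then return false end end
  for _, d in ipairs(rules.whitelist)        do if domain == d           then return true  end end
  for _, s in ipairs(rules.whitelist_suffix) do if has_suffix(domain, s) then return true  end end
  for _, p in ipairs(rules.whitelist_prefix) do if has_prefix(domain, p) then return true  end end
  return rules.last   -- default for anything not explicitly listed
end

for _, d in ipairs({ "example.org", "www.example.org", "bad.example.org",
                     "admin.example.org", "10.0.0.1", "10.0.0.1.nip.io", "other.test" }) do
  print(d, allow_domain(d))
end
```

With the sample table, example.org and www.example.org are allowed, bad.example.org and admin.example.org are refused by the blacklists, 10.0.0.1 is refused as an IP literal, and 10.0.0.1.nip.io and other.test fall through to the rules.last default.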

@fititnt fititnt closed this as completed Dec 24, 2019