Merge pull request #92 from mklauber/issue-#91

GUI · web-flow · commit f80daf7b03b0 · 2018-01-28T07:47:34.000-07:00
Generate a new certificate unless ssl_options["generate_certs"] == false
diff --git a/README.md b/README.md
@@ -133,7 +133,7 @@ http {
 }
 ```
 
-## Configuration
+## `auto_ssl` Configuration
 
 Additional configuration options can be set on the `auto_ssl` instance that is created:
 
@@ -271,6 +271,20 @@ Additional configuration options can be set on the `auto_ssl` instance that is c
   auto_ssl:set("hook_server_port", 90)
   ```
 
+### `ssl_certificate` Configuration
+
+- **`generate_certs`**
+  *Default:* true
+
+  This variable can be used to disable generating certs on a per server block location.
+
+  *Example:*
+
+  ```lua
+  auto_ssl:ssl_certificate({ generate_certs=false })
+  ```
+
+
 ### Advanced Let's Encrypt Configuration
 
 Internally, lua-resty-auto-ssl uses [dehydrated](https://github.com/lukas2511/dehydrated) as it's Let's Encrypt client. If you'd like to adjust lower-level settings, like the private key size, public key algorithm, or your registration e-mail, these settings can be configured in a custom dehydrated configuration file.
diff --git a/lib/resty/auto-ssl/ssl_certificate.lua b/lib/resty/auto-ssl/ssl_certificate.lua
@@ -96,7 +96,7 @@ local function issue_cert(auto_ssl_instance, storage, domain)
   return fullchain_pem, privkey_pem, err
 end
 
-local function get_cert(auto_ssl_instance, domain)
+local function get_cert(auto_ssl_instance, domain, ssl_options)
   -- Look for the certificate in shared memory first.
   local fullchain_der = ngx.shared.auto_ssl:get("domain:fullchain_der:" .. domain)
   local privkey_der = ngx.shared.auto_ssl:get("domain:privkey_der:" .. domain)
@@ -113,9 +113,13 @@ local function get_cert(auto_ssl_instance, domain)
   end
 
   -- Finally, issue a new certificate if one hasn't been found yet.
-  fullchain_pem, privkey_pem = issue_cert(auto_ssl_instance, storage, domain)
-  if fullchain_pem and privkey_pem then
-    return convert_to_der_and_cache(domain, fullchain_pem, privkey_pem, true)
+  if not ssl_options or ssl_options["generate_certs"] ~= false then
+    fullchain_pem, privkey_pem = issue_cert(auto_ssl_instance, storage, domain)
+    if fullchain_pem and privkey_pem then
+      return convert_to_der_and_cache(domain, fullchain_pem, privkey_pem, true)
+    end
+  else
+    return nil, nil, nil, "did not issue certificate, because the generate_certs setting is false"
   end
 
   -- Return an error if issuing the certificate failed.
@@ -251,7 +255,7 @@ local function do_ssl(auto_ssl_instance, ssl_options)
   end
 
   -- Get or issue the certificate for this domain.
-  local fullchain_der, privkey_der, newly_issued, get_cert_err = get_cert(auto_ssl_instance, domain)
+  local fullchain_der, privkey_der, newly_issued, get_cert_err = get_cert(auto_ssl_instance, domain, ssl_options)
   if get_cert_err then
     ngx.log(ngx.ERR, "auto-ssl: could not get certificate for ", domain, " - using fallback - ", get_cert_err)
     return
