Skip to content

Generate a new certificate unless ssl_options["generate_certs"] == false #92

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
GUI merged 4 commits into from
Jan 28, 2018
Merged

Generate a new certificate unless ssl_options["generate_certs"] == false #92

Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
04ee33c
Generate a new certificate unless ssl_options[generate_certs] == false
mklauber Sep 26, 2017
e5667a0
issue certs defaults, error message
mklauber Dec 26, 2017
2fd0d8f
Update README.md
mklauber Dec 26, 2017
620bf07
Update README.md
mklauber Dec 26, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 7 additions & 5 deletions lib/resty/auto-ssl/ssl_certificate.lua
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -96,7 +96,7 @@ local function issue_cert(auto_ssl_instance, storage, domain)
return fullchain_pem, privkey_pem, err
end

local function get_cert(auto_ssl_instance, domain)
local function get_cert(auto_ssl_instance, domain, ssl_options)
-- Look for the certificate in shared memory first.
local fullchain_der = ngx.shared.auto_ssl:get("domain:fullchain_der:" .. domain)
local privkey_der = ngx.shared.auto_ssl:get("domain:privkey_der:" .. domain)
Expand All @@ -113,9 +113,11 @@ local function get_cert(auto_ssl_instance, domain)
end

-- Finally, issue a new certificate if one hasn't been found yet.
fullchain_pem, privkey_pem = issue_cert(auto_ssl_instance, storage, domain)
if fullchain_pem and privkey_pem then
return convert_to_der_and_cache(domain, fullchain_pem, privkey_pem, true)
if ssl_options and ssl_options["generate_certs"] ~= false then
Copy link
Collaborator

@luto luto Dec 26, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As far as I can tell, this defaults to not issuing any certificates when ssl_options is not there or the value is not specified. When users update to a version containing this change, their setup will stop working for new domains.

As to not break existing setups without need, I suggest to change the default for this to true.

fullchain_pem, privkey_pem = issue_cert(auto_ssl_instance, storage, domain)
if fullchain_pem and privkey_pem then
return convert_to_der_and_cache(domain, fullchain_pem, privkey_pem, true)
end
end
Copy link
Collaborator

@luto luto Dec 26, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

get_cert returns an error message as the very last parameter. Please add a appropriate message telling the users what is going on, in case certificates are not being generated because of this setting:

return nil, nil, nil, "did not issue certificate, because the generate_certs setting is false"


-- Return an error if issuing the certificate failed.
Expand Down Expand Up @@ -251,7 +253,7 @@ local function do_ssl(auto_ssl_instance, ssl_options)
end

-- Get or issue the certificate for this domain.
local fullchain_der, privkey_der, newly_issued, get_cert_err = get_cert(auto_ssl_instance, domain)
local fullchain_der, privkey_der, newly_issued, get_cert_err = get_cert(auto_ssl_instance, domain, ssl_options)
if get_cert_err then
ngx.log(ngx.ERR, "auto-ssl: could not get certificate for ", domain, " - using fallback - ", get_cert_err)
return
Expand Down