lua-resty-auto-ssl is extremely useful in development environment as well as in production. However while LE is great and free, it's not flexible enough for all scenarios. OpenSSL bridges this gap giving ultimate control over the process.
What this does?
In essence this PR adds a (pretty feature-complete) proof-of-concept of local OpenSSL integration in lua-resty-auto-ssl. By default compatibility is not broken in any way and the code behaves as before, so it can be deployed without any changes to the configuration.
Scope of changes
New SSL provider is added which implements standard OpenSSL flow:
Create CSR for a domain
Create private key
Sign CSR with intermediate CA key (if available), or main CA key
Bundle everything into chained PEM
New binaries/shell scripts are shipped:
openssl_manager implements the logic of lua-resty-auto-ssl <=> OpenSSL interaction
openssl_hooks mirrors letsencrypt_hooks mimicking flow of dehydrated calling hooks script which then calls internal web server to deploy certs
OCSP stapling is made optional: as of now if certificate passed had no OCSP it was treated as an error since LE certs should always have it. Local ones obviously don't and thus the information is persisted in logs but degraded down from an error
New config option ssl_provider is added:
By default assumes resty.auto-ssl.ssl_providers.lets_encrypt (BC)
Can be set to resty.auto-ssl.ssl_providers.openssl to enable OpenSSL provider
New config option openssl_config is added which accepts a path to POSIX shell script which can override options present in openssl_manager
Logic of renewal, previously hardcoded, is moved to each ssl provider to implement; current LE logic is preserved in LE provider
Current state
It works for initial certificate issuance, as well as for renewal
Motives
lua-resty-auto-sslis extremely useful in development environment as well as in production. However while LE is great and free, it's not flexible enough for all scenarios. OpenSSL bridges this gap giving ultimate control over the process.What this does?
In essence this PR adds a (pretty feature-complete) proof-of-concept of local OpenSSL integration in
lua-resty-auto-ssl. By default compatibility is not broken in any way and the code behaves as before, so it can be deployed without any changes to the configuration.Scope of changes
openssl_managerimplements the logic oflua-resty-auto-ssl<=> OpenSSL interactionopenssl_hooksmirrorsletsencrypt_hooksmimicking flow ofdehydratedcalling hooks script which then calls internal web server to deploy certsssl_provideris added:resty.auto-ssl.ssl_providers.lets_encrypt(BC)resty.auto-ssl.ssl_providers.opensslto enable OpenSSL provideropenssl_configis added which accepts a path to POSIX shell script which can override options present inopenssl_managerCurrent state
WDYT?
Is that something you will like merged? cc: @GUI