Open thenewguy opened 2 years ago
I'm currently running OpenResty v1.15.8.2. Is anyone running a newer version without issues? Wondering if I should upgrade or not.
Their github repo seems to be outdated? Last release there is 1.15.8.3:
I'm running OpenResty 1.21.4.1 and using lua-resty-auto-ssl without problems. Shame that it seems unsupported though, better to migrate to something else.
I wonder how much time I (we) have before something breaks and certs stop issuing. I'm loath to set up another solution (Caddy seems to be the recommended route?). Have you moved on already?
Yes, shortly after I posted this I switched to Caddy. I set OpenResty to another port, disabled TLS/moved every site to the HTTP port and everything that has to do with lua-resty-auto-ssl, and in my Caddyfile for every domain I first set up a reverse_proxy that points to OpenResty (need to use the OpenResty HTTP port!). Then I migrated one site after another. Took me a whole day but in the end it was worth it. Many configs are now just a few lines vs two whole server blocks.
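The staged migration described in the comment above, sketched as a Caddyfile. This is an added example, not the commenter's actual config; the domain names, the 127.0.0.1:8080 backend address and the /srv/www path are assumptions.

```caddyfile
# Reusable snippet: hand the request to the old OpenResty instance.
# Assumption: OpenResty now listens on plain HTTP at 127.0.0.1:8080 only.
# Because TLS ends at Caddy, the backend port carries cleartext traffic,
# so it should be bound to loopback (or firewalled) rather than exposed.
(legacy_openresty) {
	reverse_proxy 127.0.0.1:8080
}

# Stage 1: every domain gets a site block that only proxies to OpenResty.
# Caddy obtains and renews the certificate; OpenResty still serves the site.
shop.example.com {
	import legacy_openresty
}

blog.example.com {
	import legacy_openresty
}

# Stage 2: a site that has been migrated is served by Caddy directly and
# no longer imports the snippet. The other sites keep working unchanged.
docs.example.com {
	root * /srv/www/docs
	file_server
}
```

Once no site block imports the snippet any more, the OpenResty listener can be shut down.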
Phew! Took me a bit of work over a few weeks, but I finally put my Caddy server into production today! I had to flip-flop between my AutoSSL server and Caddy so as not to hit the 300 certs/3 hr rate limit; I wasn't able to copy my old certs over as I didn't want to risk something breaking. Caddy seems to be doing great so far, and the certificate issuance is superfast in comparison. I probably spent the most time tweaking my Caddyfile as it was all new to me.
Edit: Perhaps I didn't need to be concerned with the rate limits. It seems that Caddy has its own internal rate limiter so as to avoid hitting the LE rate limits:
ACME challenges take at least a few seconds, and internal rate limiting helps mitigate accidental abuse. Caddy uses internal rate limiting in addition to what you or the CA configure so that you can hand Caddy a platter with a million domain names and it will gradually -- but as fast as it can -- obtain certificates for all of them. Caddy's internal rate limit is currently 10 attempts per ACME account per 10 seconds.
https://github.com/auto-ssl/lua-resty-auto-ssl/blob/master/Dockerfile-test seems to be the latest version of OpenResty at 1.15
Per the OpenResty site, OpenResty 1.21.4.1 RC1 is out