webserver-llc / angie

Angie - drop-in replacement for Nginx
https://angie.software/en/
BSD 2-Clause "Simplified" License

Implementing an auto SSL feature #43

Open adammakowskidev opened 11 months ago

adammakowskidev commented 11 months ago

Hi! First of all I would like to thank you for creating Angie, it's a very good project, much friendlier and easier to use than nginx. I've been testing it for some time and it works flawlessly. My question is whether it is possible to implement auto SSL, such as it works in Caddy? https://caddyserver.com/docs/automatic-https

This would be a real game changer in the NGINX environment and a big plus for Angie. Do you have any plans for such a feature?

Greetings. PS - Sorry if this is not the right place to report such ideas.

a-sor commented 11 months ago

Hi Adam, thank you for your interest. I'm an Angie developer, and I can tell you that we're working on this feature right now. No specific dates yet though :) Cheers

adammakowskidev commented 11 months ago

Amazing! Looking forward to this feature!

adammakowskidev commented 9 months ago

Hi. Any updates?

a-sor commented 9 months ago

Hi. Work is underway, but I still can't promise this feature will be released any time soon (probably not until new year :)) The ACME protocol implementation is basically up and running, but there's more to be done.

If you're interested, I can share some details :) This may all still change, but at the moment we've added several new directives to the config syntax. The most important one is acme <identifier>;. It switches on an ACME client for the server configured in the current server block. Basically, every server can have its own ACME client configured to renew its certificates, so we need to distinguish them somehow, hence the <identifier>. It also gives the name for the subdirectory where the client will keep all its keys, certificates, etc.

At startup, the client checks the expiration dates of its certificates, and launches a renewal procedure, if necessary, or schedules renewal for an appropriate time. I wouldn't like to go deeper and tell you what's going on under the hood, particularly as we haven't solved a couple of design problems yet :) But I will appreciate any suggestions, wishes, ideas, etc. Can't promise to fulfil them all, but they will all be carefully reviewed and taken into account.

Cheers

adrian5 commented 9 months ago

Yes, take your time to think this through and to sufficiently test the implementation. Once this lands it'll solve a decade old shortcoming (imo) of Nginx.

adammakowskidev commented 5 months ago

@a-sor Hi. sorry for asking again. What is the progress of the work?

a-sor commented 5 months ago

Hi @adammakowskidev ,

I was just going to write a little update on this. We will be releasing Angie 1.5.0 soon, and we plan to include this ACME feature in it. It will come with some limitations though (e.g. only http-01 challenge, no wildcard domains, etc). We are going to further develop ACME support and overcome some of these limitations in future versions.

We have changed the syntax of the new directives, now they are acme_client (defines a client, gives it an ID, sets parameters, etc.) and acme (links a client to a server to update the certificate for). There are also two new variables added: $acme_cert_ID and $acme_cert_key_ID. They are used to activate the renewed certificate and certificate key in the SSL layer by specifying them in the ssl_certificate and ssl_certificate_key directive correspondingly. This is best explained by the following example configuration:

http {
    map $acme_cert_example $cert_example {
        ''       original.crt;
        default  $acme_cert_example;
    }

    map $acme_cert_example $cert_key_example {
        ''       original.key;
        default  $acme_cert_key_example;
    }

    acme_client example;

    server {

        listen               443 ssl;
        server_name          example.com www.example.com;

        ssl_certificate      $cert_example;
        ssl_certificate_key  $cert_key_example;

        acme                 example;
    }

    server {
        listen               80;
        server_name          localhost;

        location / {
            return           200 "HELLO\n";
        }
    }
}

I hope this gives you an idea :)

Cheers
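Since the first release only supports the http-01 challenge, it helps to see what that challenge actually requires of the server on port 80. The following is an added illustration, not Angie's code: the client side derives the key authorization from the account key's JWK thumbprint (RFC 7638) and the CA side fetches and compares it; the JWK values and token are constructed samples.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample RSA public key in JWK form (NOT a real account key).
# Only the structure matters: "n" and "e" are base64url without padding.
SAMPLE_RSA_JWK = {
    "kty": "RSA",
    "n": base64.urlsafe_b64encode(bytes(range(1, 65))).rstrip(b"=").decode(),
    "e": "AQAB",
}
# A second constructed key, to show that another account cannot pass validation.
OTHER_RSA_JWK = dict(SAMPLE_RSA_JWK, n=base64.urlsafe_b64encode(bytes(range(2, 66))).rstrip(b"=").decode())


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required public members only, keys sorted
    lexicographically, no whitespace, SHA-256, base64url. Private members
    such as "d" are deliberately excluded, so a public JWK suffices."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token + '.' + thumbprint: proves possession of the account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_response(token: str, account_jwk: dict) -> tuple[str, str]:
    """Client side: the path that must answer on plain HTTP (port 80) and
    the exact body to return for it. The token is issued by the CA."""
    return "/.well-known/acme-challenge/" + token, key_authorization(token, account_jwk)


def ca_validates(fetched_body: str, token: str, account_jwk: dict) -> bool:
    """CA side: it fetched http://<domain>/.well-known/acme-challenge/<token>
    and compares the body with its own computation for the ordering account."""
    expected = key_authorization(token, account_jwk)
    return hmac.compare_digest(fetched_body.strip().encode(), expected.encode())
```

Because the CA must reach that path over plain HTTP on the public hostname, a server block without a port 80 listener (or a DNS name that does not resolve to it) fails http-01, and wildcard names cannot be validated this way at all; they need dns-01, which the thread notes is not yet supported.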

a-sor commented 5 months ago

Forgot to say that by default the client tries to acquire a certificate from Let's Encrypt. The ACME server's URL can be specified in the server parameter of the acme_client directive.

VBart commented 5 months ago

Initial support for Automatic Certificate Management Environment (ACME) released with Angie 1.5.0. See the docs: https://angie.software/en/configuration/modules/http_acme/

adammakowskidev commented 5 months ago

Amazing! Today I will start testing.

adrian5 commented 5 months ago

I'll second that, nice work guys! :clap: And neat to have the $acme_cert_[_key_]<name> variables.

adammakowskidev commented 5 months ago

Ok, so I tried it now. It looks like the certificates were generated, because there are 3 files in the /var/lib/angie/acme/domain folder.

But the site does not support connection via https

My config, maybe I'm doing something wrong?

resolver 127.0.0.1:53;
acme_client domain https://acme-staging-v02.api.letsencrypt.org/directory;

server {
    listen       80;
    listen       443 ssl;
    server_name  domain.net;
    acme  domain;

    ssl_certificate      $acme_cert_domain;
    ssl_certificate_key  $acme_cert_key_domain;

    location / {
        root   /usr/share/angie/html;
        index  index.html index.htm;
    }
}

VBart commented 5 months ago

Please check error log. Also, make sure that 127.0.0.1:53 is a valid address of the DNS server.

Note, that system-resolved usually listens on 127.0.0.53 (not 127.0.0.1).

adammakowskidev commented 4 months ago

Hi. If anyone has problems configuring SSL, here is an example of mine that works :) PS - When is the implementation of wildcard SSL planned? @VBart @a-sor

resolver 127.0.0.53;
acme_client domain_com https://acme-v02.api.letsencrypt.org/directory key_bits=2048 key_type=rsa renew_before_expiry=3d;

server {
    listen 80;
    listen 443 quic;
    listen 443 ssl;
    server_name  domain_com;
    acme  domain_com;

    ssl_certificate      $acme_cert_domain_com;
    ssl_certificate_key  $acme_cert_key_domain_com;

    location / {
        add_header Alt-Svc 'h3=":443"; ma=86400';
        root   /usr/share/angie/html;
        index  index.html index.htm;
    }

    location /status/ {
        api     /status/;
        allow   127.0.0.1;
        deny    all;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/angie/html;
    }
}

VBart commented 4 months ago

@adammakowskidev it's planned for Q2-Q3 this year.

adammakowskidev commented 2 months ago

@VBart Will wildcard SSL support be available in version 1.6.0? I'm looking forward to it :)

VBart commented 2 months ago

@VBart Will wildcard SSL support be available in version 1.6.0? I'm looking forward to it :)

Unfortunately it won't be ready by 1.6.0, which is expected by the end of this month. Currently we have been busy refactoring some approaches in the ACME request implementation in order to resolve reported issues with the current one. So, in 1.6 the module will just become more robust, and there will be an ability to configure requests for different types of certificates (both RSA and ECDSA) for the same server block at the same time.

adammakowskidev commented 2 months ago

@VBart Thank you for your response. So I'll keep waiting.