We switched from nginx to openresty just so we could use the lua-resty-auto-ssl plugin to generate SSL certs on the fly for user-owned domains they can plug into our system.

Our main site was still using certs generated by certbot, but it seems this depends on having nginx installed (you run `certbot --nginx` to get the certificate), which is leading to issues with our openresty server, so we want to get rid of our dead nginx installation altogether.

Our main server block looks like this:

```nginx
server {
    server_name example.org;

    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    ssl_certificate_by_lua_block {
        -- body not shown in the post
    }

    # Managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;

    # rest of the server block not shown in the post
}
```

And to stop depending on certbot certificates I tried deleting those last two lines, hoping the `ssl_certificate_by_lua_block` would do, just like it does for other domains.

However, this results in `openresty -t` failing:

```
nginx: [emerg] no ssl configured for the server
nginx: configuration file /usr/local/openresty/nginx/conf/nginx.conf test failed
```

I tried using a self-signed certificate:

```nginx
ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt;
ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;
```

But it results in the server using the self-signed certificate instead of the valid, real one generated by lua-resty-auto-ssl.

How can I do this then?

  • The [`lua-resty-auto-ssl`](https://github.com/auto-ssl/lua-resty-auto-ssl) documentation explicitly states that you must still define a static ssl_certificate file for nginx to start (you may generate a self-signed fallback). – Ivan Shatsky Nov 23 '20 at 17:06
  • @IvanShatsky right, I forgot to mention that I tried that but then the server would serve that certificate instead of the automatically generated one and the request would fail. – dabadaba Nov 23 '20 at 17:59
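
For reference, the arrangement the first comment describes, as an added example that follows the lua-resty-auto-ssl README and is not the poster's actual configuration. The `allow_domain` pattern, the resolver address and the name `customer.example` are assumptions for illustration.

```nginx
# Added example; directive layout follows the lua-resty-auto-ssl README.
# Paths, resolver and the allow_domain pattern are assumptions.
events { worker_connections 1024; }

http {
  lua_shared_dict auto_ssl 1m;
  lua_shared_dict auto_ssl_settings 64k;
  resolver 8.8.8.8 ipv6=off;

  init_by_lua_block {
    auto_ssl = (require "resty.auto-ssl").new()
    -- A name rejected here is served the static fallback certificate,
    -- so the main site's name has to be allowed as well.
    auto_ssl:set("allow_domain", function(domain)
      return ngx.re.match(domain, "^(example\\.org|customer\\.example)$", "ijo")
    end)
    auto_ssl:init()
  }
  init_worker_by_lua_block { auto_ssl:init_worker() }

  server {
    server_name example.org;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # Swaps in the stored or newly issued certificate during the handshake.
    ssl_certificate_by_lua_block { auto_ssl:ssl_certificate() }

    # Static fallback: nginx will not start without it, and it is what
    # clients receive whenever the Lua handler declines or issuance fails.
    ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt;
    ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;
  }

  server {  # HTTP-01 challenge endpoint used during issuance
    listen 80;
    location /.well-known/acme-challenge/ {
      content_by_lua_block { auto_ssl:challenge_server() }
    }
  }

  server {  # internal hook server, bound to loopback only
    listen 127.0.0.1:8999;
    client_body_buffer_size 128k;
    client_max_body_size 128k;
    location / {
      content_by_lua_block { auto_ssl:hook_server() }
    }
  }
}
```

When the fallback certificate is the one served, lua-resty-auto-ssl records the reason in the nginx error log, which distinguishes a name rejected by `allow_domain` from a failed issuance.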
