I suspect that unfortunately Itsi cannot quite do what you are looking for today.
The closest you can get is to dynamically add domains to the bind string

```ruby
bind "https://0.0.0.0?cert=acme&cert_email=admin@example.com&domains=#{load_customer_domains.join(",")}"
```

and then to trigger a reload each time your list of customers changes.

E.g. Unsafe Toy example of a `_restart` endpoint that you can hit to trigger a server restart

```ruby
location "_restart" do
  # admin:admin
  auth_basic credential_pairs: {admin: "$5$rounds=1000$JLrY65ZHUsAUmKN9$uvIDKS6Kj2pR5e7J10rtBn7A7B6shPPcCM/XwHxvTn8"}
  get do |req|
    req.ok
    Process.kill(:SIGUSR1, IO.read(".itsi.pid").to_i)
  end
end
```

However, if your list of customers is large and/or changes frequently, this won't scale particularly well, as you'll quickly run into Let's Encrypt rate limits or performance issues, as during the reboot phase the listener won't respond to any requests (including those for previously valid certs) until the new certs are completely issued.

Reworking the certificate system to support the HTTP-01 challenge type is currently planned, and alongside this I intend to support the ability to amend the list of live certificates, without requiring a reboot.
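An added example, not part of the reply above and not Itsi's own code: one way to validate customer domains before they are interpolated into the `domains=` parameter and to signal a reload only when the validated list has actually changed, which limits both parameter injection through a database value and needless certificate requests. The helper names, the hostname pattern and the state-file path are assumptions; the bind string format, `.itsi.pid` and `SIGUSR1` are taken from the reply.

```ruby
require "digest"

# Conservative hostname pattern (assumption): lowercase LDH labels, at least
# two labels, alphabetic TLD, no wildcards. Anything else is dropped.
HOSTNAME = /\A(?=.{1,253}\z)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\z/

# Normalise, validate and dedupe. A value containing "&", "=" or "," would
# otherwise add parameters or extra domains to the bind string.
def sanitize_domains(raw)
  raw.map { |d| d.to_s.strip.downcase.chomp(".") }
     .select { |d| d.match?(HOSTNAME) }
     .uniq
     .sort
end

# Build the bind string in the format shown in the reply.
def bind_string(domains, email:)
  "https://0.0.0.0?cert=acme&cert_email=#{email}&domains=#{domains.join(",")}"
end

# True only when the validated list differs from the last one recorded in
# state_file (hypothetical path); records the new digest when it does.
def domains_changed?(domains, state_file)
  digest = Digest::SHA256.hexdigest(domains.join("\n"))
  return false if File.exist?(state_file) && File.read(state_file) == digest
  File.write(state_file, digest)
  true
end

# Same signal as the toy endpoint in the reply; Integer() raises on a
# malformed pid file instead of silently yielding 0 as to_i would.
def reload_itsi(pid_file = ".itsi.pid")
  Process.kill(:SIGUSR1, Integer(File.read(pid_file).strip))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample rows standing in for load_customer_domains.
  rows = ["Shop.Example.com", "shop.example.com.", "evil.example&cert=none",
          "a.example,b.example", "*.example.com", "ok.example.org"]
  puts bind_string(sanitize_domains(rows), email: "admin@example.com")
end
```

A scheduled job would call `reload_itsi` only when `domains_changed?` returns true, so an unchanged customer list never triggers the restart window described in the reply.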
Hi there, I'm currently using OpenResty and a Lua package for automatic generation of SSL certificates for our customers' domain names. We currently check our database to see if the requested host is on our list of customer domains before processing the SSL certificate creation or renewal.
Does Itsi support the creation of certs for arbitrary domain names? As in, if you bind a server to respond to any hostname, will it still attempt to generate a cert or do we need to be specific about which domain names are allowed in the bind call? We have hundreds of domains to maintain SSL certs for, so any kind of manual configuration would be impractical.