I am using the lua-resty-auto-ssl package with openresty to dynamically generate certificates for my clients (tenants). I got reports that generation of new certificates stopped working, and when I checked the logs I found this:
2022/12/26 13:08:48 [error] 3722673#0: 97 [lua] ssl_certificate.lua:291: auto-ssl: could not get certificate for codedesign.network - using fallback - failed to get or issue certificate, context: ssl_certificate_by_lua, client: 157.46.154.48, server: 0.0.0.0:443
A curl(35) is not the typical response when your IP is blocked. This is more likely on your end.
Testing connections to codedesign.network results in a couple of problems. One is that connections from various locations often take 30 seconds or more. I think it likely you also have issues on outbound connections.
More importantly, the cert returned is wrong. The cert being used names *.codedesign.app (not codedesign.network).
The only certs in the history for codedesign.network are wildcards (link here). Yet, the dehydrated request uses the http challenge. An http challenge does not support a wildcard cert. You must use DNS challenge instead for that.
As for the curl, do these succeed and how long do they take?
Thank you for the reply. The wildcard certs are configured to *.codedesign.app as a fallback so that the nginx doesn't complain when starting up. Our configuration is similar to that of https://github.com/auto-ssl/lua-resty-auto-ssl. This used to work for the last 5 months.
The certs are generated on the fly and codedesign.network doesn't have any prior certificates.
Both the commands return data. However, I found a suggestion to run
$ curl https://acme-v02.api.letsencrypt.org/directory
curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to acme-v02.api.letsencrypt.org:443
and as you can see, that's what I get. On my local machine, it doesn't throw the error.
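The thread turns on where the request to the ACME directory fails: curl exit code 35 is a TLS handshake failure, which happens before any HTTP response is exchanged. The following is an added example, not code from the posters or from lua-resty-auto-ssl; the function names and verdict strings are assumptions of this example, and it maps curl's exit code, HTTP status and connect time to the layer that failed.

```shell
#!/bin/sh
# Added example: name the layer at which a probe of the ACME directory failed.
# Function names and verdict strings are this example's own, not from any tool.
ACME_DIR="https://acme-v02.api.letsencrypt.org/directory"   # URL from the thread

# classify_probe CURL_EXIT HTTP_CODE TIME_CONNECT
# TIME_CONNECT is curl's %{time_connect}; it stays 0 until TCP is established.
classify_probe() {
    rc=$1; http=$2; t_conn=$3
    if awk -v t="$t_conn" 'BEGIN { exit !(t + 0 > 0) }'; then tcp=up; else tcp=down; fi
    case "$rc" in
        0)  if [ "$http" = 200 ]; then
                echo "ok: directory fetched over TLS"
            else
                echo "http: server answered with status $http, read the response body"
            fi ;;
        6)  echo "dns: host name did not resolve" ;;
        7)  echo "tcp: connection refused or host unreachable" ;;
        28) if [ "$tcp" = up ]; then
                echo "timeout: TCP connected, stalled during TLS or transfer"
            else
                echo "timeout: no TCP connection within the limit"
            fi ;;
        35) if [ "$tcp" = up ]; then
                echo "tls: TCP connected, handshake failed before any HTTP exchange"
            else
                echo "tls: handshake error, no connect time recorded"
            fi ;;
        60) echo "tls: server certificate failed verification" ;;
        *)  echo "other: curl exit $rc, see the EXIT CODES section of curl(1)" ;;
    esac
}

# probe [URL]: run curl once and classify the outcome.
probe() {
    url=${1:-$ACME_DIR}
    rc=0
    out=$(curl -sS -o /dev/null --max-time 20 \
        -w '%{http_code} %{time_connect}' "$url" 2>/dev/null) || rc=$?
    set -- $out
    classify_probe "$rc" "${1:-000}" "${2:-0}"
}
```

Running `probe` on the server and on a machine where the request succeeds shows whether the two differ at the DNS, TCP, TLS or HTTP layer.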