Proof of Concept: NGINX ACME Dynamic Module

zoracon · June 19, 2024, 5:06am

A major contributor to the Certbot project over the years brought to fruition a proof of concept that accomplishes establishing an ACME (RFC8555) dynamic module for NGINX. This is not currently under active development but any feedback/comments would be appreciated in case this can be picked up again in the near future. Also feel free to fork and play with this.

The README has an extensive overview of architecture, reproducibility, feature checklist, and memory safety. But I will give a short synopsis here as well.

It utilizes the dynamic module to remain an external process and not disrupt the request cycle by working with the Event loop API in NGINX.

Capabilities Listed and Desired Features:

ACME client
- Account registration
- Obtaining certificates
- Retrying failed orders
- Renewing certificates
- Pushing updates to workers
- Receiving worker configuration
nginx module
- nginx master process launches ACME client
- ACME HTTP challenge response
- Pushes config to ACME client
- Recurringly pulls certificates from ACME client
- Dynamically uses certificates from ACME client
- Handles reloads.
- Allows configuring the ACME client via acme_* directives.
Build
- Makefile anyone can use
- Build dynamic module binaries against nginx.org source distributions
- Build dynamic module binaries against Debian/Ubuntu/EPEL source distributions.

orangepizza · June 19, 2024, 3:47pm

Feels like throwing water at you but may want to look at that

Osiris · June 19, 2024, 3:48pm

But that's JavaScript

jvanasco · June 19, 2024, 5:07pm

Is that written by @_az ?

I open-sourced a very similar internal tool a few years ago. Our design goals were to have scalable domains/nodes, so there is a tiered external caching system for certificates with a fallback to a centralized external client. I was very happy with the caching system, as it supports: i) both shared memory regions in nginx, ii) failover to redis, iii) failover to internal client via http endpoint.

The nginx integration is done in Lua via OpenResty - GitHub - aptise/lua-resty-peter_sslers: OpenResty/Lua support for https://github.com/aptise/peter_sslers Certificate Manager

The backing ACME client is a Python server: GitHub - aptise/peter_sslers: or how i stopped worrying and learned to love the ssl certificate

I haven't touched it in a while, but we've been using it for a few years. I need to build ARI into the client and support some of the ECDSA stuff.

Nummer378 · June 19, 2024, 7:08pm

Yes, as a PoC.

Nekit · June 28, 2024, 5:32pm

I feel this might be somewhat relevant. There's a fork of nginx called Angie, they got their own acme implementation, for anyone curious:

github.com

webserver-llc/angie/blob/5707d583fdf6b8267358d57e92ba7de524af29d8/src/http/modules/ngx_http_acme_module.c


/*
 * Copyright (C) 2024 Web Server LLC
 */


#include <ngx_config.h>
#include <ngx_core.h>
#include <ngx_http.h>
#include <ngx_fiber.h>


/* Some timeout constants */

/*
 * How long the ACME client will wait for the ACME server to complete
 * authorization (sec)
 */
#define NGX_ACME_AUTHORIZATION_TIMEOUT  60

This file has been truncated. show original

system · July 28, 2024, 5:32pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Thank you all for helping me iron out my client for ACMEv2 Client dev	6	713	September 5, 2020
PowerShell ACMEv2 client: Posh-ACME Client dev	14	11362	June 28, 2018
[Feature Request?] predetermine the acme-challenges on multiple domain certificates Issuance Tech	2	2986	April 21, 2016
Certificate issue error Help	6	862	May 5, 2021
ACME v2 and Wildcard Certificate Support is Live Issuance Policy	12	328833	March 13, 2018

Proof of Concept: NGINX ACME Dynamic Module

Related topics