Proof of Concept: NGINX ACME Dynamic Module

A major contributor to the Certbot project over the years brought to fruition a proof of concept that establishes an ACME (RFC 8555) dynamic module for NGINX. This is not currently under active development, but any feedback/comments would be appreciated in case this can be picked up again in the near future. Also feel free to fork and play with this.

The README has an extensive overview of architecture, reproducibility, feature checklist, and memory safety. But I will give a short synopsis here as well.

It utilizes the dynamic module to keep the ACME client an external process and not disrupt the request cycle, working with the event loop API in NGINX.

Capabilities Listed and Desired Features:

  • ACME client
    • Account registration
    • Obtaining certificates
    • Retrying failed orders
    • Renewing certificates
    • Pushing updates to workers
    • Receiving worker configuration
  • nginx module
    • nginx master process launches ACME client
    • ACME HTTP challenge response
    • Pushes config to ACME client
    • Recurringly pulls certificates from ACME client
    • Dynamically uses certificates from ACME client
    • Handles reloads
    • Allows configuring the ACME client via acme_* directives
  • Build
    • Makefile anyone can use
    • Build dynamic module binaries against nginx.org source distributions
    • Build dynamic module binaries against Debian/Ubuntu/EPEL source distributions.
12 Likes
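The checklist above has the nginx module answer the HTTP-01 challenge while the external ACME client owns the account key. The two sides have to agree on exactly one string per challenge: the key authorization from RFC 8555 section 8.1, which is the token joined with a '.' to the RFC 7638 thumbprint of the account key. The block below is an added example, not code from the PoC, from Certbot, or from anyone in this thread; it works through that computation in plain Python and models the module-side responder as a token table pushed from the client, with the same path restrictions a worker should apply. The JWK coordinates and token are constructed sample values, not a real key.

```python
"""ACME (RFC 8555) HTTP-01 challenge material, worked through in plain Python.

Added example, not code from the NGINX ACME PoC. All sample values below are
constructed for the example.
"""
import base64
import hashlib
import json
import re
from typing import Optional

# RFC 7638 section 3.2: the thumbprint covers only the required public members,
# serialized with lexicographically sorted keys and no whitespace.
_REQUIRED_JWK_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}

ACME_CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# RFC 8555 section 8.3: the token is base64url without padding. Rejecting anything
# else keeps '..' segments, slashes and newlines away from the lookup.
_TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as both ACME and JWK require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk_json(jwk: dict) -> bytes:
    """Canonical JSON of the required members; optional members (kid, alg, use) are dropped."""
    try:
        members = _REQUIRED_JWK_MEMBERS[jwk["kty"]]
    except KeyError as exc:
        raise ValueError("unsupported or missing kty") from exc
    canonical = {m: jwk[m] for m in members}  # KeyError if a required member is absent
    return json.dumps(canonical, sort_keys=True, separators=(",", ":")).encode("utf-8")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: base64url(SHA-256(canonical JSON))."""
    return b64url(hashlib.sha256(canonical_jwk_json(jwk)).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || thumbprint(account key)."""
    if not _TOKEN_RE.fullmatch(token):
        raise ValueError("token is not base64url")
    return f"{token}.{jwk_thumbprint(jwk)}"


class ChallengeResponder:
    """Stand-in for the module side: a token -> key-authorization table that the
    external client pushes to the workers, served as text/plain."""

    def __init__(self) -> None:
        self._table: dict = {}

    def add(self, token: str, jwk: dict) -> None:
        self._table[token] = key_authorization(token, jwk)

    def remove(self, token: str) -> None:
        self._table.pop(token, None)

    def handle(self, path: str) -> tuple:
        """Return (status, body). Only an exact prefix followed by a well-formed token
        is served; everything else is 404 without touching the table."""
        if not path.startswith(ACME_CHALLENGE_PREFIX):
            return 404, None
        token = path[len(ACME_CHALLENGE_PREFIX):]
        if not _TOKEN_RE.fullmatch(token):
            return 404, None
        body = self._table.get(token)
        return (200, body) if body is not None else (404, None)


def ca_side_check(responder: ChallengeResponder, token: str, jwk: dict) -> bool:
    """What the CA's validator does: fetch the path and compare against its own
    key authorization. RFC 8555 section 8.3 tolerates trailing whitespace only."""
    status, body = responder.handle(ACME_CHALLENGE_PREFIX + token)
    return status == 200 and body is not None and body.rstrip() == key_authorization(token, jwk)


# Constructed sample account key: the coordinates are filler bytes, not a curve point.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(b"\x01" * 32),
    "y": b64url(b"\x02" * 32),
    "kid": "https://example.invalid/acme/acct/1",  # must not affect the thumbprint
    "alg": "ES256",
}
SAMPLE_TOKEN = "DGyRejmCefe7v4NfDGDKfA"  # constructed, base64url shaped


if __name__ == "__main__":
    responder = ChallengeResponder()
    responder.add(SAMPLE_TOKEN, SAMPLE_JWK)
    print(responder.handle(ACME_CHALLENGE_PREFIX + SAMPLE_TOKEN))
    print("CA check:", ca_side_check(responder, SAMPLE_TOKEN, SAMPLE_JWK))
```

The point of the regex gate in `handle` is that a worker answering challenges is reachable from the whole internet on port 80; it should only ever look up tokens in the table the client pushed, never interpret the path further. The `canonical_jwk_json` step is where most hand-rolled ACME clients go wrong: adding `kid` or `alg`, or serializing with spaces, silently produces a thumbprint the CA will never match.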

Feels like throwing water at you, but you may want to look at that

3 Likes

But that's JavaScript :scream:

2 Likes

Is that written by @_az ?

I open-sourced a very similar internal tool a few years ago. Our design goals were to have scalable domains/nodes, so there is a tiered external caching system for certificates with a fallback to a centralized external client. I was very happy with the caching system, as it supports: i) both shared memory regions in nginx, ii) failover to redis, iii) failover to internal client via http endpoint.

The nginx integration is done in Lua via OpenResty: GitHub aptise/lua-resty-peter_sslers (OpenResty/Lua support for the https://github.com/aptise/peter_sslers Certificate Manager)

The backing ACME client is a Python server: GitHub aptise/peter_sslers ("or how i stopped worrying and learned to love the ssl certificate")

I haven't touched it in a while, but we've been using it for a few years. I need to build ARI into the client and support some of the ECDSA stuff.

4 Likes

Yes, as a PoC.

4 Likes

I feel this might be somewhat relevant. There's a fork of nginx called Angie; they've got their own ACME implementation, for anyone curious:

3 Likes