Proof of Concept: NGINX ACME Dynamic Module

A major contributor to the Certbot project over the years brought to fruition a proof of concept that accomplishes establishing an ACME (RFC8555) dynamic module for NGINX. This is not currently under active development but any feedback/comments would be appreciated in case this can be picked up again in the near future. Also feel free to fork and play with this.

The README has an extensive overview of architecture, reproducibility, feature checklist, and memory safety. But I will give a short synopsis here as well.

It utilizes the dynamic module to remain an external process and not disrupt the request cycle by working with the Event loop API in NGINX.

Capabilities Listed and Desired Features:

  • ACME client
    • Account registration
    • Obtaining certificates
    • Retrying failed orders
    • Renewing certificates
    • Pushing updates to workers
    • Receiving worker configuration
  • nginx module
    • nginx master process launches ACME client
    • ACME HTTP challenge response
    • Pushes config to ACME client
    • Recurringly pulls certificates from ACME client
    • Dynamically uses certificates from ACME client
    • Handles reloads.
    • Allows configuring the ACME client via acme_* directives.
  • Build
    • Makefile anyone can use
    • Build dynamic module binaries against nginx.org source distributions
    • Build dynamic module binaries against Debian/Ubuntu/EPEL source distributions.
12 Likes

Feels like throwing water at you but may want to look at that

3 Likes

But that's JavaScript :scream:

2 Likes

Is that written by @_az ?

I open-sourced a very similar internal tool a few years ago. Our design goals were to have scalable domains/nodes, so there is a tiered external caching system for certificates with a fallback to a centralized external client. I was very happy with the caching system, as it supports: i) both shared memory regions in nginx, ii) failover to redis, iii) failover to internal client via http endpoint.

The nginx integration is done in Lua via OpenResty - GitHub - aptise/lua-resty-peter_sslers: OpenResty/Lua support for https://github.com/aptise/peter_sslers Certificate Manager

The backing ACME client is a Python server: GitHub - aptise/peter_sslers: or how i stopped worrying and learned to love the ssl certificate

I haven't touched it in a while, but we've been using it for a few years. I need to build ARI into the client and support some of the ECDSA stuff.

4 Likes

Yes, as a PoC.

4 Likes

I feel this might be somewhat relevant. There's a fork of nginx called Angie, they got their own acme implementation, for anyone curious:

4 Likes