when using storage_adapter = redis requires a shm? #40

Closed
constantineav opened this issue Jun 1, 2021 · 7 comments · Fixed by #43
Comments

@constantineav

I use storage_adapter redis and am trying to set up the tls-alpn-01 challenge,
but at start I get an error:

stack traceback:
	[C]: in function 'error'
	...al/openresty/luajit/share/lua/5.1/resty/acme/autossl.lua:344: in function 'init'
	init_worker_by_lua:2: in main chunk

Is the cross-module patch needed anyway?

@fffonion
Owner

fffonion commented Jun 1, 2021

Hi @constantineav, looks like the error message is chunked, could you share surrounding lines as well?
Also could you share the config you passed to autossl?

@constantineav
Author

Hi!

Stream section:

stream {
    init_worker_by_lua_block {
        require("resty.acme.autossl").init({
            staging = false,
            tos_accepted = true,
            enabled_challenge_handlers = { 'tls-alpn-01' },
            account_key_path = "/etc/openresty/account.key",
            account_email = "admin@mydomain",
            domain_whitelist = setmetatable({}, { __index = function(_, k)
                return ngx.re.match(k, [[^ws\.mydomain\.ru$]], "jo")
            end}),
            storage_adapter = "redis",
            storage_config = {
                host = os.getenv("REDIS_HOST"),
                port = 6379,
                database = 15,
                auth = os.getenv("REDIS_PASS"),
            },
        })
        require("resty.acme.autossl").init_worker()
    }

    map $ssl_preread_alpn_protocols $backend {
        ~\bacme-tls/1\b unix:/tmp/nginx-tls-alpn.sock;
        default unix:/tmp/nginx-default.sock;
    }

    server {
        listen 443;
        listen [::]:443;

        ssl_preread on;
        proxy_pass $backend;
        proxy_protocol on;
    }

    server {
        listen unix:/tmp/nginx-tls-alpn.sock ssl proxy_protocol;
        ssl_certificate /etc/openresty/default.pem;
        ssl_certificate_key /etc/openresty/default.key;

        set_real_ip_from unix:;

        ssl_certificate_by_lua_block {
            require("resty.acme.autossl").serve_tls_alpn_challenge()
        }

        content_by_lua_block {
            ngx.exit(0)
        }
    }
}

HTTP block:

lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
lua_ssl_verify_depth 2;

lua_shared_dict acme 64m;
resolver 8.8.8.8 ipv6=off;

init_by_lua_block {
    require("resty.acme.autossl").init({
        staging = false,
        tos_accepted = true,
        enabled_challenge_handlers = { 'tls-alpn-01' },
        account_key_path = "/etc/openresty/account.key",
        account_email = "admin@mydomain",
        domain_whitelist = setmetatable({}, { __index = function(_, k)
            return ngx.re.match(k, [[^ws\.mydomain\.ru$]], "jo")
        end}),
        storage_adapter = "redis",
        storage_config = {
            host = os.getenv("REDIS_HOST"),
            port = 6379,
            database = 15,
            auth = os.getenv("REDIS_PASS"),
        },
    })
}

init_worker_by_lua_block {
    require("resty.acme.autossl").init_worker()
}

There is also a proposal for http-01. It would be cool if the answer to the request from Let's Encrypt was put in Redis (or other shared storage), so that any server can confirm the validity if the domain is registered in DNS round-robin.

@constantineav
Author

Full log:

2021/06/01 10:11:50 [error] 6#6: init_worker_by_lua error: ...al/openresty/luajit/share/lua/5.1/resty/acme/autossl.lua:344: shm acme is not defined
stack traceback:
	[C]: in function 'error'
	...al/openresty/luajit/share/lua/5.1/resty/acme/autossl.lua:344: in function 'init'
	init_worker_by_lua:2: in main chunk

I applied the patch and everything works.

@kfigiela
Contributor

It would be cool if the answer to the request from Let's Encrypt was put in Redis (or other shared storage), so that any server can confirm the validity if the domain is registered in DNS round-robin.

You can do this. You need to pass a second argument to autossl.init that sets up storage for ACME challenges.

autossl.init({
    ...
    storage_adapter = "redis",
    storage_config = {
        host = os.getenv("REDIS_HOST"),
        port = tonumber(os.getenv("REDIS_PORT")),
        database = 0,
        auth = os.getenv("REDIS_AUTH"),
    },
    ...
}, {
    -- storage for ACME challenges
    storage_adapter = "redis",
    storage_config = {
        host = os.getenv("REDIS_HOST"),
        port = tonumber(os.getenv("REDIS_PORT")),
        database = 1,
        auth = os.getenv("REDIS_AUTH"),
    },
})

@constantineav
Author

Wow! Thank you!

@kfigiela
Contributor

kfigiela commented Jun 24, 2021

Note, there is a race condition between server instances, as they all attempt renewals simultaneously. It causes some warning messages (and Let's Encrypt complaining about a buggy client). You should increase the lock expiration time as in this commit: kfigiela@65b3451

@fffonion
Owner

This storage config part is a bug; it should pass the storage config automatically. I will fix it in the next commits.
