Renew failed missing lua_ssl_trusted_certificate in http{} block about lua-resty-acme HOT 11 CLOSED

Hi, you will need to configure trusted CA:

        # required to verify Let's Encrypt API
        lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        lua_ssl_verify_depth 2;

the path is dependent on your OS.

from lua-resty-acme.

Hi.
These settings are written initially.

`lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
lua_ssl_verify_depth 2;

ssl_certificate /etc/openresty/default.pem;
ssl_certificate_key /etc/openresty/default.key;

ssl_certificate_by_lua_block {
require("resty.acme.autossl").ssl_certificate()
}

location /.well-known {
content_by_lua_block {
require("resty.acme.autossl").serve_http_challenge()
}
}

/ # ls -l /etc/ssl/certs/ca-certificates.crt
-rw-r--r-- 1 root root 231411 Sep 9 13:48 /etc/ssl/certs/ca-certificates.crt
/ #

`

from lua-resty-acme.

Ah I see, we will need that two lua_ssl_* directives in http{} block. Since the renewal timer is started in init_worker phase. I'll update the readme. Thanks for spotting this!

from lua-resty-acme.

I just updated the readme, feel free to re-open if issue persists.

from lua-resty-acme.

taking out to the http level - it works. Thanks. The certificate has been updated.

I see a very strange situation. To exclude any cache in the middle, I make requests locally. But I get different certificates. Here's an example. Requests with a difference of several seconds. The domain is just changed.

root@dev:~# curl -v --resolve somesite:443:127.0.0.1 https://somesite > /dev/stdout 2>&1| grep expire
*        expire date: Tue, 17 Nov 2020 09:27:03 GMT
root@dev:~# curl -v --resolve somesite:443:127.0.0.1 https://somesite > /dev/stdout 2>&1| grep expire
*        expire date: Tue, 09 Feb 2021 15:33:24 GMT
root@dev:~# curl -v --resolve somesite:443:127.0.0.1 https://somesite > /dev/stdout 2>&1| grep expire
*        expire date: Tue, 17 Nov 2020 09:27:03 GMT
root@dev:~# curl -v --resolve somesite:443:127.0.0.1 https://somesite > /dev/stdout 2>&1| grep expire
*        expire date: Tue, 17 Nov 2020 09:27:03 GMT
root@dev:~# curl -v --resolve somesite:443:127.0.0.1 https://somesite > /dev/stdout 2>&1| grep expire
*        expire date: Tue, 17 Nov 2020 09:27:03 GMT
root@dev:~# curl -v --resolve somesite:443:127.0.0.1 https://somesite > /dev/stdout 2>&1| grep expire
*        expire date: Tue, 09 Feb 2021 15:33:24 GMT

from lua-resty-acme.

@constantineav There's a cache of 1 hr, we don't actively invalidate cache right now. This can be improvement.

from lua-resty-acme.

Can I renew the certificate automatically after it has expired ? @fffonion

from lua-resty-acme.

@wangyp0701 yes

from lua-resty-acme.

I have multiple domain names that have expired, but they have not been renewed automatically. I deleted the redis key of one of them and regenerated a new certificate @fffonion

from lua-resty-acme.

@wangyp0701 Which version of library are you using? Let's also open a new issue instead of discussing in a closed one.

from lua-resty-acme.

All expired certificates are updated at zero

from lua-resty-acme.