Lua Resty Auto Ssl Versions Save

On the fly (and free) SSL registration and renewal inside OpenResty/nginx with Let's Encrypt.

v0.13.1

4 years ago

Changed

  • Eliminate dependency on GNU version of the date command line utility to improve compatibility with Alpine Linux, BSDs, and others. Fixes warnings that may have started getting logged in v0.13.0. (#196, #195)
  • Enable PCRE-JIT compilation of regular expressions used in code.

v0.13.0

4 years ago

Upgrade Notes

This version upgrades the bundled version of the dehydrated library to fix certificate registration, which recent changes in the Let's Encrypt service had broken. It also brings support for ACMEv2, which will be required for new account registration in November. Upgrading is recommended, or certificate registration and renewal may fail. See #192, #189 for more details.

Added

  • Allow for additional Redis connect options to be specified. (#191)
  • Pass ssl_options and renewal arguments to the allow_domain callback. Thanks to @gohai. (#123, #176)
  • Add support for specifying HTTP proxy options for OCSP requests. Thanks to @Unknown22. (#133)

Changed

  • Upgrade dehydrated to v0.6.5. This fixes "badNonce" errors cropping up since 2019-09-23 and also supports ACMEv2 which will be required for new account registration in November. Thanks to @luto. (#190, #192, #189)
  • Check whether domains are allowed (by calling allow_domain callback) on renewals. Thanks to @yveslaroche. (#176)
  • Remove certificates that cannot be successfully renewed. Thanks to @gohai. (#128)
  • Don't store backups of previous versions of certificates. Thanks to @gohai. (#124)
  • Cleanup unused cert files after successfully adding certs to permanent storage. Thanks to @gohai. (#155)
  • Randomize order of certificate renewal processing. Thanks to @luto. (#154)
  • Upgrade sockproc to newer version to fix compiling under FreeBSD. Thanks to @imerr. (#118)
  • Improve shell command escaping and handling. This could potentially fix issues if trying to store files in directories with spaces in the name. (#175)
  • Switch the test suite to be written in Lua to better align with the code base, and hopefully make it easier to debug and maintain. (#193)

v0.12.0

6 years ago

Upgrade Notes

This version upgrades the bundled version of the dehydrated library to deal with recent redirect changes in the Let's Encrypt service. The issue could lead to certificate registration failures in dehydrated and quota exhaustion, so upgrading is recommended. See 4aed490 or https://community.letsencrypt.org/t/dehydrated-caused-rate-limits-to-be-reached/52477/2 for more details.

Added

  • Allow for the Redis db number to be configured. Thanks to @RainFlying. (#103)
  • Expose the storage adapter instance in the allow_domain callback so the Redis connection can be reused. (#38)
  • Add generate_certs option to allow for disabling SSL certification generation within specific server blocks. Thanks to @mklauber. (#91, #92)
  • Add json_adapter option for choosing a different JSON encoder/decoder library. Thanks to @meyskens. (#85, #84)

Changed

  • Upgrade dehydrated to latest version from master to fix recent redirect changes in Let's Encrypt. The issue could lead to certificate registration failures in dehydrated and quota exhaustion. (4aed490)
  • Make the renewal process more efficient so the dehydrated shell script is only executed when certificates are up for renewal (rather than every night). This can reduce CPU usage in environments with lots of certificates. Thanks to @brianlund. (#111, #110)
  • Only call the allow_domain callback if a certificate is not present in shared memory. This may improve efficiency in cases where the allow_domain callback is more costly or takes longer. Thanks to @gohai. (#107)
  • The internal APIs for storage:get_cert() and ssl_provider.issue_cert() have changed to return a single table of data instead of multiple values (so it's easier to pass along other metadata).

Deprecated

  • If accessing the storage object off of the auto-ssl instance, use auto_ssl.storage instead of auto_ssl:get("storage").

Fixed

  • Fix renewals failing with the file adapter when too many certificate files were present for shell globbing. (#109)

v0.11.1

6 years ago

Fixed

  • Update dehydrated to v0.4.0 to account for new Let's Encrypt Subscriber Agreement as of November 15, 2017. This would lead to certificate registration errors for new users (but should not have affected existing lua-resty-auto-ssl users). (#13, #104)

v0.11.0

6 years ago

Upgrade Notes

This update mostly fixes bugs related to edge-case situations, so upgrading is recommended. However, it requires a couple of small adjustments to your nginx configuration, so if you're upgrading, be sure to make the following changes:

  1. Add this line to nginx's http block:

    lua_shared_dict auto_ssl_settings 64k;

    (This is in addition to the existing lua_shared_dict auto_ssl you should already have.)

  2. Add these 2 lines to the server block that is listening on port 8999:

    client_body_buffer_size 128k;
    client_max_body_size 128k;

See the README for a full example of the updated config.
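To show how the two upgrade-note changes fit into a working setup, together with the allow_domain arguments and options introduced in later releases, here is a complete minimal configuration. It is an added illustration, not a copy of the project's README or of any code in this changelog. The allowlist contents, the fallback certificate paths, the resolver address and the loopback-bound hook server on port 8999 are assumptions; the allow_domain argument order (domain, auto_ssl, ssl_options, renewal) and the generate_certs option follow the project's README as of v0.13.0 and should be checked against it.

```nginx
events {
  worker_connections 1024;
}

http {
  # Shared memory for certificate data, plus the settings dict required since v0.11.0.
  lua_shared_dict auto_ssl 1m;
  lua_shared_dict auto_ssl_settings 64k;

  # Assumed resolver address; the README requires a resolver for OCSP lookups.
  resolver 8.8.8.8 ipv6=off;

  init_by_lua_block {
    auto_ssl = (require "resty.auto-ssl").new()

    -- Assumption: a static allowlist stands in for your real source of truth.
    -- Never `return true` unconditionally: anyone who points a DNS name at this
    -- host could then trigger issuance for that name and exhaust Let's Encrypt
    -- rate limits (the quota exhaustion the v0.12.0 notes warn about).
    local allowed = {
      ["example.com"] = true,
      ["www.example.com"] = true,
    }

    -- Argument order per the README as of v0.13.0; ssl_options and renewal are
    -- the arguments the v0.13.0 changelog says are now passed in.
    auto_ssl:set("allow_domain", function(domain, instance, ssl_options, renewal)
      if renewal then
        -- Since v0.13.0 this runs on renewals too, and certificates that are no
        -- longer allowed are removed rather than renewed; log so that is visible.
        ngx.log(ngx.NOTICE, "auto-ssl renewal check for ", domain)
      end
      return allowed[domain] == true
    end)

    auto_ssl:init()
  }

  init_worker_by_lua_block {
    auto_ssl:init_worker()
  }

  # HTTPS front end: certificates are looked up or issued on the fly per SNI name.
  server {
    listen 443 ssl;
    ssl_certificate_by_lua_block {
      auto_ssl:ssl_certificate()
    }
    # Assumed paths: nginx needs a fallback certificate at startup; the real
    # certificate is selected during the handshake.
    ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt;
    ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;
  }

  # A second HTTPS server that serves already-issued certificates only and never
  # triggers new registrations (generate_certs option, added in v0.12.0).
  server {
    listen 8443 ssl;
    ssl_certificate_by_lua_block {
      auto_ssl:ssl_certificate({ generate_certs = false })
    }
    ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt;
    ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;
  }

  # Plain HTTP endpoint that answers the ACME http-01 challenge.
  server {
    listen 80;
    location /.well-known/acme-challenge/ {
      content_by_lua_block {
        auto_ssl:challenge_server()
      }
    }
  }

  # Internal hook server that dehydrated posts issued certificates to. Bind it to
  # loopback only, and size the body buffers per the v0.11.0 upgrade notes so a
  # full certificate chain is not rejected as too large.
  server {
    listen 127.0.0.1:8999;
    client_body_buffer_size 128k;
    client_max_body_size 128k;
    location / {
      content_by_lua_block {
        auto_ssl:hook_server()
      }
    }
  }
}
```

Two points worth checking in any deployment based on this: confirm with `nginx -t` that both lua_shared_dict lines are present after the upgrade, and confirm that port 8999 is not reachable from outside the host, since the hook server is the channel through which certificate material enters the storage adapter.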

Fixed

  • Fix potential for failed requests if nginx is reloaded at the same time new certificates are being issued. Many thanks to @luto. (#66, #68)
  • Fix possibility of sockproc inheriting nginx's sockets, which could lead to nginx hanging after reloading or restarting. (#75)
  • Fix race condition on nginx reload if the lua_shared_dict ran out of memory that could lead to sockproc trying to be started twice. (#76)
  • Increase the suggested body buffer size configuration, to prevent SSL registration from failing if nginx's default was too small. (#65, #77)

Security

  • Fix possibility of certificate private keys being logged to nginx's error log when unexpected errors occur (this has actually been fixed since v0.10.5, but somewhat by accident—further steps have been taken to reduce debug output in this release). (#64)

Added

  • Add documentation and link about test suite used. Thanks to @luto. (#69)