ssl_certificate_by_lua_* and "default" certificates

jonathan · 2016-03-19T07:41:10+00:00

Wow, you are my idol, my nansheng, mua.What is your suggestion, to use lua shared dict or to get it done as Mr. rpaprocki said? My real confus...

ssl_certificate_by_lua_* and "default" certificates

jonathan

i've been experimented with openresty to handle dynamic certificate options

we have a whitelabel service and would like to default to our domains certificate (yes, it will be mismatched) if the dynamic lookup fails.

is there any way to 'return' out of this lua block/file and keep the nginx-option certficate active, or would we have to run code in lua to set the ssl certificate to that?

agentzh

Hello!

On Fri, Mar 18, 2016 at 4:41 PM,  jonathan wrote:
> i've been experimented with openresty to handle dynamic certificate options
>
> we have a whitelabel service and would like to default to our domains
> certificate (yes, it will be mismatched) if the dynamic lookup fails.
>
> is there any way to 'return' out of this lua block/file and keep the
> nginx-option certficate active, or would we have to run code in lua to set
> the ssl certificate to that?
>

The certificate and private key set by ssl_certificate and
ssl_certificate_key are the default as long as you don't call
`ssl.clear_certs()` on the Lua code path you want to fall back to the
default. See

https://github.com/openresty/lua-resty-core/blob/master/lib/ngx/ssl.md

for more details.

Regards,
-agentzh

moseleymark

On Thu, Mar 24, 2016 at 12:47 PM, Yichun Zhang (agentzh) <age...@gmail.com> wrote:

Hello!

On Fri, Mar 18, 2016 at 4:41 PM, jonathan wrote:
> i've been experimented with openresty to handle dynamic certificate options
>
> we have a whitelabel service and would like to default to our domains
> certificate (yes, it will be mismatched) if the dynamic lookup fails.
>
> is there any way to 'return' out of this lua block/file and keep the
> nginx-option certficate active, or would we have to run code in lua to set
> the ssl certificate to that?
>

The certificate and private key set by ssl_certificate and
ssl_certificate_key are the default as long as you don't call
`ssl.clear_certs()` on the Lua code path you want to fall back to the
default. See

https://github.com/openresty/lua-resty-core/blob/master/lib/ngx/ssl.md

for more details.

I've seen where my lookup succeeds but then something else fails along the way (malformed cert, cert/key mismatch, etc -- we're talking about thousands of certs and support agents don't always get it right), and I don't find out till after ssl.clear_certs() is called.

Maybe if there was a call to get the current cert and the current key (or have an optional 3rd and 4th return value for ssl.clear_certs() that returns the cleared cert and key, respectively), then if either ssl.set_der_cert or ssl.set_der_priv_key fails, you can reset the connection to the previously cleared cert/key.

agentzh

Hello!

On Thu, Mar 24, 2016 at 1:04 PM, Mark Moseley wrote:
> I've seen where my lookup succeeds but then something else fails along the
> way (malformed cert, cert/key mismatch, etc -- we're talking about thousands
> of certs and support agents don't always get it right), and I don't find out
> till after ssl.clear_certs() is called.
>
> Maybe if there was a call to get the current cert and the current key (or
> have an optional 3rd and 4th return value for ssl.clear_certs() that returns
> the cleared cert and key, respectively), then if either ssl.set_der_cert or
> ssl.set_der_priv_key fails, you can reset the connection to the previously
> cleared cert/key.

Seems like you should instead *verify* your untrusted certificate and
key pairs before overriding the default ones?

Regards,
-agentzh