Using resty-nginx in set_ssl_certificate_by_lua*, connect is blocking

leo.unbek · 2016-10-14T00:44:43+00:00

Hi, I would like to if i could dynamically update a global value using a timer and that value should be used by some other lua block.

Using resty-nginx in set_ssl_certificate_by_lua*, connect is blocking

leo.unbek

Hi there, I've done the following PoC to use ssl_certifciate_by_lua: and loading dynamically a certificate from a redis server. However it doesn't work I can't connect to the database.

The first logs appear correctly in my error log, however the second is never called. So I assume, the red:connect statement is blocking.

Is it by design? Can't I use the coroutine - tcp related API here? What is the workaround?

Nginx is stopping client connection, curl is exeiting with the following error:

* Unknown SSL protocol error in connection to <host>:443

The nginx configuration:

server  {
  listen 80 default_server;
  listen 443 ssl default_server;


  server_name  default;


  access_log /var/log/nginx/app-access.log;
  error_log /var/log/nginx/app-error.log;


  ssl_certificate /etc/ssl/web/default.crt;
  ssl_certificate_key /etc/ssl/web/default.key;


  ssl_certificate_by_lua_block {
    local ssl = require "ngx.ssl"
    local redis           = require "resty.redis"
    local red             = redis:new()
    ngx.log(ngx.ERR, "Before connection")
    local ok, err         = red:connect(os.getenv("127.0.0.1", "6379")
    ngx.log(ngx.ERR, ok..""..err)


    ... More logic (clean old cert, setup new)
  }
}

jonathan

Your second line is bad code:

red:connect(os.getenv("127.0.0.1", "6379")

should be:

red:connect("127.0.0.1", "6379")

aside from not needing the 'os.getenv', you're missing a parenthesis.

leo.unbek

Hi there, thanks for your answer.

I actually made a mistake in my sample, the real code is a little different and takes variables from the env, so consider it correct (otherwise I would have got a syntax error from Lua)

red:connect("127.0.0.1", "6379")

Is exactly what is executed, and of course, redis is ok I can reach it with `redis-cli`

Apologies for the mistake in the sample.

-- Leo

Le jeudi 13 octobre 2016 20:42:39 UTC+2, jona...@findmeon.com a écrit :

Your second line is bad code:

red:connect(os.getenv("127.0.0.1", "6379")

should be:

red:connect("127.0.0.1", "6379")

aside from not needing the 'os.getenv', you're missing a parenthesis.

jonathan

I opensourced our ssl cert manager. The lua/resty bit is in this file

https://github.com/aptise/peter_sslers/blob/master/tools/nginx_lua_library/ssl_certhandler.lua

it's essentially the same code. is there anything in your log or `err` string that suggests anything ?

leo.unbek

Hi Jonathan, thanks for your answer

Actually, as I said, the line before red:connect is displayed in the log as expected, however, the line just after the connect is never called.

I'm using the following releases :

* nginx 1.10.1 (last stable)
* lua-resty-core v0.1.8 (last release)
* lua-resty-redis v0.25 (last release)
* lua-nginx-module v0.10.6 (last release)

May it be linked to a mix of these versions ?

Thanks,

On 10/14/2016 06:48 PM, jon...@findmeon.com wrote:

I opensourced our ssl cert manager. The lua/resty bit is in this file

https://github.com/aptise/peter_sslers/blob/master/tools/nginx_lua_library/ssl_certhandler.lua

it's essentially the same code. is there anything in your log or `err` string that suggests anything ?

.

cz0NCj1ZcndDDQotLS0tLUVORCBQR1AgU0lHTkFUVVJFLS0tLS0NCg==