request_domain can set fullchain_der, privkey_der on ssl_options

[kapouer]

Hi,

i needed this in order to provide a wildcard certificate:

• does not fill autossl cache with a copy for each domain
• uses autossl ocsp logic to avoid nginx taking over

It requires some extra work in init_by_lua, see this example.

[kapouer]

It's a simple man's #97 solution.

[abozhinov]

Hi,
do you have some success with wilcard certs?

[kapouer]

Well yes, provided you have a third-party tool (like certbot on debian) to update the certificates.

[kapouer]

This is actually not needed, as someone can write directly to auto_ssl shared dict,
using that kind of logic:

auto_ssl:set("request_domain", function(ssl)
    local domain, err = ssl.server_name()
    if not err and domain ~= nil then
      local ssldict = ngx.shared.auto_ssl
      local fullKey = "domain:fullchain_der:" .. domain
      if ssldict:get(fullKey) == nil then
        local privKey = "domain:privkey_der:" .. domain
        for rootDomain, rootPem in pairs(rootPems) do
          local rootLen = rootDomain:len()
          if domain:sub(-rootLen) == rootDomain and domain:find(".", 1, true) >= domain:len() - rootLen then
            ssldict:set(fullKey, rootPem.full)
            ssldict:set(privKey, rootPem.key)
          end
        end
      end
    end
    return domain, err
  end)