How to use Nginx to dynamically load and update SSL certificates

How to use Nginx to dynamically load and update SSL certificates

Overview:
In the modern Internet environment, protecting the security of user data is crucial. Among them, using SSL/TLS certificates to encrypt communication with web servers is a common method. However, the traditional method requires manually modifying the Nginx configuration file and reloading the server, which will cause downtime for the website when the certificate is updated. This article will introduce how to use Nginx modules and scripts to dynamically load and update SSL certificates to improve the stability and availability of the website.

Implementation process:

1. Install the necessary dependencies:
   First, make sure Nginx and OpenSSL have been installed on the server. In addition, you also need to install the LuaJIT development package.

   sudo apt-get install nginx openssl libluajit-5.1-dev

2. Create a certificate storage directory:
   Create a directory on the server to store the SSL certificate and key files.

   sudo mkdir -p /etc/nginx/ssl

3. Create Lua script:
   Create a Lua script for dynamically loading and updating SSL certificates. Create a new file named "ssl_cert_updater.lua" and add the following code:

   local ssl_cert_path = "/etc/nginx/ssl/cert.pem"
   local ssl_key_path = "/etc/nginx/ssl/key.pem"
   
   local function update_ssl_cert()
       -- 从远程服务器下载最新的SSL证书文件和密钥文件，并保存到指定路径
       os.execute("wget -O " .. ssl_cert_path .. " https://example.com/cert.pem")
       os.execute("wget -O " .. ssl_key_path .. " https://example.com/key.pem")
       -- 重新加载Nginx配置文件
       os.execute("nginx -s reload")
   end
   
   update_ssl_cert()

4. Update the Nginx configuration file:
   Edit the Nginx configuration file and add the entry for the Lua script. Open the default Nginx configuration file "/etc/nginx/nginx.conf", find the location of the "http" module, and add the following code in it:

   lua_shared_dict ssl_cert_cache 10m;
   lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
   lua_ssl_verify_depth 3;
   init_by_lua_block {
       require "ssl_cert_updater"
   }

   This code will load the Lua script and initialize it.

5. Configure scheduled tasks:
   Use Crontab or other scheduled task tools to execute Lua scripts regularly. Edit the Crontab file:

   crontab -e

   Add the following line (example is to execute every Monday at 2 am):

   0 2 * * 1 lua /path/to/ssl_cert_updater.lua

6. Test update:
   Now, you can manually Run the Lua script to check if the update is working properly:

   lua /path/to/ssl_cert_updater.lua

Summary:
Through the above steps, we successfully implemented the dynamic loading and update of Nginx's SSL certificate. Whenever a certificate expires or needs to be updated, the script will automatically download the latest certificate file and reload the Nginx server. This avoids website downtime and keeps user data safe. By using Lua scripts and scheduled tasks, we are able to automate certificate updates and improve the stability and availability of the website.

Please note that this article only provides basic examples, and specific implementation plans can be further optimized based on actual needs. At the same time, ensure that the source URL for certificate download is reliable, and the security of the server is properly assessed and protected.

The above is the detailed content of How to use Nginx to dynamically load and update SSL certificates. For more information, please follow other related articles on the PHP Chinese website!