praswicaksono opened a new issue, #11845: URL: https://github.com/apache/apisix/issues/11845
### Description

# Introduction

This RFC proposes the implementation of ACME (Automatic Certificate Management Environment) to automate the process of obtaining and renewing SSL/TLS certificates for the Apache APISIX Gateway. This will enhance security by ensuring that all communications are encrypted and up-to-date with minimal manual intervention.

# Motivation

Currently, managing SSL certificates for the Apache APISIX Gateway involves manual processes that are prone to errors and can lead to downtime if certificates expire. By integrating ACME, we can automate this process, reducing the risk of expired certificates and improving the overall security posture.

# Proposal

Introducing a new way to automatically manage SSL certificates, this proposal intends not to make any modification to the current process for managing certificates. Let the user decide how they want to manage certificates via `yaml` config.

This proposal will use this library to automatically handle certificate management. This library supports multiple storage backends such as etcd or local file.

- https://github.com/fffonion/lua-resty-acme

Example implementation config

```yaml
apisix:
  ssl:
    automatic: true
    acme:
      some-comfig:
```

ngx template

```
{% if acme_enabled then %}
ssl_certificate_by_lua_block {
    require("resty.acme.autossl").ssl_certificate()
}

location /.well-known {
    content_by_lua_block {
        require("resty.acme.autossl").serve_http_challenge()
    }
}
{% else %}
ssl_client_hello_by_lua_block {
    apisix.http_ssl_client_hello_phase()
}

ssl_certificate_by_lua_block {
    apisix.http_ssl_phase()
}
{% end %}
```

## Pros

- No need to create a bash script to generate SSL certificates and update them via the admin API
- Fully automatic, including automatic renewal

## Cons

- Only able to use one method to manage SSL certificates, either manual or automatic
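An added example (not part of the issue, and not APISIX or lua-resty-acme code) of the options an `acme:` config section would have to map onto: the template above only calls `ssl_certificate()` and `serve_http_challenge()`, while the library is also initialised once with an options table, and restricting which SNI names may trigger issuance keeps arbitrary handshakes from requesting certificates. The option names follow the lua-resty-acme README as I understand it and should be checked against the version in use; the domains, paths and the `sni_allowed` helper are assumptions.

```lua
-- Constructed sample values; replace with the hosts the gateway really serves.
local EXACT = { ["gateway.example.com"] = true }
local SUFFIXES = { ".apps.example.com" }

-- Returns true only for DNS names the gateway is expected to terminate TLS for.
local function sni_allowed(domain)
  if type(domain) ~= "string" or #domain == 0 or #domain > 253 then
    return false
  end
  domain = domain:lower()
  -- Plain DNS names only: no wildcards, no empty labels, no IPv4 literals.
  if not domain:match("^[%a%d][%a%d%.%-]*[%a%d]$") then return false end
  if domain:find("..", 1, true) then return false end
  if domain:match("^[%d%.]+$") then return false end
  if EXACT[domain] then return true end
  for _, suffix in ipairs(SUFFIXES) do
    -- Require at least one label in front of the suffix.
    if #domain > #suffix and domain:sub(-#suffix) == suffix then
      return true
    end
  end
  return false
end

-- Options table for resty.acme.autossl.init(); storage settings are left out.
local acme_opts = {
  tos_accepted = true,
  staging = true,                             -- CA staging endpoint while testing
  account_key_path = "/path/to/account.key",  -- placeholder
  account_email = "admin@example.com",        -- placeholder
  domain_whitelist_callback = sni_allowed,
}

-- Wiring inside the generated nginx.conf (OpenResty only):
--   init_by_lua_block        { require("resty.acme.autossl").init(acme_opts) }
--   init_worker_by_lua_block { require("resty.acme.autossl").init_worker() }

-- Self-check on constructed names; runs under plain Lua.
assert(sni_allowed("gateway.example.com"))
assert(sni_allowed("team1.apps.example.com"))
assert(not sni_allowed("apps.example.com"))
assert(not sni_allowed("evilapps.example.com"))
assert(not sni_allowed("192.0.2.10"))
assert(not sni_allowed("a..example.com"))

return { opts = acme_opts, sni_allowed = sni_allowed }
```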
