I manage an nginx instance that does HTTP load balancing and TLS termination.
So far I have generated TLS certificates manually using certbot --nginx
and selecting the host I would like to lease a certificate for.
I would like my server to poll a git repository that serves as the single source of truth for my nginx configuration (GitOps).
How would I handle the automatic ACME generation & renewal of TLS certificates for my nginx config (preferably using Let's Encrypt certs)?
I suppose I would need something (certbot?) to:
- detect which server blocks need SSL certificates,
- trigger the ACME challenge,
- store the cert in the given location, or predict the default location when writing the nginx config,
- renew the cert before it expires.
How does one handle this challenge?
http {
    # upstreams pointing to kubernetes clusters
    upstream development {
        server 192.168.XX.XX;
        server 192.168.XX.XX;
        server 192.168.XX.XX;
    }
    upstream staging {
        server 192.168.XX.XX;
        server 192.168.XX.XX;
        server 192.168.XX.XX;
    }

    # example config for one application running on development cluster
    server {
        server_name dev.app1.example.com;
        proxy_set_header Host $host;
        location / {
            proxy_pass https://development;
        }
        listen 443 ssl;
        ssl_certificate /path/to/fullchain.pem;     # how would I generate those without manual intervention?
        ssl_certificate_key /path/to/privkey.pem;   # how would I generate those without manual intervention?
        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    }
}
Footnote: I am aware that I could just do TCP load balancing and handle TLS termination at the upstream, but I would like to manage a single load balancer that can do path-based routing to different upstreams (also SSL peek seems a bit icky).
TL;DR: I am looking for a declarative way to manage my nginx config that also takes care of certificate management.
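As an added example (not the poster's code, nor certbot's own), a small Python script covering the first three bullets of the question: it parses an nginx config for server blocks that listen with ssl, predicts certbot's default /etc/letsencrypt/live/<name>/ paths where the config omits them, and emits the certbot webroot command for every host whose certificate is not on disk yet. The embedded config, the /var/www/acme webroot and the deploy hook are assumptions; the webroot must be served at /.well-known/acme-challenge/ on port 80, and renewal is left to certbot's own `certbot renew` timer.

```python
import re  # added example; SAMPLE below is a constructed config, not the poster's

SAMPLE = """http {
  server { server_name plain.example.com; listen 80; }
  server {
    server_name dev.app1.example.com www.dev.app1.example.com;
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/dev.app1.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dev.app1.example.com/privkey.pem;
  }
  server { server_name api.example.com; listen 443 ssl; }  # no cert paths yet
}"""

def server_blocks(text):
    """Yield the body of each 'server { ... }' block, matching braces by depth."""
    text = re.sub(r"#.*", "", text)                     # drop comments first
    for m in re.finditer(r"\bserver\s*\{", text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield text[m.end():i - 1]

def args(body, name):
    """Arguments of the first 'name ...;' directive in a block body."""
    m = re.search(rf"\b{name}\s+([^;]+);", body)
    return m.group(1).split() if m else []

def tls_hosts(text):
    """Yield (domains, cert_path, key_path) for every block with 'listen ... ssl';
    missing ssl_certificate paths are predicted from certbot's live/ layout."""
    for body in server_blocks(text):
        if not any("ssl" in l.split() for l in re.findall(r"\blisten\s+([^;]+);", body)):
            continue
        names = args(body, "server_name")
        live = f"/etc/letsencrypt/live/{names[0]}"
        cert = args(body, "ssl_certificate") or [f"{live}/fullchain.pem"]
        key = args(body, "ssl_certificate_key") or [f"{live}/privkey.pem"]
        yield names, cert[0], key[0]

def certbot_command(domains, webroot="/var/www/acme"):
    """Issue via HTTP-01 (certbot webroot plugin); --cert-name pins the live/ directory
    to domains[0] so the committed nginx config can reference it before the cert exists."""
    flags = " ".join(f"-d {d}" for d in domains)
    return (f"certbot certonly --webroot -w {webroot} --cert-name {domains[0]} "
            f"{flags} --deploy-hook 'nginx -s reload'")

def plan(text, exists):
    """certbot commands for every TLS block whose certificate is not on disk yet."""
    return [certbot_command(d) for d, cert, _ in tls_hosts(text) if not exists(cert)]
```

Run `plan(open("/etc/nginx/nginx.conf").read(), os.path.exists)` after each git pull; it prints nothing for hosts that already have a certificate, so it is safe to run on every sync.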