Kong: Let's Encrypt support

Created on 6 Jan 2017 · 8 Comments · Source: Kong/kong

I'd like to use Kong with certificates from Let's Encrypt, but since the certificates expire after 90 days they need to be refreshed automatically. I've been able to modify Kong to use lua-resty-auto-ssl, but I don't think it's possible to add this feature as a plugin because I needed to adapt templates/nginx_kong.lua (code needs to be added to init_by_lua_block + an additional server and location).

Is there any interest in creating built-in support for Let's Encrypt?

Thanks,
Sigurd

proposal

All 8 comments

Don't think this is possible in an easy way. Consider a cluster of Kong nodes; they would all need to serve the same certificate, and not each be updating it on their own.

Hm, so what would be a good way to use Let's Encrypt certificates with Kong?

lua-resty-auto-ssl supports Redis as a storage backend for the SSL certificates so that they may be shared among a cluster of nodes.

@sisp is right. Data might be stored on Redis, Cassandra or PostgreSQL. Free SSL support with Kong might also be interesting.

+1

I would also like to see this, however I already have another system to auto renew the Let's Encrypt certificate.
My problem is just how to add it to Kong.

As of Kong 0.10, TLS certs are now handled through the certificates object interface, so the daemon or cronjob that re-fetches the new cert/key pair after re-authz can just use the admin API to re-up certs for all nodes automatically (and of course the .well-known ACME endpoint can just be handled upstream, Kong should not touch that).

Given this, seems like there's not much to do here? I don't think making Kong handle LE interaction directly is the right way to go; it provides a low-level interface to configure APIs as desired, which is always Kong's goal.
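Added example, not Kong's own code nor any commenter's, of the cron-job side this comment describes: after a renewal, update the certificate on every node through the admin API so the cluster keeps serving one consistent cert. It assumes the Kong 0.10-era admin API shape (GET /snis/{name}, POST /certificates with cert/key/snis, PATCH /certificates/{id}); the `admin_urls`, `sni` value and the two SNI field layouts handled are assumptions.

```python
"""Added example (not Kong's own code): push a renewed Let's Encrypt cert/key
into Kong over the admin API. Assumes the Kong 0.10-era endpoints described above:
GET /snis/{name}, POST /certificates (cert, key, snis) and PATCH /certificates/{id}."""
import json
import urllib.error
import urllib.request

def _request(admin_url, method, path, body=None):
    """One admin API call; returns (HTTP status, decoded JSON body or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(admin_url.rstrip("/") + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        return err.code, None

def existing_certificate_id(sni_obj):
    """Certificate id from an SNI object; handles the old `ssl_certificate_id`
    field and the newer nested `certificate.id` layout (assumption, see lead-in)."""
    if not sni_obj:
        return None
    cert = sni_obj.get("certificate")
    if isinstance(cert, dict):
        return cert.get("id")
    return sni_obj.get("ssl_certificate_id")

def upsert_certificate(admin_url, sni, cert_pem, key_pem, request=_request):
    """Update the certificate already serving `sni`, or create one if none exists.
    `request` is injectable so the flow can be exercised without a live node.
    Returns ("updated" | "created", certificate id)."""
    status, sni_obj = request(admin_url, "GET", "/snis/" + sni)
    cert_id = existing_certificate_id(sni_obj) if status == 200 else None
    if cert_id:  # PATCH keeps the id, so every SNI bound to it rolls over at once
        status, _ = request(admin_url, "PATCH", "/certificates/" + cert_id,
                            {"cert": cert_pem, "key": key_pem})
        if status != 200:
            raise RuntimeError("PATCH /certificates/%s failed: HTTP %d" % (cert_id, status))
        return "updated", cert_id
    status, created = request(admin_url, "POST", "/certificates",
                              {"cert": cert_pem, "key": key_pem, "snis": sni})
    if status != 201 or not created:
        raise RuntimeError("POST /certificates failed: HTTP %d" % status)
    return "created", created["id"]

def renew_on_all_nodes(admin_urls, sni, cert_pem, key_pem, request=_request):
    """Apply one cert/key pair to every node so the whole cluster serves the same cert."""
    return {url: upsert_certificate(url, sni, cert_pem, key_pem, request) for url in admin_urls}
```

Run it from the renewal hook of whatever ACME client already holds the account (the `.well-known` challenge stays upstream, as the comment says), passing the PEM contents it wrote.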

Actually, having Kong directly support Let's Encrypt built in, like Traefik, would be really nice.
