On-the-fly Let's Encrypt mode


#1

It would be useful to have a config option / mode where HAProxy fetches a Let's Encrypt certificate for a domain on first request, similar to https://github.com/GUI/lua-resty-auto-ssl

Already obtained certificates should be cached and reused until they expire.
Expired certificates should be removed from the cache, or renewed.

The first request that needs to fetch a certificate will have higher latency, but the following ones should be normal.

The goal is to have a single config directive for that, so it stays static.

I guess this will only work for SNI clients, but that's OK nowadays.
The background is that we're using wildcard certs and subdomains in DNS.
Unfortunately Let's Encrypt doesn't issue them, and maintaining a list on the load balancer should be avoided.

Basically this is a feature request, as I expect a new config directive handling this.
Not sure whether this may be implemented in Lua.

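A sketch of the fetch-on-first-request cache the post asks for, added here as an example; it is not HAProxy code, not lua-resty-auto-ssl, and not something the thread contains. ACME issuance is injected as a callable (the `fake_issuer` below is a constructed stand-in) so the sketch runs offline, and the names `CertCache`, `sni_is_allowed`, `haproxy_load_commands` and the `example.net` zone are all assumptions for illustration. The runtime-API commands it emits assume HAProxy 2.2 or newer (`new ssl cert`, `set ssl cert`, `commit ssl cert`, `add ssl crt-list`); an older HAProxy would need a reload instead. The one check a practitioner would want that the post does not mention is the allow-list: any anonymous client can send an arbitrary SNI value, so issuing on demand for every name seen would let an attacker burn Let's Encrypt rate limits on names you do not control.

```python
"""On-demand certificate cache: issue on first use, reuse until expiry,
renew early, drop expired entries. Added example, not HAProxy code."""
import re
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

# An issuer gets the SNI hostname and current time and returns
# (pem_bundle, not_after). A real one would drive an ACME client.
Issuer = Callable[[str, datetime], Tuple[str, datetime]]

_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def sni_is_allowed(hostname: str, allowed_suffixes: List[str]) -> bool:
    """Issue only for well-formed DNS names under a zone we control.

    Without this, any client could send an arbitrary SNI value and make the
    load balancer place an ACME order for it (rate-limit exhaustion)."""
    host = hostname.rstrip(".").lower()
    if not host or len(host) > 253 or "*" in host:
        return False
    labels = host.split(".")
    if not all(_LABEL.match(label) for label in labels):
        return False
    if all(label.isdigit() for label in labels):  # IPv4 literal, not a DNS name
        return False
    return any(host == s or host.endswith("." + s) for s in allowed_suffixes)


class CertCache:
    """Fetch-on-first-use cache with early renewal and expiry eviction."""

    def __init__(self, issuer: Issuer, allowed_suffixes: List[str],
                 renew_before: timedelta = timedelta(days=30)) -> None:
        self.issuer = issuer
        self.allowed = [s.lower().rstrip(".") for s in allowed_suffixes]
        self.renew_before = renew_before
        self._store: Dict[str, Tuple[str, datetime]] = {}
        self.issue_count = 0  # exposed so caching behaviour can be checked

    def get(self, hostname: str, now: Optional[datetime] = None) -> Optional[str]:
        """Return the PEM to serve for this SNI name, or None if we won't issue."""
        now = now or datetime.now(timezone.utc)
        host = hostname.rstrip(".").lower()
        if not sni_is_allowed(host, self.allowed):
            return None
        entry = self._store.get(host)
        if entry is not None:
            pem, not_after = entry
            if now < not_after - self.renew_before:
                return pem                   # fresh: the normal fast path
            if now >= not_after:
                del self._store[host]        # expired: never serve it again
                entry = None
        try:
            return self._issue(host, now)    # first request, or renewal window
        except Exception:
            # Renewal failed but the old cert is still valid: keep serving it
            # instead of failing handshakes. With nothing valid, give up.
            return entry[0] if entry else None

    def _issue(self, host: str, now: datetime) -> str:
        self.issue_count += 1
        pem, not_after = self.issuer(host, now)
        self._store[host] = (pem, not_after)
        return pem


def haproxy_load_commands(name: str, pem: str, crt_list: str, is_new: bool) -> str:
    """Runtime-API transaction pushing a cert into a running HAProxy (assumes 2.2+).

    <name> is the virtual filename HAProxy keys the cert under. A new name is
    created, filled, committed and attached to the crt-list the bind line
    references; an existing name only needs set + commit. 'cmd <<' followed
    by the payload and a blank line is the CLI's multi-line payload syntax."""
    cmds = []
    if is_new:
        cmds.append(f"new ssl cert {name}")
    cmds.append(f"set ssl cert {name} <<\n{pem.rstrip()}\n")
    cmds.append(f"commit ssl cert {name}")
    if is_new:
        cmds.append(f"add ssl crt-list {crt_list} {name}")
    return "\n".join(cmds) + "\n"


def fake_issuer(host: str, now: datetime) -> Tuple[str, datetime]:
    """Constructed stand-in for an ACME client: 90-day placeholder 'cert'."""
    pem = f"-----BEGIN CERTIFICATE-----\n(constructed cert for {host})\n-----END CERTIFICATE-----\n"
    return pem, now + timedelta(days=90)


T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)


def day(n: int) -> datetime:
    """T0 plus n days; lets the demo drive the cache through a fixed timeline."""
    return T0 + timedelta(days=n)


if __name__ == "__main__":
    cache = CertCache(fake_issuer, ["example.net"])
    pem = cache.get("app1.example.net", now=day(0))         # slow path: issues
    assert cache.get("app1.example.net", now=day(1)) == pem  # fast path: cached
    print(haproxy_load_commands("app1.example.net.pem", pem or "", "/etc/haproxy/crt-list.txt", True))
```

The cache is keyed on the normalised SNI name, so `App1.example.net.` and `app1.example.net` share one entry. Renewal is attempted once the certificate is within `renew_before` of its notAfter, and a failed renewal keeps serving the old certificate until it actually expires, which is the behaviour you want when the ACME endpoint is briefly unreachable.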

#2

Check this out:


#3

I already did. It's not useful if you don't know the (sub)domains.