in kong/kong/plugins/acme/handler.lua [94:179]
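--- Serve an ACME-managed certificate during the TLS handshake (ssl_certificate phase).
-- The handshake is left untouched when the client sent no SNI, when the host is not
-- in the plugin's allowed-list, or when Kong already serves a non-default certificate
-- for that host. When the host qualifies but no certificate exists in storage yet,
-- issuance is started in a zero-delay timer so the ACME round-trip never runs inside
-- the handshake; the current handshake then completes with the default certificate.
-- @tparam table conf plugin configuration (allowed domains, storage backend, ...)
-- @treturn nil always; every failure is logged rather than raised
function ACMEHandler:certificate(conf)
  local host, err = ngx_ssl.server_name()
  if err then
    kong.log.warn("failed to read SNI server name: ", err)
    return
  elseif not host then
    kong.log.debug("ignoring because no SNI provided by client")
    return
  end

  -- SNI names are case-insensitive; normalise once so every lookup below agrees.
  host = string.lower(host)
  if not check_domains(conf, host) then
    kong.log.debug("ignoring because domain is not in allowed-list: ", host)
    return
  end

  local cert_and_key
  cert_and_key, err = kong_certificate.find_certificate(host)
  if err then
    kong.log.err("error find certificate for current request:", err)
    return
  end

  -- default_cert_key is filled on first use and never refreshed here
  -- (presumably a module-level upvalue). NOTE(review): a default certificate
  -- changed at runtime is therefore not noticed by this worker until it is
  -- reloaded -- confirm that this is intended.
  if not default_cert_key then
    default_cert_key = kong_certificate.find_certificate()
  end
  -- ACME only takes over hosts that would otherwise get the default cert; a
  -- certificate explicitly configured for the host always wins.
  if cert_and_key ~= default_cert_key then
    kong.log.debug("ignoring because non-default cert is served")
    return
  end

  local certkey
  certkey, err = client.load_certkey_cached(conf, host)
  if err then
    kong.log.warn("can't load cert and key from storage: ", err)
    return
  end

  if not certkey then
    if kong.configuration.role == "data_plane" and conf.storage == "kong" then
      kong.log.err("creating new certificate through proxy side with ",
                   "\"kong\" storage in Hybrid mode is not supported; ",
                   "consider create certificate using Admin API or ",
                   "use other external storages")
      return
    end

    -- Issue asynchronously: the ACME exchange must not block the handshake.
    local scheduled, timer_err = ngx.timer.at(0, function()
      local updated, update_err = client.update_certificate(conf, host, nil)
      if update_err then
        kong.log.err("failed to update certificate: ", update_err)
        return
      end
      if updated then
        update_err = client.store_renew_config(conf, host)
        if update_err then
          kong.log.err("failed to store renew config: ", update_err)
          return
        end
      end
    end)
    -- ngx.timer.at returns nil, err when the timer cannot be created (for example
    -- when the worker's pending-timer limit is hit). Without this check the
    -- issuance for the host silently never happens and leaves no trace in the logs.
    if not scheduled then
      kong.log.err("failed to schedule certificate update for host ", host, ": ", timer_err)
    end
    return
  end

  kong.log.debug("set certificate for host: ", host)
  -- Each step is attempted even if the previous one failed; the warnings below
  -- are the only trace of a partially applied certificate.
  local _
  _, err = ngx_ssl.clear_certs()
  if err then
    kong.log.warn("failed to clear certs: ", err)
  end
  _, err = ngx_ssl.set_der_cert(certkey.cert)
  if err then
    kong.log.warn("failed to set cert: ", err)
  end
  _, err = ngx_ssl.set_der_priv_key(certkey.key)
  if err then
    kong.log.warn("failed to set key: ", err)
  end
end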