NGINX receives native ACME integration
NGINX now natively supports the ACME protocol for the automatic management of SSL/TLS certificates. The module is part of the Open Source and Plus versions.
NGINX introduces native support for the ACME protocol – an important step towards simplifying and automating the management of SSL/TLS certificates. The Automated Certificate Management Environment (ACME) protocol was originally developed by the Internet Security Research Group as part of the Let's Encrypt project to automate the time-consuming and error-prone process of issuing and renewing digital certificates. With ACME, web servers can communicate directly with certificate authorities to automatically request, validate, renew, or revoke certificates without the need for manual intervention by administrators.
No more external tools
With the new NGINX implementation, ACME can be configured directly via NGINX directives. The new module ngx_http_acme_module, which is programmed in Rust and is available as a dynamic module both in the open-source version of NGINX and in the commercial Plus license from F5, is responsible for this. This native integration eliminates the need to use external tools such as Certbot. The developers want to reduce sources of error and security risks and improve platform independence.
The setup is quick: it consists of specifying the ACME server (e.g., Let's Encrypt), configuring storage locations for certificates and validation data, and letting the module handle certificate issuance and renewal. Currently only the HTTP-01 challenge is supported, in which the web server proves control of the domain by answering an HTTP request from the certificate authority. Further challenge types such as TLS-ALPN-01 or DNS-01 are to follow. Administrators use a few NGINX directives to define the domains for which certificates are to be obtained, and NGINX takes care of the entire certificate lifecycle.
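A minimal configuration of the kind described above, as an added example rather than text from the NGINX announcement: an issuer block names the ACME server and the state directory, the TLS server asks the module for a certificate, and a plain port-80 server exists only so the module can answer HTTP-01 challenges. The directive names follow the ngx_http_acme_module documentation as understood here; domain, contact address and paths are placeholders.

```nginx
# Added example: native ACME with ngx_http_acme_module (preview).
# Domain, contact address and paths are placeholders, not real values.

load_module modules/ngx_http_acme_module.so;

events { }

http {
    # The module resolves the ACME server's hostname itself.
    resolver 127.0.0.1:53;

    # Which ACME server to use and where to keep the account key,
    # certificates and challenge state. Keep this directory readable
    # by the nginx user only: it holds private keys.
    acme_issuer letsencrypt {
        uri         https://acme-v02.api.letsencrypt.org/directory;
        contact     admin@example.test;
        state_path  /var/cache/nginx/acme-letsencrypt;
        accept_terms_of_service;
    }

    # Shared memory so every worker process sees the same certificates.
    acme_shared_zone zone=ngx_acme_shared:1M;

    server {
        listen 443 ssl;
        server_name .example.test;

        # Obtain a certificate covering server_name from the issuer above;
        # the module renews it before it expires.
        acme_certificate letsencrypt;

        ssl_certificate       $acme_certificate;
        ssl_certificate_key   $acme_certificate_key;
        ssl_certificate_cache max=2;
    }

    server {
        # HTTP-01 needs a plain-HTTP listener: the CA fetches the challenge
        # response from /.well-known/acme-challenge/ on port 80. The module
        # answers those requests; everything else is refused.
        listen 80;

        location / {
            return 404;
        }
    }
}
```

Because the CA must reach port 80 from the outside, a firewall that blocks it will make issuance fail silently until the error log is checked.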
The ACME integration is currently in preview. Instructions can be found in the NGINX announcement. Technical details can also be found in the module documentation on GitHub.
(fo)