Let's Encrypt Managed Certificates
OpenResty Edge can automatically obtain and renew TLS certificates from Let’s Encrypt. The following certificate types and any combination of them are supported:
- Single-domain certificates: e.g., example.com
- SAN (Subject Alternative Name) multi-domain certificates: e.g., a single certificate covering both example.com and www.example.com
- Wildcard certificates: e.g., *.example.com

Prerequisites
Let’s Encrypt uses different validation methods for non-wildcard and wildcard domains. OpenResty Edge automatically detects which method to use for each domain during issuance, but you need to complete the corresponding configuration in advance.
Non-wildcard domains (e.g., example.com, www.example.com)
HTTP validation is used. Let’s Encrypt will send an HTTP request to the domain, so you need to point the domain’s A record to the OpenResty Edge Node IP of the current Gateway Cluster at your DNS provider.
The DNS can be hosted anywhere, as long as the resolution result points to the OpenResty Edge Node.
If the A record does not point to the OpenResty Edge Node, but the authoritative DNS for the domain is already hosted on OpenResty Edge, the system will automatically fall back to DNS validation.
Wildcard domains (e.g., *.example.com, *.a.example.com)
DNS validation is used (as required by Let’s Encrypt). Two configuration steps are needed:
1. Host a DNS application on OpenResty Edge
Host the parent domain (or a higher-level ancestor domain) of the wildcard domain as a DNS application in OpenResty Edge. For example:
| Wildcard Certificate | DNS Application to Host (any one of the following) |
|---|---|
| *.example.com | example.com |
| *.a.example.com | a.example.com or example.com |
| *.a.b.example.com | a.b.example.com or b.example.com or example.com |
2. Point NS records to OpenResty Edge at your domain registrar
At your domain registrar (e.g., GoDaddy or Namecheap), point the NS records for the corresponding domain to the OpenResty Edge Node, making OpenResty Edge the authoritative DNS server for that domain.
Changing the NS records means delegating the entire DNS resolution authority for that domain to OpenResty Edge. Make sure you have correctly configured all required DNS records in the OpenResty Edge DNS application.
You can refer to Migrating DNS Resolution to OpenResty Edge for more details.
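The prerequisite rules above, as an added example (not OpenResty Edge code): a preflight that predicts which validation method applies to each requested name and what would block it. The function names, the two-label registrable-domain assumption and the inventory data are constructed for illustration; in practice the A records and delegation status would come from your own DNS lookups.

```python
# Added example: models the prerequisite rules described on this page.
# Not OpenResty Edge code; all names and sample data below are constructed.

def candidate_zones(domain, min_labels=2):
    """Zones that could be hosted as the DNS application for `domain`.

    Assumption: the registrable domain has `min_labels` labels, which holds
    for example.com but not for suffixes such as co.uk."""
    name = domain[2:] if domain.startswith("*.") else domain
    labels = name.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - min_labels + 1)]

def plan(domain, a_records, hosted_zones, delegated_zones, edge_ips):
    """Return (method, blocker); blocker is None when prerequisites are met."""
    zone = next((z for z in candidate_zones(domain) if z in hosted_zones), None)
    dns_ready = zone is not None and zone in delegated_zones
    if not domain.startswith("*."):
        if set(a_records.get(domain, ())) & edge_ips:
            return ("http", None)
        if dns_ready:  # documented fallback when the A record points elsewhere
            return ("dns", None)
        return ("http", "A record does not point to an Edge Node")
    if zone is None:
        return ("dns", "no hosted DNS application covers this name")
    if not dns_ready:
        return ("dns", "NS records for " + zone + " are not delegated to Edge")
    return ("dns", None)

# Constructed inventory (documentation IP ranges, reserved example names).
EDGE_IPS = {"203.0.113.10"}
A_RECORDS = {"example.com": ["203.0.113.10"], "www.example.net": ["198.51.100.7"]}
HOSTED_ZONES = {"example.net", "b.example.org"}
DELEGATED_ZONES = {"example.net"}

def check(domain):
    return plan(domain, A_RECORDS, HOSTED_ZONES, DELEGATED_ZONES, EDGE_IPS)

if __name__ == "__main__":
    for d in ["example.com", "www.example.net", "*.example.com",
              "*.a.b.example.org", "*.api.example.net"]:
        print(d, check(d))
```

Running the check across every name on a SAN certificate before clicking "Save" shows which names would fail validation and why.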
Issuing Certificates
Step 1: Click the “New Certificate” button, then select “Let’s Encrypt”.

Step 2: Enter one or more domain names, then click “Save”.

Step 3: OpenResty Edge will automatically complete domain validation, certificate request, and deployment. Refresh the page to check the issuance status.

Automatic Renewal
OpenResty Edge automatically obtains or renews certificates in the following situations, with no manual intervention required:
- When a new Let’s Encrypt certificate is added;
- When the domain list of an existing Let’s Encrypt certificate is modified;
- When the certificate has less than 30 days of validity remaining.
Action Buttons

In the certificate list, the action buttons on the right side of each entry are, from left to right:
| Button | Function | Description |
|---|---|---|
| 1st | View Status | Hover to see a status summary; click to view detailed logs. Especially useful when troubleshooting failures. |
| 2nd | Retry Now | Manually trigger a re-issuance. Typically used only when the status shows a failure. |
| 3rd | Edit Certificate | Edit the certificate information. A re-issuance is automatically triggered after modification. |
| 4th | Delete Certificate | Delete the managed certificate. |
Troubleshooting
| Error Message | Cause and Solution |
|---|---|
| “DNS A record … is not point to this Gateway Cluster” | The domain’s A record does not point to the OpenResty Edge Node IP. Update the A record at your DNS provider. |
| “does not belongs to any DNS application” | The parent domain of the wildcard domain is not hosted as a DNS application on OpenResty Edge. Add the corresponding DNS application first. |
| “DNS NS record … is not point to this Gateway Cluster” | The domain’s NS records do not point to the OpenResty Edge Node. Update the NS records at your domain registrar. |
| “DNS query failed” / “unexpected answers” | The DNS records have not yet propagated or are misconfigured. Wait a few minutes and click Retry Now, or verify the NS configuration. |