NGINX server developers recently introduced a long-awaited ACME module. It is written in Rust, and the DNS-01 challenge (required for wildcard certificates) is not supported. How do you get around that?

The solution is to use the Angie server with its ACME module. It is written in C, and DNS-01 works just fine.

What is Angie?

The NGINX web server was initially created in Russia by developers and sysadmins at mail.ru (a company that has since merged into VK). They then moved it into an independent company, which was later sold to the American F5, Inc. So F5 owns NGINX to this day.

However, the NGINX R&D office remained in Russia, which turned out to be a problem in 2022. F5 asked the developers to either relocate to the USA or leave. A couple of people did relocate, but the majority decided to stay, created an NGINX fork named Angie and founded the company WebServer LLC to keep developing it.

I’d say those Angie guys are builders: the ones who want to build a technically excellent product, not just make money. They packaged a lot of third-party modules (including the Lua module), developed the ACME and Prometheus modules, supported linking with BoringSSL (which is a big deal; just read this survey by HAProxy), and host repositories for many Linux distributions (Alpine Linux included) and FreeBSD with all of that. Just compare the nginx build instructions with the Angie build instructions, for example…

Angie is what the original NGINX was supposed to look like. Meanwhile the modern NGINX is getting rewritten in Rust. This is not sad (who tf cares about some American corp revenue), just pathetic. The exact kind of thing you’d expect from “developers” with “he/him” in their github profiles.

So anyway, how do you use the Angie ACME module with the DNS-01 challenge? Well, there are excellent instructions on their website. I’d like to clarify a couple of things though.

  • this module sets the required TXT records and answers DNS challenges by itself, kinda similar to the acme-dns project.
  • you need to manually set up the required NS and A records. Your DNS provider should allow that (or else, use some other provider).
  • resolver 127.0.0.53; in their configuration example might be wrong. It’s used by systemd-networkd if I’m not mistaken, so what if you’re not using systemd? I defined 8.8.8.8 instead.
  • if your host uses a firewall (it’d be very foolish not to, right?) then you’ll need to open port 53 on it for DNS queries.
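As an added example (not code from the post or from the Angie project), a small Python sketch of two things worth checking before trusting the setup above: that _acme-challenge.<domain> is really delegated to this host (the NS and A records from the second bullet), and what the TXT value the CA will query actually is (RFC 8555 key authorization over an RFC 7638 account-key thumbprint). The domain, IP and key values are constructed; a live check would additionally need a resolver lookup and a probe of port 53 (UDP and TCP), which are left out so the script runs offline.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Unpadded base64url, as ACME and JWK use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over a canonical JSON of the *required* members only,
    lexically ordered, no whitespace.  Extra members (alg, use, kid) are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.4: the TXT record at _acme-challenge.<domain> must hold
    base64url(SHA-256(token "." thumbprint)); the ACME module serves this itself."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def delegation_ok(domain: str, ns_answers: dict, a_answers: dict, host_ip: str) -> bool:
    """The CA follows NS for _acme-challenge.<domain> and then the A record of that
    nameserver; both must lead to the host running the module (and port 53 on it).
    ns_answers / a_answers are resolver results in {name: [rdata, ...]} form."""
    label = f"_acme-challenge.{domain}"
    for ns_name in ns_answers.get(label, []):
        if host_ip in a_answers.get(ns_name.rstrip("."), []):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample data: a hypothetical EC account key and a fake token.
    account_key = {"kty": "EC", "crv": "P-256", "x": "x-coord-b64url",
                   "y": "y-coord-b64url", "alg": "ES256"}
    ns = {"_acme-challenge.example.com": ["acme.example.com."]}
    a = {"acme.example.com": ["203.0.113.10"]}
    print("delegation ok:", delegation_ok("example.com", ns, a, "203.0.113.10"))
    print("expected TXT :", dns01_txt_value("sample-token", jwk_thumbprint(account_key)))
```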