Automatic renew without ssh

RRougemont · September 9, 2018, 11:22am

Hello Everybody.

I have a lot of sites and they all are hosted on sharing hosting, so I don’t have any ssh access. I only have ftp and a control panel on the Internet.
So I have until now used certbot certonly --manual to securise my domains, but I have too much sites, and it takes me a lot of precious time. Is there any solution to automate that? Because let’s encrypt is free and my hosting provider propose me to pay between 50 and 320 per year to have a certificate. So with more than 15 sites, it’s not possible.
If not, do you know if there is another way to do it? Do you have any suggestions?

Others informations :

I have done my certificates on Centos 7,
My hosting provider is amen.fr

Excuse me if my english isn’t very good…

R.

JuergenAuer · September 9, 2018, 11:29am

Hi @RRougemont

where is this certbot instance installed?

There are two questions: Can you automate the certificate order? And can you automate the certificate installation?

Looks like you can't automate the installation part.

Osiris · September 9, 2018, 11:30am

Without root SSH access, you are limited to the features of your control panel. Perhaps it has some sort of API to upload the certificates without manual intervention, perhaps not. You didn't specify your control panel and also your hosting provider can probably disable such an API if it even existed.

Tell your hosting provider you're not satisfied with it's current policy of SSL (but they probably won't care, as it is a method of income for them) and tell them you'll switch to another hosting provider which does support free and automated Let's Encrypt certificates. You can find such a hosting provider in Web Hosting who support Let's Encrypt

RRougemont · September 9, 2018, 11:31am

certbot is installed on centos 7

JuergenAuer · September 9, 2018, 11:35am

Where? Online? One of your domains? How can you start Certbot?

If you are able to run Certbot online and if Certbot can write to the webroots of your domains, then you can automate the certificate order.

RRougemont · September 9, 2018, 11:40am

with this command :
certbot certonly --manual
you can securise a site without shell access putting a key in the ftp.
Then you enter the certificate and the private key in the control panel, and it’s done. But it takes a long time to do it for every site, so I’m searching for another way to do it.

RRougemont · September 9, 2018, 11:41am

I don’t really want to change my hosting provider, but I will ask and maybe they will respond

Osiris · September 9, 2018, 11:43am

In your situation, without an automated point of entry into the control panel, there's no way to automate the renewal of a certificate.

If the control panel doesn't have an official API to do such a thing, it might be possible to script all the HTTP requests and POSTs to your control panel and upload a certificate. But I don't know if anyone has done such a thing before for your controle panel or if you have the technological skills to script such a thing.

In the end, if you can point and click your way to upload the cert, so can a script.. But it might take a lot of time and know-how to do so.

JuergenAuer · September 9, 2018, 12:10pm

How do you start that if you don't have ssh?

This is one step to validate that you are the domain owner - http-01 - challenge, place a special file under /.well-known/acme-challenge/. You can do that per FTP.

But there is another challenge, dns-01. You have to create a dns-entry. So if your dns-provider supports an api and if you are able to run a command like

certbot --dns-cloudflare (or one of the other dns-apis)

you can automate the certificate order - step.

There are a lot of dns-apis:

https://certbot.eff.org/docs/using.html#certbot-commands

--dns-cloudflare, --dns-cloudxns, --dns-digitalocean, --dns-dnsimple etc.

RRougemont · September 9, 2018, 12:15pm

you can run certbot certonly --manual on your own computer, and finish with ftp and control panel

RRougemont · September 9, 2018, 12:16pm

i will see but it seems very complicated… thanks!

JuergenAuer · September 9, 2018, 12:22pm

I know.

Then you should check if your dns-provider has an api. Or check other clients:

acme.sh

Automatic DNS API integration

has a lot of supported dns apis (52).

RRougemont · September 9, 2018, 12:35pm

okay!

thanks for all !

r.

Osiris · September 9, 2018, 12:43pm

How would that help @RRougemont with the installation of the certificate and private key in his control panel?

Jup, quite complicated. An API for your control panel (I still haven't heard you say a name ;)) would be less complicated though.

danb35 · September 9, 2018, 12:45pm

It would at least help automate issuing the cert...

RRougemont · September 9, 2018, 12:47pm

oh excuse me…
There is an api but but the possibilities are very restricted and no very useful…

Osiris · September 9, 2018, 12:47pm

That's true. Scripting some scripts for the uploading and removing of the token through FTP is also very much possible.

RRougemont · September 9, 2018, 12:49pm

do you have some help about using ftp with terminal?
I searched a lot but didn’t find anything…

R.

Osiris · September 9, 2018, 12:50pm

I’m sure there’s there’s something useful in these search results: https://www.google.nl/search?q=bash+script+uploading+ftp

Personally, I haven’t done something like that, so I can’t help you with the details.

RRougemont · September 9, 2018, 12:52pm

thanks a lot!
I think there is a way to do it but it will be complicated…
R.