Bash scripts for certificate generation

Please fill out the fields below so we can help you better. Note: You must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., crt.sh | example.com), so withholding your domain name here does not increase secrecy but only makes it harder for us to provide help.

My domain is: ssl.spseplzen.cz (school domain)
(I noticed that the school already has an active wildcard certificate, hope that isn't a big problem due to this site being the only one I could have been provided with)

I ran this command: certbot --apache (tried with the -d + domain parameter, tried manual, some debugging parameters, etc.)

It produced this output: Some challenges have failed. (Some days ago, there was an error regarding CAA records for some reason. Now it's back to some challenges that have failed after I reverted a snapshot due to a messy config)

My web server is (include version): Apache 2.4.62

The operating system my web server runs on is (include version): VirtualBox VM, Linux - Debian 12

My hosting provider, if applicable, is: cesky-hosting.cz (apparently)

I can login to a root shell on my machine (yes or no, or I don't know): no, not on my own, it's a vm managed by our school administrator, got sudo privileges only

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Negative, or at least I am unaware of it.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 3.0.0

Hello, anyway, this whole thing of mine is going to be my high school leaving practical exam.

My teacher / administrator lent me a VirtualBox VM with Debian 11 installed (upgraded to 12), set a public IP of the VM to 185.68.29.39, which is accessible from the internet, recently even from our LAN. I did the basic self-signed thing for https allowance. I hope that doesn't cause any trouble, 80 should still be accessible.

Tried doing some research. However, I still don't know whether my code is complete.

I did everything exactly by the tutorials and certbot guide, or at least I think I did.

However, I keep getting that error mentioned above.

I would send you a bash script (in txt file), where I have something like a Linux distribution + web server detection and stuff, alongside the certificate creation, however it would be in my native language (Czech)

bash.txt (5.6 KB)

Every piece of help is much appreciated

Hi @Lishaczek,

The CAA doesn’t have "letsencrypt.org" to allow Let’s Encrypt to issue certificates for the domain.

https://letsdebug.net/ssl.spseplzen.cz/2278561
spseplzen.cz. 0 IN CAA 0 issue "trust-provider.com"


Also see https://letsencrypt.org/docs/caa/


Hey there, thanks for the reply.

I thought of the problem when I had the CAA records failure, either way it seems weird to me, because our school has certs verified by LE, and it's basically just a subdomain of spseplzen.cz, for which they have a wildcard cert (*.spseplzen.cz)

I'm gonna try to discuss it with my teacher, though.


The wildcard cert was issued by Alpiro not Let's Encrypt.

And, I don't see any active certs issued by Let's Encrypt for that apex domain or its subs. The most recent expired in July 2023. Which domains have Let's Encrypt certs? (from https://crt.sh)


Oh, wait, you're right, my bad.

Alpiro rings a bell.

Then, I am truly mistaken.

So, what are the next steps to make, ask him to check the CAA records, add an LE record? (Do I have a guarantee that it won't disrupt the other, Alpiro certs?)


Let's Encrypt first checks for a CAA record for exactly ssl.spseplzen.cz so you could just add one for that. It would not affect other subdomains or the apex domain. Well, it could affect someone requesting "newsub.ssl.spseplzen.cz".

If your school wants to allow LE on its apex or other subdomains then add the CAA at the apex domain level.

The CAA record "closest" to the domain requested is used. See the CAA docs page Bruce linked earlier.


Hey there, I need to discuss another thing, and I want to keep using this thread for everything regarding this topic.

First of all, thank you, all of you

With your help, I have successfully issued the certificate.

Now, however, I need this:

I have to make an intuitive web layout for the cert creation.

My idea is to make a php website on the server, which would let me choose from some pre-created domains (unfortunately, they would have to be x.ssl.spseplzen.cz, where I am not sure, whether it wouldn't disrupt the stuff, as MikeMcQ said), as well as the server I want to use, which key I wanna use (rsa/ecdsa)...

Using these inputs, I would need to make a php code, which would then "issue" the certificate by running the bash script I sent earlier with the given parameters from the php form page.

Is that achievable in some way? Or is it a complete madness?


If you have to pre-create the domains why don't you just get the cert when you make the domain?

Getting new certs for subdomains of ssl.spseplzen.cz will not affect the cert you already got for that name. And, because there is a CAA for this it may also be used for these new subdomains. Let's Encrypt will first check for a CAA for new.ssl.spseplzen.cz. If none is found it will then check ssl.spseplzen.cz so you should be fine.

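The "closest CAA record wins" rule that MikeMcQ describes in the two replies above (exact name first, then the parent), as an added example that is not part of the thread. It uses a constructed in-memory zone instead of live DNS so it runs offline; the record values mirror the letsdebug output quoted earlier, and the helper names are my own.

```php
<?php
// Added example (not from the thread): how a CA finds the CAA record that governs
// a name (RFC 8659): check the exact name first, then each parent, and stop at the
// first name that has any CAA records. A constructed in-memory zone replaces DNS so
// this runs offline; in real use dns_get_record($name, DNS_CAA) does the lookup.
//
// Constructed data: the apex only allows trust-provider.com (as in the letsdebug
// output above), while ssl.spseplzen.cz has its own record allowing letsencrypt.org.
$constructedZone = [
    'spseplzen.cz'     => [['tag' => 'issue', 'value' => 'trust-provider.com']],
    'ssl.spseplzen.cz' => [['tag' => 'issue', 'value' => 'letsencrypt.org']],
];
/** Walk from $name toward the root; return [owner, records] of the closest CAA set, or null. */
function relevantCaa(string $name, array $zone): ?array
{
    $labels = explode('.', strtolower(rtrim($name, '.')));
    while (count($labels) > 1) {                 // never consult the TLD or root
        $owner = implode('.', $labels);
        if (!empty($zone[$owner])) {
            return ['owner' => $owner, 'records' => $zone[$owner]];
        }
        array_shift($labels);                     // climb one label
    }
    return null;
}
/** May $ca (e.g. "letsencrypt.org") issue a non-wildcard certificate for $name? */
function caMayIssue(string $name, string $ca, array $zone): bool
{
    $set = relevantCaa($name, $zone);
    if ($set === null) {
        return true;                              // no CAA anywhere: any CA may issue
    }
    $issue = array_filter($set['records'], fn($r) => $r['tag'] === 'issue');
    if ($issue === []) {
        return true;                              // CAA present but no "issue" restriction
    }
    foreach ($issue as $r) {
        $issuer = trim(explode(';', $r['value'])[0]);   // drop any "; parameters"
        if (strcasecmp($issuer, $ca) === 0) {
            return true;
        }
    }
    return false;                                 // "issue" records exist, none name $ca
}
// new.ssl.spseplzen.cz has no CAA of its own, so the ssl.spseplzen.cz record applies.
var_dump(caMayIssue('new.ssl.spseplzen.cz', 'letsencrypt.org', $constructedZone));
// www.spseplzen.cz falls back to the apex, which names only trust-provider.com.
var_dump(caMayIssue('www.spseplzen.cz', 'letsencrypt.org', $constructedZone));
```

Wildcard requests are governed by the separate `issuewild` tag, which this example deliberately leaves out.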

Alright, thank you for that. I'll contact you again here if I come across something new to discuss


Hello, I've decided to reach out here again.

This time, it's only partially about LE, well, to clarify, it's about a linux bash script for certificate creation.

My script works fine by itself, fully as expected, however I need to modify it to fit the assignment.

I have to make a web interface for it.

My first (and only) idea was to make a php form-like index page, where the user would select a pre-defined subdomain name, key type and for rsa, key length. Possibly also email.

Last time, there was an objection why don't I make the cert while setting up the domains, that wasn't in the plan.

I need to get the inputs from the form and somehow "pass 'em" to the bash script as arguments.

I'll send the script (Czech language again), as well as the index, if it helps.

I appreciate every possible advice on this matter.

Or if you have any other suggestion on how to fight this issue, I'm all ears.

index.php.txt (2.6 KB)
bashnew.txt (5.5 KB)

From the php script invoked by your POST (certGen.php) can't you just invoke the bash script using php EXEC (or similar). Pass data on the command line, or as env vars, or various other ways.

But, you are right, this is far away from this forum's scope. It is a routine programming problem best handled at a php forum. Try stackoverflow or other programming forums.

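One way to do what the reply above suggests (a PHP handler calling the bash script with exec), written as an added example rather than the poster's certGen.php. The security-relevant part is that every form field is checked against an allowlist before it reaches the command line and each argument is escaped separately, so user input is never parsed as shell syntax. The script path, its positional argument order and the subdomain list are assumptions.

```php
<?php
// Added example (not the poster's certGen.php or bash script): validate each POST
// field against an allowlist, then pass the clean values to the bash script as
// separately escaped arguments. Script path, argument order, names are assumptions.
const CERTGEN_SCRIPT     = '/usr/local/bin/certgen.sh';   // hypothetical path
const PARENT_DOMAIN      = 'ssl.spseplzen.cz';
const ALLOWED_SUBDOMAINS = ['web1', 'web2', 'mail'];      // pre-created names (constructed)
const ALLOWED_KEY_TYPES  = ['rsa', 'ecdsa'];
const ALLOWED_RSA_SIZES  = [2048, 3072, 4096];
/** Validate raw form input and return the clean argument list, or throw. */
function buildCertgenArgs(array $post): array
{
    $sub = $post['subdomain'] ?? '';
    if (!in_array($sub, ALLOWED_SUBDOMAINS, true)) {
        throw new InvalidArgumentException('unknown subdomain');
    }
    $keyType = $post['keytype'] ?? '';
    if (!in_array($keyType, ALLOWED_KEY_TYPES, true)) {
        throw new InvalidArgumentException('unknown key type');
    }
    $keySize = $keyType === 'rsa' ? (int)($post['keysize'] ?? 0) : 0;   // 0 = n/a for ecdsa
    if ($keyType === 'rsa' && !in_array($keySize, ALLOWED_RSA_SIZES, true)) {
        throw new InvalidArgumentException('unsupported RSA key size');
    }
    $email = trim($post['email'] ?? '');
    if ($email !== '' && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid e-mail');
    }
    return [$sub . '.' . PARENT_DOMAIN, $keyType, (string)$keySize, $email];
}
/** Run the script with every argument shell-escaped; return [exit status, output lines]. */
function runCertgen(array $args): array
{
    $cmd = escapeshellcmd(CERTGEN_SCRIPT) . ' ' . implode(' ', array_map('escapeshellarg', $args));
    exec($cmd . ' 2>&1', $output, $status);
    return [$status, $output];
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    header('Content-Type: text/plain');
    try {
        [$status, $output] = runCertgen(buildCertgenArgs($_POST));
        echo $status === 0 ? "issued\n" : "failed (exit $status)\n", implode("\n", $output);
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo 'rejected: ', $e->getMessage();
    }
}
```

Because certbot needs root, the web server account would still need a narrowly scoped sudoers entry for this one script (nothing broader), which is outside what the snippet shows.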

I had tried the php exec, shell_exec, escapeshellarg..., not much success, though.

But thanks for the reply, anyway.

