CertSage ACME client (version 1.0.0) - easy webpage interface, no commands to type, root not required

Now that's something I can sleep on.

:muscle:

:sleeping:

2 Likes

Makes sense, that's most likely the user Apache/nginx is running on.

That said, I'm still a little bit puzzled why you're trying to get CertSage working. While CertSage is a godsend for some very tightly "locked out" users on for example GoDaddy, in most environments other ACME clients are probably more suited.

3 Likes

It's mostly because I prefer using a GUI over manually entering commands that have to be remembered among thousands of other CLI commands. For example, on my test bed I have PHP versions 5.6, 7.0-4, and 8.0. Instead of trying to remember what CLI command to use to change the version for both the Apache PHP module and the CLI version, I wrote a bash script that would show the current version in the title bar and a menu of versions to choose from; the script would then do all the commands needed to change the PHP version. Also, if I need to edit the Apache config files, most other server-based configurations, or add a virtual server, I do it through Webmin. I only use the console CLI for small things like updating/removing/adding software using apt, hence I wanted to use CertSage as it's web based, much the same as ZeroSSL.

1 Like

@Usalabs The idea about Let's Encrypt is automation, i.e.: install a client once, forget about it forever. Which is the theory anyway. For example, Apache has a module called mod_md. Once set up, it will fetch certificates automatically. No user intervention required.

Other more mainstream ACME clients using the CLI would also just require some simple commands when setting up a certificate or when you require an addition or otherwise change of the certificate. All the renewing and stuff would be fully automatic.

Heck, Webmin has a feature for Let's Encrypt certificates..................

3 Likes

I'm working on integrating the cPanel autoinstallation option today. Thanks be to @Osiris for pioneering this effort a while back. Given the fairly dramatic shift in the underlying architecture right before the 1.0.0 version, many options have opened up, including, possibly, automatic renewal... :smiley:

3 Likes

I'm gonna retest this today. There's a slight chance I might not have tested it correctly given the state of the code at the time.

1 Like

Problem here is that a stateless PHP session won't be able to remember/find the random variable it created. I suppose if it were prefixed a directory search could be possible, but it's still risking public storage of private credentials (and potentially interfering with the website contents).

1 Like

For the next renewal?
Or it immediately forgets what it just did?

2 Likes

For the next session to remember where the account key went...

:old_key:?

2 Likes

hmm...
Use not-so-random randomness!
[some call that a hash]

But in order to keep that secret sauce outside of the code that all can see, you will need to provide an external URL that always returns the same long one-way hash given the same input.
[it should be very low bandwidth and you should provide it right from wherever you host your site]

2 Likes

If you're meaning in the PHP file itself, that's not too big of an issue since the webserver (or any other public mechanism) should never be serving the raw PHP. At one point in time, I had actually thought of doing the unthinkable by prepending a JSON object to the top of the PHP file itself (in a comment block of course) that holds the ACME account information. It makes for a single-file ACME client with state information that's highly portable. This doesn't allow for a single data directory for multiple instances of certsage.php in different webroot directories. The problem of where to put the certificate and private key also remains.

Any changes within public_html outside of the necessary /.well-known/acme-challenge/ present some degree of risk.

2 Likes

I've been happily managing a Let's Encrypt certificate on a website hosted on a VPS, but I was unable to do the same on several sites I managed on Media Temple's grid service, so I was excited to try this tool.

Generating the certificate was a snap, but I'm sorry to report that I'm unable to install it on the site for which I generated it.

Media Temple doesn't provide a CPanel or Plesk interface for managing its grid sites, but it does offer an interface to "Import SSL Certificate." The interface asks for three things: the private key, the certificate, and (for one scenario only) a CA/chain certificate.

I've copy/pasted the contents of my private .key and .crt files into the appropriate boxes, but I get an error message on Save.

I've tried this with and without the "Begin" and "End" comments for the keys. (The .crt file contains three keys. When pasting without the comments, I've tried with and without a blank line between keys.)

I realize that this "import" process may not be a valid way to deploy what I generated using certsage.php. (By the way, I did test, with success, in both the staging and production environments.)

But it's also possible I've misunderstood something about how to use the .key and .crt file contents. If so, please advise!

I have ssh and ftp access to all sites on my grid account, so if there's a simple command-line workaround for installing the generated certificate, I can give that a try as well.

2 Likes

Hi :slightly_smiling_face:

You don't need to strip the headers off of the certificates or key.

Your certificate file contains three certificates in this order:

your leaf certificate
R3 (signed by ISRG Root X1)
ISRG Root X1 (signed by DST Root CA X3)

Those last two certificates are the CA intermediate certificates. If for some reason the CA box doesn't accept multiple CA certificates, you can use the following CA certificate:

R3 (signed by DST Root CA X3)

If you find that you need to use that single CA certificate, please inform Media Temple that they need to update their interface and reference this topic.

2 Likes

Thanks, @griffin! I pasted the leaf certificate in the box requesting my "Certificate" and the CA intermediate certificates in the box requesting my CA/Chain certificate. And I made some progress.

Previously, the error message said that both the key and the certificate were invalid. This time, it said only that the key was invalid.

I tried the single CA certificate and got the same result.

So no success yet, but as I said, progress. Any suggestions for next steps?

2 Likes

Do the key and certificate match? You can use command-line openssl to test this. You could instead simply delete both the certificate and key files then generate a new certificate and key.

2 Likes

Thanks for asking. They do not match. :man_facepalming:

I'll try deleting the files and re-generating. BTW (and possibly related?), after testing in the staging environment, when I went to test in the production environment, my first attempt failed. I took another look at code.txt and the code had changed. I used the new code in the production environment and the test succeeded.

Anyway, I'll re-try tomorrow and report back. Thanks so much again for your help!

2 Likes

That's a strange thing to occur.
You need to review your steps (and their order).

2 Likes

The 96-bit code changes every time anyone visits certsage.php in a browser. This prevents malicious third parties from using your CertSage to generate certificates on your behalf.

3 Likes

I generated a new certificate and private key, testing in the staging environment and succeeding there and in production.

I entered the private key in the box labeled "Key", the first certificate within certificate.crt in the box labeled "Certificate" and the second and third certificates in the box labeled "CA/Chain Certificate".

I still get "The key is invalid" from Media Temple.

I ran

$ openssl x509 -noout -modulus -in certificate.crt | openssl md5
$ openssl rsa -noout -modulus -in private.key | openssl md5

as described at SSL/TLS Strong Encryption: FAQ - Apache HTTP Server

and the certificate and key match.

So, still stuck. :frowning:

2 Likes

I found the solution!

:smiley:

In the private key file, add RSA, so...

this:

-----BEGIN PRIVATE KEY-----

becomes this:

-----BEGIN RSA PRIVATE KEY-----

and this:

-----END PRIVATE KEY-----

becomes this:

-----END RSA PRIVATE KEY-----

This should not be necessary. Media Temple needs to fix their interface.

5 Likes
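A stand-alone way to do the two things this thread ends up needing, splitting certificate.crt into the leaf and the CA chain as described in the reply above and turning the PKCS#8 key into a PKCS#1 "RSA PRIVATE KEY" file as in the final post, as an added example that is not CertSage's own code. It assumes the key is RSA and that the import form accepts PKCS#1; rather than only editing the header text, it unwraps the DER so that a consumer which actually parses the key will also accept it. The sample bundle and key are constructed placeholders.

```python
# Added example (not CertSage's own code): prepare CertSage's output for an "Import
# SSL Certificate" form.  split_bundle() separates the leaf ("Certificate" box) from
# the intermediates ("CA/Chain Certificate" box); pkcs8_to_pkcs1() rewrites the PKCS#8
# "BEGIN PRIVATE KEY" file as PKCS#1 "BEGIN RSA PRIVATE KEY" by unwrapping the DER,
# not just the header.  Assumes an RSA key (as CertSage generates).  Stdlib only.
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption OID, DER-encoded

# Constructed samples (not real certificates, not a usable key): placeholder PEM blocks in
# CertSage's order, and a valid PKCS#8 wrapper around a dummy RSAPrivateKey (n=5, e=3).
SAMPLE_BUNDLE = "".join(f"-----BEGIN CERTIFICATE-----\n{b}\n-----END CERTIFICATE-----\n"
                        for b in ("<leaf>", "<R3>", "<ISRG Root X1>"))
DUMMY_RSA_DER = bytes.fromhex("3009020100020105020103")
SAMPLE_PKCS8 = ("-----BEGIN PRIVATE KEY-----\n"
                + base64.b64encode(bytes.fromhex("301f020100300d06092a864886f70d0101010500040b")
                                   + DUMMY_RSA_DER).decode()
                + "\n-----END PRIVATE KEY-----\n")

def split_bundle(bundle_pem: str) -> tuple[str, list[str]]:
    """Return (leaf_pem, [intermediate_pems]) in the order found in the bundle."""
    blocks = [m.group(0) for m in PEM_RE.finditer(bundle_pem) if m.group(1) == "CERTIFICATE"]
    if not blocks:
        raise ValueError("no CERTIFICATE blocks found")
    return blocks[0], blocks[1:]

def _tlv(der: bytes, pos: int) -> tuple[int, bytes, int]:
    """Parse one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, der[pos:pos + length], pos + length

def pkcs8_to_pkcs1(pem: str) -> str:
    m = PEM_RE.search(pem)
    if not m or m.group(1) != "PRIVATE KEY":
        raise ValueError("expected a PKCS#8 'BEGIN PRIVATE KEY' block")
    _, body, _ = _tlv(base64.b64decode(m.group(2)), 0)   # outer PrivateKeyInfo SEQUENCE
    _, _version, pos = _tlv(body, 0)                     # INTEGER version
    _, alg, pos = _tlv(body, pos)                        # AlgorithmIdentifier SEQUENCE
    if not alg.startswith(RSA_OID):
        raise ValueError("not an RSA key; PKCS#1 'RSA PRIVATE KEY' applies only to RSA")
    tag, inner, _ = _tlv(body, pos)                      # OCTET STRING holding RSAPrivateKey
    if tag != 0x04:
        raise ValueError("expected OCTET STRING privateKey")
    b64 = base64.b64encode(inner).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN RSA PRIVATE KEY-----\n{lines}\n-----END RSA PRIVATE KEY-----\n"
```

The two openssl modulus commands quoted earlier in the thread remain the right way to confirm the converted key still matches the certificate before pasting it into the form.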