ELI5: PHP use case for renewals as part of CMS


#1

I run a CMS site similar to reddit (but where karma = bitcoin). One of the key differentiators that puts it more into tumblr’s and WordPress’s space is that users can create their own communities and tie them to custom domains (so it can be used as a blog or forum platform). I also allow them to provide an SSL certificate for the custom domain so users can login directly into their domain.

In my use case, the user will either provide their own cert or will ask support to generate a free one for them using Let’s Encrypt. At this point, I expect we will generate the Let’s Encrypt (LE) cert manually (e.g., through gethttpsforfree.com/). However, for renewals, I want to build a renewal cron job into the CMS. Conceptually, the way I envision it working is:

  • A table with four columns: custom_domain (mydomain.com), LE_URL (e.g., mydomain.com/.well-known/acme-challenge/filename), LE_response (which contains the content that would normally be in filename), and cert_expiration_date
  • The app will check if the requested URL matches LE_URL and, if it does, it will return LE_response and end (this is instead of having a file with the LE content in mydomain.com/.well-known/acme-challenge/filename)
  • The cron will, on a schedule, check the cert_expiration_date for each custom_domain and, if the cert will expire within 2 weeks, send a post to the LE API to renew with the appropriate arguments (e.g., domain name, private key)
  • LE requests LE_URL and verifies LE_response (which the app returned based on the table)
  • If the correct LE_response is received, LE responds with the updated cert and new expiration date
  • The app replaces the cert file and updates cert_expiration_date in the table

I’m probably misunderstanding how this works. I looked at a few PHP implementations (e.g., github.com/kelunik/aerys-acme) and the API docs (e.g., letsencrypt.readthedocs.org/en/latest/api/renewer.html) but they aren’t clear to me as to how I would use/integrate. Would anyone be able to help me please with direction?


#2

I would not recommend to use a third-party for this. Just use an LE/ACME client on your own server to do this.
Introducing more participants and connections (your server --> gethttpsforfree.com ---> LE server) is not really a good idea. Additionally according to the repo gethttpsforfree makes AJAX requests so it uses JS, which you certainly cannot execute on your server - unless you also deliver this to the end user in their browser, so you have the three-connections again.
In any way is very cumbersome, so the easy solution is: Use the LE client - maybe adapt it for your needs, but just use it and run it on your server.


As for the general question: You may have a look at the API docs. They describe how you have to make the requests. How you store and deliver the stuff on your site is your job, but possibly someone can recommend you some “best practises”.
FYI it may also be worth looking into acme-triny.


#3

Thanks for your comments.

I’m very hesitant to install any LE/ACME clients at this point because my CMS is a production app and I don’t yet have the time or familiarity with how LE works to go through the client’s code and understand all that it’s doing. So I don’t mind having to spend a few minutes manually creating a cert through something like gethttpsforfree.com and then manually installing it. My current userbase isn’t tech-savvy enough to go and get their own certs so I want to be able to provide those for them. Just to be clear: valME.io support will be manually going to gethttpsforfree.com to get the cert. This will not be automated.

I did look at the API docs but, admittedly, I had a hard time understanding them (examples would have been helpful). I also did look at acme-tiny before posting here but, in addition to my comment above about not yet wanting to install a client, I don’t have any background using Python and don’t have it installed on my server.

Thus, if I can manually create the cert and then add some PHP code to my app to do the renewal, I can help my users get the SSL certs for their domains that they wouldn’t get otherwise.


#4

Ah okay. I did not knew this. In this case it is okay - if your users want to do this.


#5

I haven’t tried it yet but for those of you who are looking for a PHP script: Simple Let’s encrypt client concept in PHP.