I run a CMS site similar to reddit (but where karma = bitcoin). One of the key differentiators that puts it more into tumblr’s and WordPress’s space is that users can create their own communities and tie them to custom domains (so it can be used as a blog or forum platform). I also allow them to provide an SSL certificate for the custom domain so users can log in directly on their domain.
In my use case, the user will either provide their own cert or will ask support to generate a free one for them using Let’s Encrypt. At this point, I expect we will generate the Let’s Encrypt (LE) cert manually (e.g., through gethttpsforfree.com/). However, for renewals, I want to build a renewal cron job into the CMS. Conceptually, the way I envision it working is:
- A table with four columns: custom_domain (mydomain.com), LE_URL (e.g., mydomain.com/.well-known/acme-challenge/filename), LE_response (which contains the content that would normally be in filename), and cert_expiration_date
- The app will check if the requested URL matches LE_URL and, if it does, it will return LE_response and end (this is instead of having a file with the LE content in mydomain.com/.well-known/acme-challenge/filename)
- The cron will, on a schedule, check the cert_expiration_date for each custom_domain and, if the cert will expire within 2 weeks, send a post to the LE API to renew with the appropriate arguments (e.g., domain name, private key)
- LE requests LE_URL and verifies LE_response (which the app returned based on the table)
- If the correct LE_response is received, LE responds with the updated cert and new expiration date
- The app replaces the cert file and updates cert_expiration_date in the table
I’m probably misunderstanding how this works. I looked at a few PHP implementations (e.g., github.com/kelunik/aerys-acme) and the API docs (e.g., letsencrypt.readthedocs.org/en/latest/api/renewer.html) but they aren’t clear to me as to how I would use/integrate. Would anyone be able to help me please with direction?
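An added sketch, not from the post above or from any project it mentions, of the pieces the described table-driven design needs for the ACME HTTP-01 challenge, written in Python rather than PHP. It assumes a dict stands in for the custom_domain table and that the account key is an RSA public key in JWK form; the main point it shows is that LE_response is not a fixed value but token.thumbprint, where the token is issued fresh with every order, so the row has to be rewritten by the renewal job right before the challenge is triggered.

```python
import base64, hashlib, json, re
from datetime import date, timedelta

RENEW_WINDOW = timedelta(days=14)           # renew when the cert expires within 2 weeks
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # ACME tokens are base64url: no '/', '.', or '?'

def b64url(data: bytes) -> str:
    """base64url without '=' padding, as ACME/JWS require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an RSA account key: SHA-256 over the canonical
    JSON of the required members (keys sorted, no whitespace)."""
    if jwk.get("kty") != "RSA":
        raise ValueError("example handles RSA account keys only")
    canonical = json.dumps({"e": jwk["e"], "kty": "RSA", "n": jwk["n"]},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """What LE expects to read at /.well-known/acme-challenge/<token>.
    The token is issued per order, so this value (LE_response) changes on
    every renewal and must be written to the table before the challenge runs."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def serve_challenge(table: dict, host: str, path: str):
    """Return LE_response for host/path if it matches the stored LE_URL, else None."""
    prefix = "/.well-known/acme-challenge/"
    if not path.startswith(prefix):
        return None
    token = path[len(prefix):]
    if not TOKEN_RE.match(token):       # rejects '', '..', nested paths, query strings
        return None
    row = table.get(host)
    if row is None or row["LE_URL"] != f"{host}{prefix}{token}":
        return None
    return row["LE_response"]

def renewal_due(table: dict, today: date) -> list:
    """Domains whose cert_expiration_date is within RENEW_WINDOW (or already past)."""
    return sorted(d for d, r in table.items()
                  if r["cert_expiration_date"] - today <= RENEW_WINDOW)

# Constructed sample row standing in for the custom_domain table described in the post.
SAMPLE_TABLE = {"mydomain.com": {
    "LE_URL": "mydomain.com/.well-known/acme-challenge/tok123",
    "LE_response": "tok123.THUMBPRINT_PLACEHOLDER",   # placeholder, not a real thumbprint
    "cert_expiration_date": date(2016, 3, 1)}}
```

The renewal job would create the order with the ACME client of its choice, call key_authorization with the new token, store that together with the new LE_URL in the row, ask LE to validate, and only then download the certificate and update cert_expiration_date.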