Does someone have good experiences with one of the PHP-based clients and could recommend one for me and perhaps give me some hints?
To tell something about my history with Let's Encrypt to give you an overview of what I am searching for: see below for my actual way of getting certificates.
I am maintaining a couple of domains for myself and some customers. It's not much, roughly 20 domains, of which about 10 don't even have content currently, but maybe in the future, and then I'll of course need SSL for them, too.
In the beginning, I got some free certificates from somewhere I don't even remember, always lasting a year before they needed a renewal. But then suddenly, they were deprecated long before the year was over and I had to find a solution very fast. Luckily I found zeroSSL providing Let's Encrypt certificates with a very easy online system. Unluckily they also stopped their service and I had only a few weeks to find a new solution.
My actual solution
Now, I have OpenSSL installed on my desktop PC (Windows) and am using a downloaded version of gethttpsforfree and the GetHttpsForFree UI to get the OpenSSL commands running just by copy and paste.
It is a lot of copy and paste to the left and to the right and left and right and so forth, you can imagine. And then I have to upload the validation files (I am using the file-based verification), and in the end, I have to upload the certificates on the configuration platform of my hoster (HostEurope). It is shared hosting, they don't support Let's Encrypt directly, but they support uploading your own certificates and different certificates for different folders and thus different domains. And of course, I don't want to show all domains in one certificate, even though most people wouldn't recognize them.
Oh, and of course I can't install certbot there. They have some kind of SSH there but not with the needed permissions to install certbot. But at least they have OpenSSL and curl in PHP 7.1, so most of the PHP-based clients should work.
My idea now is to use one of those PHP-based clients to check regularly if the certificates need to be renewed, to do all that communication stuff with Let's Encrypt, and finally to notify me when the certificates are ready, so I only have to download them and upload them on the configuration platform. (Zipping them and notifying me by email really shouldn't be a problem for me.)
Now I hope you have a recommendation for me which of those PHP clients would work best for the way I want to use it and is easy to configure. (Since for now, I have the private keys and CSRs all ready on my PC and hope I can use them for that client.)
Sorry for that much text. Didn't expect that much when I started writing.
I am the author of the upcoming CertSage ACME client, which is written entirely in PHP and provides a simple webpage interface with a one-step process to get a certificate in under a minute. It was created with GoDaddy cPanel shared hosting in mind and thus requires no root access or special installation. I actually used gethttpsforfree as a working case study when authoring CertSage. Unlike the sold-out services you mentioned, CertSage runs right off of your server. Just upload a single file to your server, modify a couple of lines of that single file to indicate where you want your certificate and private key to end up (if you wish), fill in the form, and push a button. If you're interested, just let me know and I'll send you the download link and full instructions.
Also, thanks to @Osiris's help, I will soon release a version that automatically installs the certificate and private key into cPanel (if you use it), making the process much shorter.
If you have access to a command line, e.g. you can telnet/ssh in, then you may be able to install certbot locally using pip, and run the challenges.
However I have no idea how you could install the certificates. If you install certificates with a Control Panel, it might be easier to use DNS-01 challenges and run certbot off your local computer.
That somehow sounds like almost exactly what I am looking for and I would happily give it a try.
And I hope I can later transform it somehow into something that might even work with a crontab so, like I said, I only get an email telling me that I have to download and install the new certificates.
Ah, and no, I am not using cPanel or something similar. It is more like a login section on the hoster's website where I have to upload the certificates. So there can't be an out-of-the-box solution for my case for installing the certificates. I will have to install them manually anyway.
Keep in mind that CertSage saves the certificates and private keys on the hosted website itself. Once they're prepared, you can submit them as you wish to the hoster. You might even be able to just configure CertSage to put the private key and certificate in a location convenient to directly accessing them with your hoster's user interface. At present, CertSage does not use a timed mechanism for acquiring certificates in order to maintain broad compatibility and minimize dependencies. Since CertSage's interface is a single webpage form that takes seconds to use, you should just be able to either make a note of when to renew or be sure to enter an email address in the form so that Let's Encrypt will notify you 20 days, 10 days, and 1 day before expiration. The renewal process every 60 days or so is the same as the initial process except that you won't have to upload or reconfigure CertSage and you can skip entering an email address to keep using the same email address for expiration notifications.
I don't usually allow modification of CertSage because it makes support untenable. You are welcome to add your own side scripts if necessary, but I don't think you'll need them if I understand your use case well enough.
If this still sounds viable to you, just let me know.
I expected that. The private keys are needed on the server (in a folder not accessible via web of course) to sign the requests.
Do I have to fill that form for every certificate, or can I put all information in a config file and fill it once to get, let's say, 5 certificates at once? (I guess I have about 5 websites on each hosting product, so I want to run it once on each of them: once for 5 certificates on the first product and once for 5 domains on the other, since I can't access the files of one product from the other.)
And will it be using the old private keys and CSR, like GetHttpsForFree does? Or will it always create a new private key and CSR?
In that case, I would just run certbot off your local computer. You can either use the DNS-01 challenge or do HTTP-01 with a manual upload or figure out how to automate it.
If you had an automated way to register the certificates, @griffin's solution would be ideal. Since you must manually register the certificates though, I think you'll have an easier flow by running everything off your local machine.
Well, @griffin's solution would do the HTTP challenge for me, while doing that on my local machine I would have to upload the challenge files manually and check the upload and then confirm that I am hosting the files.
It would at least be much easier. Especially because to use the DNS challenge I would also need to edit the DNS entries at the control panel of my hoster, which would make it just more complicated.
Certbot plugins can automate that. I once saw a plugin for HTTP that would FTP files onto a remote host, but I can't remember the name. If your DNS provider offers an API, there is likely a plugin for it. If your host does not offer an API, you can delegate the _acme-challenge onto another service that does, via CNAME.
Despite maintaining our own client, I handle several of our more complex configurations via certbot on local machine -- using DNS-01 challenges and DNS records that delegate authority to an acme-dns instance on a domain we control. The entire renewal process is automated from my laptop, then I just upload the certificates.
CertSage is presently designed to be a very simple "webroot" ACME client that satisfies http-01 challenges for a single domain name and up to 99 of its subdomains. Since it must be copied into the webroot folder for each domain, it can only really handle a single domain at a time.
CertSage handles the private key and CSR generation for you using OpenSSL. The CSR is never even saved to persistent storage since both the private key and CSR are generated after all of the http-01 challenges have been satisfied during the ACME order finalization step.
This is certainly a viable solution if you want (and can) handle everything locally in bulk with some out-of-box or custom automation.
CertSage really excels at operating in restricted circumstances (e.g. no root access, "factory" PHP installation) while being super easy to configure and operate for even the most novice website operator. While it can fit into scripted solutions (by submitting a proper POST request to the PHP), it's primarily intended for someone who "simply wants to get a certificate" then handle installation however they want. Ideally, with root access, if I were using CertSage with automation, I would probably just configure, say, my Apache server to point to the location where CertSage saves the certificate and private key, then just use a cron job that checks to see if the cert is 60+ days old. If so, submit the POST request then reload Apache with sudo apachectl -k graceful.
That's exactly right and to the point. As long as you don't mind handling the installations individually (which it sounds like you need to do now anyhow), CertSage allows you to handle all of the certificate generations/renewals from the comfort of your mobile browser. You visit each domain.com/certsage.php in turn, filling out the simple form, clicking the button, then installing the certificate.
If automation is at all possible, I highly recommend these methods.
I'm certainly a fan of your works, @jvanasco. When there's a complex setup, especially one with involved delegations and distribution, I trust your approach.
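The cron-driven flow described above (check the certificate's age, submit the client's form when it is 60+ days old, then hand off installation) as a PHP script; this is an added example, not CertSage's own code or anything from this thread's authors. The certificate path, the form URL, the notification address and, above all, the POST field names are assumptions: the thread does not give CertSage's field names, so the array passed to submitRenewal() is a placeholder to replace.

```php
<?php
// Added example: cron-driven renewal check for a webroot PHP ACME client.
// Every path, URL and form field below is an assumed placeholder.
const CERT_PATH    = '/home/user/certsage/certificate.crt';  // assumed save location
const CLIENT_URL   = 'https://example.com/certsage.php';      // assumed form URL
const NOTIFY_EMAIL = 'admin@example.com';                     // assumed
const RENEW_AFTER  = 60;  // days since issuance, as suggested in the post above

// Days since the certificate at $path was issued, or null if it is missing/unreadable.
function certAgeInDays(string $path): ?int
{
    $pem = @file_get_contents($path);
    if ($pem === false) {
        return null;
    }
    $info = openssl_x509_parse($pem);
    if ($info === false || !isset($info['validFrom_time_t'])) {
        return null;
    }
    return intdiv(time() - $info['validFrom_time_t'], 86400);
}

// A missing or unreadable certificate counts as due, so a broken file is noticed.
function renewalDue(?int $ageDays, int $threshold = RENEW_AFTER): bool
{
    return $ageDays === null || $ageDays >= $threshold;
}

// POST the form fields to the client, exactly as the browser form would.
function submitRenewal(string $url, array $fields): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 120,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    return ['status' => $status, 'body' => $body];
}

if (!renewalDue(certAgeInDays(CERT_PATH))) {
    exit(0);  // certificate still fresh, nothing to do this run
}
$result = submitRenewal(CLIENT_URL, ['domain' => 'example.com']);  // placeholder fields
// Success is judged by the saved certificate's age resetting, not by the HTTP status alone.
$ok = $result['status'] === 200 && !renewalDue(certAgeInDays(CERT_PATH));
mail(NOTIFY_EMAIL, ($ok ? 'Certificate renewed: ' : 'Renewal FAILED: ') . 'example.com',
     "HTTP {$result['status']}\nDownload the new certificate and upload it in the hoster panel.");
```

Run it from the hosting account's scheduler (or any machine that can reach the form URL) once a day; it is idle until the saved certificate is old enough, and the e-mail is the cue for the manual upload step.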
Where there's a will there's a way. Here's an example Python script to apply a certificate via a web UI (in this case, a printer management UI) page: Automating Epson SSL/TLS certificate renewal · Fazal Majid's low-intensity blog - the script logs in to the website (gets a session cookie) then posts to the cert management form. Obviously if the web UI changes then it potentially breaks your script.
Most ACME Clients can optionally run scripts after renewal, so you can automate this as long as the machine you run the app on runs regularly enough. For instance, my own Certify The Web app can run on Windows, do all sorts of DNS validation and you can add a deployment task (such as export cert files, running a python script). You can also do this with other tools such as win-acme or Posh-ACME.
A Python script is not what I am looking for, since I don't want to learn Python for now.
certbot on a local machine is also not an option for now. Maybe I'll switch to a VPS someday with my websites and then use certbot (actually I feel much safer not running a VPS on my own).
CertSage sounds like something that looks really close to what I am looking for. I'll keep that as an option.
Since I have just renewed my certificates yesterday, I have time enough for a final decision and some experiments.
I've found some PHP libraries in the LE clients list. Guess I have to take a look at all of them to see which one is easiest to use for me. If I don't get along with these, I'm gonna try CertSage.
As far as I know you can only provide SSL cert files via the web interface of HostEurope. You do not have any other option to solve your problem. Also you cannot edit the v-hosts - only in the web interface. You will need to get a vServer.
It is truly annoying work to do, I do it every 80 days for - god bless - only one domain. And even this takes minutes.
Yes, I know.
I am not searching for a solution that updates the certificates on the server. I only search for something to get the certificate without having some minutes of work for each domain. The upload on the web interface only takes a few seconds.
That's the reason I will look through those PHP libraries. I guess I'll find something there that works for me. Next week I think I'll look at it. However, I will have to wait about 2 months before I can do the final tests because I already renewed the certificates recently.