Fully automate manual mode for shared hosting

Hi,

I’m running a virtual web server on a shared hoster which supports certificates through the configuration panel. I’ve used the Let’s Encrypt client in manual mode to create the cert and was able to configure the server to enable https. Great!

Now, while the manual process works, it’s a bit tedious to create the challenge files and upload them to the web server. I would be interested to fully automate this process.

The provider-specific configuration part is already solved (they provide a SOAP API for the web configuration panel), but with the Let’s Encrypt client I’m not sure what the best way would be to automate the creation and upload of the challenge files to our server.

Is it (already) possible to write a plugin for that? Or would the client and/or the manual plugin have to be altered to provide a mechanism for that?

Thanks!

What control panel are you using? Someone may have already started to develop a method.

It may be worth having a look at https://github.com/sjau/le2ispc which works for ISPconfig ( and places the relevant files into the cpanel GUI )

Anything is possible! ACME is an open protocol. You don’t have to use the official client. I’d even say you shouldn’t use the official Python client :wink:

I recommend acme-client + savon + a couple hours of writing Ruby.

Thanks! I was not aware of alternative implementations.

Looking at https://github.com/unixcharles/acme-client, their example already seems nearly there! I’ve never been exposed to ruby before, but looking at that code it seems that adding the uploading bit should not be hard (if there is some means to securely upload a file like SFTP).

For the SOAP part I already have a solution provided by a 3rd party (written in PHP), but I might re-implement it as a programming exercise.

There are a number of other clients which may also be of use / interest

It's a custom solution, I guess (might be a customization of some common product, I have not much experience in this space, it does not look that way).

But that part is already solved. I just want to automate the cert creation at this point.

Thanks very much for the pointer!

This seems to do exactly what I want: GitHub - zero11it/acme-client-letsencrypt-demo (Java ACME Client Let's Encrypt DEMO), not sure about the quality, though. Being able to use the hopefully well-tested and correct official implementation might be a good thing here. Anyway, I will look into it. Thanks.


Do you happen to know what Ruby version is required to use acme-client? I receive syntax errors using the example:

syntax error, unexpected tLABEL, expecting ')' (SyntaxError)
  def initialize(private_key:, endpoint: DEFAULT_ENDPOINT,...

1.9 at least! Which is very old too. You should use 2.2.

Thanks. I’ve tried with 1.9.3 and 2.1.5. Both don’t work! While installing acme-client on Jessie, one dependency was complaining:

ERROR:  Error installing acme-client:
    activesupport requires Ruby version >= 2.2.2.

Unfortunately, 2.1 is the most recent version with Jessie. It’s a pity that LTS releases are often not supported.

But the FTP part is done and the rest should hopefully work once the correct Ruby version is used. Thanks very much for your help.

In the meantime I’ve found an easier way that involves no custom scripting: Mounting the webspace directly into the filesystem using CurlFtpFS and using the webroot plugin provided by the official client.

$ curlftpfs -o ssl,no_verify_hostname ftp://username:password@ftp.hostname /mountpoint/ftp.hostname
$ letsencrypt-auto certonly --agree-tos --text --rsa-key-size 4096 --webroot --webroot-path /mountpoint/ftp.hostname --email contact@hostname -d hostname -d www.hostname
$ fusermount -u /mountpoint/ftp.hostname
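The three commands above (mount the webspace with curlftpfs, run certonly with the webroot plugin, unmount) are easy to script, but a wrapper should unmount even when certonly fails and should not take the FTP password on the command line. The following is an added example for this thread, not code from the Let's Encrypt client or from curlftpfs. It assumes things the post does not say: the credentials live in a file readable only by its owner holding one line of the form "username:password", they are passed with curlftpfs's `-o user=` option instead of in the URL, and the three external commands can be swapped out so the flow can be dry-run. It deliberately leaves out the `no_verify_hostname` option from the original command, since that disables checking the FTPS certificate against the server name; add it back only if you have confirmed the provider's certificate really does not match, knowing what you give up.

```python
"""Run the curlftpfs + webroot procedure from the post above as one step.

Added example for this thread, not code from the Let's Encrypt client or
from curlftpfs.  Assumptions that are not in the thread: the FTP credentials
live in a file readable only by its owner with one line "username:password",
and the external commands are injectable so the flow can be dry-run.
"""
import os
import stat
import subprocess
import tempfile

# Constructed sample values for the dry run; not real hosts or accounts.
DEMO_CREDENTIALS = "alice:s3cret"
DEMO_FTP_HOST = "ftp.example.test"
DEMO_DOMAINS = ["example.test", "www.example.test"]


def read_credentials(path: str) -> str:
    """Return "user:password" from the credentials file.  Refuse a file that
    group or others can read: the password would be exposed to every local
    account, exactly as it is when typed into a command line or history."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path} is mode {mode:04o}; chmod 600 it first")
    with open(path, encoding="utf-8") as fh:
        line = fh.readline().strip()
    if ":" not in line:
        raise ValueError("expected one line of the form user:password")
    return line


class WebrootIssuer:
    """Mount the webspace, run certonly with --webroot, always unmount."""

    def __init__(self, ftp_host, mountpoint, cred_file, email,
                 curlftpfs="curlftpfs", letsencrypt="letsencrypt-auto",
                 fusermount="fusermount"):
        self.ftp_host = ftp_host
        self.mountpoint = mountpoint
        self.cred_file = cred_file
        self.email = email
        self.curlftpfs = curlftpfs
        self.letsencrypt = letsencrypt
        self.fusermount = fusermount

    def run(self, domains):
        """Return the argv lists that were executed, in order, for inspection."""
        if not domains:
            raise ValueError("at least one domain is required")
        userpass = read_credentials(self.cred_file)
        os.makedirs(self.mountpoint, exist_ok=True)
        executed = []

        def exec_cmd(argv, check=True):
            executed.append(argv)
            subprocess.run(argv, check=check)

        # -o user= keeps the password out of the URL, though it is still
        # visible in ps to other local users while the mount is up.  The
        # no_verify_hostname option from the original command is left out:
        # it disables checking the FTPS certificate against the host name.
        exec_cmd([self.curlftpfs, "-o", f"ssl,user={userpass}",
                  f"ftp://{self.ftp_host}", self.mountpoint])
        try:
            argv = [self.letsencrypt, "certonly", "--agree-tos", "--text",
                    "--rsa-key-size", "4096", "--webroot",
                    "--webroot-path", self.mountpoint, "--email", self.email]
            for domain in domains:
                argv += ["-d", domain]
            exec_cmd(argv)
        finally:
            # Unmount even when certonly fails so the webspace is never left
            # attached to the local filesystem after the script exits.
            exec_cmd([self.fusermount, "-u", self.mountpoint], check=False)
        return executed


def demo_dry_run():
    """Exercise the flow with the 'true' command standing in for the real ones."""
    with tempfile.TemporaryDirectory() as tmp:
        cred_file = os.path.join(tmp, "ftp-credentials")
        with open(cred_file, "w", encoding="utf-8") as fh:
            fh.write(DEMO_CREDENTIALS + "\n")
        os.chmod(cred_file, 0o600)
        issuer = WebrootIssuer(DEMO_FTP_HOST, os.path.join(tmp, "mnt"), cred_file,
                               "contact@example.test",
                               curlftpfs="true", letsencrypt="true", fusermount="true")
        return issuer.run(DEMO_DOMAINS)


def demo_rejects_readable_credentials():
    """True if a world-readable credentials file is refused."""
    with tempfile.TemporaryDirectory() as tmp:
        cred_file = os.path.join(tmp, "ftp-credentials")
        with open(cred_file, "w", encoding="utf-8") as fh:
            fh.write(DEMO_CREDENTIALS + "\n")
        os.chmod(cred_file, 0o644)
        try:
            read_credentials(cred_file)
        except PermissionError:
            return True
        return False


if __name__ == "__main__":
    for argv in demo_dry_run():
        print(" ".join(argv))
```

With real commands, the password still sits in the curlftpfs process's arguments for the lifetime of the mount, so where the plan allows SFTP, sshfs with key authentication (as suggested later in the thread) is the cleaner option.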

Excluding the fact that you are using insecure FTP, interesting. Try it with SFTP now :smile:

It uses FTPS (which is actually the only way because my provider plan does not allow SFTP).

Try

curlftpfs -o ssl,no_verify_hostname ftp://username:password@ftp.hostname /mountpoint/ftp.hostname -v

to verify how the client uses the AUTH command to secure the connection before login and data transfer are done.

When available, SFTP could be used in a similar fashion with sshfs (and might be the better choice because it is more firewall-friendly).

I’m trying to follow your example of mounting the webspace. Unfortunately I get the following error:
The webroot plugin is not working; there may be problems with your existing configuration. The error was: PluginError('/home/vagrant/<path to dir>/www does not exist or is not a directory',)

I’m trying to run this command from a vagrant box running Ubuntu 14.x using sshfs/FUSE instead of curlftpfs. The webspace mounted with no issues and I can write files to it. Any ideas? Here’s a copy of the command I used:

./letsencrypt-auto \
  certonly \
  --agree-tos \
  --manual-public-ip-logging-ok \
  --text \
  --rsa-key-size 4096 \
  --webroot \
  --webroot-path ~/<path to dir>/www \
  -d <domain name> \
  -d www.<domain name>

Thanks for any help.

@devnoise: I would assume a problem with permissions. Make sure that the mounted folder is accessible by the user you use for certificate generation.

@waldon: Thanks for your response. Finally getting back to this and seem to have permission fixed. Now the failed response is:

Failed authorization procedure. <domain name> (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://<domain name>/.well-known/acme-challenge/1ih3_o-d2IE_4wafLDCe10lgvIEM3INRZ_8azbQ1zPo [209.95.55.130]: 404, www.<domain name> (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.<domain name>/.well-known/acme-challenge/y1i9KF_YUBh0bp9A2m9XX1d1yUEPELh6oTy8LRMfiFU [209.95.55.130]: 404

IMPORTANT NOTES:

  • The following ‘urn:acme:error:unauthorized’ errors were reported by
    the server:

    Domains: <domain name>, www.<domain name>
    Error: The client lacks sufficient authorization

Seems like the Let’s Encrypt client still can’t write the files over sshfs. Would prefer that as I don’t have to put passwords in the shell script wrappers I’ve been trying.

Yes, make sure the folder is writable by the Let’s Encrypt user (probably root).

Thanks, I tried a couple of different options/fixes and haven’t had any success with the Let’s Encrypt client. That said I seem to be making headway using acme-tiny client and sshfs to get the certificates signed on my vagrant box.

@devNoise I had the perfect result with sshfs. Your above posted error points to a non-web-accessible folder. Are you sure your domain directs to the folder your .well-known folder sits in?
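The 404s quoted above are the CA reporting that http://<domain>/.well-known/acme-challenge/<token> did not serve the expected content, and the last reply has the usual cause: the mounted directory is not the one the vhost serves. For anyone writing their own automation (the question that opened the thread), the http-01 challenge file is small enough to create and pre-check by hand before asking the CA to validate. The following is an added example for this thread, not code from the Let's Encrypt client, acme-client, acme-tiny or any other implementation mentioned here. Assumptions not taken from the thread: the sample account key is the public RSA JWK from the RFC 7638 example (a published test key, not a real account key), the token is the first one from the error message above, and the domain and paths passed to the check functions are yours to supply.

```python
"""Create an ACME http-01 challenge file and pre-check it before asking the CA.

Added example for this thread; not code from the Let's Encrypt client,
acme-client, acme-tiny or any other implementation mentioned here.  The
sample key is the public RSA JWK from the RFC 7638 example (a published
test key) and the token is the one from the error message quoted above.
"""
import base64
import hashlib
import json
import os
import tempfile
import urllib.error
import urllib.request

SAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": ("0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFF"
          "xuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt"
          "7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6q"
          "MQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHa"
          "Q-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw"),
    "alg": "RS256",       # optional member, not part of the thumbprint input
    "kid": "2011-04-29",  # optional member, not part of the thumbprint input
}
SAMPLE_TOKEN = "1ih3_o-d2IE_4wafLDCe10lgvIEM3INRZ_8azbQ1zPo"
B64URL_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, in lexicographic
    order, with no whitespace.  alg, kid and other optional members are
    excluded, so two JWKs for the same key give the same thumbprint."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Body of the challenge file: <token>.<account key thumbprint>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def token_is_safe(token: str) -> bool:
    """The token comes from the CA and ends up as a file name, so accept only
    the base64url alphabet (no '/', '..', spaces or anything else)."""
    return bool(token) and not (set(token) - B64URL_ALPHABET)


def challenge_path(webroot: str, token: str) -> str:
    """Local path that maps to http://<domain>/.well-known/acme-challenge/<token>."""
    if not token_is_safe(token):
        raise ValueError("token is not base64url")
    return os.path.join(webroot, ".well-known", "acme-challenge", token)


def write_challenge(webroot: str, token: str, jwk: dict) -> str:
    path = challenge_path(webroot, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, jwk))
    return path


def check_local(webroot: str, token: str, jwk: dict) -> bool:
    """Re-read the file through the same mount.  Catches a wrong webroot, a
    mount that dropped the write, or a permissions problem."""
    path = challenge_path(webroot, token)
    if not os.path.isfile(path):
        return False
    with open(path, encoding="ascii") as fh:
        return fh.read() == key_authorization(token, jwk)


def check_remote(domain: str, token: str, jwk: dict, timeout: float = 10.0) -> bool:
    """Fetch exactly what the CA fetches (plain HTTP, port 80) and compare.
    A 404 here while check_local() passes means the directory you mounted
    is not the one the vhost serves, which is what the errors above show."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("ascii", errors="replace")
    except (urllib.error.URLError, OSError):
        return False
    return body.strip() == key_authorization(token, jwk)


def selfcheck_roundtrip() -> dict:
    """Write the sample challenge into a temporary webroot, verify it, then
    corrupt it and verify that the check fails.  Returns the outcomes."""
    with tempfile.TemporaryDirectory() as webroot:
        path = write_challenge(webroot, SAMPLE_TOKEN, SAMPLE_JWK)
        ok_before = check_local(webroot, SAMPLE_TOKEN, SAMPLE_JWK)
        with open(path, "a", encoding="ascii") as fh:
            fh.write("x")  # simulate a garbled or truncated upload
        ok_after = check_local(webroot, SAMPLE_TOKEN, SAMPLE_JWK)
        missing = check_local(webroot, "A" * 43, SAMPLE_JWK)
    return {"ok_before": ok_before, "ok_after": ok_after, "missing": missing}


if __name__ == "__main__":
    print(key_authorization(SAMPLE_TOKEN, SAMPLE_JWK))
    print(selfcheck_roundtrip())
```

In a real run the token and the account key come from your ACME client; the point is the order of checks: check_local() passing and check_remote() failing reproduces exactly the 404 in the thread and tells you the mount point and the vhost's document root are different directories before the CA tells you the same thing. RFC 7638 section 3.1 lists the expected thumbprint for the sample key, which is a quick way to confirm the canonicalization if you adapt the code.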