Generate certificate using php

Hi All,

I am trying to automate the process of generating an SSL for the domains getting registered on my platform. For this, I am trying to execute the commands from the browser using PHP by manually configuring the commands in the backend.

I have used the following command to generate a certificate.

echo $ssh->exec('sudo certbot certonly --manual --preferred-challenges=dns --agree-tos --email shashank@depasserinfotech.in -d *.dcommerce.store');

The command gets executed properly but I want the process to be non-interactive as I am trying to pass all the parameters at one go so that certbot directly provides me with the TXT record.

I am generating the certificates on AWS Lightsail LAMPP Server

What am I doing wrong here?


Hi @shashank

please read

You use --manual, that can’t work.

That's not true, unless the certbot devs have deleted the manual hooks.

Edit: according to the docs the options --manual-auth-hook and --manual-cleanup-hook still exist. With those, you can make the manual plugin work non-interactive.

There

> but I want the process to be non-interactive

is no --manual-auth-hook.

I am trying to use the pre and post validation hooks using the Cloudflare APIs. I have generated two files, i.e. authenticator.sh and cleanup.sh, as instructed in the documentation, but I keep getting the error

Saving debug log to /var/log/letsencrypt/letsencrypt.log manual-auth-hook command /var/shell/authenticator.sh exists, but is not executable.

Any idea why is this happening?

Because you forgot to chmod +x your script, most probably.


Offtopic: if you mean to tell "you're missing the necessary options to make it work", but you actually say "it's impossible", I'm not sure your intended message is received. Perhaps it's best just to tell people they're missing a required option.

All the necessary permissions are given to the script, but somehow the script still works in the interactive mode.

Following is my script.

```bash
#!/bin/bash
API_KEY="xxxxxxxxxxxxxxxx"
EMAIL="xxxxxx@xxxxxx.xx"

# Strip only the top domain to get the zone id
DOMAIN=$(expr match "$CERTBOT_DOMAIN" '.*\.\(.*\..*\)')
# For a bare apex (e.g. the "*.dcommerce.store" wildcard, where certbot passes
# "dcommerce.store" as CERTBOT_DOMAIN) the match above is empty: fall back to it.
[ -n "$DOMAIN" ] || DOMAIN="$CERTBOT_DOMAIN"

# Get the Cloudflare zone id
ZONE_EXTRA_PARAMS="status=active&page=1&per_page=20&order=status&direction=desc&match=all"
ZONE_ID=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones?name=$DOMAIN&$ZONE_EXTRA_PARAMS" \
  -H "X-Auth-Email: $EMAIL" \
  -H "X-Auth-Key: $API_KEY" \
  -H "Content-Type: application/json" \
  | python -c "import sys,json;print(json.load(sys.stdin)['result'][0]['id'])")

# Create TXT record (certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook)
CREATE_DOMAIN="_acme-challenge.$CERTBOT_DOMAIN"
RECORD_ID=$(curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records" \
  -H "X-Auth-Email: $EMAIL" \
  -H "X-Auth-Key: $API_KEY" \
  -H "Content-Type: application/json" \
  --data '{"type":"TXT","name":"'"$CREATE_DOMAIN"'","content":"'"$CERTBOT_VALIDATION"'","ttl":120}' \
  | python -c "import sys,json;print(json.load(sys.stdin)['result']['id'])")

# Save info for cleanup
if [ ! -d "/tmp/CERTBOT_$CERTBOT_DOMAIN" ]; then
  mkdir -m 0700 "/tmp/CERTBOT_$CERTBOT_DOMAIN"
fi
echo "$ZONE_ID" > "/tmp/CERTBOT_$CERTBOT_DOMAIN/ZONE_ID"
echo "$RECORD_ID" > "/tmp/CERTBOT_$CERTBOT_DOMAIN/RECORD_ID"

# Sleep to make sure the change has time to propagate over to DNS
sleep 25
```

Any help would be really appreciated as I am new to this!

Thanks

If you are calling Certbot like this:

--manual-auth-hook hook.sh

try change it to:

--manual-auth-hook ./hook.sh

or

--manual-auth-hook /absolute/path/to/hook.sh

(I accidentally edited your post instead of replying, sorry).

I have given the absolute path for the Authenticator.sh file.

sudo certbot certonly --manual --preferred-challenges=dns --manual-auth-hook /var/shell/authenticator.sh --manual-cleanup-hook /var/shell/cleanup.sh

It still works in the interactive mode.

Do you mean Certbot’s interactive mode? Or interactive as in you are calling your script in the shell?

I have to agree with the earlier suggestion that if it’s an absolute path, then the file mode is wrong.

What’s this say?

stat /var/shell/{authenticator,cleanup}.sh

Yes, I mean certbot’s interactive mode. As per the instructions, I am using the Pre/Post Hook to automate the process of generating certificates.

I have created 2 scripts, authenticator.sh and cleanup.sh, which are used to run the certificate generation process in non-interactive mode.

I keep getting the following message even after following all the instructions.

The IP of this machine will be publicly logged as having requested this certificate. If you're running certbot in manual mode on a machine that is not your server, please ensure you're okay with that. Are you OK with your IP being logged? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o:

Any Help?

If you want to non-interactively choose “Yes”, that’s what the --manual-public-ip-logging-ok option is for.

(Let’s Encrypt does not currently actually do that, but might in the future.)

If you are running this in a PTY via phpseclib or something (as in your original post), you should also include --non-interactive, so Certbot knows not to create any input prompts, and will either pick sensible defaults or immediately crash without waiting for input.

I believe the --manual command does not work in --non-interactive mode. Adding this shall immediately crash without even generating a certificate.

You can definitely combine --non-interactive and --manual.

Most likely you are missing some mandatory flags (such as the one a few posts back), and if you pay attention to the output of your execution, it will tell you which ones.
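A preflight check for the two hooks, added here as an example (it is not code from this thread or from certbot): it reproduces the conditions behind the "exists, but is not executable" and relative-path problems discussed above before certbot is ever run, then assembles the non-interactive invocation with the flags named in the thread. The helper names, the hook paths and the checks themselves are assumptions, not certbot's own logic.

```bash
#!/bin/bash
# check_hook PATH: prints a reason and returns non-zero if certbot could not run
# the hook. Exit codes: 1 relative path, 2 missing, 3 not a file, 4 not executable,
# 5 no interpreter line.
check_hook() {
  local hook="$1"
  case "$hook" in
    /*) ;;
    *) echo "not an absolute path: $hook"; return 1 ;;
  esac
  [ -e "$hook" ] || { echo "missing: $hook"; return 2; }
  [ -f "$hook" ] || { echo "not a regular file: $hook"; return 3; }
  [ -x "$hook" ] || { echo "exists, but is not executable: $hook (chmod +x)"; return 4; }
  head -c 2 "$hook" | grep -q '^#!' || { echo "no #! interpreter line: $hook"; return 5; }
  echo "ok: $hook"
}

# build_certbot_cmd DOMAIN EMAIL AUTH_HOOK CLEANUP_HOOK: prints the command line
# that runs the manual plugin without any prompt (--non-interactive answers the
# ACME client questions with defaults; --manual-public-ip-logging-ok answers the
# IP-logging prompt). Fails, printing nothing, if either hook would not run.
build_certbot_cmd() {
  local domain="$1" email="$2" auth="$3" cleanup="$4"
  check_hook "$auth" >/dev/null || return 1
  check_hook "$cleanup" >/dev/null || return 1
  printf 'certbot certonly --non-interactive --agree-tos --email %s' "$email"
  printf ' --manual --preferred-challenges=dns --manual-public-ip-logging-ok'
  printf ' --manual-auth-hook %s --manual-cleanup-hook %s -d %s\n' "$auth" "$cleanup" "$domain"
}

# Demo with the hook path from the thread; on a machine without it this prints "missing".
check_hook /var/shell/authenticator.sh || true
```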

okay shall use this and see if it works fine :slight_smile:
