It’s honestly not “hard” to get this working. It just takes some time, a bit of research, and some trial and error. Just be sure to use the “staging” environment (--dry-run) so you’re not generating junk certificates while you are testing (to keep you from running into limits from Let’s Encrypt).
It’s really confusing for me, as I am completely new and just getting started.
I would like some help to get started building it. I’m a newbie in developing things right now.
You should be good to go then. Basically, you're looking to learn the fundamentals of using certbot for one customer account then script the process and just make those "scripted calls" from PHP. Then you can design web page forms around those processes without any issues.
The real secret here is just to turn on the "verbose" or "a lot of logs" for certbot and run through the --dry-run process a bunch of times. That will give you the process and the responses from the Let's Encrypt server to see what's going on. Much easier than just trying to understand the spec (RFC 8555 - Automatic Certificate Management Environment (ACME)).
Isn’t there any open source client for that kinda purposes? Because I see many people use that regularly.
Also, I know it’s a bit challenging to read, but look at the source pages and Javascript of gethttpsforfree.com. The notes they give in the source code and the flow of the process make things much easier to understand. You don’t need to implement all of it yourself (like I did). You can use libraries or certbot to do most of the complicated tasks. Just start with understanding the basic flow of the process.
I believe so, but I'm not very familiar. I like working from the basics myself.
But they are actually using a lot of things like public key and TXT records that I could not apply here.
Public key is not a problem for you
https://www.php.net/manual/en/function.openssl-pkey-new.php
https://www.php.net/manual/en/function.openssl-pkey-get-public.php
openssl_pkey_new() generates a new private and public key pair. The public component of the key can be obtained using openssl_pkey_get_public().
As for the records, I believe that the reference you sent to me shows you how to use CNAMES…
yup. I want CNAME and domain name. That’s it.
About CSR and all, clients will do it on their own.
Exactly. This whole issue comes down to the age-old question: How do you eat an elephant? Answer: One bite at a time. Just get a good understanding of the basic cert process and then script around it in PHP. A library is more “native”, but using certbot as your library is certainly an option.
No not like that!
Yup you are correct. So whenever I start, I will ask for any doubts. thanks!
Sounds good. You might want to ask your development questions in the #client-dev forum. You’ll get more targeted help there with your bumps in the road.
acme.sh, an all bash ACME client, has a cPanel certificate deploy script. Perhaps you can integrate that script into a custom web page where clients can get a certificate with a single press of the button?
they can also probably use acme-dns to obtain certificates for their clients via dns validation, as I suggested last time we had this discussion with OP
Absolutely. There are a number of options. Just not many (or any) that are just drag and drop.
Well,
Can I use my VPS to pass DNS requests?
Like sending somethingrandom.acme.mydomain to a TXT record to use certbot?
I tried but got really confused.
If you use acme-dns, you are installing a dns server that will respond to dns challenges.
The dns server you install will answer to any dns queries for *.acme.yourdomain
To make those challenges meaningful, each of your clients' domains will have a CNAME like this:
_acme-challenge 1200 in CNAME some-hash-or-random-string.acme.yourdomain.
meaning that a dns query for txt _acme-challenge.yourclientdomain
will follow the cname to some-hash-or-random-string.acme.yourdomain.
and the txt record will be whatever acme-dns puts there.
several acme clients support automating this.
how it will follow the request?
Can you name the best client I can use?
That line is a bit off. The spirit is right - as are the paragraphs after that - but that intro is misleading.
In the acme-dns flow, this happens:
- You configure a (sub)domain to act as a nameserver and install acme-dns on it.
- To provision a certificate, for each fully-qualified-domain-name (FQDN), you:
  1. Create an account on the acme-dns server. The "account" is basically a triplet of UniqueRandomFQDN+Challenge+Password.
  2. Delegate the DNS query: update the FQDN's main DNS record to CNAME the _acme-challenge onto the unique subdomain on the acme-dns server.
  3. Update the acme-dns server with the DNS challenge from LetsEncrypt.
- To renew a certificate, you just repeat Step 3, which can be automated by plugins, as the DNS delegating challenges to acme-dns is already configured.
There is never a DNS query from LetsEncrypt for *.acme.yourdomain against acme-dns or anything else. LetsEncrypt only queries DNS for the _acme-challenge.<YOUR_DOMAIN>. record, expecting it to have the challenge value OR a CNAME that it will follow. When LetsEncrypt follows the CNAME to acme-dns, it looks up the <UniqueRandomFQDN> record - not *.example.com.
IIRC, for wildcard certificates two subdomains/values are created in acme-dns -- one for example.com to CNAME onto and another for *.example.com to CNAME onto (note: the same applies for subdomain.example.com and *.subdomain.example.com).
So instead of looking up *.example.com, the acme-dns flow has you delegate the DNS challenge to a unique random throwaway domain.