How can I make a free SSL Portal for my clients

It’s honestly not “hard” to get this working. It just takes some time, a bit of research, and some trial and error. Just be sure to use the “staging” environment (--dry-run) so you’re not generating junk certificates while you are testing (to keep you from running into limits from Let’s Encrypt).


It’s really confusing for me, as I am completely new and just getting started.
I would like some help to get started building it. I’m a newbie in developing things right now :slight_smile:

You should be good to go then. Basically, you're looking to learn the fundamentals of using certbot for one customer account then script the process and just make those "scripted calls" from PHP. Then you can design web page forms around those processes without any issues.

The real secret here is just to turn on the "verbose" or "a lot of logs" for certbot and run through the --dry-run process a bunch of times. That will give you the process and the responses from the Let's Encrypt server to see what's going on. Much easier than just trying to understand the spec (RFC 8555 - Automatic Certificate Management Environment (ACME)).

Isn’t there any open source client for that kind of purpose? Because I see many people use that regularly.

Also, I know it’s a bit challenging to read, but look at the source pages and Javascript of gethttpsforfree.com. The notes they give in the source code and the flow of the process make things much easier to understand. You don’t need to implement all of it yourself (like I did). You can use libraries or certbot to do most of the complicated tasks. Just start with understanding the basic flow of the process.

I believe so, but I'm not very familiar. I like working from the basics myself.


But they are actually using a lot of things like public keys and TXT records that I could not apply here.

Public key is not a problem for you :wink:

https://www.php.net/manual/en/function.openssl-pkey-new.php

https://www.php.net/manual/en/function.openssl-pkey-get-public.php

openssl_pkey_new() generates a new private and public key pair. The public component of the key can be obtained using openssl_pkey_get_public().

As for the records, I believe that the reference you sent to me shows you how to use CNAMEs…

yup. I want CNAME and domain name. That’s it.
About CSR and all, clients will do it on their own.

Exactly. This whole issue comes down to the age-old question: How do you eat an elephant? Answer: One bite at a time. Just get a good understanding of the basic cert process and then script around it in PHP. A library is more “native”, but using certbot as your library is certainly an option.


:laughing: No, not like that!
Yup, you are correct. So whenever I start, I will ask about any doubts. Thanks!

Sounds good. You might want to ask your development questions in the #client-dev forum. You’ll get more targeted help there with your bumps in the road.

acme.sh, an all-bash ACME client, has a cPanel certificate deploy script. Perhaps you can integrate that script into a custom web page where clients can get a certificate with a single press of a button?


They can also probably use acme-dns to obtain certificates for their clients via DNS validation, as I suggested last time we had this discussion with OP :smiley:


Absolutely. There are a number of options. Just not many (or any) that are just drag and drop.

Well,

Can I use my VPS to pass DNS requests?
Like sending somethingrandom.acme.mydomain to a TXT record to use Certbot?
I tried but I’m really confused.

If you use acme-dns, you are installing a DNS server that will respond to DNS challenges.

The DNS server you install will answer any DNS queries for *.acme.yourdomain.

To make those challenges meaningful, each of your clients' domains will have a CNAME like this:

_acme-challenge 1200 IN CNAME some-hash-or-random-string.acme.yourdomain.

meaning that a DNS query for TXT _acme-challenge.yourclientdomain will follow the CNAME to some-hash-or-random-string.acme.yourdomain. and the TXT record will be whatever acme-dns puts there.

Several ACME clients support automating this.


How will it follow the request?
Can you name the best client I can use?

That line is a bit off. The spirit is right - as are the paragraphs after that - but that intro is misleading.

In the acme-dns flow, this happens:

  • You configure a (sub)domain to act as a nameserver and install acme-dns on it.
  • To provision a certificate, for each fully-qualified-domain-name (FQDN), you:
    1. Create an account on the acme-dns server. The "account" is basically a triplet of UniqueRandomFQDN+Challenge+Password
    2. Delegate the DNS query: update the FQDN's main DNS record to CNAME the _acme-challenge onto the unique subdomain on the acme-dns server.
    3. Update the acme-dns server with the DNS challenge from LetsEncrypt
  • To renew a certificate, you just repeat Step 3, which can be automated by plugins, as the DNS delegation of challenges to acme-dns is already configured.

There is never a DNS query from LetsEncrypt for *.acme.yourdomain against acme-dns or anything else. LetsEncrypt only queries DNS for the _acme-challenge.<YOUR_DOMAIN>. record, expecting it to have the challenge value OR a CNAME that it will follow. When LetsEncrypt follows the CNAME to acme-dns, it looks up the <UniqueRandomFQDN> record - not *.example.com.

IIRC, for wildcard certificates two subdomains/values are created in acme-dns -- one for example.com to CNAME onto and another for *.example.com to CNAME onto (note: the same applies for subdomain.example.com and *.subdomain.example.com).

So instead of looking up *.example.com, the acme-dns flow has you delegate the DNS challenge to a unique random throwaway domain.

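As an added worked example (not code from any post in this thread, and not acme-dns's or certbot's own code), here is an offline Python model of the three-step acme-dns flow described in the last two posts: register a throwaway subdomain, add the one-time CNAME in the customer's zone, then push the dns-01 value on every issuance. It also computes the TXT value the way RFC 8555 section 8.4 defines it and shows the CA's side: a TXT query at `_acme-challenge.<domain>` that follows the CNAME, never a query for `*.acme.yourdomain`. The zone names (`acme.provider.example`, `client.example`), the tokens and the account-key thumbprint are constructed placeholders, and the resolver and acme-dns server are toy in-memory stand-ins; the example goes slightly beyond the post by also covering the wildcard case, where `example.com` and `*.example.com` both validate at the same `_acme-challenge.example.com` name, so the delegated name must be able to serve two TXT values at once.

```python
"""Model of the acme-dns delegation flow with constructed zone data (no network)."""
import base64
import hashlib
import uuid


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding ACME uses throughout (RFC 8555 section 6.1)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def dns01_txt_value(token: str, account_key_thumbprint: str) -> str:
    """TXT value the CA expects for dns-01 (RFC 8555 section 8.4):
    base64url(SHA-256(token + "." + base64url(JWK thumbprint of the account key)))."""
    key_authorization = f"{token}.{account_key_thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_name(identifier: str) -> str:
    """Name the CA queries for an identifier. A wildcard's leading '*.' is removed
    first (RFC 8555 section 7.1.3), so example.com and *.example.com are both
    validated at _acme-challenge.example.com."""
    if identifier.startswith("*."):
        identifier = identifier[2:]
    return f"_acme-challenge.{identifier}".lower().rstrip(".")


class FakeDns:
    """Stand-in for the whole DNS: name -> list of (rtype, rdata). It holds both the
    customer's zone and the acme-dns zone; the CA's resolver queries it."""

    def __init__(self):
        self.records = {}

    def add(self, name, rtype, rdata):
        self.records.setdefault(name.lower().rstrip("."), []).append((rtype, rdata))

    def set_txt(self, name, values):
        self.records[name.lower().rstrip(".")] = [("TXT", v) for v in values]

    def query_txt(self, name, max_hops=8):
        """TXT lookup that follows CNAMEs the way a validating resolver does."""
        name = name.lower().rstrip(".")
        for _ in range(max_hops):
            rrset = self.records.get(name, [])
            cnames = [rdata for rtype, rdata in rrset if rtype == "CNAME"]
            if cnames:
                name = cnames[0].lower().rstrip(".")  # restart the lookup at the target
                continue
            return [rdata for rtype, rdata in rrset if rtype == "TXT"]
        raise RuntimeError("CNAME chain too long")


class AcmeDnsServer:
    """Toy model of acme-dns: registration yields a unique throwaway subdomain under
    its zone; updates publish TXT values there. Real acme-dns also hands back
    credentials for its update API, which this model omits."""

    def __init__(self, zone, dns):
        self.zone = zone.rstrip(".")
        self.dns = dns
        self.values = {}

    def register(self):
        fqdn = f"{uuid.uuid4()}.{self.zone}"  # the UniqueRandomFQDN from the post
        self.values[fqdn] = []
        return fqdn

    def update(self, fqdn, txt_value):
        """Keep the two most recent values so the apex and wildcard challenges,
        which land on the same delegated name, can both be answered."""
        vals = self.values[fqdn]
        vals.append(txt_value)
        del vals[:-2]
        self.dns.set_txt(fqdn, vals)


def ca_validates(dns, identifier, expected_txt):
    """The CA's side: query _acme-challenge.<identifier> (following any CNAME) and
    accept if any TXT record there equals the expected value."""
    return expected_txt in dns.query_txt(challenge_name(identifier))


def run_demo():
    dns = FakeDns()
    acme_dns = AcmeDnsServer("acme.provider.example", dns)  # hypothetical acme-dns zone
    client = "client.example"                                # hypothetical customer domain
    thumbprint = b64url(b"constructed-account-key-thumbprint")  # placeholder, not a real JWK thumbprint
    # Constructed tokens; real ones are CA-chosen random values of at least 128 bits.
    tokens = {client: "constructed-token-apex", f"*.{client}": "constructed-token-wildcard"}

    # Step 1: one acme-dns account (throwaway subdomain) for this customer domain.
    delegated = acme_dns.register()
    # Step 2 (once): the customer adds the CNAME in their own zone.
    dns.add(f"_acme-challenge.{client}", "CNAME", delegated)

    results = {}
    expected = {ident: dns01_txt_value(tok, thumbprint) for ident, tok in tokens.items()}
    results["before_update"] = ca_validates(dns, client, expected[client])
    # Step 3 (every issuance and renewal): push each challenge value to acme-dns.
    for ident in tokens:
        acme_dns.update(delegated, expected[ident])
    results["apex"] = ca_validates(dns, client, expected[client])
    results["wildcard"] = ca_validates(dns, f"*.{client}", expected[f"*.{client}"])
    results["wrong_account_key"] = ca_validates(dns, client, dns01_txt_value(tokens[client], "other"))
    # The CA never queries *.acme.provider.example; nothing is published at that name.
    results["star_name_empty"] = dns.query_txt(f"*.{acme_dns.zone}") == []
    return results


if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(f"{check}: {outcome}")
```

Running it shows the apex and wildcard checks passing only after step 3, and failing for a value derived from a different account key, which is the property that makes delegating `_acme-challenge` to a random third-party name safe: the TXT value is bound to the CA's token and to your ACME account key, so whoever controls the acme-dns subdomain still cannot answer a challenge they did not get from you.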