How to automate the process of creating an SSL generator?

I want to create something like the PunchSalad certificate generator, where the user passes the domain name, selects DNS, then uses the DNS record and gets the certificates.
I want to know how to make this. So far all I did was create an API endpoint to take the domain name. I don't know how the certificate is generated. Do I need a VM running somewhere in the cloud to get the certificates and do all those sudo commands for certbot, or can it be done for free using a local web server?
Eliminating the HTTP option completely, I just want to go through the DNS route.

You would use an ACME library (for your particular server-side environment/framework) to talk to the Let's Encrypt (ACME) API, which would in turn:

  • begin the certificate order and fetch challenges to complete
  • help the user perform domain validation challenges (or perform it for them), then mark them completed ready to be checked by Let's Encrypt
  • finalize the certificate order, download the certificate

If this sounds complicated, it's because it generally is - if you can use an existing client (like certbot or something else) you'll probably save some time and effort.

One problem with this type of solution is that you will have to hold the private key (which should really be held only by the domain owner/controller, not you).

6 Likes

Yeah, it does look complicated, but I saw a library called greenlock.js; hopefully it will reduce the complexity for me.

And for the easy solution you mentioned, certbot, that looks a little complicated to me. I mean yes, it's just some sudo commands. But I'm not sure how I will run the sudo commands in Node or Express. I know I can run them in my computer's terminal, but I'm not sure how I can run that in a function in JavaScript. Is there a library for that too?

Why is it a bad thing if I hold the key? I think GitHub Pages holds the key for you too if you enforce HTTPS.

1 Like

We are frequently asked this question with reference made to the highly not recommended website you mentioned. You should never have access to the private keys of the ACME accounts or certificates of other people. If you are intending to create a third-party web page that acquires certificates for other people, please don't as the likelihood of it violating the Let's Encrypt subscriber agreement is very high. There are already hundreds of those sites in existence that should be taken down. Please don't add to the problem.


Holding someone else's ACME account private key allows you to revoke the certificates generated for them using that ACME account without their authorization.

Holding someone else's certificate private key is an obvious violation of their security.

5 Likes

Will greenlock violate the ToS of Let's Encrypt too? For example, if I take the email and domain of the user, pass it through the greenlock file and give the domain a certificate, will that be a problem? I'm still going through the greenlock docs since they're not very well written, but I don't think I will be storing the certificates either. It's just that I will create a REST API endpoint in Express, where the request object will be the email and domain of the user, and then run a function, probably, to let greenlock do its thing and then get the certificate.

1 Like

The problem is that the ACME account private keys and certificate private keys should generally only be generated/stored on the server/device that will be terminating TLS/SSL. It is highly unlikely that someone will visit your web page from the server/device terminating TLS/SSL and your web page will generate the private keys on the client side such that your server never has access to them. Even if the latter condition were actually true, it would require blind trust or continual audit of your client-side code, both of which are unreasonable from a security standpoint.

Even worse, automating the DNS-01 challenge would require granting your server access to the DNS zones of others in some capacity, which is obviously not secure. This is why those websites require the DNS-01 challenge to be satisfied manually.

3 Likes

So basically I shouldn't build this service where users can just enter their email and domain and get the SSL certificate, as it poses a security problem?

2 Likes

Correct. It's at best redundant and at worst a phishing service. If you want to develop/utilize a proper ACME client, that's fine, but you need to fully understand your motives for doing so.

Both @webprofusion and I have developed our own ACME clients (with his being far more sophisticated than mine). Even with the great efforts of Let's Encrypt, it's not a simple matter to do, so there should be a functional need if it is to be undertaken.

https://tools.ietf.org/html/rfc8555

5 Likes

Out of interest, what is your motivation for providing this service? Do you run website hosting or DNS hosting, or do you just want to provide an easy way for people to get certificates in general?

You mentioned it was all DNS validation so I assume you control the DNS somehow.

5 Likes

It's just to help my clients get SSL easily without them having to know the underlying details of how to get it, or go to cPanel and upload files in acme-challenge, etc. Let's just say the clients are complete noobs in technology. So I will just give them a frontend like the PunchSalad website, where they enter the email and domain, it goes through an Express REST API endpoint, and they get the SSL certificate.

I don't necessarily have control of their DNS. DNS seemed easier than having to upload files, so in case they still don't know how to do either of the two methods, I will go the DNS way since it seems less time consuming, and do it for them if they ask for it. But I was looking for complete automation without having to upload or change anything, with everything done in an API endpoint function. It wouldn't be available to the public, just for myself helping clients.
If there is a solution like that, please let me know. Thanks.

1 Like

There cannot be a solution like that. Getting a CA certificate with ACME requires the ability to control the domain name. You show control by manipulating the DNS records for the DNS challenge or the server config for the HTTP challenge. It is impossible to create certs in ACME without one of those.

I understand your intent, but without demonstrating control anyone could get certs for anything, which defeats the value of a cert.

7 Likes

Doesn't greenlock.js create the certs without uploading or changing anything in the DNS records? All we have to do is run the API endpoint, say with Postman, and whatever domain is in the greenlock config file gets the cert without doing anything.

1 Like

I am not overly familiar, but a quick look at their docs shows them using DNS plug-ins just like certbot, so ...

Besides, it is for Lets Encrypt - this is how ACME works

5 Likes

Thanks for the links. So it looks like my use case is not possible, unfortunately :frowning:

4 Likes

Are you their webhost or providing a whitelabel service for their domain? In those cases, you wouldn't be violating any ToS or Security protocols, because you would be acting as their partner and agent. The issue is if you were creating this service for the general public, or if you are a consultant and are trying to help them install certificates on systems you don't manage.

If they have control of their DNS, they can delegate the acme-challenges to you or a third-party.

3 Likes

I will be making their web apps, for example, and I will have control of everything since they are not from a tech background, so I'm not sure if it still violates the ToS.
Maybe they can at least buy the domain themselves, which is why I said I won't necessarily have access to their DNS records, but if I ask them they would happily provide me their details, I believe.

If their hosting provides you root access, you can simply install certbot on their hosting servers and run it yourself. Once the initial certificates are acquired and installed, the renewals will be automatic, so neither you nor they will need to do anything additional going forward unless something changes.

4 Likes

You could also just set up their website to be hosted using Caddy and it'll do all the HTTPS stuff automatically.

5 Likes

If you’re making webapps, you should be able to run certbot via crontabs for renewal.

3 Likes

Yeah, I'm aware of the certbot method and renewal using cron jobs. It's just that I was looking for a plug-and-play solution, like a Postman tab with the REST API, and whenever I need a cert, just bring it up, change the body content to a different email and domain, and get the cert.