How to automate the process of creating an SSL generator?

Yeah, it does look complicated, but I saw a library called greenlock.js; hopefully it will reduce the complexity for me.

And for the easy solution, you mentioned certbot; that looks a little complicated to me. I mean, yes, it's just some sudo commands. But I'm not sure how I will run the sudo commands in Node or Express. I know I can run them in my computer's terminal, but I'm not sure how I can run that in a function in JavaScript. Is there a library for that too?

Why is it a bad thing if I hold the key? I think GitHub Pages holds the key for you too if you enforce HTTPS.

1 Like

We are frequently asked this question with reference made to the highly not recommended website you mentioned. You should never have access to the private keys of the ACME accounts or certificates of other people. If you are intending to create a third-party web page that acquires certificates for other people, please don't as the likelihood of it violating the Let's Encrypt subscriber agreement is very high. There are already hundreds of those sites in existence that should be taken down. Please don't add to the problem.


Holding someone else's ACME account private key allows you to revoke the certificates generated for them using that ACME account without their authorization.

Holding someone else's certificate private key is an obvious violation of their security.

5 Likes

Will greenlock violate the T&S of Let's Encrypt too? For example, if I take the email and domain of the user, pass it through the greenlock file and give the domain a certificate, will that be a problem? I'm still going through the greenlock docs since they're not very well written, but I don't think I will be storing the certificates either. It's just that I will create a REST API endpoint in Express, where the request object will be the email and domain of the user, and then run a function, probably, to let greenlock do its thing and then get the certificate.

1 Like

The problem is that the ACME account private keys and certificate private keys should generally only be generated/stored on the server/device that will be terminating TLS/SSL. It is highly unlikely that someone will visit your web page from the server/device terminating TLS/SSL and your web page will generate the private keys on the client side such that your server never has access to them. Even if the latter condition were actually true, it would require blind trust or continual audit of your client-side code, both of which are unreasonable from a security standpoint.

Even worse, automating the DNS-01 challenge would require granting your server access to the DNS zones of others in some capacity, which is obviously not secure. This is why those websites require the DNS-01 challenge to be satisfied manually.

3 Likes

So basically I shouldn't build this service where a user can just enter their email and domain and get the SSL certificate, as it poses a security problem?

2 Likes

Correct. It's at best redundant and at worst a phishing service. If you want to develop/utilize a proper ACME client, that's fine, but you need to fully understand your motives for doing so.

Both @webprofusion and I have developed our own ACME clients (with his being far more sophisticated than mine). Even with the great efforts of Let's Encrypt, it's not a simple matter to do, so there should be a functional need if it is to be undertaken.

https://tools.ietf.org/html/rfc8555

5 Likes

Out of interest, what is your motivation for providing this service? Do you run website hosting or DNS hosting, or do you just want to provide an easy way for people to get certificates in general?

You mentioned it was all DNS validation so I assume you control the DNS somehow.

5 Likes

It's just to help my clients get SSL easily without them having to know the underlying details of how to get it, or go to cPanel and upload files in acme-challenge, etc. Let's just say the clients are complete noobs in technology. So, I will just give them a frontend like the punchsalad website, where they enter the email and domain, it goes through an Express REST API endpoint, and they get the SSL certificate.

I don't necessarily have control of their DNS. DNS seemed easier than having to upload files, so in case they still don't know how to do either of the two methods, I will go for the DNS way since it seems less time consuming, and do it for them if they ask for it. But I was looking for complete automation without having to upload or change anything, with everything done in an API endpoint function. It wouldn't be available to the public, just for myself helping clients.
If there is a solution like that, please let me know. Thanks.

1 Like

There cannot be a solution like that. Getting a CA certificate with ACME requires the ability to control the domain name. You show control by manipulating the DNS records for the DNS challenge or the server config for the HTTP challenge. It is impossible to create certs in ACME without one of those.

I understand your intent, but without demonstrating control, anyone could get certs for anything, which defeats the value of a cert.

7 Likes

Doesn't greenlock.js create the certs without uploading or changing anything in the DNS records? All we have to do is run the API endpoint, say from Postman, and whatever domain is in the greenlock config file, it gets the cert without doing anything.

1 Like

I am not overly familiar, but a quick look at their docs shows them using DNS plug-ins just like certbot, so ...

Besides, it is for Let's Encrypt - this is how ACME works.

5 Likes

Thanks for the links. So it looks like my use case is not possible, unfortunately :frowning:

4 Likes

Are you their webhost, or providing a whitelabel service for their domain? In those cases, you wouldn't be violating any ToS or security protocols, because you would be acting as their partner and agent. The issue is if you were creating this service for the general public, or if you are a consultant and are trying to help them install certificates on systems you don't manage.

If they have control of their DNS, they can delegate the acme-challenges to you or a third-party.

3 Likes

I will be making their webapps, for example, and I will have control of everything since they are not from a tech background, so I'm not sure if it still violates the ToS.
Maybe they can at least buy the domain for themselves, which is why I said I won't necessarily have access to their DNS records, but if I ask them, they would happily provide me their details, I believe.

If their hosting provides you root access, you can simply install certbot on their hosting servers and run it yourself. Once the initial certificates are acquired and installed, the renewals will be automatic, so neither you nor they will need to do anything additional going forward unless something changes.

4 Likes

You could also just set up their website to be hosted using Caddy, and it'll do all the HTTPS stuff automatically.

5 Likes

If you’re making webapps, you should be able to run certbot via crontabs for renewal.

3 Likes

Yeah, I'm aware of the certbot method and renewal using cron jobs. It's just that I was looking for a plug-and-play solution, like a Postman tab with the REST API, and whenever I need a cert, just bring it up, change the body content to a different email and domain, and get the cert.

If you’re able to run Certbot or another ACME client on the machine, you really should be doing that.

3 Likes
