I want to generate an SSL certificate without executing a shell script on my server


#1

I want to generate SSL certificates for a custom domain and its subdomains, and the whole process will be dynamic, so whenever the system finds any new domain it will generate an SSL certificate. I want this to be done without executing a shell script on my server, as shell script execution is restricted on the server.

I am using Ubuntu 16.04 with nginx server.

Your help will be appreciated.

Please suggest a way out.

Thanks.


#2

And what else is restricted?

Can you run a Linux binary or are only shell scripts prohibited? Who is restricting what runs?

If you can’t run a program of some form (whether a shell script or a Linux binary), then what you’re asking for is not going to be possible.


#3

Thanks for your quick response.

I can run PHP scripts, and the server guy is restricting shell scripts from executing on the server due to some security issues. So I can’t execute a Linux binary or shell script on my server; if possible, I can run a PHP script instead.

Ask me if you have any questions.


#4

There’s an ACME client written fully in PHP that you could use: https://github.com/kelunik/acme-client . However, you will need administrative privileges to reload nginx after issuing a certificate …

It sounds a little bit like you have a dysfunctional relationship with your server admin, to be brutally honest :speak_no_evil:


#5

Thanks for the suggestion of acme-client. Let me check this acme-client library.

Hope I will get something into it.

Yeah, you can say that. But he is doing his job and it is kind of a requirement.

Thanks.


#6

Another option might be to get a separate server and issue the certificates there (running the software of your choice), and then download the certificates and private keys onto the restricted server using scp or rsync.


#7

First, scp and rsync are terminal commands, so I can’t achieve this your way, as shell execution is prohibited. But one thing I can do is download the certificate from another server using a PHP API.

Second, I want to ask whether a certificate generated on one server can be used on another server.
For example:

  1. www.example.com (SSL certificate generation here)
  2. www.default.com (Copy SSL from #1 and paste here)

Does that work? If yes, then I can go with this process. After that, the only thing I need to do is copy the certificate from #1 (example.com) and paste it on #2 (default.com).

Is the second case possible? Then it could be the best solution.

Thanks.


#8

How do you intend to install the certificate into nginx and trigger a graceful reload, given these restrictions?

Since nginx runs (or at least, should run) at a separate privilege level to PHP, even if you get your hands on a certificate file … what are you going to do with it?


#9

Yes, if certain conditions are met.

(1) If you temporarily change the DNS record for www.default.com to point at www.example.com, then the www.example.com server can obtain certificates for www.default.com.

(2) Or, if you make http://www.default.com/.well-known/acme-challenge/ URLs redirect to the corresponding URLs on http://www.example.com/.well-known/acme-challenge/, then the www.example.com server can obtain certificates for www.default.com.

(3) Or, if the www.example.com server has DNS API credentials for the DNS provider for www.default.com, then it can use them to create TXT records to obtain certificates for www.default.com.

(4) Or, if you create a DNS CNAME record for _acme-challenge.www.default.com that points at _acme-challenge.www.example.com, then, if the www.example.com server has DNS API credentials for the DNS provider for www.example.com, it can use them to create TXT records to obtain certificates for www.default.com.
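As an added example (not from any post in this thread), option (2) expressed as nginx configuration: the challenge-only redirect on the restricted www.default.com host, and the matching challenge location on the issuing www.example.com host. The webroot /var/www/acme is an assumed path that the ACME client on www.example.com would write its challenge files into.

```nginx
# --- on the restricted www.default.com server ---
# Forward only the ACME HTTP-01 challenge path to the issuing server.
# $request_uri keeps the token filename intact, so the CA's validation
# request still lands on the exact file the ACME client created.
server {
    listen 80;
    server_name www.default.com;

    location /.well-known/acme-challenge/ {
        return 301 http://www.example.com$request_uri;
    }

    # Everything else stays on this server (unchanged behaviour).
    location / {
        return 301 https://$host$request_uri;
    }
}

# --- on the issuing www.example.com server ---
# Serve challenge files from the webroot the ACME client writes to.
# Because the redirect above rewrites the host, requests for default.com
# tokens arrive here with Host: www.example.com and match this block.
server {
    listen 80;
    server_name www.example.com;

    location /.well-known/acme-challenge/ {
        root /var/www/acme;   # assumed webroot, e.g. acme-client's output dir
        default_type text/plain;
    }
}
```

Only the challenge path is redirected, so the rest of www.default.com is unaffected; as post #8 points out, the resulting certificate and private key still have to be installed into nginx on the restricted host and nginx reloaded, which this configuration does not solve.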

