I want to generate SSL certificates for a custom domain and its subdomains, and the whole process will be dynamic, so whenever the system finds a new domain it will generate an SSL certificate. I want this done without executing a shell script on my server, as shell script execution is restricted on the server.
I can run PHP scripts, but the server guy is restricting shell script execution on the server due to some security issues. So I can't execute a Linux binary or shell script on my server; if possible, I can run a PHP script instead.
There’s an ACME client written fully in PHP that you could use: https://github.com/kelunik/acme-client . However, you will need administrative privileges to reload nginx after issuing a certificate …
It sounds a little bit like you have a dysfunctional relationship with your server admin, to be brutally honest
Another option might be to get a separate server and issue the certificates there (running the software of your choice), and then download the certificates and private keys onto the restricted server using scp or rsync.
First, scp and rsync are terminal commands, and in my case I can't use them to achieve this, as shell execution is prohibited. One thing I can do is download the certificate from another server using a PHP API.
Second, I want to ask whether a certificate generated on one server can be used on another server.
Like for example,
Does that work? If yes, then I can go with this process. After that, the only thing I need to do is copy the certificate from #1 (example.com) and paste it on #2 (default.com).
If the second case is possible, could it be the best solution?
How do you intend to install the certificate into nginx and trigger a graceful reload, given these restrictions?
Since nginx runs (or at least, should run) at a separate privilege level to PHP, even if you get your hands on a certificate file … what are you going to do with it?
(1) If you temporarily change the DNS record for www.default.com to point at www.example.com, then the www.example.com server can obtain certificates for www.default.com.
(2) Or, if you make http://www.default.com/.well-known/acme-challenge/ URLs redirect to the corresponding URLs on http://www.example.com/.well-known/acme-challenge/, then the www.example.com server can obtain certificates for www.default.com.
(3) Or, if the www.example.com server has DNS API credentials for the DNS provider for www.default.com, then it can use them to create TXT records to obtain certificates for www.default.com.
(4) Or, if you create a DNS CNAME record for _acme-challenge.www.default.com that points at _acme-challenge.www.example.com, then if the www.example.com server has DNS API credentials for the DNS provider for www.example.com, it can use them to create TXT records to obtain certificates for www.default.com.
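To make option (4) concrete, here is an added example (not code from this thread or from any ACME client it mentions) that simulates the DNS-01 delegation offline. It computes the TXT value the way RFC 8555 section 8.4 and RFC 7638 define it (base64url of SHA-256 over `token.thumbprint`), and it resolves the CA's query for `_acme-challenge.www.default.com` through the CNAME into example.com's zone. The account key, token and zone records are constructed for the example; only the hashing and encoding steps are the real protocol.

```python
"""
Added example: DNS-01 via CNAME delegation (option 4), simulated offline.

www.example.com's ACME client holds DNS API credentials only for example.com,
so it writes the TXT record under _acme-challenge.www.example.com.  The CA
queries _acme-challenge.www.default.com, follows the CNAME that default.com's
operator created once, and finds the same value.  Key, token and zone data
below are constructed for this example and are not real.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME uses everywhere (RFC 8555 / RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the canonical JSON of the required public members only.

    Private members such as "d" and optional ones such as "kid" must not change
    the result, so they are dropped before serialising.
    """
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: TXT value = base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def resolve_txt(zone: dict, name: str, max_hops: int = 8) -> list:
    """Return TXT strings at `name`, following CNAMEs as a validating resolver does."""
    name = name.lower().rstrip(".") + "."
    for _ in range(max_hops):
        rtype, rdata = zone.get(name, ("NXDOMAIN", None))
        if rtype == "CNAME":
            name = rdata.lower().rstrip(".") + "."
            continue
        return list(rdata) if rtype == "TXT" else []
    raise RuntimeError("CNAME chain too long")


def ca_validates_dns01(zone: dict, domain: str, token: str, account_jwk: dict) -> bool:
    """What the CA does: query _acme-challenge.<domain> TXT and look for the expected value."""
    expected = dns01_txt_value(token, account_jwk)
    return expected in resolve_txt(zone, f"_acme-challenge.{domain}")


# Constructed P-256 account key (public part; coordinates are filler, not a real key).
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(b"\x01" * 32),
    "y": b64url(b"\x02" * 32),
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed challenge token
TXT_VALUE = dns01_txt_value(TOKEN, ACCOUNT_JWK)

# Constructed zone data.  default.com's operator added only the CNAME;
# www.example.com's client wrote the TXT through example.com's DNS API.
ZONE = {
    "_acme-challenge.www.default.com.": ("CNAME", "_acme-challenge.www.example.com."),
    "_acme-challenge.www.example.com.": ("TXT", [TXT_VALUE]),
}


def demo() -> dict:
    """Run the CA-side check for the delegated name and a few failure cases."""
    return {
        "delegated": ca_validates_dns01(ZONE, "www.default.com", TOKEN, ACCOUNT_JWK),
        "direct": ca_validates_dns01(ZONE, "www.example.com", TOKEN, ACCOUNT_JWK),
        "wrong_token": ca_validates_dns01(ZONE, "www.default.com", "other-token", ACCOUNT_JWK),
        "no_delegation": ca_validates_dns01(ZONE, "www.other.com", TOKEN, ACCOUNT_JWK),
    }


if __name__ == "__main__":
    print(demo())
```

The point the simulation makes is that default.com never hands out DNS API credentials: a single static CNAME is enough, and every renewal only touches records in example.com's zone. Note that the CNAME target must be a name the example.com client can actually write to, and that the TXT value changes on every order because the token does.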