Running Certbot via PHP exec() Function

I'm attempting to use Certbot to issue a certificate via PHP exec() function. Here's what the exec call looks like:

exec("certbot certonly --dry-run --webroot -w /home/sites -d mydomain.com"); 

When I did that I got the following error back:

The following error was encountered:
[Errno 13] Permission denied: '/var/log/letsencrypt/.certbot.lock'
Either run as root, or set --config-dir, --work-dir, and --logs-dir to writeable paths.

PHP does not run as root on my server, so I changed the exec command to contain the parameters Certbot suggested as follows:

exec("certbot certonly --dry-run --webroot -w /home/sites -d mydomain.com --config-dir /home/sites --work-dir /home/sites --logs-dir /home/sites");

This produced the following error:

Saving debug log to /home/sites/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel):
An unexpected error occurred:
EOFError
Please see the logfiles in /home/sites for more details.

I opened the log file mentioned above and this is what it contained:

2019-03-07 21:20:54,080:DEBUG:certbot.main:certbot version: 0.31.0
2019-03-07 21:20:54,080:DEBUG:certbot.main:Arguments: ['--dry-run', '--webroot', '-w', '/home/sites', '-d', 'mydomain.com', '--config-dir', '/home/sites', '--work-dir', '/home/sites', '--logs-dir', '/home/sites']
2019-03-07 21:20:54,080:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-03-07 21:20:54,110:DEBUG:certbot.log:Root logging level set at 20
2019-03-07 21:20:54,110:INFO:certbot.log:Saving debug log to /home/sites/letsencrypt.log
2019-03-07 21:20:54,111:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2019-03-07 21:20:54,112:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f3b839a42d0>
Prep: True
2019-03-07 21:20:54,112:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f3b839a42d0> and installer None
2019-03-07 21:20:54,113:INFO:certbot.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2019-03-07 21:20:54,114:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 9, in
load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1365, in main
return config.func(config, plugins)
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1234, in certonly
le_client = _init_le_client(config, auth, installer)
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 605, in _init_le_client
acc, acme = _determine_account(config)
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 518, in _determine_account
config.email = display_ops.get_email()
File "/usr/lib/python2.7/site-packages/certbot/display/ops.py", line 53, in get_email
force_interactive=True)
File "/usr/lib/python2.7/site-packages/certbot/display/util.py", line 180, in input
ans = input_with_timeout(message)
File "/usr/lib/python2.7/site-packages/certbot/display/util.py", line 85, in input_with_timeout
raise EOFError
EOFError
2019-03-07 21:20:54,117:ERROR:certbot.log:An unexpected error occurred:

What am I doing wrong? Is there any way to run Certbot from PHP via the exec() function? I looked at Acme PHP and decided it was overkill for what I needed; I'd rather create my own interface to Certbot if possible.

My web server is (include version): Apache 2.4
The operating system my web server runs: CentOS 7.6
I can login to a root shell on my machine: Yes
I'm using a control panel to manage my site: No
The version of my client is: Certbot 0.31.0

Hi @MontyHu

Certbot wants your input - but your PHP script doesn't send any input.

input_with_timeout

Looks like the machine account doesn't have the right to read the directory with the Let's Encrypt account information. So Certbot wants to create a new account - and had a timeout.

Why does Certbot need my input? When I run the same command on the command line, I'm never asked for any input, the process proceeds and finishes without any other interaction from me.

What directory is it trying to read for the account information? When I looked in my /home/sites folder, I saw a folder named accounts that I believe Certbot created. It's owned by the Apache user and the permissions are set to 700, so, maybe that's why? Is there a way to make Certbot make the permissions for this accounts folder 755?

Try passing it the email address it is asking for.

One key thing you need to do when running Certbot programmatically is to use --non-interactive. Otherwise, Certbot might expect that it is running in a terminal and wait for user input.

This way, it will immediately fail if you did not provide a required parameter, rather than prompting for it. For example, if you did not provide --email or --register-unsafely-without-email.

Regarding your permission denied error, you should not get that as long as you pass writable directories for the work, config and log directories - but it looks like you already figured that one out.

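Putting that advice into a PHP exec() call, as an added example that is not code from anyone in this thread: the domain and email are validated before they reach the shell, every argument is passed through escapeshellarg(), and the exit code is checked instead of waiting for a prompt that can never be answered. The function name, the validation rules and the email address are my own assumptions; it also assumes certbot is on the PHP user's PATH and that the state directory is writable by that user.

```php
<?php
// Added example, not from the thread. Runs certbot non-interactively from PHP.
// Assumptions: certbot is on PATH for the PHP user; $stateDir is writable by that user.
function issueCertificate(string $domain, string $webroot, string $stateDir, string $email, bool $dryRun = true): array
{
    // exec() hands a shell command line to /bin/sh, so reject anything that is not a
    // plain hostname before it can be used to smuggle extra shell syntax.
    if (!preg_match('/^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i', $domain)) {
        throw new InvalidArgumentException("Invalid domain: $domain");
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException("Invalid email: $email");
    }

    $args = [
        'certbot', 'certonly',
        '--non-interactive',      // fail immediately instead of prompting (the EOFError above)
        '--agree-tos',            // required once for account registration when no terminal is present
        '--email', $email,        // or '--register-unsafely-without-email' if you truly want none
        '--webroot', '-w', $webroot,
        '-d', $domain,
        '--config-dir', $stateDir,
        '--work-dir', $stateDir,
        '--logs-dir', $stateDir,
    ];
    if ($dryRun) {
        $args[] = '--dry-run';    // test against the staging environment, no real certificate issued
    }

    // Quote every argument separately; never interpolate user data into the string.
    $cmd = implode(' ', array_map('escapeshellarg', $args)) . ' 2>&1';
    exec($cmd, $output, $exitCode);

    return ['ok' => $exitCode === 0, 'exit' => $exitCode, 'output' => $output];
}

// Constructed sample call; the email address is a placeholder.
$result = issueCertificate('mydomain.com', '/home/sites', '/home/sites', 'admin@mydomain.com');
if (!$result['ok']) {
    error_log("certbot failed (exit {$result['exit']}):\n" . implode("\n", $result['output']));
}
```

Once a dry run succeeds, drop --dry-run for a real issuance; the accounts directory certbot creates under the config dir stays 700 and owned by the Apache user, which is what you want when that same user is the one running certbot.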

What email does it want?

The directories I passed in the parameters from my original post at the top of this thread did include directories that are writable. And it appears Certbot did create two folders in that directory: accounts and renewal-hooks. So I guess it didn't work because it needed an email address passed? What email is it expecting? The owner of the certificate or the webmaster for the server it's being installed on?

The purpose of the e-mail address is to receive reminder notifications from Let’s Encrypt related to certificates that need to be renewed, or in some cases to software that needs to be updated because it’s using Let’s Encrypt features or technologies that are being phased out. You can specify any e-mail address for the person you think this information would be most relevant to.
