Some questions about using CertSage

My domain is: isbd.co.uk
My web server is (include version): cPanel 94.0.19 on TsoHost
My hosting provider, if applicable, is: TsoHost
I can login to a root shell on my machine (yes or no, or I don't know): no

I need to know a little bit more about using CertSage to install certificates on cPanel hosting at TsoHost. I already use LetsEncrypt elsewhere so the basics are OK. I've also successfully installed a certificate using CertSage on one of the add-on domains on the above cPanel. I have about a dozen or so domains on this TsoHost cPanel system.

My questions are:-
1 - Where CertSage asks for "One domain name per line No wildcards (*) allowed" under Acquire Certificate I assume this means only that one can add the names of alias domains at the same time. One surely needs a different certificate for each distinct domain.

2 - I have a number of quite separate domains on this system hosted as 'Add-On' domains but from users'/clients' point of view they are entirely separate (e.g. there's isbd.co.uk, oasis41.co.uk, russcreates.com and several others). The way that CertSage works means that there is a single CertSage directory on my hosting account and thus a single password.txt file. This means that I get the same password to use in CertSage on all the different sites; is this right? Is there any way to provide different passwords for the different sites so I can get site users/owners to do their own CertSage renewals?

1 Like

What version of CertSage are you using?
Here is the latest, I believe, CertSage ACME client (version 1.3.0) - easy webpage interface, optimized for cPanel, no commands to type, root not required
@griffin would be the authoritative answer.

3 Likes

Sorry, I should have said, I'm using CertSage 1.3.

3 Likes

I think that if users' domains are being served from separate folders, then each user/folder can have its own CertSage.

3 Likes

Yes, OK, I think that's right. However they will all use the same password.txt file in the CertSage directory, is this how it's meant to be?

1 Like

They should each have their own CertSage directory.
So, the password.txt files can all be different.

3 Likes

Yes, but it doesn't do that!

All my 'add-on' domains are in sub-directories of the 'main' domain.

So, my main domain is at ~/public_html/

The domain isbd.co.uk is at ~/public_html/isbd.co.uk/
The domain russcreates.com is at ~/public_html/russcreates.com/
The domain reshapers.org is at ~/public_html/reshapers.org

... and so on. This is just the way that cPanel organises things, there's nothing I can do about it.

If I install CertSage on any of the above web sites the /CertSage/ directory with password.txt in it will be ~/public_html/CertSage/, the same for every site.

I could edit each copy of certsage.php to use a different directory but that does rather make it less 'automatic'.

That sounds unsafe. Let's wait to hear what @griffin has to say about this situation.

5 Likes

Yes! In an earlier thread (May this year) he recommends changing line 18 of certsage.txt from:-

public $dataDirectory = "../CertSage";

to

public $dataDirectory = "../../CertSage";

This at least moves the CertSage directory out of the main web site's /public_html/ where it is visible to anyone. However it doesn't address the problem of all add-on sites sharing the same password.txt file.

Maybe a more recent version deals better with addon sites, I dunno :person_shrugging:

4 Likes

Sorry for the delayed reply. I have been in the Caribbean for the last week without signal.

@chrisisbd

You have the right idea about editing that $dataDirectory line. You can point each website's copy of CertSage at its own data directory with its own password if you wish. I realize that this probably isn't the most convenient if you have a lot of addon websites. Unless there's some type of administrative issue (e.g. if you're subhosting for a lot of private parties and you want them to manage their own certificate renewals, which is now fully possible under version 1.3), there's not much benefit to having multiple CertSage directories aside from ensuring parallel, independent certificate acquisition and installation.

4 Likes

All the domain names (SANs) covered by a single certificate need to be aliases of the same content. For cPanel this usually means example.com, www.example.com, and mail.example.com

As indicated above, you can specify a separate data directory for each website's copy of CertSage. Those data directories do not need to be named CertSage, which should make management much easier.

4 Likes
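An audit of the layout discussed in this thread, added here as an example (it is not part of any post and is not CertSage's own code): it finds every certsage.php under the web root, reads its `$dataDirectory` line, and reports which data directories sit inside public_html and which are shared by several sites. It assumes the path is resolved relative to the directory holding certsage.php, as the thread describes; the sample tree and the `certsage-reshapers` directory name are constructed.

```python
import os
import re
import tempfile
from collections import defaultdict

# Matches the configuration line quoted in the thread.
DATA_DIR_RE = re.compile(r'public\s+\$dataDirectory\s*=\s*"([^"]+)"\s*;')

def audit(web_root):
    """Return {resolved data dir: {"sites": [...], "web_visible": bool}}."""
    web_root = os.path.realpath(web_root)
    found = defaultdict(list)
    for dirpath, _dirs, files in os.walk(web_root):
        if "certsage.php" not in files:
            continue
        path = os.path.join(dirpath, "certsage.php")
        with open(path, encoding="utf-8", errors="replace") as fh:
            match = DATA_DIR_RE.search(fh.read())
        if match:
            # Assumption: relative to the directory containing certsage.php.
            data_dir = os.path.realpath(os.path.join(dirpath, match.group(1)))
            found[data_dir].append(os.path.relpath(dirpath, web_root))
    report = {}
    for data_dir, sites in found.items():
        inside = os.path.commonpath([web_root, data_dir]) == web_root
        report[data_dir] = {"sites": sorted(sites), "web_visible": inside}
    return report

def build_sample(home):
    """Constructed layout mirroring the thread: add-on sites under public_html."""
    layout = {
        "isbd.co.uk": "../CertSage",                  # default setting
        "russcreates.com": "../CertSage",             # default setting
        "reshapers.org": "../../certsage-reshapers",  # edited, per-site
    }
    for site, data_dir in layout.items():
        site_dir = os.path.join(home, "public_html", site)
        os.makedirs(site_dir)
        with open(os.path.join(site_dir, "certsage.php"), "w") as fh:
            # Constructed stub holding only the line of interest.
            fh.write('<?php\npublic $dataDirectory = "%s";\n' % data_dir)
    return os.path.join(home, "public_html")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as home:
        for data_dir, info in audit(build_sample(home)).items():
            shared = len(info["sites"]) > 1
            print(data_dir, info["sites"],
                  "inside web root" if info["web_visible"] else "outside web root",
                  "shared password.txt" if shared else "own password.txt")
```

On a real account, call `audit()` on the path to public_html; any entry listing more than one site means those sites share one password.txt.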

hmm...
Perhaps there might be a single system variable that is linked to each "user" that can be referenced.

4 Likes

There are certainly a number of approaches that can be taken. Which to consider depends upon the level of access desired for a "user". If the "users" are, for example, WordPress site designers, assigning each designer his/her own CertSage data directory with a preassigned password (or, for more advanced configuration, giving each designer rights to his/her own CertSage data directory) is probably fairly straightforward.

4 Likes
