I don't think this is a great approach to certificate management. Is there a specific reason you're constrained to automating Certbot through PHP subprocess creation? There are several pure PHP ACME clients listed here: ACME Client Implementations - Let's Encrypt. You might have a better experience with one of them.
It's hard to say with confidence without more context but this PHP snippet looks strongly to me like it would have a command injection vulnerability.
If you're absolutely constrained to invoking Certbot from PHP with shell_exec I think you'll have to provide a lot more information to help with debugging. (What's the cert.sh script? What does the interpolated certbot command line given to shell_exec look like at runtime? What is the $www output returned from shell_exec? Is the return NULL? What user is the PHP process running as? What's its $PATH?, etc)
Hi @cpu,
I'm afraid to use this third-party stuff because you update and terminate with the agent. I protected the shell_exec command well; it's turned on and released when it validates the domain. What do you tell me?
I'm not sure I understand what you mean. Certbot is third-party as well.
shell_exec returns NULL in the error case, so that is one signal to help with debugging.
One way to make progress debugging this may be to try running your .cert.sh script as the php-fpm user from an SSH connection. It will probably provide error messages to stderr that are being masked by shell_exec. You may also want to check what the $PATH for that user is, and make sure that the certbot executable is located somewhere in that user's $PATH.
(I still think that trying to use Certbot in this manner is a recipe for trouble)
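The two points raised above (the command-injection risk of interpolating a domain into a shell_exec string, and the loss of stderr and exit status that makes shell_exec hard to debug) can be illustrated with a small PHP wrapper. This is an added example, not code posted by anyone in the thread; it assumes a cert.sh script that takes the domain as its single argument, and the script path, function names and the 2>&1 redirection are choices made here for illustration.

```php
<?php
// Added example, not from the thread. CERT_SCRIPT is a placeholder path;
// cert.sh is assumed to take exactly one argument, the domain name.
const CERT_SCRIPT = '/path/to/cert.sh';

// Risky pattern: the untrusted $domain is spliced straight into the command
// string, so any shell metacharacters it contains become part of the command.
// Also returns NULL on failure and silently drops stderr, which hides errors.
function issueCertUnsafe(string $domain): ?string
{
    return shell_exec(CERT_SCRIPT . " $domain");
}

// Strict allow-list for hostnames: dot-separated labels of letters, digits and
// hyphens, no leading/trailing hyphen, at most 63 chars per label and 253 total.
// Anything a shell could interpret (spaces, quotes, ;, |, $, backticks) fails.
function isValidHostname(string $domain): bool
{
    if (strlen($domain) > 253) {
        return false;
    }
    return (bool) preg_match(
        '/^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$/',
        $domain
    );
}

// Hardened version: validate first, quote as a single argument, and capture
// both the exit status and the combined stdout/stderr so failures are visible.
function issueCert(string $domain): array
{
    if (!isValidHostname($domain)) {
        return ['ok' => false, 'error' => 'invalid domain name', 'output' => ''];
    }

    // escapeshellarg() wraps the value as one quoted argument; with the
    // allow-list above this is defence in depth, not the only control.
    $cmd = escapeshellarg(CERT_SCRIPT) . ' ' . escapeshellarg($domain) . ' 2>&1';

    $lines = [];
    $status = 1;
    exec($cmd, $lines, $status);
    $output = implode("\n", $lines);

    if ($status !== 0) {
        return [
            'ok'     => false,
            'error'  => "cert.sh exited with status $status",
            'output' => $output,
        ];
    }
    return ['ok' => true, 'error' => '', 'output' => $output];
}

// Environment facts worth logging alongside a failure: which account PHP is
// actually running as and the PATH it will use to locate certbot.
function runtimeContext(): array
{
    $user = function_exists('posix_geteuid')
        ? (posix_getpwuid(posix_geteuid())['name'] ?? 'unknown')
        : get_current_user();
    return ['user' => $user, 'path' => getenv('PATH') ?: ''];
}

// Usage (domain taken from the request body as an example of untrusted input):
// $result = issueCert($_POST['domain'] ?? '');
// error_log(json_encode(['context' => runtimeContext(), 'result' => $result]));
```

The combination matters: the allow-list rejects input that should never reach a shell, escapeshellarg() makes the remaining value inert even if the pattern is later loosened, and capturing the exit status plus stderr turns a bare NULL from shell_exec into an actionable error message. Logging the effective user and $PATH answers the two environment questions raised above without needing an interactive SSH session.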
[root]# /usr/local/openresty/nginx/html/pHpServer-PG/api/./cert.sh teste.tk
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Resetting dropped connection: acme-v02.api.letsencrypt.org
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/teste.tk-0003/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/teste.tk-0003/privkey.pem
Your cert will expire on 2019-09-10. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Ahh, I misunderstood when you said "I use php-fpm user root". The user is root, not php-fpm.
I'm afraid I don't know enough about php-fpm and shell_exec to suggest further debugging steps. Perhaps a more PHP centric forum would be more helpful.
I really think running Certbot this way, especially as root, is problematic.
Good luck sorting out the remaining errors! I'm sorry I wasn't able to help more.