Use certbot with php

version 0.31.0

I need to generate certbot with php, but it was not created, and I’m trying with .sh and also nothing worked. How to make it work?

```php
$ww = "certbot certonly --rsa-key-size 4096 --webroot --agree-tos --no-eff-email --email email@gmail.com -w /usr/local/openresty/nginx/html -d ".strtolower($postData->dominio)." -d www.".strtolower($postData->dominio)." -d admin.".strtolower($postData->dominio);
$www = shell_exec($ww);
```

cert.sh ->

```sh
#!/bin/sh
certbot certonly --rsa-key-size 4096 --webroot --agree-tos --no-eff-email --email email@gmail.com -w /usr/local/openresty/nginx/html -d $1 -d admin.$1 -d www.$1
```

```php
exec("~/.cert.sh ".strtolower($postData->dominio), $out);
```

not show error logs in php and lets

:wave: Hi @arisco,

I don’t think this is a great approach to certificate management. Is there a specific reason you’re constrained to automating Certbot through PHP subprocess creation? There are several pure PHP ACME clients listed here: https://letsencrypt.org/docs/client-options You might have a better experience with one of them.

It’s hard to say with confidence without more context but this PHP snippet looks strongly to me like it would have a command injection vulnerability.

If you’re absolutely constrained to invoking Certbot from PHP with shell_exec I think you’ll have to provide a lot more information to help with debugging. (What’s the cert.sh script? What does the interpolated certbot command line given to shell_exec look like at runtime? What is the $www output returned from shell_exec? Is the return NULL? What user is the PHP process running as? What’s its $PATH?, etc)

2 Likes

Hi @cpu,
I’m afraid to use this third-party stuff because you update and terminate with the agent. I protected the shell_exec command well, it’s turned on and released when it validates the domain. What do you tell me?

Yes, the return of shell_exec is NULL.

I updated the post showing cert.sh

I use php-fpm user root

I’m not sure I understand what you mean. Certbot is third-party as well.

shell_exec returns NULL in the error case, so that is one signal to help with debugging :+1:

One way to make progress debugging this may be to try running your .cert.sh script as the php-fpm user from an SSH connection. It will probably provide error messages to stderr that are being masked by shell_exec. You may also want to check what the $PATH for that user is, and make sure that the certbot executable is located somewhere in that user’s $PATH.

(I still think that trying to use Certbot in this manner is a recipe for trouble)
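
The two concerns raised in the replies above (command injection through the interpolated domain, and error output hidden by shell_exec) can be handled together. This is an added example, not code from any poster in the thread; it assumes PHP 7.4 or later and a certbot binary at /usr/bin/certbot, and the helper names validDomain, certbotArgv and runNoShell are hypothetical.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Needs PHP >= 7.4 (array form of proc_open).

/** Return the lowercased name if it is a plain DNS hostname, otherwise null. */
function validDomain(string $input): ?string
{
    $d = strtolower(trim($input));
    // Letters, digits and inner hyphens per label; at least two labels.
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    // 247 leaves room for the "admin." prefix within the 253-character DNS limit.
    if (strlen($d) > 247 || !preg_match("/\\A(?:$label\\.)+$label\\z/", $d)) {
        return null;
    }
    return $d;
}

/** Each array element reaches certbot as exactly one argument; no shell parses it. */
function certbotArgv(string $domain, string $certbot): array
{
    return [
        $certbot, 'certonly', '--rsa-key-size', '4096', '--webroot',
        '--agree-tos', '--no-eff-email', '--email', 'email@gmail.com',
        '-w', '/usr/local/openresty/nginx/html',
        '-d', $domain, '-d', "www.$domain", '-d', "admin.$domain",
    ];
}

/** Run without a shell; stderr is merged into stdout so errors are not lost. */
function runNoShell(array $cmd): array
{
    $proc = proc_open($cmd, [1 => ['pipe', 'w'], 2 => ['redirect', 1]], $pipes);
    if (!is_resource($proc)) {
        return ['exit' => -1, 'output' => 'proc_open failed: ' . (error_get_last()['message'] ?? '')];
    }
    $output = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    return ['exit' => proc_close($proc), 'output' => $output];
}

$domain = validDomain($argv[1] ?? 'teste.tk; id'); // constructed hostile default input
if ($domain === null) {
    echo "rejected: not a plain hostname\n";
    exit(1);
}
// Assumption: certbot lives at this absolute path; an absolute path avoids relying on $PATH.
$result = runNoShell(certbotArgv($domain, '/usr/bin/certbot'));
echo "exit code {$result['exit']}\n{$result['output']}";
exit($result['exit'] === 0 ? 0 : 1);
```

Run with no argument, the constructed input `teste.tk; id` is rejected before any process is started; with a valid hostname the exit code and certbot's combined output are printed instead of a bare NULL.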

@cpu in root,

```
[root]# /usr/local/openresty/nginx/html/pHpServer-PG/api/./cert.sh teste.tk
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Resetting dropped connection: acme-v02.api.letsencrypt.org

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/teste.tk-0003/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/teste.tk-0003/privkey.pem
   Your cert will expire on 2019-09-10. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
```

```php
exec("/usr/local/openresty/nginx/html/pHpServer-PG/api/./cert.sh ".strtolower($postData->dominio), $out);
var_dump($out);
print_r(error_get_last());
```

return var dump in php

```
array(0) {
}
```

No error response, I used user root in php-fpm

Ahh, I misunderstood when you said “I use php-fpm user root”. The user is root, not php-fpm.

I’m afraid I don’t know enough about php-fpm and shell_exec to suggest further debugging steps. Perhaps a more PHP-centric forum would be more helpful.

I really think running Certbot this way, especially as root, is problematic.

Good luck sorting out the remaining errors! I’m sorry I wasn’t able to help more.

1 Like