In the last couple of months, I had to install LetsEncrypt on a lot of WordPress sites and there wasn’t a single WordPress plugin that generated, verified and installed an SSL certificate along with HTTP to HTTPS redirection.
I spent the last two months developing ‘SSL Zen’ a WordPress LetsEncrypt plugin that helps you to -
Verify domain ownership using HTML file upload.
Generate an SSL certificate for your WordPress blog/website
Install SSL certificate using cPanel. Verify if the SSL certificate is working properly.
Redirect HTTP traffic to HTTPS
Renew SSL certificate (Manually)
Features:
The SSL certificate is securely sent to your registered email
Based on Let’s Encrypt ACME API v2
Browser-based installation
No root access required, No programming knowledge required
Works on shared hosting with cPanel (Godaddy, HostGator, 1&1, Bluehost)
You can manually renew the certificates before 30 days of expiry. You will get a notification when your certificate is going to expire. If you forget to renew, we will send you an email notification too.
Reading over the source, it appears that this requires manually placing the challenge response files, downloading and installing the certificate, and performing renewal. So it’s similar to e.g. ZeroSSL and gethttpsforfree, in that respect.
It seems like the plugin could potentially do all of these things on its own:
Automatic completion of challenges: since it has access to the document root and .htaccess file, it can place the challenge response files on its own
Automatic certificate installation
(If the cPanel host has disabled exec): you can invoke uapi directly to install the certificate to cPanel
(If the cPanel has NOT disabled exec): you can take and store the user’s cPanel username and password and install the certificate via the cPanel JSON-API.
Automatic renewal: now that the above can be automated, you can perform the entire thing non-interactively from a wp-cron hook.
Hey. Thank you so much for taking time to go through SSL Zen. I appreciate it. I came across LetsEncrypt for cPanel while doing research.
Automatic completion of challenges: since it has access to the document root and .htaccess file, it can place the challenge response files on its own
We can’t determine the document root if WP is installed in sub directories. I’m not sure how .htaccess will help.
Do you mind elaborating on your solution?
Automatic certificate installation
Don’t you think it’s unsafe to take user/pass over http?
Prompt the user for the document root on the first issuance, and the re-use that information for renewal, or
Use the cPanel UAPI to discover the document root for the domain (be it primary, addon, subdomain, whatever), or
Look at the WordPress Site URL and figure out the document root of the domain by counting the number of directories you need to climb, or
Trial and error: write a few distinct test files to your "best guess" directories as part of preflight, make a local request back to the domain to see which one is being served - that's your document root.
No, I don't think it's a problem:
cPanel JSON-API is protected via HTTPS over port 2083
cPanel JSON-API is hosted on the loopback interface (::1/127.0.0.1), which does not go out over the network (Ah, I think I misread your point. Getting these details from the user over HTTP is indeed not good. Perhaps stick to exec method only, and if that is not available, get them to write them to a file).
It is not commonly known, but all PHP code that runs on a cPanel account (including WordPress websites) already runs at the privilege level of the logged-in cPanel user. That's why you can exec the uapi binary (cPanel LiveAPI) and make changes to your cPanel account without any extra authentication. In that respect, avoiding talking to the cPanel API for security concerns is somewhat misguided.
I may have come across a bug in what’s likely an uncommon situation.
I’m testing a staging website on a spare sub-domain. The primary domain is currently config’d as a URL shortener (think bit.ly-esque), so I’m leaving that as is.
The shortener is the primary (second-level) domain, again like “bit.ly”.
I’ve just set up www.bit.ly for testing right now. The primary “bit.ly” domain is on completely separate infrastructure. If I were coding this, I probably wouldn’t expect this situation… so, yeah.
Here’s what I’m seeing: " Verifying domain ownership failed. Please check that the files listed below are uploaded to “webroot/.well-known/acme-challenge/” directory." Upon trying to verify the second (of two) files, which are in the correct directory. First file verified without any issues.
