auto-letsencrypt | Docker image to automatically request | TLS library
kandi X-RAY | auto-letsencrypt Summary
A Docker image to automatically request and renew SSL/TLS certificates from Let's Encrypt
Community Discussions
QUESTION
I'm building a web app (example: www.mywebapp.example) that allows users to point their domain - www.xyz.example - to www.mywebapp.example. When users go to www.xyz.example, their content will be served from www.mywebapp.example instead. Users will be told how to update their @ and www A records in their domain provider's DNS settings to connect www.xyz.example to www.mywebapp.example.

I can manually create new SSL certificates using ./certbot-auto -d for each domain. I have also set a cron job to test for renewal.

However, I want to automate this process by running a PHP script, triggered from a JavaScript function, each time a user connects their domain to www.mywebapp.example. My questions are:

- Should I execute the ./certbot-auto command from PHP using the exec()/shell_exec() command? Should I write a separate bash script and run the bash script instead?
- Should I use an ACME PHP library recommended by LetsEncrypt - https://letsencrypt.org/docs/client-options/
- I manually created a new SSL certificate for a domain www.xyz2.example, which successfully pointed to www.mywebapp.example. However, this broke SSL support for all existing domains - *.mywebapp.example, mywebapp.example, www.xyz.example. Do I need to create virtual hosts for each domain pointing to www.mywebapp.example?
- Do I need to edit /etc/httpd/conf.d/ssl.conf to add the new virtual hosts? Can multiple domains use the same DocumentRoot path?
I've read through all the following links, but am still pretty confused:
- https://httpd.apache.org/docs/2.4/vhosts/name-based.html
- https://serverfault.com/questions/7308/dynamic-virtual-hosts-in-apache
- https://serverfault.com/questions/126554/multiple-domains-with-ssl-on-same-ip
- certbot-auto / letsencrypt setting up one key for multiple domains pointing to the same server
Any help is greatly appreciated. If more information is required, please let me know.
My server setup is:
- LAMP
- AWS EC2
ANSWER
Answered 2019-Mar-28 at 17:42
You have many questions in one.
Should I execute the ./certbot-auto command from PHP using the exec()/shell_exec() command? Should I write a separate bash script and run the bash script instead?
In a generic case: no.
PHP is executed once a webpage has been reached, hence it lives inside the current HTTP session, and the browser at the other end will wait for some kind of response back, in some kind of limited time (and users get angry if they do not see something appearing "fast").
If you exec things you have two options:
- you wait for completion of the external program: problem, this can be after an "indefinite" time, so if this is not taken into account, the user will never see anything back in their browser
- you start it in the background, and you do not wait for its completion: problem, you do not know if it succeeds or not, so even if you are then able to reply "something" to the browser, how will you handle failures?
The generic solution to cases like this is:
1. The action triggered by the HTTP visit just records the request, like in a DB or something
2. Separately, a process polls the DB for tasks to do and executes them; this is completely separate from any webserver; when the job has completed (success or failure), the DB will be updated in the same way
3. The process at 1) can regularly poll the DB to see the status (pending, completed or failed) and show the user a message, like during their visit, with some kind of auto-refresh, and/or provide a specific separate page where the user would be able to track the status of their operation
Should I use an ACME PHP library recommended by LetsEncrypt - https://letsencrypt.org/docs/client-options/
You can use any library in any language that properly implements the ACME protocol.
Let's Encrypt only recommends one software: certbot. All the rest listed on that page are examples of client libraries/programs that are expected to work.
Do I need to create virtual hosts for each domain pointing to www.mywebapp.example?
Yes, especially if each of them uses a specific certificate, otherwise the webserver will not be able to identify the proper certificate to return at the beginning of the TLS handshake based on which hostname the browser gave (inside the SNI extension used at the beginning of the TLS handshake).
Or you can use some Apache features for mass virtual hosting, such as https://httpd.apache.org/docs/2.4/mod/mod_vhost_alias.html As is, however, this probably means a single certificate with all names added to it, which can technically work up to some number of names, but can create non-technical problems (like seeing all the names, etc.)
Of course other software, like Nginx/HAProxy, can provide more advanced features, where you do not need to configure things virtual host by virtual host, even with different certificates; you just put things in place with specific naming and the webserver will match things as needed.
Do I need to edit /etc/httpd/conf.d/ssl.conf to add the new virtual hosts?
Yes, or any other file as long as you use Include or similar.
If you manage many different and separate websites, it may be simpler to have one configuration file per website, including its certificate paths and so on; many Linux distributions install Apache in such a way that you have /etc/httpd/sites-enabled/ for that feature. If not, you can do the same yourself.
Can multiple domains use the same DocumentRoot path?
Of course yes.
PS: please stop saying SSL, the protocol is named TLS, invented 20 years ago. SSL is long gone; current recommendations are to run TLS 1.2 except if there are good reasons to also allow 1.1 and 1.0, which have vulnerabilities. There are no "SSL certificates" either, for this reason and because they are a misnomer. TLS can work without certificates and these certificates can be used outside of TLS, like in S/MIME. They are X.509 certificates.
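The queue-based design from the answer above, as an added worked example (this is not code from auto-letsencrypt nor from the Stack Exchange post). The web tier only records the customer's domain in a table; a separate worker claims pending rows, runs certbot's webroot plugin with an argv list (no shell, so a domain such as `www.xyz.example; rm -rf /` can never be interpreted as a command), and writes the result back so the page can poll it. It also renders the per-domain `<VirtualHost>` that Apache selects by SNI, all sharing one DocumentRoot. The table layout, the `/var/www/mywebapp` webroot, the contact address and the hostname allow-list are assumptions for the example:

```python
# Added example: a certificate-issuance worker plus the vhost it produces.
# Not part of auto-letsencrypt or of the original post; paths and table are assumed.
import re
import sqlite3
import subprocess

# RFC 1123 hostname syntax as a strict allow-list. The domain is user input that
# ends up as a certbot argument and inside an Apache directive, so anything outside
# this alphabet (spaces, ';', quotes, newlines, '<') is rejected before it gets there.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME = re.compile(rf"(?:{_LABEL}\.)+{_LABEL}")


def valid_hostname(name):
    """True for a fully qualified, syntactically valid hostname, else False."""
    return 0 < len(name) <= 253 and _HOSTNAME.fullmatch(name.lower()) is not None


def certbot_argv(domain, email, webroot):
    """argv for certbot's webroot plugin, built as a list so no shell ever parses it."""
    if not valid_hostname(domain):
        raise ValueError("refusing to issue for invalid hostname: %r" % domain)
    return ["certbot", "certonly", "--non-interactive", "--agree-tos",
            "-m", email, "--webroot", "-w", webroot, "-d", domain]


VHOST_TEMPLATE = """<VirtualHost *:443>
    ServerName {domain}
    DocumentRoot {docroot}
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/{domain}/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/{domain}/privkey.pem
</VirtualHost>
"""


def render_vhost(domain, docroot="/var/www/mywebapp"):
    """One <VirtualHost> per customer domain, all sharing the same DocumentRoot.
    Apache picks the block by the SNI hostname, so each domain can carry its own cert."""
    if not valid_hostname(domain):
        raise ValueError("refusing to render vhost for invalid hostname: %r" % domain)
    return VHOST_TEMPLATE.format(domain=domain, docroot=docroot)


def open_queue(path=":memory:"):
    """Open (or create) the request table that the web tier and the worker share."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS cert_requests ("
                 "domain TEXT PRIMARY KEY, status TEXT NOT NULL, detail TEXT)")
    return conn


def enqueue(conn, domain):
    """What the PHP handler does instead of exec(): record the request and return."""
    conn.execute("INSERT OR IGNORE INTO cert_requests VALUES (?, 'pending', NULL)", (domain,))
    conn.commit()


def _run_certbot(argv):
    # Real runner: list argv, no shell=True, bounded wait for the ACME challenge.
    return subprocess.run(argv, check=False, timeout=600).returncode


def process_pending(conn, email, webroot, runner=_run_certbot):
    """One worker pass, run from cron or a loop outside the web server.
    Returns {domain: final status}; the table gets the same values so the page
    can poll it and show 'pending', 'issued' or 'failed' to the user."""
    rows = conn.execute("SELECT domain FROM cert_requests WHERE status = 'pending' "
                        "ORDER BY rowid").fetchall()
    outcome = {}
    for (domain,) in rows:
        try:
            rc = runner(certbot_argv(domain, email, webroot))
            status, detail = ("issued", None) if rc == 0 else ("failed", "certbot exit %d" % rc)
        except ValueError as exc:          # bad hostname: never reaches certbot
            status, detail = "failed", str(exc)
        conn.execute("UPDATE cert_requests SET status = ?, detail = ? WHERE domain = ?",
                     (status, detail, domain))
        outcome[domain] = status
    conn.commit()
    return outcome
```

Order matters on the Apache side: only after a row reaches `issued` should the worker write `render_vhost(domain)` into a file that ssl.conf pulls in with `Include` and then reload Apache gracefully, because a `<VirtualHost>` whose `SSLCertificateFile` does not exist yet stops the whole server from starting. The webroot challenge also doubles as the ownership check: it only succeeds once the customer's A record really points at this server, so a request for a domain the user does not control ends up `failed` rather than issued.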
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported