[Feature request] SSL by default for web/mail

By default, Hestia - just like vesta did - does not create SSL certificate by default.

One has to go through a very complex process to generate them manually.

I suggest to change this feature and have SSL creation by default. One simply needs to feed in certain default parameters using the domain name values and make email address with it.

If one does not need the auto-created SSL, then it is efficient to delete it rather than every one creating for every domain.

I have already created ssh scripts to generate SSL certificates for web/mail. But this is part of my bash framework. It has zero meaning here.

The only thing that is important, what I did, was to tweak one /tmp and temporary files created using random. Instead, I used the domain name under /tmp. Thus, I could use data inside the /tmp directory to point and move the SSL files into there respective directory and deleting the tmp dir.

If this idea is implemented in the core scripts, then each and every domain for web and mail created automatically shall have SSL ready files.

This might be possible if you use Hestia to handle your DNS, but I prefer to do that with a third party, so in my case this wouldn’t be possible: I still have to set up the DNS entries manually before I can issue an SSL certificate.

Hestia already tried to create an lets encrypt certificate on reboot, you only need to use a hostname with proper dns record and it works.

If you want to add it later, just run v-add-letsencrypt-host, this takes a few seconds and installs an lets encrypt cert.

Hi,

Well, v-add-letsencrypt-host has nothing to do with my request or lets encrypt certificates.

I will need a few hours to remember when I used a certificate issued by this spying agency. :laughing:

Further, the request relates to creation of each domain manually using bash scripts that will fill some basic domain data into a manually created SSL certificate. So it could be used as ready-for-SSL-to-go. This method could save time to manually create a SSL certificate and manually feed in the data.

The proposed solution is not relevant.

Ok, what exactly are you missing? Probaly just dont understand it properly over here.

For this, I shall need a few hours to remember also, when I used my personal DNS server. I think I changed to Cloudflare before a decade.

Further, as you did not understand my message above or have read hurriedly (which happens to me as well), DNS HAS_NOTHING to do with creation of a SSL certificate manually.

As I mentioned in my message above, I have enhanced my bash framework scripts to generate a SSL certificate for hundreds of domains. This is so easy with scripts.

For e.g. I have one hundred domains. These are spread out geographically. For e.g. each domain has cdn, which will make eu.domain.com, us.domain.com, afrika.domain.com, asia.domain.com.

Would someone here be ready to calculate the time required to manually create an SSL certificate for each subdomain on each of these servers?

Several days, right?

My solution will not take more than a few minutes.
I needed to do so because I simply cannot afford to generate them manually.

Again, this has nothing to do with Lets Encrypt.

BTW, when using Cloudflare as proxy, which I do or am compelled to do, there is no need to use Lets Encrypt certificate. One can change the config in there to “Full” instead of “strict”. In that case, Cloudflare shall not check anymore if the origin certificate has been issued by a publicy known issuer.

In all cases, the connection will be encrypted, whether a certificate is issued by a publicly known issuer or generated manually or locally. The difference would be that no company based under the Patriot Act shall have the key and their unencryption of the data would take time.

Hi ScIT,

Nothing! I am not missing anything, as I mentioned above. I have already a functioning bash framework that has implemented the above feature request. Fur this, I needed to tweak one script to change in v-generate-ssl-cert. Thats it.

Community is missing this valuable feature. Hence the feature request. Lets start all over again.

1. Prepare the script for auto-generation
In the script v-generate-ssl-cert, I have inserted “# Substitute following values for auto creation of SSL certificate”. With this, it is not necessary to manually feed required data to generate a certificate.

2. Execute auto generation script
Now everything is simple. Simply issue bash commands and generate a SSL certificate for one or hundreds of domains.

3. Auto generation as well as manual generation with default values
These changes in v-generate-ssl-cert allows creation of a SSL certificate through php scripts with default values (inserted in there) as well.

If you do not want to use these default values, you could give your new ones. This requires a bit more modification.

If one created a SSL certificate manually through SSL certificate online for one domain, one does not have to feed in manually all the data from one form to the original one.

This is a manual feature that was came together with Vesta and have remained.

The question is, why the hell one may want a domain without SSL? So the SSL will be default. One could remove that SSL certificate from the control panel and generate a new one manually. Or one could create a Lets Encrypt SSL certificate later, which should remove the old one by default too.

#!/bin/bash
# info: generate self signed certificate and CSR request
# options: DOMAIN EMAIL COUNTRY STATE CITY ORG UNIT [ALIASES] [FORMAT]
# labels: panel
#
# example: v-generate-ssl-cert example.com [email protected] USA California Monterey ACME.COM IT
#
# The function generates self signed SSL certificate and CSR request


#----------------------------------------------------------#
#                    Variable&Function                     #
#----------------------------------------------------------#

# Argument definition
domain=$1
domain=$(echo $domain |sed -e 's/\.*$//g' -e 's/^\.*//g')
domain_alias=$domain
email=$2
#country=$3 # Substitute following values for autocreation of SSL certificate
#state=$4
#city=$5
#org=$6
#org_unit=$7
country="DE"
state="DE"
city="DE"
org=$domain
org_unit=$domain
aliases=$8
format=${9-shell}
KEY_SIZE=4096
DAYS=365

# Includes
# shellcheck source=/usr/local/hestia/func/main.sh
source $HESTIA/func/main.sh
# shellcheck source=/usr/local/hestia/conf/hestia.conf
source $HESTIA/conf/hestia.conf

# Json function
json_list_ssl() {
    i='1'       # iterator
    echo '{'
    echo -e "\t\"$domain\": {"
    echo "        \"CRT\": \"$crt\","
    echo "        \"KEY\": \"$key\","
    echo "        \"CSR\": \"$csr\","
    echo "        \"DIR\": \"$workdir\""
    echo -e "\t}\n}"
}

# Shell function
shell_list_ssl() {
    if [ ! -z "$crt" ]; then
        echo -e "$crt"
    fi
    if [ ! -z "$key" ]; then
        echo -e "\n$key"
    fi
    if [ ! -z "$csr" ]; then
        echo -e "\n$csr"
    fi
    echo -e "\nLine 59 (v-generate-ssl-cert): Directory: $workdir"
}

# Additional argument formatting
format_domain_idn
if [[ "$email" = *[![:ascii:]]* ]]; then
    email=$(idn -t --quiet -a $email)
fi


#----------------------------------------------------------#
#                    Verifications                         #
#----------------------------------------------------------#

args_usage='DOMAIN EMAIL COUNTRY STATE CITY ORG UNIT [ALIASES] [FORMAT]'
check_args '7' "$#" "$args_usage"
is_format_valid 'domain' 'aliases' 'format'

release="$(lsb_release -s -r)"
if [ "$release" = "18.04" ]; then
    is_format_valid 'email'
fi

if [ ! -f /root/.rnd ]; then
    touch /root/.rnd
fi

# Perform verification if read-only mode is enabled
check_hestia_demo_mode

#----------------------------------------------------------#
#                       Action                             #
#----------------------------------------------------------#

# Create temporary work directory # Substitute following values for autocreation of SSL certificate
# workdir=$(mktemp -d)
tempdir="/tmp/ssl."$domain
mkdir $tempdir
workdir=$tempdir
cd $workdir

# Generate private key
openssl genrsa $KEY_SIZE > $domain.key 2>/dev/null

subj=""
# Generate the CSR
if [ -z "$email" ]; then
    subj="/emailAddress=$email"
fi

subj="$subj/C=$country/ST=$state/L=$city/O=$org"
subj="$subj/OU=$org_unit/CN=$domain_idn"

if [ -z "$aliases" ]; then
    openssl req -sha256\
        -new \
        -batch \
        -subj "$subj" \
        -key $domain.key \
        -out $domain.csr >/dev/null 2>&1
else
    for alias in $(echo $domain,$aliases |tr ',' '\n' |sort -u); do
        if [[ "$alias" = *[![:ascii:]]* ]]; then
            alias=$(idn -t --quiet -a $alias)
        fi
        dns_aliases="${dns_aliases}DNS:$alias,"
    done
    dns_aliases=$(echo $dns_aliases |sed "s/,$//")
    if [ -e "/etc/ssl/openssl.cnf" ]; then
        ssl_conf='/etc/ssl/openssl.cnf'
    else
        ssl_conf="/etc/pki/tls/openssl.cnf"
    fi

    openssl req -sha256\
        -new \
        -batch \
        -subj "$subj" \
        -key $domain.key \
        -reqexts SAN \
        -config  <(cat $ssl_conf \
            <(printf "[SAN]\nsubjectAltName=$dns_aliases")) \
        -out $domain.csr >/dev/null 2>&1
fi

# Generate the cert 1 year
openssl x509 -req -sha256 \
    -days $DAYS \
    -in $domain.csr \
    -signkey $domain.key \
    -out $domain.crt >/dev/null 2>&1


# Listing certificates
if [ -e "$domain.crt" ]; then
    crt=$(cat $domain.crt |sed ':a;N;$!ba;s/\n/\\n/g' )
fi

if [ -e "$domain.key" ]; then
    key=$(cat $domain.key |sed ':a;N;$!ba;s/\n/\\n/g' )
fi

if [ -e "$domain.csr" ]; then
    csr=$(cat $domain.csr |sed ':a;N;$!ba;s/\n/\\n/g' )
fi

case $format in
    json)   json_list_ssl ;;
    plain)  nohead=1; shell_list_ssl ;;
    shell)  shell_list_ssl ;;
    *)      check_args '1' '0' '[FORMAT]'
esac

# Delete tmp dir # Substitute following values for autocreation of SSL certificate
#rm -rf $workdir


#----------------------------------------------------------#
#                       Hestia                             #
#----------------------------------------------------------#

# Logging
log_event "$OK" "$ARGUMENTS"

exit

Following issues

  1. Users forget to tend creating DNS records and there for fails. Via Hestia DNS their is a delay of 5 min on average when a wild card is not used
  2. Self generated certficates have issue that the might leak private information to the public we got angry users that complained that the self generated certificate leaked their ip to the public
  3. Self generated certificates doen’t work when you are not using Cloudflare…

If you really want to create a self certificate:

Create a file in:

/usr/local/hesita/data/templates/web/apache2/php-fpm/

with the name: default.sh

#!/bin/bash

/usr/bin/local/hestia/bin/v-generate-ssl-certificate $1 $2 "email" xxxxxxx

user=$1
domain=$2
ip=$3
home=$4
docroot=$5

Are the available vars…

Hello Markus,

Good that you found a solution for the community. Let us hope this helps someone. As I said earlier, I do not need it. My bash framework environment (+200 scripts) is far too complex to change things now.

The titles says:

[Feature request]

So here is a solution for the issue … Current method is not going to change… Maybe when we connect directly to more DNS providers/ servers and create it directly

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.