Programster's Blog

Tutorials focusing on Linux, programming, and open-source

ACME PHP - Prove Domain Ownership

After installing ACME PHP and registering an account, you will want to start generating SSL certificates. Before you can do that, however, you first need to prove that you own the domain. This might be a pain, but without it, anyone would be able to obtain certificates for your domains!

Steps

There are two main ways to prove that you own a domain. Use the section below that is appropriate to your needs.

Using Text File On Site

If you are happy to prove you own the domain by exposing a text file (whose contents are generated and given to you) on a site hosted on that domain, then proceed with this section.

Run the following command:

php acmephp.phar authorize subdomain.yourdomain.org

This will output instructions similar to:

Loading account key pair...  
Requesting an authorization token for domain programster.org ...  
The authorization token was successfully fetched!  
    Create a text file accessible on URL http://programster.org/.well-known/acme-challenge/u0nBLKJhWuyZK7x2_rfSenfK4fRgqKce_ivOuC24Zso
    containing the following content:

    someRandomTextBLKJhfSenK4fRgqKce_ivOuC24Zso.moreRandomTextm9HeJxchJdmISmIa4cnhscTwAEe2Y

    Check in your browser that the URL someRandomTextBLKJhfSenK4fRgqKce_ivOuC24Zso.moreRandomTextm9HeJxchJdmISmIa4cnhscTwAEe2Y returns
    the authorization token above.

Then, you can ask to the CA to check the challenge!
    Call the check command to ask the server to check your URL:

    php acmephp.phar check -s http programster.org

I recognize that the content appears to be a JSON web token (JWT). However, it appears to be encrypted, as it produced junk when I pasted it into an online debugger. This is probably a good thing.

Create and publish the text file with the text provided before continuing to the next main section (skipping "Using DNS TXT Record").

Using DNS TXT Record

If you are like me, you need to use DNS to prove you own the domain. This is because I often need to be able to generate certificates for sites that are not exposed to the internet. Also, I prefer to just add the certificate files to the container using an ADD command in the Dockerfile, rather than have it generate the certificates during the build or at the point of deployment. This way there is no room for something going wrong.

Use the following command to tell Let's Encrypt that you wish to prove domain ownership using DNS.

php acmephp.phar authorize --solver dns yourdomain.org

You will get output similar to:

Loading account key pair...  
Requesting an authorization token for domain test.programster.org ...  
The authorization token was successfully fetched!  
    Add the following TXT record to your DNS zone
        Domain: _acme-challenge.test.programster.org.
        TXT value: SomeMoreRandomTextFPgjeyVmW30m3ifxtVGt3Oc3tY

    Wait for the propagation before moving to the next step
    Tips: Use the following command to check the propagation

        host -t TXT _acme-challenge.test.programster.org.

Then, you can ask to the CA to check the challenge!
    Call the check command to ask the server to check your URL:

    php acmephp.phar check -s dns test.programster.org

Add the DNS TXT record using the values provided in your output.

Check the record has propagated using:

host -t TXT _acme-challenge.subdomain.myDomain.org.

If that successfully returns the TXT record you added, tell the ACME server to check it:

php acmephp.phar check -s dns subdomain.myDomain.org
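As an added example that is not part of the original post, the following POSIX shell script wraps the propagation check above so that the check command is only run once a resolver actually returns the expected TXT value (an exact match, so a stale or truncated record is not accepted). It assumes host(1) is installed, that acmephp.phar sits in the current directory, and that the domain and token are copied from the "authorize --solver dns" output.

```shell
#!/bin/sh
# Added example, not part of the original post: gate "acmephp check -s dns" on the
# TXT record actually being visible, instead of eyeballing the host(1) output.
# Assumes host(1) is installed and acmephp.phar is in the current directory.

# Print the quoted TXT values from `host -t TXT` output, one per line.
# host prints:  _acme-challenge.example.org descriptive text "VALUE"
# (ACME challenge values are 43 characters, so they fit in one quoted string.)
extract_txt_values() {
    sed -n 's/.* descriptive text "\([^"]*\)".*$/\1/p'
}

# Exit 0 if EXPECTED is exactly one of the TXT values read from stdin, 1 otherwise.
# A full-line fixed-string match avoids accepting a stale or truncated record.
txt_record_matches() {
    extract_txt_values | grep -Fxq -- "$1"
}

# Query the record; an optional third argument picks the resolver, because a
# caching resolver can keep returning the old answer until the record's TTL expires.
dns_challenge_visible() {
    domain="$1"; expected="$2"; resolver="${3:-}"
    host -t TXT "_acme-challenge.${domain}." $resolver | txt_record_matches "$expected"
}

# Poll until the record shows up (or give up), then hand over to ACME PHP.
prove_dns_ownership() {
    domain="$1"; expected="$2"; tries=0
    until dns_challenge_visible "$domain" "$expected"; do
        tries=$((tries + 1))
        if [ "$tries" -ge 20 ]; then
            echo "TXT record for _acme-challenge.${domain} not visible; not calling check" >&2
            return 1
        fi
        sleep 30
    done
    php acmephp.phar check -s dns "$domain"
}

# Usage (domain and token come from the "authorize --solver dns" output):
#   prove_dns_ownership test.programster.org SomeMoreRandomTextFPgjeyVmW30m3ifxtVGt3Oc3tY
```

Pass a public resolver as the third argument of dns_challenge_visible (for example 8.8.8.8) if your local resolver has cached an older answer for the record.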

If that went successfully, you should get output similar to:

Loading account key pair...  
Loading the authorization token for domain test.programster.org ...  
Testing the challenge...  
Requesting authorization check for domain test.programster.org ...  

The authorization check was successful!

You are now the proved owner of the domain test.programster.org.
Please note that you won't need to prove it anymore as long as you keep the same account key pair.

You can now request a certificate for your domain:

   php acmephp.phar request test.programster.org

You can now clean up your DNS by removing the _acme-challenge.test.programster.org. TXT record.

Conclusion

You have now proved you own the domain and are ready to request a certificate for it.
