ACME PHP - Prove Domain Ownership
After installing ACME PHP and registering an account, you will want to start generating SSL certificates. Before you can do that, however, you first need to prove that you own the domain. This may be a pain, but without it anyone would be able to register certificates for your domains!
Steps
There are two main ways to prove that you own a domain. Use the section below that is appropriate to your needs.
Using Text File On Site
If you are happy to prove you own the domain by exposing a dynamically generated text file (whose content is given to you) on a site hosted on that domain, then proceed with this section.
Run the following command:
php acmephp.phar authorize \
subdomain.yourdomain.org
This will output instructions similar to:
Loading account key pair...
Requesting an authorization token for domain programster.org ...
The authorization token was successfully fetched!
Create a text file accessible on URL http://programster.org/.well-known/acme-challenge/u0nBLKJhWuyZK7x2_rfSenfK4fRgqKce_ivOuC24Zso
containing the following content:
someRandomTextBLKJhfSenK4fRgqKce_ivOuC24Zso.moreRandomTextm9HeJxchJdmISmIa4cnhscTwAEe2Y
Check in your browser that the URL someRandomTextBLKJhfSenK4fRgqKce_ivOuC24Zso.moreRandomTextm9HeJxchJdmISmIa4cnhscTwAEe2Y returns
the authorization token above.
Then, you can ask to the CA to check the challenge!
Call the check command to ask the server to check your URL:
php acmephp.phar check -s http programster.org
Create and publish the text file with the content provided, then continue to the next main section (skipping "Using DNS TXT Record").
Using DNS TXT Record
If you are like me, you need to use DNS to prove you own the domain. This is because I often need to generate certificates for sites that are not exposed to the internet. Also, I prefer to add the certificate files to the container using an ADD command in the Dockerfile, rather than have it generate the certificates during the build or at the point of deployment. This way there is no room for something to go wrong.
Use the following command to tell Let's Encrypt that you wish to prove domain ownership using DNS.
php acmephp.phar authorize --solver dns \
my.domain.org
You will get output similar to:
Loading account key pair...
Requesting an authorization token for domain test.programster.org ...
The authorization token was successfully fetched!
Add the following TXT record to your DNS zone
Domain: _acme-challenge.test.programster.org.
TXT value: SomeMoreRandomTextFPgjeyVmW30m3ifxtVGt3Oc3tY
Wait for the propagation before moving to the next step
Tips: Use the following command to check the propagation
host -t TXT _acme-challenge.test.programster.org.
Then, you can ask to the CA to check the challenge!
Call the check command to ask the server to check your URL:
php acmephp.phar check -s dns test.programster.org
Add the DNS text record using the values provided in your output.
Check the record has propagated using:
host -t TXT _acme-challenge.subdomain.myDomain.org.
If that successfully returns the text record you put in, then tell the ACME server to check it.
php acmephp.phar check -s dns subdomain.myDomain.org
If that went successfully, you should get output similar to:
Loading account key pair...
Loading the authorization token for domain test.programster.org ...
Testing the challenge...
Requesting authorization check for domain test.programster.org ...
The authorization check was successful!
You are now the proved owner of the domain test.programster.org.
Please note that you won't need to prove it anymore as long as you keep the same account key pair.
You can now request a certificate for your domain:
php acmephp.phar request test.programster.org
You can now cleanup your DNS by removing the domain _acme-challenge._acme-challenge.test.programster.org..
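As an added example (not code from this post or from ACME PHP), the following script automates the two readiness checks described above before you run `check`: for the DNS challenge it parses `host -t TXT` output, and for the HTTP challenge it fetches the challenge URL over plain HTTP as the CA will. The sample `host` output is constructed, and the optional nameserver argument is an assumption that lets you query the zone's authoritative server instead of a caching resolver.

```python
import re
import subprocess
import sys
import urllib.request

# Constructed sample of `host -t TXT _acme-challenge.test.programster.org.` output,
# including a stale record left over from an earlier run.
SAMPLE_HOST_OUTPUT = (
    '_acme-challenge.test.programster.org descriptive text "OldValueFromLastTimeXXXX"\n'
    '_acme-challenge.test.programster.org descriptive text "SomeMoreRandomTextFPgjeyVmW30m3ifxtVGt3Oc3tY"\n'
)

def parse_host_txt(output):
    """Return the TXT values in `host -t TXT` output; quoted chunks of one record are joined."""
    values = []
    for line in output.splitlines():
        if "descriptive text" not in line:      # skips NXDOMAIN / "has no TXT record" lines
            continue
        rest = line.split("descriptive text", 1)[1]
        values.append("".join(re.findall(r'"((?:[^"\\]|\\.)*)"', rest)))
    return values

def txt_record_matches(output, expected):
    """True if the value printed by `authorize --solver dns` is among the served TXT values."""
    return expected in parse_host_txt(output)

def http_body_matches(body, expected):
    """The CA ignores trailing whitespace (RFC 8555 section 8.3); anything else must match exactly."""
    return body.rstrip() == expected

def check_dns(domain, expected, nameserver=""):
    """Query with host; naming an authoritative nameserver (assumed optional arg) bypasses caches."""
    cmd = ["host", "-t", "TXT", "_acme-challenge.%s." % domain] + ([nameserver] if nameserver else [])
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    return txt_record_matches(out, expected)

def check_http(domain, token, expected):
    """Fetch over plain HTTP on port 80, the same way the CA will."""
    url = "http://%s/.well-known/acme-challenge/%s" % (domain, token)
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.status == 200 and http_body_matches(resp.read().decode(), expected)

if __name__ == "__main__":
    # usage: preflight.py dns <domain> <txt-value> [nameserver]
    #        preflight.py http <domain> <token> <file-content>
    mode, args = sys.argv[1], sys.argv[2:]
    ok = check_dns(*args) if mode == "dns" else check_http(*args)
    print("ready: run php acmephp.phar check -s %s %s" % (mode, args[0]) if ok else "not ready yet")
    sys.exit(0 if ok else 1)
```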
Conclusion
You have now proved you own the domain and are ready to request a certificate for it.
First published: 16th August 2018