Feedback and suggestions / feature requests

[stgoos]

@t-me really like how easy the script works!

Here is my feedback after test driving it during the weekend:

• The DA host I'm hosted on requires https:// so it would be an suggestion to either mention it in the instructions that the protocol is required in the URL and/or to build in a test to validate that the URL includes a :// as that would also include the check for ssl://.

• Installed the script both on a subfolder and later on a subdomain, both setups work without problem.

• Requested a Let's Encrypt certificate for the domain + subdomain (on which I have Certificate Manager installed) without issues, it works, wicked!

• Added 3 more domains to my DA host (I'm on a Plus package with Antagonist). I see them nicely in the dashboard located on the first domain. (See screenshots for this and the following 2 bullets at: http://imgur.com/a/JYLPU)

• For the 4th domain I manually added the COMODO certificate I've via SSLS to the domain via the DA interface. That domain shows nicely in the dashboard with all the certificate details.

• The 2nd and 3rd domain are shown BUT I can't request the Let's Encrypt certificates via the dashboard of the Certificate Manager installation on the 1st domain. This would be definitely a very nice future feature as it would be good to only have one installation of Certificate Manager installed on your server from a security point of view.

• Another feature request would be cronjob triggered certificate renewal which auto-renews, let's say 2 days before the Let's Encrypt certificate expires. To be able to setup the cronjob you only need to have a trigger file which can be called upon by the cronjob.

• Last but not least, I think it would make good sense to secure the installation of Certificate Manager with some code in an .htaccess. Prevent view access to some key files and have it running on https:// in combo with a 'firewall rule' to limit the IP ranges to certain countries only (requires mod_geoip enabled), for example:

  
  ## Prevent viewing of .htaccess and config.ini
  <FilesMatch "\.(htaccess|ini)$">
  Order Allow,Deny  
  Deny from all
  </FilesMatch>

Prevent directory listings

Options All -Indexes

Rewrite rules start

RewriteEngine On RewriteBase /

Rewrite: always via https:// (without mod_ssl)

RewriteCond %{HTTPS} !=on [NC] RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]

Rewrite: remove www. (generic method)

RewriteCond %{HTTP_HOST} ^www. RewriteCond %{HTTPS}s ^on(s)|off RewriteCond http%1://%{HTTP_HOST} ^(https?://)(www.)?(.+)$ RewriteRule ^ %1%3%{REQUEST_URI} [R=301,L]

Rewrite: allow access only to listed countries via a 'firewall rule', with a no-access page or redirect to other website.

Include the iso3166 code of the countries you want to allow access in the list, requires mod_geoip to be installed on the server.

Please note: the no-access.php can't load anything from 'external' sources, so all css/js/images/etc should be embeded in that single file!

RewriteRule ^no-access/?$ /no-access.php [L,END] RewriteCond %{ENV:GEOIP_COUNTRY_CODE} !^(US|CA|AU|UK|DE|FR|NL|BE|etcetera)$ RewriteRule ^(.)$ /no-access/ [L] # --OR-- RewriteRule ^(.)$ https://anotherdomain.tld/$1 [L]

Maybe the .htaccess is something you just have to leave to the user of Certificate Manager to setup. But in that case it could make sense to add a page with these security tips.

[t-me]

Hello @stgoos Thanks for the feedback.

i will look at your feedback. Is there any whay i can reach you Skype or something?

The 2nd and 3rd domain are shown BUT I can't request the Let's Encrypt certificates via the dashboard of the Certificate Manager installation on the 1st domain

That should work, i have multiple domains an can request a certificat.

cronjob triggered certificate renewal which auto-renews

is on my todo list.

[t-me]

@stgoos For probely fixing (Step 1 (for 2nd and 3rd domain) ) change this function : DA_GET_SUB_DOMAINS to

Public Function DA_GET_SUB_DOMAINS($domain){
            $da = $this->DA_CONNECT();
    $da->query('/CMD_API_SUBDOMAINS',
        array(
            'domain' => $domain
        ));
    $domains = $da->fetch_parsed_body();

    if (empty($domains)) {
        return array();
    }else{
        return $domains['list'];
    }

}

`

And change this Page Encrypt to this

<?php 
    $subs = $func->DA_GET_SUB_DOMAINS($domain);
    if( empty($subs)){
        $alldomains = array($domain, 'www.'.$domain);
    } else {
        foreach($subs as $sub){
            $subdomains[] = $sub . '.' . $domain;
        }
        $domainsarr = array($domain, 'www.'.$domain);
        $alldomains = array_merge($domainsarr, $subdomains);
    }

    foreach($alldomains as $certdomain){
        if($certdomain == 'www.'.$domain || $certdomain == $domain){
            echo '<option value="'.$certdomain.'" selected>'.$certdomain.'</option>';
        }else{
            echo '<option value="'.$certdomain.'">'.$certdomain.'</option>';
        }
    }
?>

Can You tell me if this fixed the problem?

[stgoos]

Been busy at work but will have time the coming days to check. Will let you know the outcome.