I’m amazed that there is a button to automatically add a CNAME and automatically install an SSL certificate when requesting a new SSL certificate. However, my suggestion is to create a REST API to request a new SSL certificate, delete and add CNAME, retrieve the private key and certificate until there is a REST API to install the certificate on the server.
Cron and other scheduling functions are disabled on free hosting
Did you read this
4 Likes
The REST API I mean comes from infinityfree, not our site, if the PHP curl feature can still be used.
Too bad cron can no longer be used
If I understand your request correctly: you want to have a REST API to basically access the features from the Free SSL Certificates tool? Which I presume you want for the purpose of automating the renewal of your certificate?
If so, if we are going to do anything like that, I think it’s more likely that we’ll just fully automate the SSL setup (at least the renewal, and maybe install SSL by default on all sites), for a few reasons:
- Not everyone would be able to make use of such a REST API. Only a small number of people have both the skill and motivation to actually implement this. Maybe we’d see an open source project pop up for this that other people can use, but then it’s still quite a clunky solution for something that could be included by default.
- We kinda need a speed bump in the process to prevent the issuance of certificates nobody cares about. All SSL vendors have usage limits, and we wouldn’t want SSL issuance to break for everyone because someone’s API client script went crazy and started to issue a huge number of certificates. Or even just keep issuing certificates for a website that was abandoned already.
4 Likes
What makes it so difficult that there is still no full ssl renewal automation feature? My suggestion is that the ssl expiration check is done when the visitor visits the site then the automatic renewal is done 5 days before the ssl certificate expires.
check via javascript:
var crt_pem = 'path/to/certificate.crt';
const x509 = require('x509');
var crt_obj = x509.parseCert(crt_pem);
console.log(crt_obj.notAfter);
check via php:
$crt_pem = 'path/to/certificate.crt';
$crt_obj = openssl_x509_parse(file_get_contents($crt_pem));
print_r($crt_obj['validTo']);
print_r($crt_obj['validTo_time_t']);
It’s not difficult, but I can list at least two reasons why not
Many people set up a website for a school project and after receiving a grade simply leave and leave all the files on the server, etc.
The server has to serve a large number of websites that nobody actually uses.
As admin mentioned the number of certificates is limited
and having a TLS auto-install for a bunch of abandoned sites makes no sense,
that’s why the manual process is a simple solution because whoever needs it and has a live website will come and ask for a certificate
Another reason is that there should be a difference between a free service and a premium one
The majority of the income for InfinityFree is advertisements, because advertisements are served within the Client area and in other places, and the goal is to get people to visit those places
otherwise, who would pay for this forum, various servers and the rest?
and it’s getting harder anyway because of various ad blockers and def. browser settings.
imagine it like this:
You make some tool on your website and you pay the server
and if nothing else, you try to at least cover the costs of that server by serving ads
Would it make sense for you if your server does everything automatically and people don’t have to come at all?
Very soon you would be in the financial red and would have to close the website
5 Likes
So, can infinityfree create a dedicated team feature for renewing ssl certificates?
Or can other users just renew (but don’t show others the contents of the private key) my site’s ssl certificate using one click the button?
My suggestion is that the button to automatically add CNAMEs also has a button to clear all CNAMEs.
We don’t have anything in place to allow multiple people to manage the services. Our services are primarily aimed at individuals, not businesses, so there is not a lot of demand for something like that.
If you do manage it as a team, then the only way to do so right now is to share the client area credentials with other (trustworthy) team members.
Thankfully, it’s not possible for other users to manage the SSL on your behalf. That would be a big security problem if other people could obtain an SSL certificate for your domain.
This will not work because:
- The CNAME record for most SSL providers is tied to your user profile. If someone else would try to request an SSL certificate for your domain, they will get a different CNAME record, which of course they won’t be able to set up if they don’t already control your domain.
- The SSL installation feature only works on your own accounts. If the domain is assigned to an account on a different profile, you won’t be able to do the automatic installation.
I think that this would cause more harm than help, because:
- Some people may have setup CNAME records for other purposes than SSL validation, and removing those may break stuff.
- For all providers except GoGetSSL, the same CNAME record is used to install an renew SSL certificates with all supported providers. So for most people, keeping the CNAME record in place is the smart thing to do.
Why do you think such a feature would be helpful?
4 Likes
I think for security reasons, only show the one-click button, not the CNAME data and private key. And ssl certificate from infinityfree only so no need from other parties.
So here’s how, first a user allows other users to install ssl certificates. Then another user requests an ssl certificate from InfinityFree (like GoGetSSL) until the add CNAME button appears (here the CNAME is not shown). After that, a button will appear to install the ssl certificate to the server (here the private key is also not displayed)
I’m sorry, but again, we don’t have anything in place for the management of a single hosting account by multiple people.
If we ever have the ability to have multiple users at all, and have the ability to have users with limited permissions, then having a permission option to only renew certificates would be useful.
But we’re still quite a few steps away for something like this to even be something we could begin to think about implementing.
Please understand that you’re asking for a particular team feature, but we don’t even have teams yet. And it’s not on the roadmap either.
4 Likes
This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.