
I'm using phpseclib to implement certificate to my domain.

The typical procedure of certificate implementation comes through:

```text
[root@centos web]# sudo certbot --nginx -d somedomain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for somedomain.com
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org
Deploying Certificate to VirtualHost /home/admin/conf/web/somedomain.com.nginx.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /home/admin/conf/web/somedomain.com.nginx.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://somedomain.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=somedomain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/somedomain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/somedomain.com/privkey.pem
   Your cert will expire on 2019-11-23. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
```

The PHP script of the same command looks like:

```php
<?php
$hostname = '192.168.1.1'; // my hosting IP
$username = 'root';
$password = 'somesecret';  // password

include('Net/SSH2.php');   // phpseclib 1.x

$ssh = new Net_SSH2($hostname);
if (!$ssh->login($username, $password)) {
    exit('Login Failed');
}

// exec() runs the command on its own channel and returns whatever was
// produced before phpseclib's read timeout (10s by default) expires
echo $ssh->exec("sudo certbot --nginx -d somedomain.com");
```

The output I get:

```text
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Process finished with exit code 0
```

The problem is that the script should wait for a specific question ("Select the appropriate number [1-2] then [enter] (press 'c' to cancel):") and then enter 2...

I was trying to use ssh->write() and ssh->read() but the output is the same.

```php
<?php
$hostname = '192.168.1.1'; // my hosting IP
$username = 'root';
$password = 'somesecret';  // password

include('Net/SSH2.php');   // phpseclib 1.x

$ssh = new Net_SSH2($hostname);
if (!$ssh->login($username, $password)) {
    exit('Login Failed');
}

// interactive shell: write the command, then read until the prompt text appears
$ssh->write("sudo certbot --nginx -d somedomain.com");
echo $ssh->read("Select the appropriate number [1-2] then [enter] (press 'c' to cancel):");
```

Result:

```text
Last failed login: Sun Aug 25 21:04:23 CEST 2019 from 192.168.1.1 on ssh:notty
There were 2 failed login attempts since the last successful login.
Last login: Sun Aug 25 21:03:39 2019 from 192.168.1.1
sudo certbot --nginx -d somedomain.com[root@centos web]# sudo certbot --nginx -d somedomain.com 
Process finished with exit code 0
```

Please advise where to keep searching.

  • "_I was trying to use ssh->write() and ssh->read() but the output is the same_". Post the code you were using with that. Keep in mind that if you're doing `read()` / `write()` you'd need to either _not_ use `exec()` at all or else you'd need to do `enablePTY()` _before_ calling `exec()`. – neubert Aug 25 '19 at 18:41
  • @neubert updated thread – Steven Clay Aug 25 '19 at 19:06
  • So normally I'd say read the prompt first, e.g. do `$ssh->read('[prompt]');` before you do the `$ssh->write()`, because there can be a little lag time between when you first initialize the shell and when input is first accepted. Also, if you're doing `$ssh->write()` then all commands should end with `\n`, and yours doesn't. Further, if the text you're waiting for is colorized in any way then ANSI escape codes are probably being used and you need to throw in some additional "invisible" characters for the `$ssh->read()` to work as expected. – neubert Aug 25 '19 at 19:55
  • Tried this way: first `$ssh->read('[prompt]');`, then `$ssh->write("sudo certbot --nginx -d somedomain.com\n");`, and after that `echo $ssh->read();`. The result is in the next comment. – Steven Clay Aug 25 '19 at 20:28
  • `Last login: Sun Aug 25 22:25:41 2019 from 192.168.1.1 sudo certbot --nginx -d somedomain.com g Saving debug log to /var/log/letsencrypt/letsencrypt.log Process finished with exit code 0` – Steven Clay Aug 25 '19 at 20:28
  • What does `/var/log/letsencrypt/letsencrypt.log` say? Also, do `define('NET_SSH2_LOGGING', 2);` at the top and then `$ssh->getLog()` at the end of the program and post the results. Well, post them to pastebin.com and then post the pastebin.com link here. – neubert Aug 25 '19 at 20:50
  • `/var/log/letsencrypt/letsencrypt.log` shows common certbot behaviour, there's no mistake -> https://pastebin.com/0QRQhZJx. `$ssh->getLog()` outputs the same https://pastebin.com/WHUx8zYj (end of result) – Steven Clay Aug 25 '19 at 21:23
  • Can you post the full SSH logs instead of the last two lines? If you're concerned about the PW being included, don't be. The password is replaced with "password" for logging purposes. If you're curious I can show you where in the code that's done. – neubert Aug 26 '19 at 01:19

1 Answer

Even your latest pastebin.com link doesn't contain the full SSH logs but whatever. What that one included is enough to see what's going on:

```text
<- NET_SSH2_MSG_CHANNEL_DATA (since last: 2.5204, network: 0.0001s)
00000000  00:00:00:02:00:00:00:3a:53:61:76:69:6e:67:20:64  .......:Saving d
00000010  65:62:75:67:20:6c:6f:67:20:74:6f:20:2f:76:61:72  ebug log to /var
00000020  2f:6c:6f:67:2f:6c:65:74:73:65:6e:63:72:79:70:74  /log/letsencrypt
00000030  2f:6c:65:74:73:65:6e:63:72:79:70:74:2e:6c:6f:67  /letsencrypt.log
00000040  0d:0a                                            ..

-> NET_SSH2_MSG_CHANNEL_EOF (since last: 7.4256, network: 0.0001s)
00000000  00:00:00:00                                      ....
```

phpseclib has a default timeout of 10s. The "Saving debug log" message takes 2.5s to display and the next line... idk how long it normally takes to display, but phpseclib is giving up after ~7.5s. 7.5s + 2.5s is 10s, which is the timeout, hence why phpseclib is closing the connection.

I'm guessing the certbot command takes a while to run.

My recommendation is to do one of the following:

  1. Use `nohup`
  2. Disable the timeout by doing `$ssh->setTimeout(0);`
neubert
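The following script, added here as an example and not part of the question or the answer, puts the threads' advice together for both the asker's write()/read() attempt and the answer's timeout diagnosis: it disables phpseclib's 10s read timeout, reads the shell prompt before sending anything, terminates the command with `\n`, waits for certbot's redirect question with an ANSI-tolerant regex, and answers it. The host, credentials and domain are placeholders taken from the question; `NET_SSH2_READ_REGEX`, `setTimeout()`, `getLog()` and the `NET_SSH2_LOGGING` constant are phpseclib 1.x API as used in the thread. The shell-prompt regex assumes a `]# ` style root prompt as shown in the captured output.

```php
<?php
// Added example (not from the question or answer): drive certbot's interactive
// redirect prompt over a phpseclib 1.x SSH shell, with the read timeout disabled.
define('NET_SSH2_LOGGING', 2);   // NET_SSH2_LOG_COMPLEX: full packet log for getLog()

include('Net/SSH2.php');

// Placeholders as in the question. Password login as root is what the thread
// uses; key-based login (Crypt_RSA) is preferable on a real host.
$hostname = '192.168.1.1';
$username = 'root';
$password = 'somesecret';
$domain   = 'somedomain.com';

// Regexes used by read(). The shell prompt pattern matches "[root@centos web]# ".
// The certbot question pattern allows ANSI colour sequences (ESC[...m) between
// its words, in case certbot colourises the prompt.
define('SHELL_PROMPT_RE', '/\]#\s*$/');
define('CERTBOT_QUESTION_RE',
    '/Select the appropriate number \[1-2\](?:\x1b\[[0-9;]*m|.)*?\(press \'c\' to cancel\):\s*$/s');
// Either outcome of running certbot: it asks the question, or it exits and the
// shell prompt comes back (e.g. the http-01 challenge failed). Waiting for only
// the question would block forever in the second case once the timeout is 0.
define('QUESTION_OR_PROMPT_RE',
    '/(?:Select the appropriate number \[1-2\](?:\x1b\[[0-9;]*m|.)*?\(press \'c\' to cancel\):\s*$|\]#\s*$)/s');

/**
 * Runs "sudo certbot --nginx -d $domain" in the interactive shell of $ssh and
 * answers the redirect question with $choice ("1" or "2").
 * Returns the full transcript, or false if certbot never asked the question.
 */
function runCertbotWithRedirectChoice(Net_SSH2 $ssh, $domain, $choice = '2')
{
    // certbot can take far longer than phpseclib's default 10s read timeout
    // (domain validation, nginx reload), so wait indefinitely for output.
    $ssh->setTimeout(0);

    // Read until the shell prompt appears before sending anything: the shell
    // may not accept input immediately after the channel is opened.
    $transcript = $ssh->read(SHELL_PROMPT_RE, NET_SSH2_READ_REGEX);

    // Commands sent with write() must end in a newline or the shell never runs them.
    $ssh->write('sudo certbot --nginx -d ' . escapeshellarg($domain) . "\n");

    // Block until certbot either asks the question or exits back to the shell.
    $chunk = $ssh->read(QUESTION_OR_PROMPT_RE, NET_SSH2_READ_REGEX);
    $transcript .= $chunk;

    if (!preg_match(CERTBOT_QUESTION_RE, $chunk)) {
        // certbot finished without prompting; the transcript holds its error output.
        fwrite(STDERR, "certbot did not reach the redirect prompt:\n" . $transcript . "\n");
        return false;
    }

    // Answer the question, then read until the shell prompt returns so the
    // transcript includes certbot's "Congratulations" / certificate paths.
    $ssh->write($choice . "\n");
    $transcript .= $ssh->read(SHELL_PROMPT_RE, NET_SSH2_READ_REGEX);

    return $transcript;
}

$ssh = new Net_SSH2($hostname);
if (!$ssh->login($username, $password)) {
    exit('Login Failed');
}

$result = runCertbotWithRedirectChoice($ssh, $domain, '2');
if ($result === false) {
    // Dump the SSH packet log (password already masked by phpseclib) for diagnosis.
    fwrite(STDERR, $ssh->getLog() . "\n");
    exit(1);
}
echo $result;
```

Because the timeout is 0, every `read()` blocks until its pattern matches or the channel closes, which is why the script always waits on an alternation that includes the shell prompt: a certbot failure then surfaces as a returned transcript instead of a hung process with a blank screen, the symptom reported in the comment below. If the prompt is not needed at all, certbot's own non-interactive flags (`--non-interactive`, `--redirect`, `--agree-tos`) make the exec() approach from the question sufficient, provided the timeout is still raised.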
  • Regarding full SSH logs I don't know - I just posted all I got. I have tried with `$ssh->setTimeout(0);` - it seems that the terminal is stuck (I guess either some error or further actions need to take place). Is there any way to display live what's going on there (because I see a blank screen)... – Steven Clay Aug 26 '19 at 17:49
  • You may have a limit on the number of lines in your window terminal history. But as for live stuff... try `define('NET_SSH2_LOGGING', 3);` – neubert Aug 26 '19 at 18:53