Simple SSL Verification using Laravel & Environment Variables

Prove control of your client domains for SSL verification without modifying your project directories

Jamison Valenta
3 minute read

In my previous post, I detailed an nginx config structure for providing white label domain services in your application under SSL.

When you run a white labeled application that allows clients to use their own domain names, one of the biggest pains can be verifying that you own their domains, which is necessary to set up an SSL certificate. The most common verification process requires you to control the DNS for the domain, but since we're talking about a white labeled application, it's very unlikely you'll have control of your client's DNS.

How non-DNS SSL Domain Validation works

Any time you need to verify control of a domain where you don't have control of its DNS, your best option is called Domain Validation, which you'll most often perform by serving a particularly-named .html or .txt file from your domain root.

In this circumstance, your SSL cert vendor will provide you a random string, and expect you to generate a file with that string as both the name and the contents.

For example, if the string your cert providers gives you isRaNd0mStR1nG, you'd need to create a file accessible at http://mostamazingservice.com/RaNd0mStR1nG.html, containing the text RaNd0mStR1nG.

So you log into your production box, add a file called RaNd0mStR1nG.html to your public directory and set the content to be raNd0mStR1nG. Or, you add a file locally, commit it to your version control, and then deploy the code changes. Both options add cruft to your application that needs to be cleaned up later. Gross.

Fortunately, with a single environment variable, Laravel, and the code below, whenever you need to create/update one of your SSL certificates, you can prove domain control by simply updating the environment variable. No need to SSH into your server, or deploy code modifications.

Note: Conveniently, if you are putting more than one domain on an SSL cert CSR (Certificate Signing Request), there's a very good chance you'll have just one RaNd0mStR1nG for all domains on the cert. This makes our job much easier.

Making it happen

Open app/Http/routes.php and add the following co de to your routes file:

Route::get(env('SSL_VERIFICATION_CODE') . '.html', function () {
    return env('SSL_VERIFICATION_CODE');
});

This route definition will match the environment variable RaNd0mStR1nG.html and respond with the contents RaNd0mStR1nG. This makes a fake static HTML file for us, which is super slick.

Then, add the new key to your .env and .env.example files:

SSL_VERIFICATION_CODE=RaNd0mStR1nG

And we're done! Push this code live and you'll never have to change it again.

Now, to verify control of a domain for your updated SSL cert, log into Laravel Forge, and follow the links to manage your application's install.

Find the environment tab, and update/add the SSL_VERIFICATION_CODE environment value to the one provided by your SSL vendor. Until you change this, the site will now serve your raNd0mStR1nG file happily and without complaint.

Cheers ~