Automated cPanel/WHM SSL Renew

[Krydos]

Hi,

I know I can manually install my certificates through:

WHM >> Service Configuration >> Manage Service SSL Configuration

But, is there a command line script that will do the same thing? I'm not referring to user accounts, or domains hosted on the server, but the server services themselves. server:2083, server:2087, server:2096, etc. The reason I ask is because I'm interested in automating the renewal process. I've found the certificates/keys located in

/var/cpanel/ssl

should I just write a script to move the new certificates to overwrite them into all of those service locations? Is there an easier way?

 

[Infopro]

I'm interested in automating the renewal process.

It should already be automated I believe. Here's a Feature Request with comments that explains this:
https://features.cpanel.net/topic/t...-renew-self-signed-certificates-automatically

 

[Krydos]

It should already be automated I believe. Here's a Feature Request with comments that explains this:
https://features.cpanel.net/topic/t...-renew-self-signed-certificates-automatically

Thanks for the reply, but that automatic renewal appears to be for self-signed certificates only. Am I wrong?

I have root signed certificates that I need to renew. I can create new certificates on the command line with a bash script easy enough, but what is the best way to install them on the server? Should I just overwrite the previous certificates located in /var/cpanel/ssl and the various subdirectories there? I was mainly wondering if there was a cPanel script in /scripts/ or so that would do a better job of installing the new certificates.

 

[cPanelMichael]

Hello,

You can do this with a custom script, or with a single command, by using the following WHM API 1 function:

WHM API 1 - install_service_ssl_certificate

Also, if you simply want to obtain the service SSL certificate info, you can use this function:

WHM API 1 - fetch_service_ssl_components

Let us know if you have any questions.

Thank you.

 

[Krydos]

That API was introduced in cPanel/WHM version 11.52.0.8. One of my older servers that was partitioned with the older suggested partition sizes is currently blocked from upgrading because of the 3 GB requirement.

The cPanel & WHM installation and upgrade processes require at least 3 GB of additional disk space for staging purposes.

Source: https://documentation.cpanel.net/display/ALD/Upgrade+Blockers

I know there are workarounds for this limitation such as symlinking the crap out of the /usr partiton, or I could try resizing the partitions on a live production server, but we are planning on moving all of the accounts off that server and completely refurbishing it soon anyways. Is there any easy way to install cPanel/WHM service SSL certificates through the command line on an older version of your software?

 

[cPanelMichael]

Is there any easy way to install cPanel/WHM service SSL certificates through the command line on an older version of your software?

Hello,

Yes, you can manually replace the certificate files via the command line. There's actually a thread here that should help:

cPanel SSL Certs for custom Let's Encrypt Plugin

It's a question about replacing service SSL certificates for a custom plugin that uses "Let's Encrypt", however all of the paths and information required to manually update the certificate data is provided on this thread.

Let us know if you have any questions.

Thanks!

 

[Krydos]

Thanks for the replies, and thanks for that link. I had a hard time even searching to figure out that cPanel currently stores certificates in /var/cpanel/ssl/ since it has changed so many times over the years.

In case anyone comes across this thread here is a portion of the bash script that I wrote to install the new certificates. Prior to this snippet my script renews the certificates, tests the certificates to make sure they have been updated, and then:

# location of new certificates
cert_dir="/path/to/renewed/certificates"

# location to install new certificates
cpanel_dir="/var/cpanel/ssl"

# domain that certificates are created for
domain="mydomain.com"

# create certificates here
# test certificates to make sure there is something to update

timestamp=`date +"_%Y-%m-%d_%H-%M"`

# backup existing certificates
echo "Backing up existing certificates to $backup_dir."

# courier
cp $cpanel_dir/courier/myimapd.pem $backup_dir/myimapd.pem$timestamp
cp $cpanel_dir/courier/mypop3d.pem $backup_dir/mypop3d.pem$timestamp

#cpanel
cp $cpanel_dir/cpanel/mycpanel.pem      $backup_dir/mycpanel.pem$timestamp
cp $cpanel_dir/cpanel/mycpanel.cabundle $backup_dir/mycpanel.cabundle$timestamp

#exim
cp $cpanel_dir/exim/myexim.key $backup_dir/myexim.key$timestamp
cp $cpanel_dir/exim/myexim.crt $backup_dir/myexim.crt$timestamp

# ftp
cp $cpanel_dir/ftp/pure-ftpd.pem      $backup_dir/pure-ftpd.pem$timestamp
cp $cpanel_dir/ftp/myftpd-rsa.pem     $backup_dir/myftpd-rsa.pem$timestamp
cp $cpanel_dir/ftp/myftpd-rsa-key.pem $backup_dir/myftpd-rsa-key.pem$timestamp

# install new certificates
echo "Installing new certificates to $cpanel_dir."

# courier
cat $cert_dir/$domain.key $cert_dir/$domain.crt $cert_dir/chain.crt > $cpanel_dir/courier/myimapd.pem
cat $cert_dir/$domain.key $cert_dir/$domain.crt $cert_dir/chain.crt > $cpanel_dir/courier/mypop3d.pem

# cpanel
cat $cert_dir/$domain.key $cert_dir/$domain.crt $cert_dir/chain.crt > $cpanel_dir/cpanel/mycpanel.pem
cat $cert_dir/chain.crt > $cpanel_dir/cpanel/mycpanel.cabundle

#exim
cat $cert_dir/$domain.key > $cpanel_dir/exim/myexim.key
cat $cert_dir/$domain.crt $cert_dir/chain.crt > $cpanel_dir/exim/myexim.crt

# ftp
cat $cert_dir/$domain.key $cert_dir/$domain.crt $cert_dir/chain.crt > $cpanel_dir/ftp/pure-ftpd.pem
cat $cert_dir/$domain.crt $cert_dir/chain.crt > $cpanel_dir/ftp/myftpd-rsa.pem
cat $cert_dir/$domain.key > $cpanel_dir/ftp/myftpd-rsa-key.pem

# restart services

echo "Restarting courier."
/scripts/restartsrv_courier

echo "Restarting cPanel."
/etc/init.d/cpanel restart

echo "Restarting exim."
/scripts/restartsrv_exim

echo "Restarting ftp."
/scripts/restartsrv_ftpd

I've tested it on a live production server, and it works.