The Community Forums

Interact with an entire community of cPanel & WHM users!

Automated cPanel/WHM SSL Renew

Discussion in 'General Discussion' started by Krydos, Jul 14, 2016.

  1. Krydos

    Krydos Member

    Joined:
    Jun 2, 2012
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hi,

    I know I can manually install my certificates through:

    WHM >> Service Configuration >> Manage Service SSL Configuration

    But, is there a command line script that will do the same thing? I'm not referring to user accounts, or domains hosted on the server, but the server services themselves. server:2083, server:2087, server:2096, etc. The reason I ask is because I'm interested in automating the renewal process. I've found the certificates/keys located in

    /var/cpanel/ssl

    Should I just write a script to move the new certificates to overwrite them into all of those service locations? Is there an easier way?
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,451
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
  3. Krydos

    Krydos Member

    Thanks for the reply, but that automatic renewal appears to be for self-signed certificates only. Am I wrong?

    I have root signed certificates that I need to renew. I can create new certificates on the command line with a bash script easy enough, but what is the best way to install them on the server? Should I just overwrite the previous certificates located in /var/cpanel/ssl and the various subdirectories there? I was mainly wondering if there was a cPanel script in /scripts/ or so that would do a better job of installing the new certificates.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    654
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  5. Krydos

    Krydos Member

    That API was introduced in cPanel/WHM version 11.52.0.8. One of my older servers that was partitioned with the older suggested partition sizes is currently blocked from upgrading because of the 3 GB requirement.
    Source: https://documentation.cpanel.net/display/ALD/Upgrade+Blockers

    I know there are workarounds for this limitation such as symlinking the crap out of the /usr partition, or I could try resizing the partitions on a live production server, but we are planning on moving all of the accounts off that server and completely refurbishing it soon anyways. Is there any easy way to install cPanel/WHM service SSL certificates through the command line on an older version of your software?
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Yes, you can manually replace the certificate files via the command line. There's actually a thread here that should help:

    cPanel SSL Certs for custom Let's Encrypt Plugin

    It's a question about replacing service SSL certificates for a custom plugin that uses "Let's Encrypt"; however, all of the paths and information required to manually update the certificate data are provided on this thread.

    Let us know if you have any questions.

    Thanks!
     
  7. Krydos

    Krydos Member

    Thanks for the replies, and thanks for that link. I had a hard time even searching to figure out that cPanel currently stores certificates in /var/cpanel/ssl/ since it has changed so many times over the years.

    In case anyone comes across this thread, here is a portion of the bash script that I wrote to install the new certificates. Prior to this snippet my script renews the certificates, tests the certificates to make sure they have been updated, and then:

    Code:
    # location of new certificates
    cert_dir="/path/to/renewed/certificates"
    
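    # location to install new certificates
    cpanel_dir="/var/cpanel/ssl"
    
    # location to keep backups of the old certificates (placeholder path)
    # the backups include private keys, so keep the directory root-only
    backup_dir="/path/to/certificate/backups"
    mkdir -p "$backup_dir" && chmod 700 "$backup_dir"
    
    # domain that certificates are created for
    domain="mydomain.com"
    
    # create certificates here
    # test certificates to make sure there is something to update
    
    timestamp=$(date +"_%Y-%m-%d_%H-%M")
    
    # backup existing certificates
    echo "Backing up existing certificates to $backup_dir."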
    
    # courier
    cp $cpanel_dir/courier/myimapd.pem $backup_dir/myimapd.pem$timestamp
    cp $cpanel_dir/courier/mypop3d.pem $backup_dir/mypop3d.pem$timestamp
    
    #cpanel
    cp $cpanel_dir/cpanel/mycpanel.pem      $backup_dir/mycpanel.pem$timestamp
    cp $cpanel_dir/cpanel/mycpanel.cabundle $backup_dir/mycpanel.cabundle$timestamp
    
    #exim
    cp $cpanel_dir/exim/myexim.key $backup_dir/myexim.key$timestamp
    cp $cpanel_dir/exim/myexim.crt $backup_dir/myexim.crt$timestamp
    
    # ftp
    cp $cpanel_dir/ftp/pure-ftpd.pem      $backup_dir/pure-ftpd.pem$timestamp
    cp $cpanel_dir/ftp/myftpd-rsa.pem     $backup_dir/myftpd-rsa.pem$timestamp
    cp $cpanel_dir/ftp/myftpd-rsa-key.pem $backup_dir/myftpd-rsa-key.pem$timestamp
    
    # install new certificates
    echo "Installing new certificates to $cpanel_dir."
    
    # courier
    cat $cert_dir/$domain.key $cert_dir/$domain.crt $cert_dir/chain.crt > $cpanel_dir/courier/myimapd.pem
    cat $cert_dir/$domain.key $cert_dir/$domain.crt $cert_dir/chain.crt > $cpanel_dir/courier/mypop3d.pem
    
    # cpanel
    cat $cert_dir/$domain.key $cert_dir/$domain.crt $cert_dir/chain.crt > $cpanel_dir/cpanel/mycpanel.pem
    cat $cert_dir/chain.crt > $cpanel_dir/cpanel/mycpanel.cabundle
    
    #exim
    cat $cert_dir/$domain.key > $cpanel_dir/exim/myexim.key
    cat $cert_dir/$domain.crt $cert_dir/chain.crt > $cpanel_dir/exim/myexim.crt
    
    # ftp
    cat $cert_dir/$domain.key $cert_dir/$domain.crt $cert_dir/chain.crt > $cpanel_dir/ftp/pure-ftpd.pem
    cat $cert_dir/$domain.crt $cert_dir/chain.crt > $cpanel_dir/ftp/myftpd-rsa.pem
    cat $cert_dir/$domain.key > $cpanel_dir/ftp/myftpd-rsa-key.pem
    
    # restart services
    
    echo "Restarting courier."
    /scripts/restartsrv_courier
    
    echo "Restarting cPanel."
    /etc/init.d/cpanel restart
    
    echo "Restarting exim."
    /scripts/restartsrv_exim
    
    echo "Restarting ftp."
    /scripts/restartsrv_ftpd
    
    I've tested it on a live production server, and it works.
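
The install step in the script above writes with `cat ... > file`, which truncates the live file before the inputs are read, so a missing `chain.crt` leaves a service with a partial PEM right before its restart. The following is an added example, not part of Krydos's script or of cPanel's tooling: a hypothetical `install_pem` helper that assembles the file next to its destination, checks it, and renames it into place. It performs a structural check only and assumes the key/certificate match was already tested earlier in the script, as the post describes.

```bash
#!/bin/bash
# Added example: assemble a combined PEM next to its destination and rename it
# into place, so a failed build never truncates the file a service is using.
# install_pem is a hypothetical helper name, not a cPanel script.

# install_pem DEST SRC...  -> 0 on success; non-zero with DEST left untouched.
install_pem() {
    local dest tmp src begins ends
    dest="$1"; shift
    [ "$#" -ge 1 ] || { echo "no input files for $dest" >&2; return 1; }
    # Refuse to start if any input is missing or empty.
    for src in "$@"; do
        [ -s "$src" ] || { echo "missing or empty input: $src" >&2; return 1; }
    done
    # Temp file in the destination directory: mv is then a same-filesystem rename.
    tmp=$(mktemp "${dest}.XXXXXX") || return 1   # created with mode 0600
    # Carry over owner and mode of the file being replaced, as `cat >` would.
    if [ -e "$dest" ]; then
        cp -p "$dest" "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    if ! cat "$@" > "$tmp"; then rm -f "$tmp"; return 1; fi
    # Structural check only: at least one PEM block, every BEGIN has an END.
    begins=$(grep -c '^-----BEGIN ' "$tmp" || true)
    ends=$(grep -c '^-----END ' "$tmp" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "malformed PEM, keeping existing $dest" >&2
        rm -f "$tmp"; return 1
    fi
    mv -f "$tmp" "$dest"
}

# Usage with the variables from the script above (shown as a comment so that
# sourcing this file touches nothing under /var/cpanel/ssl):
#   install_pem "$cpanel_dir/cpanel/mycpanel.pem" \
#       "$cert_dir/$domain.key" "$cert_dir/$domain.crt" "$cert_dir/chain.crt" \
#       || { echo "install failed, not restarting cPanel" >&2; exit 1; }
```

Checking the return value before each restart keeps a service on its old certificate when the new one could not be assembled.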
     