Automated cPanel/WHM SSL Renew

Krydos

Well-Known Member
Jun 2, 2012
59
9
58
cPanel Access Level
Root Administrator
Hi,

I know I can manually install my certificates through:

WHM >> Service Configuration >> Manage Service SSL Configuration

But, is there a command line script that will do the same thing? I'm not referring to user accounts, or domains hosted on the server, but the server services themselves. server:2083, server:2087, server:2096, etc. The reason I ask is because I'm interested in automating the renewal process. I've found the certificates/keys located in

/var/cpanel/ssl

should I just write a script to move the new certificates to overwrite them into all of those service locations? Is there an easier way?
 

Krydos

It should already be automated I believe. Here's a Feature Request with comments that explains this:
https://features.cpanel.net/topic/t...-renew-self-signed-certificates-automatically
Thanks for the reply, but that automatic renewal appears to be for self-signed certificates only. Am I wrong?

I have root signed certificates that I need to renew. I can create new certificates on the command line with a bash script easy enough, but what is the best way to install them on the server? Should I just overwrite the previous certificates located in /var/cpanel/ssl and the various subdirectories there? I was mainly wondering if there was a cPanel script in /scripts/ or so that would do a better job of installing the new certificates.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,883
2,256
463

Krydos

That API was introduced in cPanel/WHM version 11.52.0.8. One of my older servers that was partitioned with the older suggested partition sizes is currently blocked from upgrading because of the 3 GB requirement.
The cPanel & WHM installation and upgrade processes require at least 3 GB of additional disk space for staging purposes.
Source: https://documentation.cpanel.net/display/ALD/Upgrade+Blockers

I know there are workarounds for this limitation such as symlinking the crap out of the /usr partition, or I could try resizing the partitions on a live production server, but we are planning on moving all of the accounts off that server and completely refurbishing it soon anyways. Is there any easy way to install cPanel/WHM service SSL certificates through the command line on an older version of your software?
 

cPanelMichael

Is there any easy way to install cPanel/WHM service SSL certificates through the command line on an older version of your software?
Hello,

Yes, you can manually replace the certificate files via the command line. There's actually a thread here that should help:

cPanel SSL Certs for custom Let's Encrypt Plugin

It's a question about replacing service SSL certificates for a custom plugin that uses "Let's Encrypt"; however, all of the paths and information required to manually update the certificate data are provided on this thread.

Let us know if you have any questions.

Thanks!
 

Krydos

Thanks for the replies, and thanks for that link. I had a hard time even searching to figure out that cPanel currently stores certificates in /var/cpanel/ssl/ since it has changed so many times over the years.

In case anyone comes across this thread, here is a portion of the bash script that I wrote to install the new certificates. Prior to this snippet my script renews the certificates, tests the certificates to make sure they have been updated, and then:

Code:
# location of new certificates
cert_dir="/path/to/renewed/certificates"

# location to install new certificates
cpanel_dir="/var/cpanel/ssl"

# location to keep backups of the existing certificates
# (placeholder path; the variable was used but not defined in this portion)
backup_dir="/path/to/certificate/backups"

# domain that certificates are created for
domain="mydomain.com"

# create certificates here
# test certificates to make sure there is something to update

timestamp=$(date +"_%Y-%m-%d_%H-%M")

# backup existing certificates
# several of these files contain the private key, so the backup
# directory is kept readable by root only and cp -p preserves modes
echo "Backing up existing certificates to $backup_dir."
mkdir -p "$backup_dir"
chmod 700 "$backup_dir"

# courier
cp -p "$cpanel_dir/courier/myimapd.pem" "$backup_dir/myimapd.pem$timestamp"
cp -p "$cpanel_dir/courier/mypop3d.pem" "$backup_dir/mypop3d.pem$timestamp"

# cpanel
cp -p "$cpanel_dir/cpanel/mycpanel.pem"      "$backup_dir/mycpanel.pem$timestamp"
cp -p "$cpanel_dir/cpanel/mycpanel.cabundle" "$backup_dir/mycpanel.cabundle$timestamp"

# exim
cp -p "$cpanel_dir/exim/myexim.key" "$backup_dir/myexim.key$timestamp"
cp -p "$cpanel_dir/exim/myexim.crt" "$backup_dir/myexim.crt$timestamp"

# ftp
cp -p "$cpanel_dir/ftp/pure-ftpd.pem"      "$backup_dir/pure-ftpd.pem$timestamp"
cp -p "$cpanel_dir/ftp/myftpd-rsa.pem"     "$backup_dir/myftpd-rsa.pem$timestamp"
cp -p "$cpanel_dir/ftp/myftpd-rsa-key.pem" "$backup_dir/myftpd-rsa-key.pem$timestamp"

# install new certificates
# writing with > into the existing files keeps their current owner and mode
echo "Installing new certificates to $cpanel_dir."

# courier (key + certificate + chain in one file)
cat "$cert_dir/$domain.key" "$cert_dir/$domain.crt" "$cert_dir/chain.crt" > "$cpanel_dir/courier/myimapd.pem"
cat "$cert_dir/$domain.key" "$cert_dir/$domain.crt" "$cert_dir/chain.crt" > "$cpanel_dir/courier/mypop3d.pem"

# cpanel (combined file plus a separate CA bundle)
cat "$cert_dir/$domain.key" "$cert_dir/$domain.crt" "$cert_dir/chain.crt" > "$cpanel_dir/cpanel/mycpanel.pem"
cat "$cert_dir/chain.crt" > "$cpanel_dir/cpanel/mycpanel.cabundle"

# exim (key and certificate + chain in separate files)
cat "$cert_dir/$domain.key" > "$cpanel_dir/exim/myexim.key"
cat "$cert_dir/$domain.crt" "$cert_dir/chain.crt" > "$cpanel_dir/exim/myexim.crt"

# ftp
cat "$cert_dir/$domain.key" "$cert_dir/$domain.crt" "$cert_dir/chain.crt" > "$cpanel_dir/ftp/pure-ftpd.pem"
cat "$cert_dir/$domain.crt" "$cert_dir/chain.crt" > "$cpanel_dir/ftp/myftpd-rsa.pem"
cat "$cert_dir/$domain.key" > "$cpanel_dir/ftp/myftpd-rsa-key.pem"

# restart services

echo "Restarting courier."
/scripts/restartsrv_courier

echo "Restarting cPanel."
/etc/init.d/cpanel restart

echo "Restarting exim."
/scripts/restartsrv_exim

echo "Restarting ftp."
/scripts/restartsrv_ftpd
I've tested it on a live production server, and it works.
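
The post above mentions testing the renewed certificates before installing them. As an added example (not part of the original post and not cPanel tooling), the functions below show one way to gate the install on a key/certificate match and remaining validity, and to write each combined PEM atomically. The function names and the one-day validity threshold are assumptions, and `openssl` is assumed to be on the PATH.

```bash
# Added example; function names are hypothetical, not cPanel tooling.

# Succeeds only if KEY and CERT carry the same public key.
key_matches_cert() {  # usage: key_matches_cert KEY CERT
    local key_pub cert_pub
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Succeeds only if CERT is still valid SECONDS from now.
cert_valid_for() {  # usage: cert_valid_for CERT SECONDS
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Concatenate PART... into DEST via a private temp file in the same directory,
# then rename it into place, so DEST is never truncated or half-written.
install_bundle() {  # usage: install_bundle MODE DEST PART...
    local mode dest tmp part
    mode=$1; dest=$2; shift 2
    for part in "$@"; do
        [ -s "$part" ] || { echo "missing or empty: $part" >&2; return 1; }
    done
    tmp=$(mktemp "$dest.XXXXXX") || return 1   # mktemp creates it mode 0600
    if cat "$@" > "$tmp" && chmod "$mode" "$tmp" && mv -f "$tmp" "$dest"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Check first, install second: nothing is written unless every check passes.
renew_service_pem() {  # usage: renew_service_pem DEST KEY CERT CHAIN
    key_matches_cert "$2" "$3" || { echo "key/cert mismatch" >&2; return 1; }
    cert_valid_for "$3" 86400 || { echo "expires within a day" >&2; return 1; }
    install_bundle 600 "$1" "$2" "$3" "$4"
}
```

Because the rename creates a new file, the result is owned by the user running the script with the mode passed in, rather than inheriting the old file's owner and mode; adjust both if a service reads its certificate as a non-root user.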