Automatically generate certificates for services

[axel50397]

Hi there,

I'm struggling with an issue regarding Autossl/Let's-Encrypt certificates for cPanel Services (WHM/Mail/FTP). Currently, AutoSSL generates certificates for every subdomain + cpanel.* + mail.* for every account, including our website's account.

As we forbid the creation of services subdomains for users, we can't include the services subdomains like ftp.* and whm.* . If it's possible in another way, i'm open to suggestions.

Here is our current workaround: Disabling AutoSSL for our website's account and using another script instead (certbot for instance). Now from there, I would like to automate the new certificates installation to our website's account, then to WHM services (which will simply use our website's certificate which includes whm., ftp., ...). Can it be done entirely by command line?

BTW, I'm able to replace the currently installed certificates in files (~/.ssl/{certs,keys}) but even after /scripts/rebuilduserssldb, the certificates are updated on cPanel UI but not effectively on apache (the old certificates still appears on the browser). I'm certainly missing steps.

Thanks for your help.

 

[cPanelLauren]

Hello,

I'm a bit confused, as to what the actual issue is though, you can exclude specific domains from being included in the SSL check-in cPanel, none the less if the SSL check fails the SSL certificate should still be generated and installed for the valid domains. Can you explain what the issue is specifically that is causing you to want to employ an unsupported workaround?

 

[axel50397]

Hi Lauren,
Sorry if it's not clear. The simplest way to put it: We would like to include specific subdomains (like whm.* and ftp.*) to AutoSSL generation for at least 1 specific user (our website's account).

The rest is about how I thought about achieving it: We could create the subdomains in cPanel, but we forbid the creation of services subdomains by the users.

Then, I explained the current workaround: Using an external script to do it (with AutoSSL disabled for this account). And it's working perfectly, but the 2 parts I couldn't automate are: Installation on a user account, replacing the current certificate (not adding another one, which would pollute our /home/website1/ssl folder). And secondly, installation of an account certificate in WHM Services certificates.

Sorry again if my first post is messy

 

[cPanelLauren]

Hello,

I believe this would be possible by going to cPanel>>Security>>SSL/TLS Wizard and excluding all but the domains you want certificates for.

 

[axel50397]

The thing is, I don't want to exclude anything, I want to include specific subdomains (whm.* and ftp.*)...

 

[cPanelLauren]

So to do that, the only method which you could would be if the domain actually existed on the server OR if you're using Let's Encrypt and the domain *.domain.tld exists it will create wildcard certificates for the wildcard domains. This is discussed here: The Let's Encrypt Plugin - cPanel Knowledge Base - cPanel Documentation

 

[axel50397]

Well... OK. As I said, I was able to create a certificate by a non-supported method. I'll dig into your link, thanks.

My problem was also auto-installation. I have the certificate, I want to automatically install it when renewed, to WHM services, how can I do that, please?

 

[cPanelLauren]

That wouldn't be a non-supported method though and this would allow it to be done automatically. A wildcard certificate would literally cover anything.yourdomain.tld

 

[axel50397]

I agree with you concerning the generation of the certificate... But using the account's certificate as services certificates would still be a manual process I will have to do at every renewal, wouldn't it?

 

[cPanelLauren]

Hello,

No, you wouldn't, unless you're generating it for the hostname of the server to be applied in WHM>>Service Configuration>>Manage Service SSL Certificates

 

[axel50397]

Sorry, I'm a little confused by your answer.

How generating a let's encrypt certificate, for the hostname or wildcard, would make it be renewed and installed automatically?

 

[cPanelLauren]

How generating a let's encrypt certificate, for the hostname or wildcard, would make it be renewed and installed automatically?

I specifically noted that you WILL NOT be able to utilize this if you're attempting to generate a certificate for the hostname because you used the following phrase:

But using the account's certificate as services certificates would still be a manual process

To break down what I'm suggesting for you further:

• AutoSSL is our system which automatically provisions and installs free 90-day certificates and can be configured at WHM>>SSL/TLS>>Manage AutoSSL
  
  
• Let's Encrypt is a provider available using cPanel's AutoSSL function. By default, we use the Sectigo provider.
  
  
• You can select the Let's Encrypt provider to install SSL's using cPanel's AutoSSL system at WHM>>SSL/TLS>>Manage AutoSSL -> Providers which will generate and install certificates automatically.
  
  
• One advantage Let's Encrypt has over Sectigo currently is that it allows the provisioning of wildcard certificates when a wildcard domain exists (*.domain.tld)
  
  • The definition of Wildcard in this sense is: a character that will match any character or sequence of characters in a search.
  • This means it would cover the domains whm.domain.tld and ftp.domain.tld if it was present on the server
  • Because AutoSSL automatically provisions and installs the certificates you wouldn't have to make any changes, just ensure that the domain validation was able to be completed successfully on the *.domain.tld domain.

 

[axel50397]

Ok, then sorry for the confusion about which "system" to use to generate the certificates.

The thing is, we are talking about generation since the beginning, and thanks for your suggestions. But I would like to install services certificates and not care about it every 60 to 90 days (because I think AutoSSL regenerate them every 60 days, even though the expiration is 90 days).

I'm not trying to generate a hostname certificate. Our website's domain is "website.com" (example), the account is websitec, the AutoSSL certificate generates everything needed for our everyday use. This part is taken care of.

Concerning the services' certificates, I would like to use whm.website.com to use WHM (instead of https://website.com:2087). To have a valid certificate, I need to install one as (as far as I know) AutoSSL doesn't generate services' certificates. Let's say we managed to generate a valid certificate for whm.website.com, how to install it automatically by command line or using WHM's GUI?

Currently, the only way I know is by either copy paste a valid certificate and key via WHM GUI, in services certificate menu, or on the same menu by choosing an account's certificate. Is it possible to automate the process?

 

[cPanelLauren]

I think the only thing that might help if you're generating the certificates on your own, would be the whmapi1 function installssl here: https://documentation.cpanel.net/display/DD/WHM+API+1+Functions+-+installssl

We did create a hookable even that might potentially be helpful as well - SSL::installssl - Guide to Standardized Hooks - Whostmgr Functions - Developer Documentation - cPanel Documentation

 

[axel50397]

I think the only thing that might help if you're generating the certificates on your own, would be the whmapi1 function installssl here: https://documentation.cpanel.net/display/DD/WHM+API+1+Functions+-+installssl

As I was referring to service certificates, wouldn't this function be more appropriate? https://documentation.cpanel.net/display/DD/WHM+API+1+Functions+-+install_service_ssl_certificate

 

[cPanelLauren]

As I was referring to service certificates, wouldn't this function be more appropriate? https://documentation.cpanel.net/display/DD/WHM+API+1+Functions+-+install_service_ssl_certificate

That's for the hostname though, which is what I was initially referring to. This is an entirely different process and should only apply to certificates associated with the server's hostname. We do provide free 1 year certificates for this, but if your domain is using a certificate, you can set tweak settings to fall back to that domain's certificate pending it has one available.

 

[axel50397]

I think I just got exactly where we didn't understand each other.

We're not using the hostname at all. We're publicly using subdomains of our website for ftp, whm, cpanel, mail (imap/pop/smtp), etc... The server's hostname is only used internally.

As we're using ftp.website.com, whm.website.com (with service proxy), cpanel.website.com, etc... I needed a way to generate only one certificate for them all. Long story short, I can generate a wildcard certificate for *.website.com. By default, our website and cpanel will use the same certificate, but for WHM it's a manual process (WHM > Service Configuration > Manage Service SSL Certificates). And my second question was about a way to automatically install the same wildcard certificate on Services like WHM.

The function you suggested, installssl seems to allow me to install a certificate on an account, which AutoSSL already does for me. While install_service_ssl_certificate would allow me to install the account's wildcard certificate for the services.

I hope it's clearer for you. As of now, my questions were answered, and I thank you again for that