I think I've figured it out ... don't have a solution... but I think I've figured it out.
For starters, and to clear up some confusion: SSL installs work, in both WHM and cPanel. The reason I was getting the sslinstall feature error was because I did not have the Tweak Settings option enabled for users to install their own certificate.
The issue has to do with the way I am issuing Let's Encrypt certificates.
I'm not using cPanel's AutoSSL for any of this. I wrote my own system to automatically issue Let's Encrypt certificates using acme.sh (GitHub - acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol) before cPanel released their AutoSSL. I liked my system better, so I kept it.
I don't know if you're familiar with acme.sh or not, but when you run it, it will automatically generate a CSR and request a certificate from Let's Encrypt (or any number of CAs), and the result will be a directory with the files:
ca.cer
fullchain.cer
%domain%.cer
%domain%.conf
%domain%.csr
%domain%.key
Then, with a WHM API 1 call to installssl, you can install the certificate with the parameters domain=%domain% crt=%domain%.cer key=%domain%.key cab=ca.cer
(To be clear - you have to get the contents of %domain%.cer, %domain%.key, and ca.cer and urlencode those to be passed to each parameter.)
Because the ca.cer is always retrieved correctly when a certificate is issued, you always have the latest and most up to date CA bundle.
The problem is - acme.sh is retrieving a ca.cer with two chains.
One is the:
Issuer: ISRG Root X1
Server Name: R3
The other is:
Issuer: DST Root CA X3
Server Name: ISRG Root X1
For whatever reason, if DST Root CA X3 is detected in the cab bundle passed to installssl, then the certificate does not get properly installed:
/var/cpanel/ssl/domain_tls/%domain% does not get created and is not properly populated, so that means no Dovecot or Exim for that certificate.
Now... for whatever reason, Apache is allowed to handle this just fine.
/var/cpanel/ssl/apache_tls/%domain%/combined will get filled with all of it:
KEY
CERT
ISRG Root X1
DST Root CA X3
If I create a file with just the ISRG Root X1 CA bundle and pass the contents of that file to cab in the installssl API call, everything works as it should. As a short-term solution, I can make this work. But I don't like it long term, because if the certificates are ever signed with a different CA bundle and I don't update the file that's passed to cab, then the certificates I install won't work. This was always the great thing about using the ca.cer that's given from acme.sh.
So this leads to two resolutions, either:
acme.sh is wrong to include the DST Root CA X3 CA Bundle in the ca.cer file that it retrieves.
OR
cPanel is blacklisting the DST Root CA X3 CA Bundle, partially, and not allowing it to be used in the creation of
/var/cpanel/ssl/domain_tls/%domain%
I kind of lean towards this being a cPanel issue, because I would tend to trust that what Let's Encrypt is sending is correct, since it's their system. There is also the fact that cPanel allows the DST Root CA X3 CA bundle in
/var/cpanel/ssl/apache_tls/%domain%/combined but somehow balks at it being present when creating the directory
/var/cpanel/ssl/domain_tls/%domain% and the resulting files. And given that cPanel recently messed around with the Let's Encrypt CA bundles being installed, I think something cPanel did to "fix" this is a bit dodgy.