cPanel + pfSense + Let's Encrypt + Curl

Discussion in 'Workarounds and Optimization' started by SeanLee, Sep 13, 2017.

  1. SeanLee

    SeanLee Well-Known Member

    I'm putting this in General Discussion, but if the mods want to move it, feel free.

    I had the dreaded “SSL certificate problem: unable to get local issuer certificate” problem when working with Let's Encrypt and scripts that were using CURL. My SSL certs for domains worked just fine in web browsers - it was only CURL that had the problems. I tried all the fixes involving editing php.ini and downloading the pem from, but nothing seemed to work.

    It seemed that in most cases, if you edit your php.ini file and provide the cainfo (curl.cainfo = "/path/to/cacert.pem") that seemed to fix most people's problems. My situation ended up being different, simply because I'm running my cPanel server behind a pfSense firewall using NAT. I spent about 4 days troubleshooting this, so I figured I'd share what I did, in case somebody else runs across it.

    1) Install the ACME package on my pfSense fw, and follow this HowTo very carefully (PDF attached in case link dies). Make sure you enable the new SSL cert, and that it shows up as valid (green) in a web browser.

    2) If you are using port 443 to access your pfSense admin area, change it (i.e. port 8443). Do this under System -> Advanced, under "webConfigurator", under the "TCP port" area. This configuration option allows you to change which port pfSense listens on. This is because you need to forward port 443 to your cPanel server.

    3) Make sure you have a NAT rule to forward the above port 443 to your (internal) cPanel server. Do this in pfSense, under Firewall -> NAT. You should change the following options on that screen:
    - Interface: WAN
    - Protocol: TCP
    - Destination: The VIP (external IP) that maps to your cPanel server
    - Destination port range: HTTPS (both from & to)
    - Redirect target IP: The main internal IP of your cPanel server
    - Redirect target port: HTTPS
    - Filter rule association: (create new rule)
    (leave all other options as default)

    4) This was the final step that got everything working for me. You need to follow Method 1 of this guide (PDF attached in case link dies) in order to enable Pure NAT reflection.

    You should now have a working version of Curl that uses your Let's Encrypt SSL certs on your cPanel server. Many thanks to Andrew, Laure, Seth and Chad at cPanel support for helping me with this.

    winncommllc likes this.
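
An added check, not part of SeanLee's post or of cPanel's tooling: it classifies `openssl s_client` output so you can compare what answers on port 443 from the cPanel server itself with what an outside host sees, before and after the NAT changes above. It assumes the curl error comes from inside requests reaching a different TLS endpoint than outside clients do, and that the certificate carries the hostname as its subject CN; the hostnames and sample outputs are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Reads `openssl s_client` output on stdin
# and reports which kind of TLS endpoint answered for hostname $1.
tls_verdict() {
    local host=$1 out subject code
    out=$(cat)
    subject=$(printf '%s\n' "$out" | sed -n 's/^subject=//p' | head -n 1)
    code=$(printf '%s\n' "$out" |
        sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$subject" ] || [ -z "$code" ]; then
        echo "NO_CERT"; return 1      # no certificate or verify result in the output
    fi
    # OpenSSL prints the CN as "CN = host" or "CN=host" depending on version.
    # Assumption: the hostname is the subject CN (wildcards are not handled).
    case "$subject" in
        *"CN = $host"|*"CN=$host") ;;
        *) echo "WRONG_ENDPOINT"; return 1 ;;  # a different device answered on :443
    esac
    if [ "$code" = "0" ]; then echo "OK"; return 0; fi
    echo "CHAIN_PROBLEM"; return 1             # right server, chain or CA bundle issue
}

# Live check (needs network): run on the cPanel server and on an outside host.
probe() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        tls_verdict "$1"
}

# Constructed s_client excerpts, not captured from a real host.
SAMPLE_FIREWALL="subject=CN = firewall.internal.example
issuer=CN = firewall.internal.example
    Verify return code: 18 (self-signed certificate)"
SAMPLE_NO_ISSUER="subject=CN = www.example.com
issuer=C = US, O = Let's Encrypt, CN = R3
    Verify return code: 20 (unable to get local issuer certificate)"
SAMPLE_GOOD="subject=CN = www.example.com
issuer=C = US, O = Let's Encrypt, CN = R3
    Verify return code: 0 (ok)"

if [ $# -gt 0 ]; then probe "$1"; fi
```

A `WRONG_ENDPOINT` result from the server alongside `OK` from outside points at the firewall path rather than at the CA bundle that `curl.cainfo` controls.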
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member


    We've moved this thread to our "Workarounds" forum category.
