The Community Forums


cPanel SSL certs + Let's Encrypt

Discussion in 'Workarounds and Optimization' started by Arvy, Jan 25, 2016.

  1. Arvy

    Arvy Well-Known Member

    Joined:
    Oct 3, 2006
    Messages:
    92
    Likes Received:
    3
    Trophy Points:
    8
    Location:
    Brazil
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hi there!

    I'm looking for a way to use Let's Encrypt to generate system certificates, for cPanel, Exim, Dovecot and Pure-FTP, every 60 days. Manually I can run:

    Code:
    /opt/letsencrypt/letsencrypt-auto --debug certonly -a webroot --agree-tos --webroot-path=/usr/local/apache/htdocs --renew-by-default -d server.mydomain.com
    My idea is to create a bash script to overwrite the cert files and restart the services.

    From /etc/letsencrypt/live/server.mydomain.com I can "cat/concat" files to:

    Code:
    /var/cpanel/ssl/cpanel/mycpanel.cabundle
    /var/cpanel/ssl/cpanel/mycpanel.pem
    ...
    /var/cpanel/ssl/ftp/myftpd-rsa-key.pem
    /var/cpanel/ssl/ftp/myftpd-rsa.pem
    /var/cpanel/ssl/ftp/pure-ftpd.pem
    and then restart the services every time I update the certificates, using a CRON entry.

    The problem is: on /var/cpanel/ssl I have files like:

    Code:
    -rw-r--r--  1 root root  15 Jan 25 12:43 cpanel-CN
    -rw-r--r--  1 root root 2832 Jan 25 12:43 cpanel-CRTINFO
    -rw-r--r--  1 root root  15 Jan 25 12:43 cpanel-DOMAINS
    -rw-r--r--  1 root root  10 Jan 25 12:43 cpanel-NOT_AFTER
    -rw-r--r--  1 root root  1 Jan 25 12:43 cpanel-SIGNATURE_CHAIN_VERIFIED
    -rw-r--r--  1 root root  15 Jan 25 12:43 dovecot-CN
    -rw-r--r--  1 root root 2832 Jan 25 12:43 dovecot-CRTINFO
    -rw-r--r--  1 root root  15 Jan 25 12:43 dovecot-DOMAINS
    -rw-r--r--  1 root root  10 Jan 25 12:43 dovecot-NOT_AFTER
    -rw-r--r--  1 root root  1 Jan 25 12:43 dovecot-SIGNATURE_CHAIN_VERIFIED
    -rw-r--r--  1 root root  15 Jan 25 12:43 exim-CN
    -rw-r--r--  1 root root 2832 Jan 25 12:43 exim-CRTINFO
    -rw-r--r--  1 root root  15 Jan 25 12:43 exim-DOMAINS
    -rw-r--r--  1 root root  10 Jan 25 12:43 exim-NOT_AFTER
    -rw-r--r--  1 root root  1 Jan 25 12:43 exim-SIGNATURE_CHAIN_VERIFIED
    -rw-r--r--  1 root root  15 Jan 25 12:42 ftp-CN
    -rw-r--r--  1 root root 2832 Jan 25 12:42 ftp-CRTINFO
    -rw-r--r--  1 root root  15 Jan 25 12:42 ftp-DOMAINS
    -rw-r--r--  1 root root  10 Jan 25 12:42 ftp-NOT_AFTER
    -rw-r--r--  1 root root  1 Jan 25 12:42 ftp-SIGNATURE_CHAIN_VERIFIED
    
    
    I believe the files are for a cPanel internal control.

    Questions: is my idea correct, will it work? Will the files above be a problem after running my script? Can I break cPanel or exim/dovecot/pureftp (considering I'll cat/concat the files correctly)?

    Thank you!
     
    #1 Arvy, Jan 25, 2016
    Last edited by a moderator: Jan 29, 2016
    jalal and internationaldumb like this.
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,811
    Likes Received:
    671
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Replacing the data populated in those files should be all that's required. There's no script you need to run after manually updating those files. Please note this thread:

    [How-To] Installing SSL from Let's Encrypt

    Thank you.
     
    internationaldumb likes this.
  3. Arvy

    Hi Michael,

    Yes, I already have Let's Encrypt working. The link is more for installing SSL on domains (HTTPS).

    Can you confirm that if I write my own script to recreate the certificate files every 60 days for each service (exim/dovecot/pureftp/cpanel) and restart them, based on the files regenerated by each run of the Let's Encrypt script, cPanel will not alert me about expiration based on the data generated the last time I used WHM to manipulate the certificates? Meaning, if I work with the certificates directly, cPanel will not break or something, right?

    Thanks!
     
  4. Arvy

    Ok, after testing a lot, I wrote a script to use Let's Encrypt certificates for cPanel services.

    NOTES:
    CRON:
    Code:
    5 0 */75 * 6 /root/updcerts
    Will update every 75 days, only on Saturdays

    SCRIPT:
    Code:
    #!/bin/bash
    # Renew the host certificate first; abort if that fails so the service files
    # below are never truncated or overwritten from missing input
    /opt/letsencrypt/letsencrypt-auto --debug certonly -a webroot --agree-tos --webroot-path=/usr/local/apache/htdocs --renew-by-default -d $HOSTNAME || exit 1
    
    # Backup directory for the current service certificates (-p: fine if it already exists)
    /bin/mkdir -p /root/ssl
    
    \cp -f /var/cpanel/ssl/cpanel/* /root/ssl/
    /bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem /etc/letsencrypt/live/$HOSTNAME/cert.pem > /var/cpanel/ssl/cpanel/cpanel.pem
    /bin/chown cpanel:cpanel /var/cpanel/ssl/cpanel/cpanel.pem
    /sbin/service cpanel restart
    
    \cp -f /var/cpanel/ssl/exim/* /root/ssl/
    /bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem > /var/cpanel/ssl/exim/exim.key
    /bin/cat /etc/letsencrypt/live/$HOSTNAME/cert.pem > /var/cpanel/ssl/exim/exim.crt
    /bin/chown mailnull:mail /var/cpanel/ssl/exim/exim.*
    /sbin/service exim restart
    
    \cp -f /var/cpanel/ssl/ftp/* /root/ssl/
    /bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem > /var/cpanel/ssl/ftp/ftpd-rsa-key.pem
    /bin/cat /etc/letsencrypt/live/$HOSTNAME/cert.pem > /var/cpanel/ssl/ftp/ftpd-rsa.pem
    /bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem /etc/letsencrypt/live/$HOSTNAME/cert.pem > /var/cpanel/ssl/ftp/pure-ftpd.pem
    /bin/chown root:wheel /var/cpanel/ssl/ftp/*
    /sbin/service pure-ftpd restart
    
    \cp -f /var/cpanel/ssl/dovecot/* /root/ssl/
    /bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem > /var/cpanel/ssl/dovecot/dovecot.key
    /bin/cat /etc/letsencrypt/live/$HOSTNAME/cert.pem > /var/cpanel/ssl/dovecot/dovecot.crt
    /bin/chown root:wheel /var/cpanel/ssl/dovecot/dovecot.*
    /sbin/service dovecot restart
    
    Any suggestions, errors detected, ideas?

    Thanks.
     
  5. cPanelMichael

    Yes, this should work as you expect it to. cPanel will not automatically overwrite these files before a 60-day window.

    Thank you.
     
  6. Arvy

    Here is my script, updated. Hope it helps whoever wants to use LE's certs for basic cPanel services.

    You need to download the CA:

    Code:
    wget https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem
    mv lets-encrypt-x1-cross-signed.pem /etc/letsencrypt/live/$HOSTNAME/ca.pem
    The new version appends the CA to the certificates to be more compatible.

    Code:
    #!/bin/bash
    # Renew the host certificate first; abort if that fails so the service files
    # below are never truncated or overwritten from missing input
    /opt/letsencrypt/letsencrypt-auto --debug certonly -a webroot --agree-tos --webroot-path=/usr/local/apache/htdocs --renew-by-default -d $HOSTNAME || exit 1
    
    # Backup directory for the current service certificates (-p: fine if it already exists)
    /bin/mkdir -p /root/ssl
    
    # cPanel/WHM: key + cert + CA chain in a single file (\cp bypasses any "cp -i" alias)
    \cp -f /var/cpanel/ssl/cpanel/* /root/ssl/
    /bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem /etc/letsencrypt/live/$HOSTNAME/cert.pem /etc/letsencrypt/live/$HOSTNAME/ca.pem > /var/cpanel/ssl/cpanel/cpanel.pem
    /bin/chown cpanel:cpanel /var/cpanel/ssl/cpanel/cpanel.pem
    /sbin/service cpanel restart
    /sbin/service httpd restart
    
    # Exim: separate key file and cert file (cert + CA chain)
    \cp -f /var/cpanel/ssl/exim/* /root/ssl/
    /bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem > /var/cpanel/ssl/exim/exim.key
    /bin/cat /etc/letsencrypt/live/$HOSTNAME/cert.pem /etc/letsencrypt/live/$HOSTNAME/ca.pem > /var/cpanel/ssl/exim/exim.crt
    /bin/chown mailnull:mail /var/cpanel/ssl/exim/exim.*
    /sbin/service exim restart
    
    # Pure-FTPd: separate key and cert files plus a combined key + cert + CA file
    \cp -f /var/cpanel/ssl/ftp/* /root/ssl/
    /bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem > /var/cpanel/ssl/ftp/ftpd-rsa-key.pem
    /bin/cat /etc/letsencrypt/live/$HOSTNAME/cert.pem /etc/letsencrypt/live/$HOSTNAME/ca.pem > /var/cpanel/ssl/ftp/ftpd-rsa.pem
    /bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem /etc/letsencrypt/live/$HOSTNAME/cert.pem /etc/letsencrypt/live/$HOSTNAME/ca.pem > /var/cpanel/ssl/ftp/pure-ftpd.pem
    /bin/chown root:wheel /var/cpanel/ssl/ftp/*
    /sbin/service pure-ftpd restart
    
    # Dovecot: separate key file and cert file (cert + CA chain)
    \cp -f /var/cpanel/ssl/dovecot/* /root/ssl/
    /bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem > /var/cpanel/ssl/dovecot/dovecot.key
    /bin/cat /etc/letsencrypt/live/$HOSTNAME/cert.pem /etc/letsencrypt/live/$HOSTNAME/ca.pem > /var/cpanel/ssl/dovecot/dovecot.crt
    /bin/chown root:wheel /var/cpanel/ssl/dovecot/dovecot.*
    /sbin/service dovecot restart
    
    Note, again: this is for CentOS 6 and earlier. Change as needed for other systems, or CentOS 7 (systemd).
     
    ethix likes this.
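The scripts in posts #4 and #6 assemble each service's PEM file with cat and restart the service straight away, so a malformed bundle (blocks in the wrong order, two blocks fused because an input file lacked its trailing newline, or a half-written file picked up by a restart) is only discovered when the service fails to come up. As an added example, not code from this thread or from cPanel, the Python below checks a freshly written bundle before the restart: it verifies the block sequence each target expects (the table mirrors the cat commands above), that nothing sits outside the PEM blocks, and that a file carrying the private key is not group/other readable, and it writes bundles atomically with a fixed mode. The layout table, file names and PEM fixtures are constructed for illustration; the fixtures are base64 of arbitrary bytes, not real keys or certificates.

```python
# Added example (not cPanel or Let's Encrypt code): sanity-check the key/cert/CA
# bundles a renewal script writes before the services are restarted.  The layout
# table, file names and PEM fixtures are constructed for illustration.
import base64
import os
import re
import stat
import tempfile

# Block order each target expects, mirroring the cat commands in the script above.
LAYOUTS = {
    "pure-ftpd.pem": ["PRIVATE KEY", "CERTIFICATE", "CERTIFICATE"],
    "cpanel.pem": ["PRIVATE KEY", "CERTIFICATE", "CERTIFICATE"],
    "exim.key": ["PRIVATE KEY"],
    "exim.crt": ["CERTIFICATE", "CERTIFICATE"],
}
# BEGIN/END labels must match (backreference); the body is captured for decoding.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

def normalise(label):
    """'RSA PRIVATE KEY', 'EC PRIVATE KEY' and 'PRIVATE KEY' count as one kind."""
    return "PRIVATE KEY" if label.endswith("PRIVATE KEY") else label

def parse_pem(text):
    """Return [(label, der_bytes), ...] for every PEM block; ValueError on bad base64."""
    blocks = []
    for m in PEM_RE.finditer(text):
        der = base64.b64decode("".join(m.group(2).split()), validate=True)
        if not der:
            raise ValueError("empty %s block" % m.group(1))
        blocks.append((m.group(1), der))
    return blocks

def check_bundle(path, expected):
    """List problems with the bundle at `path` (empty == OK): wrong block sequence,
    text outside PEM blocks (an input lacking its trailing newline fuses two
    blocks and leaves such residue), or a key-bearing file readable by group/other."""
    with open(path) as f:
        text = f.read()
    try:
        blocks = parse_pem(text)
    except ValueError as e:
        return ["cannot parse %s: %s" % (path, e)]
    problems = []
    leftover = PEM_RE.sub("", text).strip()
    if leftover:
        problems.append("text outside PEM blocks: %r" % leftover[:40])
    kinds = [normalise(label) for label, _ in blocks]
    if kinds != expected:
        problems.append("block order %s, expected %s" % (kinds, expected))
    if "PRIVATE KEY" in kinds and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        problems.append("private key file is group/other readable")
    return problems

def write_bundle(dest, parts, mode=0o600):
    """Concatenate `parts` into `dest` atomically: fill a temp file in the same
    directory, set the final mode, then rename over `dest`, so a service restarted
    mid-write never loads a half-written bundle.  Every part is newline-terminated
    so the next BEGIN line cannot fuse with the previous END line."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(dest)))
    try:
        with os.fdopen(fd, "w") as out:
            for p in parts:
                with open(p) as src:
                    data = src.read()
                out.write(data if data.endswith("\n") else data + "\n")
        os.chmod(tmp, mode)
        os.replace(tmp, dest)
    except Exception:
        os.unlink(tmp)
        raise

def fake_block(label, payload):
    """Constructed fixture: a syntactically valid PEM block around arbitrary bytes."""
    b64 = base64.b64encode(payload).decode()
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, b64, label)

def demo():
    """Build the bundles from constructed inputs in a temp dir and check each one;
    returns {file name: problems}.  'bad.pem' is deliberately assembled wrong."""
    fixtures = {"privkey.pem": fake_block("RSA PRIVATE KEY", b"fake key"),
                "cert.pem": fake_block("CERTIFICATE", b"fake leaf"),
                "ca.pem": fake_block("CERTIFICATE", b"fake issuer")}
    plan = {"pure-ftpd.pem": ["privkey.pem", "cert.pem", "ca.pem"],
            "cpanel.pem": ["privkey.pem", "cert.pem", "ca.pem"],
            "exim.key": ["privkey.pem"], "exim.crt": ["cert.pem", "ca.pem"]}
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, content in fixtures.items():
            with open(os.path.join(d, name), "w") as f:
                f.write(content)
        for fname, parts in plan.items():
            dest = os.path.join(d, fname)
            write_bundle(dest, [os.path.join(d, p) for p in parts])
            results[fname] = check_bundle(dest, LAYOUTS[fname])
        bad = os.path.join(d, "bad.pem")  # cert before key, and world-readable
        write_bundle(bad, [os.path.join(d, "cert.pem"), os.path.join(d, "privkey.pem")], mode=0o644)
        results["bad.pem"] = check_bundle(bad, LAYOUTS["pure-ftpd.pem"])
    return results
```

In a renewal script the natural place for this is between the cat/chown lines and the service restart: only restart when `check_bundle` returns an empty list for every file, otherwise restore the copies kept in the backup directory. The mode check matters because the scripts above set ownership with chown but never an explicit mode, so the files inherit whatever the shell's umask produced.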
  7. ChristianSB

    ChristianSB Registered

    Joined:
    Sep 23, 2015
    Messages:
    2
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Denmark
    cPanel Access Level:
    Root Administrator
    Do you have a version that works on CentOS 7 running DNS Only? :)
     
  8. nimonogi

    nimonogi Member

    Joined:
    Mar 11, 2011
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    I'm looking for the exact same thing.
     
  9. cPanelMichael

    Could you elaborate on what in particular is not working on the DNS-Only server when using this custom application?

    Thank you.
     
  10. BlackRain

    BlackRain Well-Known Member

    Joined:
    May 28, 2003
    Messages:
    49
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    I bit the bullet and bought the cPanel app for Let's Encrypt and it has worked seamlessly for a while now.
     