
cPanel SSL certs + Let's Encrypt

Discussion in 'Workarounds and Optimization' started by Arvy, Jan 25, 2016.

  1. Arvy

    Arvy Well-Known Member

    Hi there!

    I'm looking for a way to use Let's Encrypt to generate system certificates, for cPanel, Exim, Dovecot and Pure-FTP, every 60 days. Manually I can run:

    Code:
    /opt/letsencrypt/letsencrypt-auto --debug certonly -a webroot --agree-tos --webroot-path=/usr/local/apache/htdocs --renew-by-default -d server.mydomain.com
    My idea is to create a bash script to overwrite the cert files and restart the services.

    From /etc/letsencrypt/live/server.mydomain.com I can "cat/concat" files to:

    Code:
    /var/cpanel/ssl/cpanel/mycpanel.cabundle
    /var/cpanel/ssl/cpanel/mycpanel.pem
    ...
    /var/cpanel/ssl/ftp/myftpd-rsa-key.pem
    /var/cpanel/ssl/ftp/myftpd-rsa.pem
    /var/cpanel/ssl/ftp/pure-ftpd.pem
    and then restart the services every time I update the certificates, using a CRON entry.

    The problem is: on /var/cpanel/ssl I have files like:

    Code:
    -rw-r--r--  1 root root  15 Jan 25 12:43 cpanel-CN
    -rw-r--r--  1 root root 2832 Jan 25 12:43 cpanel-CRTINFO
    -rw-r--r--  1 root root  15 Jan 25 12:43 cpanel-DOMAINS
    -rw-r--r--  1 root root  10 Jan 25 12:43 cpanel-NOT_AFTER
    -rw-r--r--  1 root root  1 Jan 25 12:43 cpanel-SIGNATURE_CHAIN_VERIFIED
    -rw-r--r--  1 root root  15 Jan 25 12:43 dovecot-CN
    -rw-r--r--  1 root root 2832 Jan 25 12:43 dovecot-CRTINFO
    -rw-r--r--  1 root root  15 Jan 25 12:43 dovecot-DOMAINS
    -rw-r--r--  1 root root  10 Jan 25 12:43 dovecot-NOT_AFTER
    -rw-r--r--  1 root root  1 Jan 25 12:43 dovecot-SIGNATURE_CHAIN_VERIFIED
    -rw-r--r--  1 root root  15 Jan 25 12:43 exim-CN
    -rw-r--r--  1 root root 2832 Jan 25 12:43 exim-CRTINFO
    -rw-r--r--  1 root root  15 Jan 25 12:43 exim-DOMAINS
    -rw-r--r--  1 root root  10 Jan 25 12:43 exim-NOT_AFTER
    -rw-r--r--  1 root root  1 Jan 25 12:43 exim-SIGNATURE_CHAIN_VERIFIED
    -rw-r--r--  1 root root  15 Jan 25 12:42 ftp-CN
    -rw-r--r--  1 root root 2832 Jan 25 12:42 ftp-CRTINFO
    -rw-r--r--  1 root root  15 Jan 25 12:42 ftp-DOMAINS
    -rw-r--r--  1 root root  10 Jan 25 12:42 ftp-NOT_AFTER
    -rw-r--r--  1 root root  1 Jan 25 12:42 ftp-SIGNATURE_CHAIN_VERIFIED
    
    
    I believe the files are for cPanel's internal control.

    Questions: is my idea correct, will it work? Will the files above be a problem after running my script? Can I break cPanel or Exim/Dovecot/Pure-FTPd (considering I'll cat/concat the files correctly)?

    Thank you!
     
    #1 Arvy, Jan 25, 2016
    Last edited by a moderator: Jan 29, 2016
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hello :)

    Replacing the data populated in those files should be all that's required. There's no script you need to run after manually updating those files. Please note this thread:

    [How-To] Installing SSL from Let's Encrypt

    Thank you.
     
  3. Arvy

    Arvy Well-Known Member

    Hi Michael,

    Yes, I already have Let's Encrypt working. The link is more about installing SSL on domains (HTTPS).

    Can you confirm that, if I write my own script to recreate the certificate files every 60 days for each service (exim/dovecot/pureftp/cpanel) and restart them, based on the files regenerated by each run of the Let's Encrypt script, cPanel will not alert me about expiration based on the data generated the last time I used WHM to manipulate the certificates? Meaning, if I work with the certificates directly, cPanel will not break or something, right?

    Thanks!
     
  4. Arvy

    Arvy Well-Known Member

    OK, after testing a lot, I wrote a script to use Let's Encrypt certificates for cPanel services.

    NOTES:
    CRON:
    Code:
    5 0 */75 * 6 /root/updcerts
    Will update every 75 days, only on Saturdays.

    SCRIPT:
    Code:
    #!/bin/bash
    # Renew the host certificate with Let's Encrypt (webroot challenge served from the Apache document root)
    /opt/letsencrypt/letsencrypt-auto --debug certonly -a webroot --agree-tos --webroot-path=/usr/local/apache/htdocs --renew-by-default -d $HOSTNAME

    # Keep a copy of the current cPanel certificate files (-p: no error when the directory already exists)
    /bin/mkdir -p /root/ssl

    # cPanel/WHM: private key and certificate in a single PEM file
    \cp -f /var/cpanel/ssl/cpanel/* /root/ssl/
    /bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem /etc/letsencrypt/live/$HOSTNAME/cert.pem > /var/cpanel/ssl/cpanel/cpanel.pem
    /bin/chown cpanel:cpanel /var/cpanel/ssl/cpanel/cpanel.pem
    /sbin/service cpanel restart

    # Exim: separate key and certificate files
    \cp -f /var/cpanel/ssl/exim/* /root/ssl/
    /bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem > /var/cpanel/ssl/exim/exim.key
    /bin/cat /etc/letsencrypt/live/$HOSTNAME/cert.pem > /var/cpanel/ssl/exim/exim.crt
    /bin/chown mailnull:mail /var/cpanel/ssl/exim/exim.*
    /sbin/service exim restart

    # Pure-FTPd: separate key and certificate files plus a combined PEM
    \cp -f /var/cpanel/ssl/ftp/* /root/ssl/
    /bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem > /var/cpanel/ssl/ftp/ftpd-rsa-key.pem
    /bin/cat /etc/letsencrypt/live/$HOSTNAME/cert.pem > /var/cpanel/ssl/ftp/ftpd-rsa.pem
    /bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem /etc/letsencrypt/live/$HOSTNAME/cert.pem > /var/cpanel/ssl/ftp/pure-ftpd.pem
    /bin/chown root:wheel /var/cpanel/ssl/ftp/*
    /sbin/service pure-ftpd restart

    # Dovecot: separate key and certificate files
    \cp -f /var/cpanel/ssl/dovecot/* /root/ssl/
    /bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem > /var/cpanel/ssl/dovecot/dovecot.key
    /bin/cat /etc/letsencrypt/live/$HOSTNAME/cert.pem > /var/cpanel/ssl/dovecot/dovecot.crt
    /bin/chown root:wheel /var/cpanel/ssl/dovecot/dovecot.*
    /sbin/service dovecot restart

    
    Any suggestions, errors detected, ideas?

    Thanks.
     
  5. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Yes, this should work as you expect it to. cPanel will not automatically overwrite these files before a 60-day window.

    Thank you.
     
  6. Arvy

    Arvy Well-Known Member

    Here is my script, updated. I hope it helps whoever wants to use LE's certs for basic cPanel services.

    You need to download the CA:

    Code:
    wget https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem
    mv lets-encrypt-x1-cross-signed.pem /etc/letsencrypt/live/$HOSTNAME/ca.pem
    The new version will append the CA to the certificates to be more compatible.

    Code:
    #!/bin/bash
    # Renew the host certificate with Let's Encrypt (webroot challenge served from the Apache document root)
    /opt/letsencrypt/letsencrypt-auto --debug certonly -a webroot --agree-tos --webroot-path=/usr/local/apache/htdocs --renew-by-default -d $HOSTNAME

    # Keep a copy of the current cPanel certificate files (-p: no error when the directory already exists)
    /bin/mkdir -p /root/ssl

    # cPanel/WHM: private key, certificate and CA chain in a single PEM file
    \cp -f /var/cpanel/ssl/cpanel/* /root/ssl/
    /bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem /etc/letsencrypt/live/$HOSTNAME/cert.pem /etc/letsencrypt/live/$HOSTNAME/ca.pem > /var/cpanel/ssl/cpanel/cpanel.pem
    /bin/chown cpanel:cpanel /var/cpanel/ssl/cpanel/cpanel.pem
    /sbin/service cpanel restart
    /sbin/service httpd restart

    # Exim: key file, and certificate with the CA chain appended
    \cp -f /var/cpanel/ssl/exim/* /root/ssl/
    /bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem > /var/cpanel/ssl/exim/exim.key
    /bin/cat /etc/letsencrypt/live/$HOSTNAME/cert.pem /etc/letsencrypt/live/$HOSTNAME/ca.pem > /var/cpanel/ssl/exim/exim.crt
    /bin/chown mailnull:mail /var/cpanel/ssl/exim/exim.*
    /sbin/service exim restart

    # Pure-FTPd: key file, certificate with CA chain, and a combined PEM
    \cp -f /var/cpanel/ssl/ftp/* /root/ssl/
    /bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem > /var/cpanel/ssl/ftp/ftpd-rsa-key.pem
    /bin/cat /etc/letsencrypt/live/$HOSTNAME/cert.pem /etc/letsencrypt/live/$HOSTNAME/ca.pem > /var/cpanel/ssl/ftp/ftpd-rsa.pem
    /bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem /etc/letsencrypt/live/$HOSTNAME/cert.pem /etc/letsencrypt/live/$HOSTNAME/ca.pem > /var/cpanel/ssl/ftp/pure-ftpd.pem
    /bin/chown root:wheel /var/cpanel/ssl/ftp/*
    /sbin/service pure-ftpd restart

    # Dovecot: key file, and certificate with the CA chain appended
    \cp -f /var/cpanel/ssl/dovecot/* /root/ssl/
    /bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem > /var/cpanel/ssl/dovecot/dovecot.key
    /bin/cat /etc/letsencrypt/live/$HOSTNAME/cert.pem /etc/letsencrypt/live/$HOSTNAME/ca.pem > /var/cpanel/ssl/dovecot/dovecot.crt
    /bin/chown root:wheel /var/cpanel/ssl/dovecot/dovecot.*
    /sbin/service dovecot restart

    
    Note, again: this is for CentOS 6 and older. Change as needed for other systems, or for CentOS 7 (systemd).
     
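The concatenation step of the scripts in this thread, written as an added example (this is not Arvy's script and not cPanel's own code): every input is checked to be a single PEM block, the bundle is built in a temporary file and renamed into place, and the previous file is kept with a timestamp, so a failed or partial Let's Encrypt run cannot leave a service with an empty or truncated certificate. The directory layout and file names are the ones used in the thread; the renewal call, the chown calls and the service restarts are left to the caller, and the root and backup directories are parameters so the code can be tried against a scratch directory first.

```shell
#!/bin/bash
# Added example: assemble the cPanel service bundles from a Let's Encrypt live
# directory, checking each part first and swapping the result in atomically, so
# a missing or truncated file never leaves a service with a broken certificate.
# Assumptions: the /var/cpanel/ssl subdirectories and file names are the ones
# used in the thread; SSL_ROOT and BACKUP_DIR are parameters so the same code
# can be exercised against a scratch directory before touching the live one.

# pem_blocks FILE: print how many "-----BEGIN" lines FILE holds (0 if absent)
pem_blocks() {
  [ -f "$1" ] || { echo 0; return; }
  grep -c -- '-----BEGIN ' "$1" || true
}

# assemble OUT BACKUP_DIR PART...: concatenate PARTs into OUT. Every PART must
# be exactly one PEM block. The bundle is built in a temp file, the old OUT is
# copied to BACKUP_DIR with a timestamp, then the temp file is renamed into
# place. On any error nothing is written and the function returns non-zero.
assemble() {
  local out=$1 backup=$2 tmp part; shift 2
  for part in "$@"; do
    [ "$(pem_blocks "$part")" = 1 ] || { echo "bad or missing PEM part: $part" >&2; return 1; }
  done
  tmp=$(mktemp "$out.XXXXXX") || return 1
  cat -- "$@" > "$tmp" && [ "$(pem_blocks "$tmp")" = "$#" ] || { rm -f "$tmp"; return 1; }
  chmod 0600 "$tmp"   # the caller applies the service's owner afterwards, as the thread's script does
  if [ -f "$out" ]; then
    cp -p -- "$out" "$backup/$(basename "$out").$(date +%Y%m%d%H%M%S)" || { rm -f "$tmp"; return 1; }
  fi
  mv -f -- "$tmp" "$out"
}

# install_all LIVE_DIR SSL_ROOT BACKUP_DIR: build every file the thread's script
# writes (same key/cert/CA layout per service); stops at the first failure.
install_all() {
  local live=$1 root=$2 bak=$3
  local k=$live/privkey.pem c=$live/cert.pem ca=$live/ca.pem
  mkdir -p "$bak" "$root/cpanel" "$root/exim" "$root/ftp" "$root/dovecot" || return 1
  assemble "$root/cpanel/cpanel.pem"    "$bak" "$k" "$c" "$ca" &&
  assemble "$root/exim/exim.key"        "$bak" "$k"            &&
  assemble "$root/exim/exim.crt"        "$bak" "$c" "$ca"      &&
  assemble "$root/ftp/ftpd-rsa-key.pem" "$bak" "$k"            &&
  assemble "$root/ftp/ftpd-rsa.pem"     "$bak" "$c" "$ca"      &&
  assemble "$root/ftp/pure-ftpd.pem"    "$bak" "$k" "$c" "$ca" &&
  assemble "$root/dovecot/dovecot.key"  "$bak" "$k"            &&
  assemble "$root/dovecot/dovecot.crt"  "$bak" "$c" "$ca"
}
```

Run it as root after the letsencrypt-auto call, e.g. `install_all /etc/letsencrypt/live/$HOSTNAME /var/cpanel/ssl /root/ssl`, and only chown and restart the services when it returns success.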
  7. ChristianSB

    ChristianSB Registered

    Do you have a version that works on CentOS 7 running DNS Only? :)
     
  8. nimonogi

    nimonogi Member

    I'm looking for the exact same thing.
     
  9. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Could you elaborate on what in particular is not working on the DNS-Only server when using this custom application?

    Thank you.
     
  10. BlackRain

    BlackRain Well-Known Member

    I bit the bullet and bought the cPanel app for Let's Encrypt, and it has worked seamlessly for a while now.
     