Arvy

Well-Known Member
Oct 3, 2006
139
10
168
Brazil
cPanel Access Level
Root Administrator
Twitter
Hi there!

I'm looking for a way to use Let's Encrypt to generate system certificates, for cPanel, Exim, Dovecot and Pure-FTP, every 60 days. Manually I can run:

Code:
/opt/letsencrypt/letsencrypt-auto --debug certonly -a webroot --agree-tos --webroot-path=/usr/local/apache/htdocs --renew-by-default -d server.mydomain.com
My idea is create a bash script to override cert files and restart the services.

From /etc/letsencrypt/live/server.mydomain.com I can "cat/concat" files to:

Code:
/var/cpanel/ssl/cpanel/mycpanel.cabundle
/var/cpanel/ssl/cpanel/mycpanel.pem
...
/var/cpanel/ssl/ftp/myftpd-rsa-key.pem
/var/cpanel/ssl/ftp/myftpd-rsa.pem
/var/cpanel/ssl/ftp/pure-ftpd.pem
and then restart the services everytime I update the certificates using a CRON entry.

The problem is: on /var/cpanel/ssl I have files like:

Code:
-rw-r--r--  1 root root  15 Jan 25 12:43 cpanel-CN
-rw-r--r--  1 root root 2832 Jan 25 12:43 cpanel-CRTINFO
-rw-r--r--  1 root root  15 Jan 25 12:43 cpanel-DOMAINS
-rw-r--r--  1 root root  10 Jan 25 12:43 cpanel-NOT_AFTER
-rw-r--r--  1 root root  1 Jan 25 12:43 cpanel-SIGNATURE_CHAIN_VERIFIED
-rw-r--r--  1 root root  15 Jan 25 12:43 dovecot-CN
-rw-r--r--  1 root root 2832 Jan 25 12:43 dovecot-CRTINFO
-rw-r--r--  1 root root  15 Jan 25 12:43 dovecot-DOMAINS
-rw-r--r--  1 root root  10 Jan 25 12:43 dovecot-NOT_AFTER
-rw-r--r--  1 root root  1 Jan 25 12:43 dovecot-SIGNATURE_CHAIN_VERIFIED
-rw-r--r--  1 root root  15 Jan 25 12:43 exim-CN
-rw-r--r--  1 root root 2832 Jan 25 12:43 exim-CRTINFO
-rw-r--r--  1 root root  15 Jan 25 12:43 exim-DOMAINS
-rw-r--r--  1 root root  10 Jan 25 12:43 exim-NOT_AFTER
-rw-r--r--  1 root root  1 Jan 25 12:43 exim-SIGNATURE_CHAIN_VERIFIED
-rw-r--r--  1 root root  15 Jan 25 12:42 ftp-CN
-rw-r--r--  1 root root 2832 Jan 25 12:42 ftp-CRTINFO
-rw-r--r--  1 root root  15 Jan 25 12:42 ftp-DOMAINS
-rw-r--r--  1 root root  10 Jan 25 12:42 ftp-NOT_AFTER
-rw-r--r--  1 root root  1 Jan 25 12:42 ftp-SIGNATURE_CHAIN_VERIFIED
I believe the files are for a cPanel internal control.

Questions: my idea is correct, will work? The files above will be a problem after running my script? Can I broke cPanel or exim/dovecot/pureftp (considering I'll cat/concat files correctly).

Thank you!
 
Last edited by a moderator:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,228
463
Hello :)

Replacing the data populated in those files should be all that's required. There's no script you need to run after manually updated those files. Please note this thread:

[How-To] Installing SSL from Let's Encrypt

Thank you.
 
  • Like
Reactions: internationaldumb

Arvy

Well-Known Member
Oct 3, 2006
139
10
168
Brazil
cPanel Access Level
Root Administrator
Twitter
Hi Michael,

yes, I already have Let's Encrypt working. The link is more for installing SSL on domains (HTTPS).

Can you confirm if I write my own script to recreate certificate files every 60 days for each service (exim/dovecot/pureftp/cpanel) and restart them, based on files regenerated by each run of Let's Encrypt script, if cPanel will not alert me about expiration from the data generated last time I used WHM to manipulate the certificates? Means, if I work with the certificates directly, cPanel will not break or something, right?

Thanks!
 

Arvy

Well-Known Member
Oct 3, 2006
139
10
168
Brazil
cPanel Access Level
Root Administrator
Twitter
Ok, after testing a lot, I did a script to use Let's Encrypt certificates to cPanel services.

NOTES:
- I did for CentOS 6. For CentOS 7 or other Systemd, need to change "services" to proper "systemctl"
- need to pre-install Let's Encrypt and run once to do the first basic configuration
- script will back up previous certs on /root/ssl
- chown is not really needed, just to be sure the owner is ok
CRON:
Code:
5 0 */75 * 6 /root/updcerts
Will update every 75 days, only on saturdays

SCRIPT:
Code:
#!/bin/bash
/opt/letsencrypt/letsencrypt-auto --debug certonly -a webroot --agree-tos --webroot-path=/usr/local/apache/htdocs --renew-by-default -d $HOSTNAME

/bin/mkdir /root/ssl

\cp -f /var/cpanel/ssl/cpanel/* /root/ssl/
/bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem /etc/letsencrypt/live/$HOSTNAME/cert.pem > /var/cpanel/ssl/cpanel/cpanel.pem
/bin/chown cpanel:cpanel /var/cpanel/ssl/cpanel/cpanel.pem
/sbin/service cpanel restart

\cp -f /var/cpanel/ssl/exim/* /root/ssl/
/bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem > /var/cpanel/ssl/exim/exim.key
/bin/cat /etc/letsencrypt/live/$HOSTNAME/cert.pem > /var/cpanel/ssl/exim/exim.crt
/bin/chown mailnull:mail /var/cpanel/ssl/exim/exim.*
/sbin/service exim restart

\cp -f /var/cpanel/ssl/ftp/* /root/ssl/
/bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem > /var/cpanel/ssl/ftp/ftpd-rsa-key.pem
/bin/cat /etc/letsencrypt/live/$HOSTNAME/cert.pem > /var/cpanel/ssl/ftp/ftpd-rsa.pem
/bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem /etc/letsencrypt/live/$HOSTNAME/cert.pem > /var/cpanel/ssl/ftp/pure-ftpd.pem
/bin/chown root:wheel /var/cpanel/ssl/ftp/*
/sbin/service pure-ftpd restart

\cp -f /var/cpanel/ssl/dovecot/* /root/ssl/
/bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem > /var/cpanel/ssl/dovecot/dovecot.key
/bin/cat /etc/letsencrypt/live/$HOSTNAME/cert.pem > /var/cpanel/ssl/dovecot/dovecot.crt
/bin/chown root:wheel /var/cpanel/ssl/dovecot/dovecot.*
/sbin/service dovecot restart
Any suggestions, errors detected, ideas?

Thanks.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,228
463
Can you confirm if I write my own script to recreate certificate files every 60 days for each service (exim/dovecot/pureftp/cpanel) and restart them, based on files regenerated by each run of Let's Encrypt script, if cPanel will not alert me about expiration from the data generated last time I used WHM to manipulate the certificates? Means, if I work with the certificates directly, cPanel will not break or something, right?
Yes, this should work as you expect it to. cPanel will not automatically overwrite these files before a 60-day window.

Thank you.
 

Arvy

Well-Known Member
Oct 3, 2006
139
10
168
Brazil
cPanel Access Level
Root Administrator
Twitter
Here is my script, updated. Hope helps who wants to use LE's certs to basic cPanel services.

You need to download the CA:

Code:
wget https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem
mv lets-encrypt-x1-cross-signed.pem /etc/letsencrypt/live/$HOSTNAME/ca.pem
New version will append CA to the certificates to be more compatible.

Code:
#!/bin/bash
/opt/letsencrypt/letsencrypt-auto --debug certonly -a webroot --agree-tos --webroot-path=/usr/local/apache/htdocs --renew-by-default -d $HOSTNAME

/bin/mkdir /root/ssl

\cp -f /var/cpanel/ssl/cpanel/* /root/ssl/
/bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem /etc/letsencrypt/live/$HOSTNAME/cert.pem /etc/letsencrypt/live/$HOSTNAME/ca.pem > /var/cpanel/ssl/cpanel/cpanel.pem
/bin/chown cpanel:cpanel /var/cpanel/ssl/cpanel/cpanel.pem
/sbin/service cpanel restart
/sbin/service httpd restart

\cp -f /var/cpanel/ssl/exim/* /root/ssl/
/bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem > /var/cpanel/ssl/exim/exim.key
/bin/cat /etc/letsencrypt/live/$HOSTNAME/cert.pem /etc/letsencrypt/live/$HOSTNAME/ca.pem > /var/cpanel/ssl/exim/exim.crt
/bin/chown mailnull:mail /var/cpanel/ssl/exim/exim.*
/sbin/service exim restart

\cp -f /var/cpanel/ssl/ftp/* /root/ssl/
/bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem > /var/cpanel/ssl/ftp/ftpd-rsa-key.pem
/bin/cat /etc/letsencrypt/live/$HOSTNAME/cert.pem /etc/letsencrypt/live/$HOSTNAME/ca.pem > /var/cpanel/ssl/ftp/ftpd-rsa.pem
/bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem /etc/letsencrypt/live/$HOSTNAME/cert.pem /etc/letsencrypt/live/$HOSTNAME/ca.pem > /var/cpanel/ssl/ftp/pure-ftpd.pem
/bin/chown root:wheel /var/cpanel/ssl/ftp/*
/sbin/service pure-ftpd restart

\cp -f /var/cpanel/ssl/dovecot/* /root/ssl/
/bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem > /var/cpanel/ssl/dovecot/dovecot.key
/bin/cat /etc/letsencrypt/live/$HOSTNAME/cert.pem /etc/letsencrypt/live/$HOSTNAME/ca.pem > /var/cpanel/ssl/dovecot/dovecot.crt
/bin/chown root:wheel /var/cpanel/ssl/dovecot/dovecot.*
/sbin/service dovecot restart
Note, again: this is for CentOS 6-. Change as needed for other systems, or CentOS 7 (systemd).
 
  • Like
Reactions: ethix

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,228
463
Do you have a version there works on CentOS 7 running DNS Only? :)
Could you elaborate on what in-particular is not working on the DNS-Only server when using this custom application?

Thank you.