Arvy
Well-Known Member, joined Oct 3, 2006, Brazil
cPanel Access Level: Root Administrator
Hi there!

I'm looking for a way to use Let's Encrypt to generate system certificates, for cPanel, Exim, Dovecot and Pure-FTP, every 60 days. Manually I can run:

Code:
/opt/letsencrypt/letsencrypt-auto --debug certonly -a webroot --agree-tos --webroot-path=/usr/local/apache/htdocs --renew-by-default -d server.mydomain.com
My idea is to create a bash script to overwrite the cert files and restart the services.

From /etc/letsencrypt/live/server.mydomain.com I can "cat/concat" files to:

Code:
/var/cpanel/ssl/cpanel/mycpanel.cabundle
/var/cpanel/ssl/cpanel/mycpanel.pem
...
/var/cpanel/ssl/ftp/myftpd-rsa-key.pem
/var/cpanel/ssl/ftp/myftpd-rsa.pem
/var/cpanel/ssl/ftp/pure-ftpd.pem
and then restart the services every time I update the certificates, using a cron entry.

The problem is: on /var/cpanel/ssl I have files like:

Code:
-rw-r--r--  1 root root  15 Jan 25 12:43 cpanel-CN
-rw-r--r--  1 root root 2832 Jan 25 12:43 cpanel-CRTINFO
-rw-r--r--  1 root root  15 Jan 25 12:43 cpanel-DOMAINS
-rw-r--r--  1 root root  10 Jan 25 12:43 cpanel-NOT_AFTER
-rw-r--r--  1 root root  1 Jan 25 12:43 cpanel-SIGNATURE_CHAIN_VERIFIED
-rw-r--r--  1 root root  15 Jan 25 12:43 dovecot-CN
-rw-r--r--  1 root root 2832 Jan 25 12:43 dovecot-CRTINFO
-rw-r--r--  1 root root  15 Jan 25 12:43 dovecot-DOMAINS
-rw-r--r--  1 root root  10 Jan 25 12:43 dovecot-NOT_AFTER
-rw-r--r--  1 root root  1 Jan 25 12:43 dovecot-SIGNATURE_CHAIN_VERIFIED
-rw-r--r--  1 root root  15 Jan 25 12:43 exim-CN
-rw-r--r--  1 root root 2832 Jan 25 12:43 exim-CRTINFO
-rw-r--r--  1 root root  15 Jan 25 12:43 exim-DOMAINS
-rw-r--r--  1 root root  10 Jan 25 12:43 exim-NOT_AFTER
-rw-r--r--  1 root root  1 Jan 25 12:43 exim-SIGNATURE_CHAIN_VERIFIED
-rw-r--r--  1 root root  15 Jan 25 12:42 ftp-CN
-rw-r--r--  1 root root 2832 Jan 25 12:42 ftp-CRTINFO
-rw-r--r--  1 root root  15 Jan 25 12:42 ftp-DOMAINS
-rw-r--r--  1 root root  10 Jan 25 12:42 ftp-NOT_AFTER
-rw-r--r--  1 root root  1 Jan 25 12:42 ftp-SIGNATURE_CHAIN_VERIFIED
I believe the files are for cPanel's internal control.

Questions: is my idea correct, will it work? Will the files above be a problem after running my script? Can I break cPanel or exim/dovecot/pureftp (considering I'll cat/concat the files correctly)?

Thank you!

cPanelMichael
Administrator, Staff member, joined Apr 11, 2011
Hello :)

Replacing the data populated in those files should be all that's required. There's no script you need to run after manually updating those files. Please note this thread:

[How-To] Installing SSL from Let's Encrypt

Thank you.

Arvy

Hi Michael,

Yes, I already have Let's Encrypt working. The link is more for installing SSL on domains (HTTPS).

Can you confirm that if I write my own script to recreate the certificate files every 60 days for each service (exim/dovecot/pureftp/cpanel) and restart them, based on the files regenerated by each run of the Let's Encrypt script, cPanel will not alert me about expiration based on the data generated the last time I used WHM to manipulate the certificates? Meaning, if I work with the certificates directly, cPanel will not break or anything, right?

Thanks!

Arvy

OK, after a lot of testing, I wrote a script to use Let's Encrypt certificates for cPanel services.

NOTES:
- I did this for CentOS 6. For CentOS 7 or other systemd systems, you need to change "service" to the proper "systemctl" command
- you need to pre-install Let's Encrypt and run it once to do the first basic configuration
- the script will back up the previous certs to /root/ssl
- chown is not really needed; it's just to be sure the owner is OK
CRON:
Code:
5 0 */75 * 6 /root/updcerts
Will update every 75 days, only on Saturdays

SCRIPT:
Code:
#!/bin/bash
# Renew (or issue) the certificate for this host's FQDN using the webroot challenge
/opt/letsencrypt/letsencrypt-auto --debug certonly -a webroot --agree-tos --webroot-path=/usr/local/apache/htdocs --renew-by-default -d $HOSTNAME

# Backup location for the previous certificates (-p: do not fail when it already exists)
/bin/mkdir -p /root/ssl

# cPanel/WHM (cpsrvd): private key and certificate in a single PEM file
\cp -f /var/cpanel/ssl/cpanel/* /root/ssl/
/bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem /etc/letsencrypt/live/$HOSTNAME/cert.pem > /var/cpanel/ssl/cpanel/cpanel.pem
/bin/chown cpanel:cpanel /var/cpanel/ssl/cpanel/cpanel.pem
/sbin/service cpanel restart

# Exim: separate key and certificate files
\cp -f /var/cpanel/ssl/exim/* /root/ssl/
/bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem > /var/cpanel/ssl/exim/exim.key
/bin/cat /etc/letsencrypt/live/$HOSTNAME/cert.pem > /var/cpanel/ssl/exim/exim.crt
/bin/chown mailnull:mail /var/cpanel/ssl/exim/exim.*
/sbin/service exim restart

# Pure-FTPd: separate key and certificate files plus a combined pure-ftpd.pem
\cp -f /var/cpanel/ssl/ftp/* /root/ssl/
/bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem > /var/cpanel/ssl/ftp/ftpd-rsa-key.pem
/bin/cat /etc/letsencrypt/live/$HOSTNAME/cert.pem > /var/cpanel/ssl/ftp/ftpd-rsa.pem
/bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem /etc/letsencrypt/live/$HOSTNAME/cert.pem > /var/cpanel/ssl/ftp/pure-ftpd.pem
/bin/chown root:wheel /var/cpanel/ssl/ftp/*
/sbin/service pure-ftpd restart

# Dovecot: separate key and certificate files
\cp -f /var/cpanel/ssl/dovecot/* /root/ssl/
/bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem > /var/cpanel/ssl/dovecot/dovecot.key
/bin/cat /etc/letsencrypt/live/$HOSTNAME/cert.pem > /var/cpanel/ssl/dovecot/dovecot.crt
/bin/chown root:wheel /var/cpanel/ssl/dovecot/dovecot.*
/sbin/service dovecot restart
Any suggestions, errors detected, ideas?

Thanks.

cPanelMichael

Can you confirm that if I write my own script to recreate the certificate files every 60 days for each service (exim/dovecot/pureftp/cpanel) and restart them, based on the files regenerated by each run of the Let's Encrypt script, cPanel will not alert me about expiration based on the data generated the last time I used WHM to manipulate the certificates? Meaning, if I work with the certificates directly, cPanel will not break or anything, right?
Yes, this should work as you expect it to. cPanel will not automatically overwrite these files before a 60-day window.

Thank you.

Arvy

Here is my updated script. Hope it helps anyone who wants to use LE's certs for the basic cPanel services.

You need to download the CA:

Code:
wget https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem
mv lets-encrypt-x1-cross-signed.pem /etc/letsencrypt/live/$HOSTNAME/ca.pem
The new version will append the CA to the certificates to be more compatible.

Code:
#!/bin/bash
# Renew (or issue) the certificate for this host's FQDN using the webroot challenge
/opt/letsencrypt/letsencrypt-auto --debug certonly -a webroot --agree-tos --webroot-path=/usr/local/apache/htdocs --renew-by-default -d $HOSTNAME

# Backup location for the previous certificates (-p: do not fail when it already exists)
/bin/mkdir -p /root/ssl

# ca.pem is the intermediate downloaded above; the client also writes the issuer
# chain for this certificate as chain.pem in the same live/ directory.
# cPanel/WHM (cpsrvd): private key, certificate and CA in a single PEM file
\cp -f /var/cpanel/ssl/cpanel/* /root/ssl/
/bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem /etc/letsencrypt/live/$HOSTNAME/cert.pem /etc/letsencrypt/live/$HOSTNAME/ca.pem > /var/cpanel/ssl/cpanel/cpanel.pem
/bin/chown cpanel:cpanel /var/cpanel/ssl/cpanel/cpanel.pem
/sbin/service cpanel restart
/sbin/service httpd restart

# Exim: separate key file; certificate file carries the CA appended
\cp -f /var/cpanel/ssl/exim/* /root/ssl/
/bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem > /var/cpanel/ssl/exim/exim.key
/bin/cat /etc/letsencrypt/live/$HOSTNAME/cert.pem /etc/letsencrypt/live/$HOSTNAME/ca.pem > /var/cpanel/ssl/exim/exim.crt
/bin/chown mailnull:mail /var/cpanel/ssl/exim/exim.*
/sbin/service exim restart

# Pure-FTPd: separate key and certificate+CA files plus a combined pure-ftpd.pem
\cp -f /var/cpanel/ssl/ftp/* /root/ssl/
/bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem > /var/cpanel/ssl/ftp/ftpd-rsa-key.pem
/bin/cat /etc/letsencrypt/live/$HOSTNAME/cert.pem /etc/letsencrypt/live/$HOSTNAME/ca.pem > /var/cpanel/ssl/ftp/ftpd-rsa.pem
/bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem /etc/letsencrypt/live/$HOSTNAME/cert.pem /etc/letsencrypt/live/$HOSTNAME/ca.pem > /var/cpanel/ssl/ftp/pure-ftpd.pem
/bin/chown root:wheel /var/cpanel/ssl/ftp/*
/sbin/service pure-ftpd restart

# Dovecot: separate key file; certificate file carries the CA appended
\cp -f /var/cpanel/ssl/dovecot/* /root/ssl/
/bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem > /var/cpanel/ssl/dovecot/dovecot.key
/bin/cat /etc/letsencrypt/live/$HOSTNAME/cert.pem /etc/letsencrypt/live/$HOSTNAME/ca.pem > /var/cpanel/ssl/dovecot/dovecot.crt
/bin/chown root:wheel /var/cpanel/ssl/dovecot/dovecot.*
/sbin/service dovecot restart
Note, again: this is for CentOS 6 and earlier. Change as needed for other systems, or CentOS 7 (systemd).
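As an added example (my code, not Arvy's script and not anything cPanel ships), here is the procedure from the two script posts above hardened in the ways a practitioner would want before putting it in root's cron: the private key is never written as a world-readable file (a plain `cat > newfile` creates it 0644 under the default umask), the renewed key is checked against the renewed certificate before anything is swapped, each target file is replaced atomically, backups are timestamped instead of overwritten on every run, the issuer chain comes from the `chain.pem` the Let's Encrypt client writes next to `cert.pem` (so no hand-downloaded `ca.pem` that goes stale when the intermediate rotates), and the restart picks `systemctl` or `service` for CentOS 7 versus 6. The paths, service names and `letsencrypt-auto` invocation are taken from the thread; the function names, the 30-day threshold and the `deploy` argument are my own assumptions.

```shell
#!/bin/bash
# Added example, not the original poster's script. Assumes the Let's Encrypt client
# has written privkey.pem, cert.pem and chain.pem under /etc/letsencrypt/live/<host>/
# and uses the cPanel target paths and service names from the thread.
set -e

HOST=${HOSTNAME:-$(hostname)}
LE_DIR="/etc/letsencrypt/live/$HOST"
BACKUP_DIR="/root/ssl/$(date +%Y%m%d-%H%M%S)"   # one backup per run, never overwritten
RENEW_DAYS=30                                  # renew when fewer days than this remain

# Whole days until the certificate in $1 expires (GNU date, as on CentOS).
days_left() {
    local not_after
    not_after=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    echo $(( ( $(date -d "$not_after" +%s) - $(date +%s) ) / 86400 ))
}

# True only if private key $1 and certificate $2 carry the same public key, so a
# half-finished renewal (new key, old cert) can never be deployed.
key_matches_cert() {
    [ -s "$1" ] && [ -s "$2" ] &&
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# install_pem MODE TARGET FILE... : concatenate FILEs into TARGET atomically.
# The temp file gets its final mode before the rename, so a key is never on disk
# as a 0644 file, and readers see either the old bundle or the complete new one.
install_pem() {
    local mode=$1 target=$2 tmp
    shift 2
    tmp=$(mktemp "$(dirname "$target")/.tmp.XXXXXX")
    cat "$@" > "$tmp"
    chmod "$mode" "$tmp"
    mv -f "$tmp" "$target"
}

# Restart $1 with systemctl on systemd hosts (CentOS 7), else the SysV "service".
restart_service() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl restart "$1"
    else
        service "$1" restart
    fi
}

main() {
    local key="$LE_DIR/privkey.pem" cert="$LE_DIR/cert.pem" chain="$LE_DIR/chain.pem" d

    # Meant to run daily from cron; only talk to the CA and restart services when due.
    if [ -s "$cert" ] && [ "$(days_left "$cert")" -gt "$RENEW_DAYS" ]; then
        echo "$cert has $(days_left "$cert") days left; nothing to do"
        return 0
    fi
    /opt/letsencrypt/letsencrypt-auto certonly -a webroot --agree-tos \
        --webroot-path=/usr/local/apache/htdocs --renew-by-default -d "$HOST"

    key_matches_cert "$key" "$cert" || { echo "key/cert mismatch, not deploying" >&2; return 1; }

    mkdir -p "$BACKUP_DIR"
    for d in cpanel exim ftp dovecot; do cp -a "/var/cpanel/ssl/$d" "$BACKUP_DIR/"; done

    # chain.pem is the issuer chain the client fetched together with the certificate.
    install_pem 0600 /var/cpanel/ssl/cpanel/cpanel.pem "$key" "$cert" "$chain"
    chown cpanel:cpanel /var/cpanel/ssl/cpanel/cpanel.pem

    install_pem 0600 /var/cpanel/ssl/exim/exim.key "$key"
    install_pem 0644 /var/cpanel/ssl/exim/exim.crt "$cert" "$chain"
    chown mailnull:mail /var/cpanel/ssl/exim/exim.key /var/cpanel/ssl/exim/exim.crt

    install_pem 0600 /var/cpanel/ssl/ftp/ftpd-rsa-key.pem "$key"
    install_pem 0644 /var/cpanel/ssl/ftp/ftpd-rsa.pem "$cert" "$chain"
    install_pem 0600 /var/cpanel/ssl/ftp/pure-ftpd.pem "$key" "$cert" "$chain"

    install_pem 0600 /var/cpanel/ssl/dovecot/dovecot.key "$key"
    install_pem 0644 /var/cpanel/ssl/dovecot/dovecot.crt "$cert" "$chain"

    for d in cpanel httpd exim pure-ftpd dovecot; do restart_service "$d"; done
}

# Deploy only when invoked as "updcerts deploy"; sourcing the file just defines the functions.
case "${1:-}" in deploy) main ;; esac
```

Schedule it daily (`5 0 * * * /root/updcerts deploy`) rather than on a fixed 60- or 75-day cadence: the `days_left` check turns the daily run into a no-op until the certificate is within 30 days of expiry, so a renewal that fails (rate limit, webroot not reachable, client update) is retried the next night instead of being noticed two months later when the services stop handshaking.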

cPanelMichael

Do you have a version that works on CentOS 7 running DNS Only? :)
Could you elaborate on what in particular is not working on the DNS-Only server when using this custom application?

Thank you.