How to change SSL cert for WHM server itself?

Discussion in 'Security' started by jason404, Aug 30, 2018.

  1. jason404

    jason404 Member

    Joined:
    Aug 22, 2018
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Nambia
    cPanel Access Level:
    Root Administrator
    Hi. I am setting up a WHM server on AWS for a client. I've never used WHM/cPanel before, but I am experienced with Linux servers.

    The server has automatically installed an SSL/TLS certificate for the server's hostname, but I want to install a free wildcard cert from Let's Encrypt.

    $ sudo /scripts/install_lets_encrypt_autossl_provider

    I ran that script and selected Let's Encrypt as the certificate provider. Now what do I do to replace the server's own certificate? When I try the regular way in the terminal using Certbot I get an error saying that mod_ssl is not enabled in Apache, even though it is enabled in WHM, but I cannot alter the Apache configuration because of WHM.
     
  2. jason404

    jason404 Member

    The only way I can think of so far is to change DNS records so that the domain is used on another non-WHM server and to make the certificates there and then change the records back and somehow install them on the WHM server (using the web interface), but I would like to avoid having to do that.
     
    #2 jason404, Aug 31, 2018
    Last edited: Aug 31, 2018
  3. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    47,335
    Likes Received:
    2,163
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @jason404,

    You can install a new certificate for your server's services using the following option:

    WHM Home » Service Configuration » Manage Service SSL Certificates

    However, by default the SSL certificate for the server's hostname is assigned a free signed certificate from Comodo (we don't currently support the use of Let's Encrypt for the hostname certificate). Can you elaborate on the reason you need to use a wildcard Let's Encrypt certificate for the hostname?

    Thank you.
     
  4. jason404

    jason404 Member

    It's so that some subdomains can be used, like mail.domain.com, whmcs.domain.com and cpanel.domain.com, some using SRV records pointing to the server services.
     
  5. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    With AutoSSL, you shouldn't need that because the free signed SSL certificates installed on each domain name are automatically set up and utilized by default. You can read more about this at:

    What is Domain TLS - cPanel Knowledge Base - cPanel Documentation

    Is there something preventing the use of AutoSSL on your domain names?

    Thank you.
     
  6. jason404

    jason404 Member

    But, for example, currently when I go to https://cpanel.domain.com I get a Not Secure warning in Chrome, as the current certificate doesn't include that subdomain.

    (for this example, it's a lot easier than remembering port numbers)
     
  7. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hello,

    AutoSSL should automatically include the proxy subdomains (e.g. cpanel.domain.tld) in the SSL certificate. Can you browse to the Logs tab in WHM >> Manage AutoSSL and see if you notice any specific errors in the log for one of the affected accounts?

    Thank you.
     
  8. jason404

    jason404 Member

    There are no errors in the log and currently there are no accounts.

    As the subdomains I have created so far only exist as SRV records, I guess that making them as dummy websites in WHM/cPanel would be the way to have the subdomains included in the AutoSSL certificate? How would I do that?

    Thanks.
     
  9. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    You'd need to enable the Proxy Subdomains feature under the Domains tab in WHM >> Tweak Settings. Then, to populate the subdomain A records for existing domain names, you'd run the following command:

    Code:
    /scripts/proxydomains add --domain=domain.tld

    Or, for all existing domain names on the server:

    Code:
    /scripts/proxydomains add

    Thank you.
     
  10. jason404

    jason404 Member

    This seems to be what I was looking for, at least for the SRV records, but it doesn't seem to be working.

    At the moment, the server's FQDN hostname is hostname.domain.tld. WHM is accessed using https://hostname.domain.tld. The only domain in WHM >> DNS Function >> Edit DNS Zones is hostname.domain.tld and, for some reason, the four nameservers at AWS Route 53 (can these be deleted?).

    Going to https://domain.tld shows an error message saying that there is no site there.

    Both "Proxy subdomains" and "Proxy subdomain creation" are enabled by default in Tweak Settings.

    This is what happens when I try to use the script:

    Code:
    # /scripts/proxydomains add --domain=domain.tld
    Adding proxy subdomains for domain domain.tld.
    The domain domain.tld is does not belong to any user on this system
    
    # /scripts/proxydomains add --domain=hostname.domain.tld
    Adding proxy subdomains for domain hostname.domain.tld.
    The domain hostname.domain.tld is does not belong to any user on this system
    
    # /scripts/proxydomains add --domain=domain.tld --subdomain=cpanel
    Adding proxy subdomains for domain domain.tld.
    The domain domain.tld is does not belong to any user on this system
    
    # /scripts/proxydomains add --subdomain=cpanel
    Adding proxy subdomains for all users.
    This may take several minutes if there are many accounts on the system.

    Nothing seems to have changed anywhere I look. Thanks.
     
    #10 jason404, Sep 1, 2018
    Last edited by a moderator: Sep 1, 2018
  11. jason404

    jason404 Member

    Okay, I deleted the DNS zone for hostname.domain.tld and made a new one for domain.tld and made an A record for hostname within that zone.

    Code:
    # /scripts/proxydomains add --domain=domain.tld
    Adding proxy subdomains for domain domain.tld.
    domain.tld                   [ADD:A@cpcalendars:127.0.0.1, ADD:A@cpanel:127.0.0.1, ADD:A@whm:127.0.0.1, ADD:A@cpcontacts:127.0.0.1, ADD:A@webmail:127.0.0.1, ADD:A@webdisk:127.0.0.1]

    So these DNS records have been added. Do I just wait and the SSL certificate will be updated to include these subdomains?

    Thanks.
     
    #11 jason404, Sep 1, 2018
    Last edited: Sep 1, 2018
  12. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hello @jason404,

    Have you created any cPanel accounts using WHM >> Create A New Account on this server? If not, you'll need to do this for any domain that you want to set up with its own account for hosting website content and accessing the cPanel interface.

    Remove the existing DNS zone that you manually created for "domain.tld" and instead create a new cPanel account for "domain.tld". This will automatically set up the domain's DNS zone.

    You'll then want to browse to WHM >> Change Hostname and click on Change under the existing hostname entry. While you don't need to change the hostname, this action will prompt you to set up the correct A record and issue a request for the service SSL certificates.

    Once you've done this, the SSL certificates for the hostname, the domain name, and the domain name's subdomains will be issued through AutoSSL (though it can take a few hours for the validation process to finish).

    Thank you.
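
The "Not Secure" warning discussed in this thread comes down to whether the name being visited appears in the certificate's subjectAltName list. The following is an added example, not part of the original posts and not cPanel code: it applies browser-style (RFC 6125) name matching to the proxy subdomain labels shown in post #11. The SAN lists are constructed and the function names are hypothetical.

```python
# Added example: which of the thread's names would a given certificate cover?
# Labels are the ones /scripts/proxydomains reported adding in post #11.
PROXY_LABELS = ["cpcalendars", "cpanel", "whm", "cpcontacts", "webmail", "webdisk"]


def san_matches(pattern, hostname):
    """True if a single SAN dNSName entry covers hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard stands for exactly one label
    if p[0] == "*":
        # Wildcard only as the whole left-most label. Requiring three or
        # more labels is a conservative assumption that refuses "*.tld".
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def uncovered(sans, hostnames):
    """Hostnames no SAN entry covers; a browser warns on each of these."""
    return [n for n in hostnames if not any(san_matches(s, n) for s in sans)]


def names_to_check(domain):
    """The bare domain plus its proxy subdomains."""
    return [domain] + [f"{label}.{domain}" for label in PROXY_LABELS]


if __name__ == "__main__":
    wanted = names_to_check("domain.tld")
    samples = {  # constructed SAN lists, not taken from a real certificate
        "hostname certificate": ["hostname.domain.tld"],
        "wildcard certificate": ["*.domain.tld"],
        "explicit per-name list": wanted,
    }
    for label, sans in samples.items():
        print(f"{label:24} missing: {uncovered(sans, wanted) or 'none'}")
```

To use it on a live server, copy the DNS names from the browser's certificate viewer into the `sans` list and compare them against `names_to_check()` for the account's domain.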
     