How to change SSL cert for WHM server itself?

[jason404]

Hi. I am setting up an WHM server on AWS for a client. I've never used WHM/cPanel before, but I am experienced with Linux servers.

The server has automatically installed an SSL/TLS certificate for the server's hostname, but I want to install a free wildcard cert from Let's Encrypt.

$ sudo /scripts/install_lets_encrypt_autossl_provider

I ran that script and selected Let's Encrypt as the certificate provider. Now what do I do to replace the server's own certificate? When I try the regular way in the terminal using CertBot I get an error saying that mod_ssl is not enabled in Apache, even though it is enabled in WHM, but I cannot alter the Apache configuration because of WHM.

 

[jason404]

The only way I can think of so far is to change DNS records so that the domain is used on another non-WHM server and to make the certificates there and then change the records back and somehow install them on the WHM server (using the web interface), but I would like to avoid having to do that.

 

[cPanelMichael]

Hello @jason404,

You can install a new certificate for your server's services using the following option:

WHM Home » Service Configuration » Manage Service SSL Certificates

However, by default the SSL certificate for the server's hostname is assigned a free signed certificate from Comodo (we don't currently support the use of Let's Encrypt for the hostname certificate). Can you elaborate on the reason you need to use a wildcard Let's Encrypt certificate for the hostname?

Thank you.

 

[jason404]

It's so that some subdomains can be used, like mail.domain.com, whmcs.domain.com and cpanel.domain.com, some using SRV records pointing to the server services.

 

[cPanelMichael]

It's so that some subdomains can be used, like mail.domain.com, whmcs.domain.com and cpanel.domain.com, some using SRV records pointing to the server services.

With AutoSSL, you shouldn't need that because the free signed SSL certificates installed on each domain name are automatically setup and utilized by default. You can read more about this at:

What is Domain TLS - cPanel Knowledge Base - cPanel Documentation

Is there something preventing the use of AutoSSL on your domain names?

Thank you.

 

[jason404]

But, for example, currently when I go to https://cpanel.domain.com I get a Not Secure warning in Chrome, as the current certificate doesn't include that subdomain.

(for this example, it's a lot easier than remembering port numbers)

 

[cPanelMichael]

But, for example, currently when I go to https://cpanel.domain.com I get a Not Secure warning in Chrome, as the current certificate doesn't include that subdomain.

(for this example, it's a lot easier than remembering port numbers)

Hello,

AutoSSL should automatically include the proxy subdomains (e.g. cpanel.domain.tld) in the SSL certificate. Can you browse to the Logs tab in WHM >> Manage AutoSSL and see if you notice any specific errors in the log for one of the affected accounts?

Thank you.

 

[jason404]

There are no errors in the log and currently there are no accounts.

As the subdomains I have created so far only exist as SRV records, I guess that making them as dummy websites in WHM/cPanel would be the way to having the subdomains included in the AutoSSL certificate? How would I do that?

Thanks.

 

[cPanelMichael]

As the subdomains I have created so far only exist as SRV records, I guess that making them as dummy websites in WHM/cPanel would be the way to having the subdomains included in the AutoSSL certificate?

You'd need to enable Proxy Subdomains feature under the Domains tab in WHM >> Tweak Settings. Then, to populate the subdomain A records for existing domain names, you'd run the following command:

/scripts/proxydomains add --domain=domain.tld

Or, for all existing domain names on the server:

/scripts/proxydomains add

Thank you.

 

[jason404]

This seems to be what I was looking for, at least for the SRV records, but it doesn't seem to be working.

At the moment, the server's FQDN hostname is hostname.domain.tld. WHM is accessed using https://hostname.domain.tld. The only domain in WHM >> DNS Function >> Edit DNS Zones is hostname.domain.tld and, for some reason, the four nameservers at AWS Route 53 (can these be deleted?).

Going to https://domain.tld shows an error message saying that there is no site there.

Both "Proxy subdomains" and "Proxy subdomain creation" are enabled by default in Tweak Settings.

This is what happens when I try to use the script:

# /scripts/proxydomains add --domain=domain.tld
Adding proxy subdomains for domain domain.tld.
The domain domain.tld is does not belong to any user on this system

# /scripts/proxydomains add --domain=hostname.domain.tld
Adding proxy subdomains for domain hostname.domain.tld.
The domain hostname.domain.tld is does not belong to any user on this system

# /scripts/proxydomains add --domain=domain.tld --subdomain=cpanel
Adding proxy subdomains for domain domain.tld.
The domain domain.tld is does not belong to any user on this system

# /scripts/proxydomains add --subdomain=cpanel
Adding proxy subdomains for all users.
This may take several minutes if there are many accounts on the system.

Nothing seems to have changed anywhere I look. Thanks.

 

[jason404]

Okay, I deleted the DNS zone for hostname.domain.tld and made a new one for domain.tld and made an A record for hostname within that zone.

# /scripts/proxydomains add --domain=domain.tld
Adding proxy subdomains for domain domain.tld.
domain.tld                   [ADD:[email protected]:[B]127.0.0.1[/B], ADD:[email protected]:[B]127.0.0.1[/B], ADD:[email protected]:[B]127.0.0.1[/B], ADD:[email protected]:[B]127.0.0.1[/B], ADD:[email protected]:[B]127.0.0.1[/B], ADD:[email protected]:[B]127.0.0.1[/B]]

So these DNS records have been added. Do I just wait and the SSL certificate will be updated to include these subdomains?

Thanks.

 

[cPanelMichael]

At the moment, the server's FQDN hostname is hostname.domain.tld. WHM is accessed using https://hostname.domain.tld. The only domain in WHM >> DNS Function >> Edit DNS Zones is hostname.domain.tld and, for some reason, the four nameservers at AWS Route 53 (can these be deleted?).

Hello @jason404,

Have you created any cPanel accounts using WHM >> Create A New Account on this server? If not, you'll need to do this for any domain that you want to setup with it's own account for hosting website content and accessing the cPanel interface.

Remove the existing DNS zone that you manually created for "domain.tld" and instead create a new cPanel account for "domain.tld". This will automatically setup the domain's DNS zone.

You'll then want to browse to WHM >> Change Hostname and click on Change under the existing hostname entry. While you don't need to change the hostname, this action will prompt you to setup the correct A record and issue a request for the service SSL certificates.

Once you've done this, the SSL certificates for the hostname, the domain name, and the domain name's subdomains will be issued through AutoSSL (though it can take a few hours for the validation process to finish).

Thank you.