UPDATE: As of cPanel and WHM version 58 the AutoSSL feature now includes Let's Encrypt support. This blog post will help you get set up there.
Anyone using the custom workaround in this thread may want to keep this in mind when following these steps.
The following shows how to install the Let's Encrypt client and how to generate and install SSL certificates from Let's Encrypt via the WHM API using a custom workaround.
Installing the Let's Encrypt Client on CentOS 6.x
Please note: The Let's Encrypt client requires (or at least prefers) Python 2.7, so we will install Python 2.7 alongside the system Python 2.6. Don't worry, it won't break anything.
Code:
rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
rpm -ivh https://rhel6.iuscommunity.org/ius-release.rpm
yum -y install git python27 python27-devel python27-pip python27-setuptools python27-virtualenv --enablerepo=ius
cd /root
git clone https://github.com/letsencrypt/letsencrypt
cd /root/letsencrypt
sed -i "s|--python python2|--python python2.7|" letsencrypt-auto
./letsencrypt-auto --verbose
Installing the Let's Encrypt Client on CentOS 7.x
Code:
yum -y install git
cd /root
git clone https://github.com/letsencrypt/letsencrypt
cd /root/letsencrypt
./letsencrypt-auto --verbose
NOTE: The Let's Encrypt installer creates the /etc/letsencrypt/renewal and /etc/letsencrypt/csr directories world readable. The administrator may want to tighten the permissions on these directories to fit their requirements.
Generate an SSL
You will be required to enter your email address and accept the Let's Encrypt license agreement; I would recommend using the server admin's email. Also make sure you replace "cPanelUser" with the actual cPanel username. This is required so the Let's Encrypt client can create the authorization files under the domain's document root and they can be served during validation. If you are installing a certificate for a subdomain or addon domain that points to another path, set --webroot-path to that subdomain's or addon domain's document root.
Code:
cd /root/letsencrypt
./letsencrypt-auto --text --agree-tos --email [email protected] certonly --renew-by-default --webroot --webroot-path /home/cPanelUser/public_html/ -d domain.com -d www.domain.com
For all subsequent runs use the following, as there is no need to re-provide your email or re-agree to the TOS.
Code:
cd /root/.local/share/letsencrypt/bin/
./letsencrypt --text certonly --renew-by-default --webroot --webroot-path /home/cPanelUser/public_html/ -d domain.com -d www.domain.com
By adding --renew-by-default you can put this in a cron job to run every 60 (recommended) or, say, 85 days, so the certificate is renewed before it expires and you can confirm the new certs were retrieved. Then all you need to do is run the install script below again to install the updated certificate into cPanel. Keep in mind that cron's day-of-month field only covers 1-31, so "*/60" there matches day 1 only: the entry below effectively runs at midnight on the first of every month, which is still well inside the 90-day validity period.
Code:
0 0 */60 * * /root/.local/share/letsencrypt/bin/letsencrypt --text certonly --renew-by-default --webroot --webroot-path /home/cPanelUser/public_html/ -d domain.com -d www.domain.com; /root/installssl.pl domain.com
You can also generate an SSL certificate via Get HTTPS for free!, but additional steps are required.
Script to automatically install the SSLs you generated
This script installs the SSLs you generated into cPanel/WHM via the WHM API. Please note the following:
1. You must replace "rootpass" with your actual root password.
2. The CA Bundle is not in the location below by default; it is generally saved to /etc/letsencrypt/live/domain.com/fullchain.pem and is the second certificate in that file. I have included the CA Bundle below the script so you can create this file yourself.
Code:
#!/usr/local/cpanel/3rdparty/bin/perl
# installssl.pl - install a Let's Encrypt certificate into cPanel/WHM via the
# WHM API 1 "installssl" function. Usage: ./installssl.pl domain.com
use strict;
use warnings;
use LWP::UserAgent;
use LWP::Protocol::https;
use HTTP::Request;
use MIME::Base64;
use IO::Socket::SSL;
use URI::Escape;

# WHM credentials. Replace "rootpass" with the real root password and keep
# this script readable by root only (chmod 700), since it holds that password.
my $user = "root";
my $pass = "rootpass";
# Empty line terminator so no trailing newline ends up in the header value.
my $auth = "Basic " . MIME::Base64::encode_base64( $user . ":" . $pass, "" );

# WHM listens on 127.0.0.1:2087 with its own (usually self-signed) certificate,
# so verification of that local endpoint is disabled here.
my $ua = LWP::UserAgent->new(
    ssl_opts => { verify_hostname => 0, SSL_verify_mode => 'SSL_VERIFY_NONE', SSL_use_cert => 0 },
);

my $dom = $ARGV[0] or die "usage: $0 domain.com\n";
my $certfile = "/etc/letsencrypt/live/$dom/cert.pem";
my $keyfile  = "/etc/letsencrypt/live/$dom/privkey.pem";
my $cafile   = "/etc/letsencrypt/live/$dom/chain.pem";

# Read a whole file into a string.
sub slurp {
    my ($path) = @_;
    open( my $fh, '<', $path ) or die "cannot open file $path: $!\n";
    local $/;
    my $data = <$fh>;
    close($fh);
    return $data;
}

my $certdata = slurp($certfile);
my $keydata  = slurp($keyfile);
my $cadata   = slurp($cafile);

# installssl expects the PEM data URL-encoded in the crt, key and cab parameters.
my $cert = uri_escape($certdata);
my $key  = uri_escape($keydata);
my $ca   = uri_escape($cadata);

my $request = HTTP::Request->new( POST => "https://127.0.0.1:2087/json-api/installssl?api.version=1&domain=$dom&crt=$cert&key=$key&cab=$ca" );
$request->header( Authorization => $auth );
my $response = $ua->request($request);

# Print the JSON reply; a non-2xx status means the certificate was not installed.
print $response->content, "\n";
die "installssl request failed: " . $response->status_line . "\n" unless $response->is_success;
Add the Let's Encrypt CA Bundle
Let's Encrypt should now include the CA Bundle when generating certs. It will be saved as chain.pem.
In the event that it is missing or not created, you can manually create the CA file for use with the script above (paste in the intermediate certificate, which is the second certificate in fullchain.pem) and change "my $cafile" in the script to point at this file instead.
Code:
vi /etc/letsencrypt/live/bundle.txt
When editing that file, paste in the following and save.
Note: This has been updated with the Let's Encrypt Authority X3 intermediate.
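Since the CA bundle is the second certificate in fullchain.pem (item 2 above), the following added helper, which is not part of the original post, splits fullchain.pem into the leaf certificate and the intermediate chain and sanity-checks that the chain issued the certificate and that privkey.pem matches it before installssl.pl is run. It assumes openssl is installed and the usual /etc/letsencrypt/live/domain.com/ file names.

```shell
#!/bin/sh
# Split a Let's Encrypt fullchain.pem into the leaf certificate and the CA bundle.
# The first PEM block is the server certificate; everything after it is the
# intermediate chain that installssl expects in the "cab" parameter.
# Usage: split_fullchain /etc/letsencrypt/live/domain.com/fullchain.pem \
#            /etc/letsencrypt/live/cert.pem /etc/letsencrypt/live/bundle.txt
split_fullchain() {
    fullchain="$1"; leaf_out="$2"; chain_out="$3"
    [ -r "$fullchain" ] || { echo "cannot read $fullchain" >&2; return 1; }
    # A usable fullchain has at least the leaf plus one intermediate.
    blocks=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$fullchain" || true)
    [ "$blocks" -ge 2 ] || { echo "expected >=2 certificates in $fullchain, found $blocks" >&2; return 1; }
    # Block 1 goes to the leaf file, blocks 2..n to the chain file.
    awk -v leaf="$leaf_out" -v chain="$chain_out" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == 1 { print > leaf }
        n >= 2 { print > chain }
    ' "$fullchain"
    return 0
}

# Check the certificate set before handing it to the WHM API: the intermediate
# must chain the leaf up to a root in the system trust store, and the private
# key must belong to the leaf certificate. Requires openssl.
check_cert_set() {
    leaf="$1"; chain="$2"; key="$3"
    openssl verify -untrusted "$chain" "$leaf" >/dev/null 2>&1 \
        || { echo "chain in $chain does not verify $leaf" >&2; return 1; }
    cert_pub=$(openssl x509 -in "$leaf" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ "$cert_pub" = "$key_pub" ] || { echo "private key $key does not match $leaf" >&2; return 1; }
    return 0
}
```

Run check_cert_set on cert.pem, chain.pem and privkey.pem from the cron job before calling installssl.pl so a broken or mismatched set is never pushed into WHM.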
Running the script
First make the script executable. Then run the script with the main domain of the certificate generated from Let's Encrypt.
Code:
chmod +x installssl.pl
./installssl.pl domain.com
There you go: you are all set and ready to generate and install SSLs from Let's Encrypt automatically from the command line.