[How-To] Installing SSL from Let's Encrypt

[cPMatthewV]

UPDATE: As of cPanel and WHM version 58 the AutoSSL feature now includes Let's Encrypt support. This blog post will help you get set up there.

Anyone using the custom workaround on this thread may want to keep this in mind when using these steps.

The following below will show you how to install the Let's Encrypt client and how to generate and install SSL certificates from Lets Encrypt via the WHM API using a custom workaround.

Installing the Let's Encrypt Client on CentOS 6.x
Please note: The Let's Encrypt client requires / prefers python 2.7, so we will install Python 2.7 alongside Python 2.6. Don't worry it won't break anything.

rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
rpm -ivh https://rhel6.iuscommunity.org/ius-release.rpm
yum -y install git python27 python27-devel python27-pip python27-setuptools python27-virtualenv --enablerepo=ius
cd /root
git clone https://github.com/letsencrypt/letsencrypt
cd /root/letsencrypt
sed -i "s|--python python2|--python python2.7|" letsencrypt-auto
./letsencrypt-auto --verbose

Installing the Let's Encrypt Client on CentOS 7.x

yum -y install git
cd /root
git clone https://github.com/letsencrypt/letsencrypt
cd /root/letsencrypt
./letsencrypt-auto --verbose

NOTE: The Let's Encrypt installer will create the /etc/letsencrypt/renewal and /etc/letsencrypt/csr directories as world readable. The administrator may want to tighten the readability of these directories to fit their requirements.

Generate an SSL
You will be required to enter your email and accept their license agreement. I would recommend using the server admins email. Also make sure you replace "cPanelUser" with your actual username. This is require to allow the Let's Encrypt client to create the auth files for the domain and be able to access them during the authorization. Please note if you are installing a subdomain or addon domain that points to another path, that you set the path of the subdomain or addon domain.

cd /root/letsencrypt
./letsencrypt-auto --text --agree-tos --email [email protected] certonly --renew-by-default --webroot --webroot-path /home/cPanelUser/public_html/ -d domain.com -d www.domain.com

For all subsequent runs use the following below, as there is no need to re-provide your email or re-agree to the TOS.

cd /root/.local/share/letsencrypt/bin/
./letsencrypt --text certonly --renew-by-default --webroot --webroot-path /home/cPanelUser/public_html/ -d domain.com -d www.domain.com

By adding the renew-by-default command you can add this to a cron to run every 60 (recommended) or say 85 days to avoid this expiring before you are sure the new certs are retrieved. Then all you need to do is simply run the install script below again to install the updated certificate to cPanel.

0 0 */60 * * /root/.local/share/letsencrypt/bin/letsencrypt --text certonly --renew-by-default --webroot --webroot-path /home/cPanelUser/public_html/ -d domain.com -d www.domain.com; /root/installssl.pl domain.com

You can also generate an SSL certificate via Get HTTPS for free!, there are additional steps that are required however.

Script to automatically install the SSLs you generated
This script will be used to install the SSL's you generated to cPanel/WHM via the API. Please note the following things.

1. You must replace "rootpass" with your actual root password.
2. The CA Bundle is not by default in the location below and is generally saved to /etc/letsencrypt/live/domain.com/fullchain.pm and is the second cert in the file. I have included the CA Bundle below the script so you can create this.

#!/usr/local/cpanel/3rdparty/bin/perl

use strict;
use LWP::UserAgent;
use LWP::Protocol::https;
use MIME::Base64;
use IO::Socket::SSL;
use URI::Escape;

my $user = "root";
my $pass = "rootpass";

my $auth = "Basic " . MIME::Base64::encode( $user . ":" . $pass );

my $ua = LWP::UserAgent->new(
    ssl_opts   => { verify_hostname => 0, SSL_verify_mode => 'SSL_VERIFY_NONE', SSL_use_cert => 0 },
);

my $dom = $ARGV[0];

my $certfile = "/etc/letsencrypt/live/$dom/cert.pem";
my $keyfile = "/etc/letsencrypt/live/$dom/privkey.pem";
my $cafile =  "/etc/letsencrypt/live/$dom/chain.pem";

my $certdata;
my $keydata;
my $cadata;

open(my $certfh, '<', $certfile) or die "cannot open file $certfile";
    {
        local $/;
        $certdata = <$certfh>;
    }
    close($certfh);

open(my $keyfh, '<', $keyfile) or die "cannot open file $keyfile";
    {
        local $/;
        $keydata = <$keyfh>;
    }
    close($keyfh);

open(my $cafh, '<', $cafile) or die "cannot open file $cafile";
    {
        local $/;
        $cadata = <$cafh>;
    }
    close($cafh);

my $cert = uri_escape($certdata);
my $key = uri_escape($keydata);
my $ca = uri_escape($cadata);

my $request = HTTP::Request->new( POST => "https://127.0.0.1:2087/json-api/installssl?api.version=1&domain=$dom&crt=$cert&key=$key&cab=$ca" );
$request->header( Authorization => $auth );
my $response = $ua->request($request);
print $response->content;

Add the Let's Encrypt CA Bundle
Let's Encrypt should now include the CA Bundle when generating certs. It will be saved as chain.pem

In the event that is missing or not created you can manually create the CA for use with the script below and change "my $cafile" in the script above to use this file instead.

vi /etc/letsencrypt/live/bundle.txt

When editing that file set the following below and save
Note: This has been updated with the Let's Encrypt Authority X3

-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----

Running the script
First make the script executable. Then run the script with the main domain of the certificate generated from Let's Encrypt.

chmod +x installssl.pl
./installssl.pl domain.com

There you go you are all set and ready to generate and install SSLs from Let's Encrypt automatically via the command line.

 

[Valetia]

yum -y install git python27 python27-devel python27-pip python27-setuptools python27-tools python27-virtualenv --enablerepo=ius

On CloudLinux 6.7, running the above line results in the following error:

Transaction Check Error:

  file /usr/bin/2to3 from install of python27-tools-2.7.10-1.ius.el6.x86_64 conflicts with file from package python-tools-2.6.6-64.el6.x86_64

 

[cPMatthewV]

Hi Valetia

This occurs because of the python-tools package from CentOS / CL 6.7. When this occurs you simply need to remove that package. I have updated the original entry to indicate this.

 

[eva2000]

nice @cPMatthewV love the perl script !

cmds for LE install look familiar

 

[cPMatthewV]

nice @cPMatthewV love the perl script !

cmds for LE install look familiar

Thanks :D and yeah I got the install instructions from their site and simply included the repo commands. It's good that is as easy as that and not to complicated. Hopefully in the future we will add native support and installation for this.

 

[eva2000]

Thanks :D and yeah I got the install instructions from their site and simply included the repo commands.

https://community.letsencrypt.org/t/redhat-centos-6-x-users-need-python-2-7/2190

@cPMatthewV you also might want to pass command --renew-by-default and go full text based so subsequent runs can use a cron schedule so you can renew the SSL certs and also use letsencrypt instead of letsencrypt-auto which auto updates dependencies every run

/root/.local/share/letsencrypt/bin/letsencrypt certonly --text --agree-tos --renew-by-default --webroot --webroot-path /home/cPanelUser/public_html/ -d domain.com -d www.domain.com

or pass email one time to register a LE account for expiry notifications etc + text only (or use cli.ini file)

/root/.local/share/letsencrypt/bin/letsencrypt certonly --text --agree-tos --renew-by-default --email [email protected] --webroot --webroot-path /home/cPanelUser/public_html/ -d domain.com -d www.domain.com

also can populate i.e. with email setting in a cli.ini config file so to pass less parameters on cmd line User Guide — Let's Encrypt 0.2.0.dev0 documentation

HTH

 

[cPMatthewV]

It doesn't look like they have a standard client ./letsencrypt anymore and they just have ./letsencrypt-auto. I do agree it is quite annoying have to re-run those checks. Hopefully they will fix this.

 

[eva2000]

Ah you're looking in wrong directory. With above install instructions the non-auto binary will be at /root/.local/share/letsencrypt/bin/letsencrypt

It's defined at https://github.com/letsencrypt/letsencrypt/blob/master/letsencrypt-auto#L13-L16

/root/.local/share/letsencrypt/bin/letsencrypt --version  
letsencrypt 0.1.0

/root/.local/share/letsencrypt/bin/letsencrypt --help webroot
usage:
  letsencrypt [SUBCOMMAND] [options] [-d domain] [-d domain] ...

The Let's Encrypt agent can obtain and install HTTPS/TLS/SSL certificates.  By
default, it will attempt to use a webserver both for obtaining and installing
the cert. Major SUBCOMMANDS are:

  (default) run        Obtain & install a cert in your current webserver
  certonly             Obtain cert, but do not install it (aka "auth")
  install              Install a previously obtained cert in a server
  revoke               Revoke a previously obtained certificate
  rollback             Rollback server configuration changes made during install
  config_changes       Show changes made to server config during installation
  plugins              Display information about installed plugins

optional arguments:
  -h, --help            show this help message and exit
  -c CONFIG_FILE, --config CONFIG_FILE
                        config file path (default: None)

webroot:
  Webroot Authenticator

  -w WEBROOT_PATH, --webroot-path WEBROOT_PATH
                        public_html / webroot path. This can be specified
                        multiple times to handle different domains; each
                        domain will have the webroot path that preceded it.
                        For instance: `-w /var/www/example -d example.com -d
                        www.example.com -w /var/www/thing -d thing.net -d
                        m.thing.net` (default: None)

ls -lah /root/.local/share/letsencrypt/bin/
total 72K
drwxr-xr-x 2 root root 4.0K Dec  3 19:10 .
drwxr-xr-x 5 root root 4.0K Nov 15 20:42 ..
-rw-r--r-- 1 root root 2.2K Nov 15 20:42 activate
-rw-r--r-- 1 root root 1.3K Nov 15 20:42 activate.csh
-rw-r--r-- 1 root root 2.4K Nov 15 20:42 activate.fish
-rw-r--r-- 1 root root 1.2K Nov 15 20:42 activate_this.py
-rwxr-xr-x 1 root root  261 Dec  3 19:10 easy_install
-rwxr-xr-x 1 root root  261 Dec  3 19:10 easy_install-2.7
-rwxr-xr-x 1 root root  245 Dec  3 19:10 jws
-rwxr-xr-x 1 root root  245 Dec  3 19:10 letsencrypt
-rwxr-xr-x 1 root root  249 Dec  3 19:10 letsencrypt-renewer
-rwxr-xr-x 1 root root  368 Nov 15 20:42 ndg_httpclient
-rwxr-xr-x 1 root root  242 Nov 15 20:42 pbr
-rwxr-xr-x 1 root root  310 Nov 15 20:42 pip
-rwxr-xr-x 1 root root  312 Nov 15 20:42 pip2
-rwxr-xr-x 1 root root  316 Nov 15 20:42 pip2.7
lrwxrwxrwx 1 root root    9 Nov 15 20:42 python -> python2.7
lrwxrwxrwx 1 root root    9 Nov 15 20:42 python2 -> python2.7
-rwxr-xr-x 1 root root 4.8K Nov 15 20:42 python2.7

also corrected my above post with full path as i assumed ./letsencrypt was from /root/.local/share/letsencrypt/bin/

 

[ChristianSB]

Getting

-bash: ./installssl.pl: /usr/local/cpanel/3rdparty/bin/perl^M: bad interpreter: No such file or directory

when running the ./installssl.pl mydomain.tld

Works now, used
sed -i 's/\r//' installssl.pl

 

[pankajsystem]

This is great only yesterday I got the query from a client to install lets encryt ssl on cPanel server and I was trying to upgrade phython from 2.6 to 2.7 but that was not recommended hence I have stop working on it. I will try this new tutorial now and hopefully this will help me

 

[eminos]

I'm getting this error following the tutorial, after running the ./letsencrypt-auto --verbose command for the first time.
I'm on CloudLinux 6.

Creating virtual environment...
Running virtualenv with interpreter /usr/bin/python2.7
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/virtualenv.py", line 16, in <module>
    import tempfile
  File "/usr/lib64/python2.7/tempfile.py", line 32, in <module>
    import io as _io
  File "/usr/lib64/python2.7/io.py", line 51, in <module>
    import _io
ImportError: /usr/lib64/python2.7/lib-dynload/_io.so: undefined symbol: _PyErr_ReplaceException

Also the packages python-virtualenv and cloudlinux' alt-python-virtualenv were in some conflict so I removed the alt-python-virtualenv which solved that issue.

 

[siriusb]

Hi.

When I try to make a demo SSL , script doesn't create /etc/letsencrypt/live/$domain directory.
So, I did it manually.

If I execute it again, same error.

cannot open file /etc/letsencrypt/live/zagas.com.ar/cert.pem at /root/installssl.pl line 29.

[email protected] [~/scripts/letsencrypt]# pwd
/root/scripts/letsencrypt

[email protected] [~/scripts/letsencrypt]# ./letsencrypt-auto --text --agree-tos --email [email protected]$domain.com.ar --renew-by-default --webroot --webroot-path /home/$domain/public_html/ -d $domain.com.ar -d www.$domain.com.ar
Updating letsencrypt and virtual environment dependencies.......
Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt --text --agree-tos --email [email protected]$domain.com.ar --renew-by-default --webroot --webroot-path /home/$domain/public_html/ -d $domain.com.ar -d www.$domain.com.ar
No installers are available on your OS yet; try running "letsencrypt-auto certonly" to get a cert you can install manually

[email protected] [~/scripts/letsencrypt]# /root/installssl.pl $domain.com.ar
cannot open file /etc/letsencrypt/live/$domain.com.ar/cert.pem at /root/installssl.pl line 29.

[email protected] [~/scripts/letsencrypt]# find /etc/letsencrypt/ -type d
/etc/letsencrypt/
/etc/letsencrypt/accounts
/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org
/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory
/etc/letsencrypt/live
/etc/letsencrypt/live/$domain.com.ar

[email protected] [~/scripts/letsencrypt]# find /etc/letsencrypt/ -type f
/etc/letsencrypt/live/bundle.txt

[email protected] [~/scripts/letsencrypt]# find . -iname "*$domain*"
[email protected] [~/scripts/letsencrypt]#

 

[ThomasY]

I'm getting the same error as siriusb.
It doesn't create the /etc/letsencrypt/ directory, so I tried to create before I could even create bundle.txt it manually but no luck.

This is on CENTOS 6.7

Anyone got any ideas?

Edit: Nevermind, apparently for whatever reason python wasn't installing 2.7 correctly.

I did the following command and it was still showing only python 2.6

whereis python

After that I redid this.

yum -y install python27 python27-devel python27-pip python27-setuptools python27-tools python27-virtualenv --enablerepo=ius

Afterwards I retried running the python script and it worked correctly.

 

[pankajsystem]

Hey I have followed the given tutorial and installed SSL successfully on the domain http://www.example.in but when I accessed https://www.example.in there is green pad lock appearing there so I have checked this and found that site have

Insecure <form> call.
Found on line # 56 in file: http://www.example.in/index.html

I have checked other forums and they said that your certificate may be using outdated protocols like sha1 or sha2 hence it is not showing that green padlock

so is this free SSL not so secured ? I'm worried

 

[mvirtue]

As instructed above, I removed the python tools...

yum remove python-tools

Just now I received an email from my WHM server with the subject "An update failure has occured."
The body of the email included the line...

Sysup: Needed system RPMs were not installed: python-tools

I installed python-tools again, and got the same error above:

file /usr/bin/2to3 from install of python-tools-2.6.6-64.el6.x86_64 conflicts with file from package python27-tools-2.7.10-1.ius.el6.x86_64

So it seems I can either have the ability for WHM/cPanel to update itself, or I can have LetsEncrypt, but not both.

Any thoughts?

 

[Mark. S]

Fantastic! Thank you for this

I'm running this now via a PHP script (out on it's own, not web accessible) which I pass the initial arguments to (path, domains.) I'm aiming eventually to have this populate a table with the information of the certificate and when it should be renewed next (doing +60 days) and have only one script run via cron to query this, find out which ones need renewing, and only renew those (rather than multiple cron jobs for each domain.)

I want to look into doing this with the main service SSL too (dovecot, exim, ftp, cpanel) and using the API here: WHM API 1 Functions - install_service_ssl_certificate - Software Development Kit - cPanel Documentation

Is this last bit something you would recommend not doing?

 

[cPMatthewV]

As instructed above, I removed the python tools...

yum remove python-tools

Just now I received an email from my WHM server with the subject "An update failure has occured."
The body of the email included the line...
I installed python-tools again, and got the same error above:
So it seems I can either have the ability for WHM/cPanel to update itself, or I can have LetsEncrypt, but not both.

Any thoughts?

After some additional testing the python27-tools package is not required and this will work without it. Feel free to remove this and reinstall python-tools for cPanel and Mailman. We apologize for any problems this step caused. We have updated the article to remove this.

rpm -e --nodeps python27-tools
yum -y install python-tools

 

[cPMatthewV]

Fantastic! Thank you for this

I want to look into doing this with the main service SSL too (dovecot, exim, ftp, cpanel) and using the API here: WHM API 1 Functions - install_service_ssl_certificate - Software Development Kit - cPanel Documentation

Is this last bit something you would recommend not doing?

Hi Mark,

There should be no issue with installing this to the service SSL and I would actually recommend having a signed SSL there. Just make sure you renew this every 90 days. In the event you don't however cPanel should generate self-signed certificates for the servers hostname to avoid any problem with those services ssl certificates.

 

[procopius560]

The instructions worked with the addition of running sed -i 's/\r//' installssl.pl. I was very pleased to have an SSL site within 20 minutes in my test site! However, I have misgivings about entering the root password into a script. Shouldn't the script run as root anyway? Why is this necessary?

 

[cPMatthewV]

@procopius560 I am glad to hear this is working for you. The reason the root password needs to be provided is because this actually interacts with the API to install the SSL which requires authentication with WHM/cPanel. If you do now wish to place your password here there are other methods of authenticating which you can find in the Guide to API Authentication,namely connecting with an SSH key / access hash.