[How-To] Installing SSL from Let's Encrypt

Status
Not open for further replies.

timmmmyboy

This script works perfectly for us on servers that are not running CloudLinux; however, it consistently fails on our CloudLinux servers with the same error as eminos here:
Code:
Creating virtual environment...
Running virtualenv with interpreter /usr/bin/python2.7
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/virtualenv.py", line 16, in <module>
    import tempfile
  File "/usr/lib64/python2.7/tempfile.py", line 32, in <module>
    import io as _io
  File "/usr/lib64/python2.7/io.py", line 51, in <module>
    import _io
ImportError: /usr/lib64/python2.7/lib-dynload/_io.so: undefined symbol: _PyErr_ReplaceException
Anyone run into that and manage to get it resolved?
 

kristofferR

How do I get the installssl.pl script to work for the WHM cPanel Service SSL Certificates?

I got Let's Encrypt working for the WHM SSL certs by running
Code:
/root/.local/share/letsencrypt/bin/letsencrypt --text --agree-tos --email you@example.com certonly --renew-by-default --webroot --webroot-path /usr/local/apache/htdocs/ -d server.domain.com
and copying the certificate/private key into the text boxes in WHM - Manage Service SSL Certificates manually, but having to do that at least every 90th day is a pain.
 

TND

Hello

When I run [email protected] [~/letsencrypt]# ./letsencrypt-auto --verbose

I have this problem:

Code:
Updating letsencrypt and virtual environment dependencies...
Requirement already up-to-date: setuptools in /root/.local/share/letsencrypt/lib/python2.7/site-packages
Requirement already up-to-date: pip in /root/.local/share/letsencrypt/lib/python2.7/site-packages
Collecting letsencrypt
Could not find a version that satisfies the requirement letsencrypt (from versions: )
No matching distribution found for letsencrypt

How can I make this work?

Thank you
 

Arcfives

I have followed the steps and I'm also encountering problems with it.

Type: urn:acme:error:unauthorized
Detail: Invalid response from

I'm running on CentOS 6 with Apache. I've also tried to change the permission of the folder /.well-known since the folder is empty.

I've also tried to visit the website gethttpsforfree and I also get the same error.

Error: Account registration failed. Please start back at Step 1. {"type":"urn:acme:error:serverInternal","detail":"Error creating new registration","status":500}

So I'm wondering is it perhaps some security setting that I have set? I adjusted the Cipher Protocols and took all the steps that CSF recommended.

Any advice?
 

Spork Schivago

Just a dumb question here. Is this so we get SSL certs for the cPanel Virtual Hosts listings in Apache's httpd.conf file? For example, webmail.example.com, cpanel.example.com, whm.example.com, etc?

I've manually installed the SSL cert for all those virtual hosts using the --standalone plugin. It kind of sucks though because whenever I renew, I have to kill my Apache server, renew, then restart the Apache server. If this works for those virtual hosts without me needing to kill Apache, that'd be great!
 

Spork Schivago

I've successfully generated SSL certs for my domain, including the webmail.<mydomain>.com, cpanel.<mydomain>.com, whm.<mydomain>.com, <mydomain>.com, www.<mydomain>.com, etc. I did this manually. I made a copy of /var/cpanel/templates/apache2/main.default and called it main.local. I modified main.local so the cPanel / WHM VirtualHosts use the proper SSL certs. I then ran /usr/local/cpanel/bin/build_apache_conf and made sure it properly updated Apache's httpd.conf; it did.

So, then I went ahead and created the installssl.pl file and ran it manually:
Code:
perl /root/src/ssl/installssl.pl <mydomain>.com

Can't locate IO/Socket/SSL.pm in @INC) at /usr/local/share/perl5/Net/HTTPS.pm line 26.
Can't locate Net/SSL.pm in @INC (@INC contains: /home/spork/perl5/lib/perl5/5.10.1/x86_64-linux-thread-multi /home/spork/perl5/lib/perl5/5.10.1 /home/spork/perl5/lib/perl5/x86_64-linux-thread-multi /home/spork/perl5/lib/perl5/5.10.0 /home/spork/perl5/lib/perl5 /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at /usr/local/share/perl5/Net/HTTPS.pm line 30.
Compilation failed in require at /usr/share/perl5/LWP/Protocol/https.pm line 48.
Compilation failed in require at /root/src/ssl/installssl.pl line 5.
BEGIN failed--compilation aborted at /root/src/ssl/installssl.pl line 5.
I use my real domain in place of <mydomain>.com. Any suggestions on how to fix this?
 

Spork Schivago

I'm getting further. I fixed that problem with the following command:
Code:
yum install perl-IO-Socket-SSL
Now, for some reason, the script doesn't like my password. It has some characters that tend to cause problems in Unix environments, like ! for example. This is the new error message:
Code:
Global symbol "<my_secret_password_minus_the_first_letter>" requires explicit package name at /root/src/ssl/installssl.pl line 11.
Execution of /root/src/ssl/installssl.pl aborted due to compilation errors.
 

Spork Schivago

I believe I fixed it. I think in the original installssl.pl file, this:
Code:
my $user = "root";
my $pass = "rootpass";
Should be replaced by this:
Code:
my $user = 'root';
my $pass = 'rootpass';
After I replaced the double quotes with single quotes there, it worked, kinda. I still had to choose the new SSL certs in WHM (Service Configuration -> Manage Service SSL Certificates). It showed it was still using the self-signed certs until I picked the new ones from Let's Encrypt. Then it worked fine. I just wish there was a way to automate that, so each time a renewal came, I wouldn't have to go in there and manually pick the new certs each time.
 

Spork Schivago

I also modified the original script to actually install the certs for the various WHM services. Maybe other people would like this? I had to generate a cert for my hostname though. For example, my hostname is franklin. So I had to generate a cert for franklin.jetbbs.com... Here's the code I added to the installssl.pl file. Maybe other people would find it handy? The "Install the SSL cert" part was already there, at the end of the file. I just added a comment to it saying Install the SSL cert and added the printf statement.

Code:
# Install the SSL cert
print "Attempting to install the SSL certificate to WHM...\n";
my $request = HTTP::Request->new( POST => "https://127.0.0.1:2087/json-api/installssl?api.version=1&domain=$dom&crt=$cert&key=$key&cab=$ca" );
$request->header( Authorization => $auth );
my $response = $ua->request($request);
print $response->content;

# Install the SSL certificate for the FTP service
# ($request and $response are already declared above, so they are reused
#  here without "my" to avoid masking the earlier declarations)
print "\n\nAttempting to install the SSL certificate for the FTP service...\n";
$request = HTTP::Request->new( POST => "https://127.0.0.1:2087/json-api/install_service_ssl_certificate?api.version=1&service=ftp&crt=$cert&cabundle=$ca&key=$key" );
$request->header( Authorization => $auth );
$response = $ua->request($request);
print $response->content;

# Install the SSL certificate for the exim service
print "\n\nAttempting to install the SSL certificate for the exim service...\n";
$request = HTTP::Request->new( POST => "https://127.0.0.1:2087/json-api/install_service_ssl_certificate?api.version=1&service=exim&crt=$cert&cabundle=$ca&key=$key" );
$request->header( Authorization => $auth );
$response = $ua->request($request);
print $response->content;

# Install the SSL certificate for the dovecot service
print "\n\nAttempting to install the SSL certificate for the dovecot service...\n";
$request = HTTP::Request->new( POST => "https://127.0.0.1:2087/json-api/install_service_ssl_certificate?api.version=1&service=dovecot&crt=$cert&cabundle=$ca&key=$key" );
$request->header( Authorization => $auth );
$response = $ua->request($request);
print $response->content;

# Install the SSL certificate for the cpanel service
print "\n\nAttempting to install the SSL certificate for the cpanel service...\n";
$request = HTTP::Request->new( POST => "https://127.0.0.1:2087/json-api/install_service_ssl_certificate?api.version=1&service=cpanel&crt=$cert&cabundle=$ca&key=$key" );
$request->header( Authorization => $auth );
$response = $ua->request($request);
print $response->content;

# Install the SSL certificate for the courier service
#  NOTE: They removed the Courier mail server in cPanel & WHM version 54.
#  The Courier mail server only exists for cPanel & WHM version 11.52 and earlier.
#  If we try to install the SSL cert for courier on a cPanel & WHM version 54 server,
#  the system returns the following message:
#    courier is not a known service.
#  This script should not cause any problems though, even if courier isn't installed.
print "\n\nAttempting to install the SSL certificate for the courier service...\n";
$request = HTTP::Request->new( POST => "https://127.0.0.1:2087/json-api/install_service_ssl_certificate?api.version=1&service=courier&crt=$cert&cabundle=$ca&key=$key" );
$request->header( Authorization => $auth );
$response = $ua->request($request);
print $response->content;
 

Spork Schivago

Arcfives said:
I have followed the steps and I'm also encountering problems with it.

Type: urn:acme:error:unauthorized
Detail: Invalid response from

I'm running on CentOS 6 with Apache. I've also tried to change the permission of the folder /.well-known since the folder is empty.

I've also tried to visit the website gethttpsforfree and I also get the same error.

Error: Account registration failed. Please start back at Step 1. {"type":"urn:acme:error:serverInternal","detail":"Error creating new registration","status":500}

So I'm wondering is it perhaps some security setting that I have set? I adjusted the Cipher Protocols and took all the steps that CSF recommended.

Any advice?

I might be able to help. Are you running Apache for your web server? This probably isn't the best solution because you need to stop your Apache server when you get the certs or whenever you renew and then start it up again. This is how I did it on my server (I go through GoDaddy and have a Virtual Private Server)...

You already have Let's Encrypt, so just go to the Let's Encrypt directory...

If you're running Apache, stop it.
Run letsencrypt-auto like this:

Code:
/etc/init.d/httpd stop

./letsencrypt-auto certonly --test-cert --standalone --email youremail@yourdomain.com -d yourdomain.com -d www.yourdomain.com -d yourhostname.yourdomain.com -d cpanel.yourdomain.com -d whm.yourdomain.com -d webmail.yourdomain.com -d webdisk.yourdomain.com -d cpcalendars.yourdomain.com -d cpcontacts.yourdomain.com

/etc/init.d/httpd start
See if that works for you. Make sure you use the --test-cert so you don't request too many and get denied new ones if this doesn't work and you have to try the command a few times. Replace youremail@yourdomain.com with your actual e-mail and domain name.

Replace all of the yourdomain's with your actual domain name. Replace hostname with your hostname.

You're also going to need to install the certs once you create them, either by using the script for the WHM stuff or editing the Apache config files. The script is the better way to go. Once you generate the test certs, I can try and help you with the other stuff.
 

thorny23

Hi all,

Sorry, I'm a little confused about the renewal - following the instructions I used the following:
Code:
./letsencrypt-auto --text --agree-tos --email you@example.com certonly --renew-by-default --webroot --webroot-path /home/cPanelUser/public_html/ -d domain.com -d www.domain.com
So how does renewal from here work, do I need to set up a cron in WHM?
 

Spork Schivago

thorny23 said:
Hi all,

Sorry, I'm a little confused about the renewal - following the instructions I used the following:
Code:
./letsencrypt-auto --text --agree-tos --email you@example.com certonly --renew-by-default --webroot --webroot-path /home/cPanelUser/public_html/ -d domain.com -d www.domain.com
So how does renewal from here work, do I need to set up a cron in WHM?

Yes, according to the document located here ( User Guide — Let's Encrypt 0.2.1.dev0 documentation ):
Code:
If you’re sure that UI doesn’t prompt for any details you can add the command to crontab (make it less than every 90 days to avoid problems, say every month).
Also, according to that documentation, they're working on letsencrypt-auto doing some sort of auto-renewal but they say the tool isn't available yet. For my system, I created a bash script that ran the various commands and then put it in /etc/cron.daily. I had to use the stand-alone plugin though. So I have to shutdown Apache, try to renew, then restart Apache. I also call the modified cPanel script that I created, so whenever the certs do get updated, it'll automatically install and configure them for the various WHM / cPanel services.
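
The renewal wrapper described in the post above, sketched as an added example (it is not Spork Schivago's script, which is not on the page): it requests a new certificate only inside a renewal window and always tries to start Apache again, even when the request fails. The letsencrypt-auto path, the e-mail placeholder and the 30-day window are assumptions; the installssl.pl path is the one quoted earlier in the thread.

```sh
#!/bin/sh
# Added example, not the script from the thread. Assumed values: LE_AUTO path,
# LE_EMAIL placeholder, 30-day renewal window.
LE_AUTO=${LE_AUTO:-/root/letsencrypt/letsencrypt-auto}
LE_EMAIL=${LE_EMAIL:-you@example.com}
LIVE_DIR=${LIVE_DIR:-/etc/letsencrypt/live}
RENEW_WINDOW=${RENEW_WINDOW:-$((30 * 86400))}   # seconds before expiry

# Succeeds when the certificate is missing, unreadable, or expires within
# RENEW_WINDOW, so a daily cron run does not request a new cert every day.
needs_renewal() {
    [ -f "$LIVE_DIR/$1/cert.pem" ] || return 0
    ! openssl x509 -in "$LIVE_DIR/$1/cert.pem" -noout \
        -checkend "$RENEW_WINDOW" >/dev/null 2>&1
}

stop_apache()  { /etc/init.d/httpd stop; }
start_apache() { /etc/init.d/httpd start; }

# Turn "a b" into "-d a -d b" and request one certificate for all names.
request_cert() {
    n=$#
    while [ "$n" -gt 0 ]; do
        set -- "$@" -d "$1"; shift; n=$((n - 1))
    done
    "$LE_AUTO" certonly --text --agree-tos --email "$LE_EMAIL" \
        --renew-by-default --standalone "$@"
}

# Path as used earlier in the thread; pushes the new cert into WHM services.
install_cert() { perl /root/src/ssl/installssl.pl "$1"; }

# renew_cycle primary.domain [more names...]
# Returns 0 when nothing was due or the cert was renewed and installed.
renew_cycle() {
    needs_renewal "$1" || return 0
    stop_apache || return 1
    rc=0
    request_cert "$@" || rc=1
    start_apache || rc=1      # always attempted, even after a failed request
    [ "$rc" -eq 0 ] || return 1
    install_cert "$1"
}

if [ "${1:-}" = "--run" ]; then
    shift
    renew_cycle "$@"
fi
```

From a one-line script in /etc/cron.daily, call it with `--run` followed by the same names that were passed to `-d` when the certificate was first issued.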
 

thorny23

Spork Schivago said:
I created a bash script that ran the various commands and then put it in /etc/cron.daily. I had to use the stand-alone plugin though. So I have to shutdown Apache, try to renew, then restart Apache. I also call the modified cPanel script that I created, so whenever the certs do get updated, it'll automatically install and configure them for the various WHM / cPanel services.

Spork, are you able to share said bash script at all please? Would be greatly appreciated!
 

venomco

Hi.

Having just set up my certs via a bit of trial and error and ignoring doing
Code:
sed -i "s|--python python2|--python python2.7|" letsencrypt-auto
I found that this works perfectly on CentOS 6 X64.

Assuming everything is installed:
Turn off the web server (Apache) under service settings using WHM
Code:
./letsencrypt-auto certonly --debug
This will ignore the Python errors and bring up the blue screen.
Follow the instructions.
When the script is done you will get a message saying the certificate is saved in
/etc/letsencrypt/live/domain.com/

Code:
cd /etc/letsencrypt/live/domain.com/
check the dir

Code:
ls
Code:
cert.pem  privkey.pem chain.pem  fullchain.pem
cert.pem is the certificate, privkey.pem is the private key, and chain.pem is the Certificate Authority Bundle.
fullchain.pem contains everything.

vi privkey.pem

Copy the info into Notepad (or whatever).
Continue with each .pem.
If you want you can just copy the info in fullchain.pem but I chose to be thorough.
Now just go to WHM and install the cert: go to SSL/TLS and install a.... copy and paste each .pem code.

Done. Without using any scripts or code
 