[How-To] Installing SSL from Let's Encrypt

[timmmmyboy]

This script works perfectly for us with servers that are not running CloudLinux, however consistently fails on CloudLinux servers of ours with the same error as eminos here, error:

Creating virtual environment...
Running virtualenv with interpreter /usr/bin/python2.7
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/virtualenv.py", line 16, in <module>
    import tempfile
  File "/usr/lib64/python2.7/tempfile.py", line 32, in <module>
    import io as _io
  File "/usr/lib64/python2.7/io.py", line 51, in <module>
    import _io
ImportError: /usr/lib64/python2.7/lib-dynload/_io.so: undefined symbol: _PyErr_ReplaceException

Anyone run into that and manage to get it resolved?

 

[jrxpress]

wow... this is perfect.. works like a charm... thank you so much for this amazing guide !!! happy 2016 folks

 

[BlackRain]

There is a paid cpanel plugin for let's encrypt, has anyone used it yet? Any reviews?

 

[kristofferR]

How do I get the installssl.pl script to work for the WHM cPanel Service SSL Certificates?

I got Let's Encrypt working for the WHM SSL certs by running

/root/.local/share/letsencrypt/bin/letsencrypt --text --agree-tos --email [email protected] certonly --renew-by-default --webroot --webroot-path /usr/local/apache/htdocs/ -d server.domain.com

and copying the certificate/private key into the text boxes in WHM - Manage Service SSL Certificates manually, but having to do that at least every 90th day is a pain.

 

[TND]

Hello

when i run [email protected] [~/letsencrypt]# ./letsencrypt-auto --verbose

i have this problem

Updating letsencrypt and virtual environment dependencies...
Requirement already up-to-date: setuptools in /root/.local/share/letsencrypt/lib/python2.7/site-packages
Requirement already up-to-date: pip in /root/.local/share/letsencrypt/lib/python2.7/site-packages
Collecting letsencrypt
Could not find a version that satisfies the requirement letsencrypt (from versions: )
No matching distribution found for letsencrypt

how can i make this work?

thank you

 

[richardjkeys]

Does each site still need a dedicated IP?

 

[zye]

Does each site still need a dedicated IP?

no - no dedicated ip needed

 

[Alex Kovacic]

I have the exact same problem as timmmmyboy
Running on a cloudlinux server and I get an error on
Creating virtual environment...

Any news on how to fix this?

Thanks!

 

[Arcfives]

I have followed the steps and I'm also encountering problems with it.

Type: urn:acme:error:unauthorized
Detail: Invalid response from

I'm running on centos 6 with apache. I've also tried to change the permission of the folder /.well-known since the folder is empty.

I've also tried tried to visit the website gethttpsforfree and i also get the same error.

Error: Account registration failed. Please start back at Step 1. {"type":"urn:acme:error:serverInternal","detail":"Error creating new registration","status":500}

So I'm wondering is it perhaps some security setting that I have set? I adjusted the Cipher Protocols and took all the steps that CSF recommended.

Any advice?

 

[Spork Schivago]

Just a dumb question here. Is this so we get SSL certs for the cPanel Virtual Hosts listings in Apache's httpd.conf file? For example, webmail.example.com, cpanel.example.com, whm.example.com, etc?

I've manually installed the SSL cert for all those virtual hosts using the --standalone plugin. It kind of sucks though because whenever I renew, I have to kill my Apache server, renew, then restart the Apache server. If this works for those virtual hosts without me needing to kill Apache, that'd be great!

 

[Spork Schivago]

I've successfully generated SSL certs for my domain, including the webmail.<mydomain>.com, cpanel.<mydomain>.com, whm.<mydomain>.com, <mydomain>.com, www.<mydomain>.com, etc. I did this manually. I made a copy of /var/cpanel/templates/apache2/main.default and called it main.local. I modified main.local so the cPanel / WHM VirtualHosts use the proper SSL certs. I than ran /usr/local/cpanel/bin/build_apache_conf and made sure it properly updated Apache's httpd.conf, it did.

So, then I went ahead and created the installssl.pl file and ran it manually:

perl /root/src/ssl/installssl.pl <mydomain>.com

Can't locate IO/Socket/SSL.pm in @INC) at /usr/local/share/perl5/Net/HTTPS.pm line 26.
Can't locate Net/SSL.pm in @INC (@INC contains: /home/spork/perl5/lib/perl5/5.10.1/x86_64-linux-thread-multi /home/spork/perl5/lib/perl5/5.10.1 /home/spork/perl5/lib/perl5/x86_64-linux-thread-multi /home/spork/perl5/lib/perl5/5.10.0 /home/spork/perl5/lib/perl5 /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at /usr/local/share/perl5/Net/HTTPS.pm line 30.
Compilation failed in require at /usr/share/perl5/LWP/Protocol/https.pm line 48.
Compilation failed in require at /root/src/ssl/installssl.pl line 5.
BEGIN failed--compilation aborted at /root/src/ssl/installssl.pl line 5.

I use my real domain in place of <mydomain>.com. Any suggestions on how to fix this?

 

[Spork Schivago]

I'm getting further. I fixed that problem with the following command:

yum install perl-IO-Socket-SSL

Now, for some reason, the script doesn't like my password. It has some characters that tend to cause problems in Unix environments, like ! for example. This is the new error message:

Global symbol "<my_secret_password_minus_the_first_letter>" requires explicit package name at /root/src/ssl/installssl.pl line 11.
Execution of /root/src/ssl/installssl.pl aborted due to compilation errors.

 

[Spork Schivago]

I believe I fixed it. I think in the original installssl.pl file, this:

my $user = "root";
my $pass = "rootpass";

Should be replaced by this:

my $user = 'root';
my $pass = 'rootpass';

After I replaced the double quotes with single quotes there, it worked, kinda. I still had to choose the new SSL certs in WHM (Service Configuration -> Manage Service SSL Certificates). It showed it was still using the self signed certs until I picked the new ones from Let's Encrypt. Then it worked fine. I just wish there was a way to automate that, so each time a renewal came, I wouldn't have to go in there and manually pick the new certs each time.

 

[Spork Schivago]

I also modified the original script to actually install the certs for the various WHM services. Maybe other people would like this? I had to generate a cert for my hostname though. For example, my hostname is franklin. So I had to generate a cert for franklin.jetbbs.com...Here's the code I added to installssl.pl file. Maybe other people would find it handy? The "Install the SSL cert" part was already there, at the end of the file. I just added a comment to it saying Install the SSL cert and added the printf statement.

# Install the SSL cert
print "Attempting to install the SSL certificate to WHM...\n";
my $request = HTTP::Request->new( POST => "https://127.0.0.1:2087/json-api/installssl?api.version=1&domain=$dom&crt=$cert&key=$key&cab=$ca" );
$request->header( Authorization => $auth );
my $response = $ua->request($request);
print $response->content;

# Install the SSL certificate for the FTP service
print "\n\nAttempting to install the SSL certificate for the FTP service...\n";
my $request = HTTP::Request->new( POST => "https://127.0.0.1:2087/json-api/install_service_ssl_certificate?api.version=1&service=ftp&crt=$cert&cabundle=$ca&key=$key" );
$request->header( Authorization => $auth );
my $response = $ua->request($request);
print $response->content;

# Install the SSL certificate for the exim service
print "\n\nAttempting to install the SSL certificate for the exim service...\n";
my $request = HTTP::Request->new( POST => "https://127.0.0.1:2087/json-api/install_service_ssl_certificate?api.version=1&service=exim&crt=$cert&cabundle=$ca&key=$key" );
$request->header( Authorization => $auth );
my $response = $ua->request($request);
print $response->content;

# Install the SSL certificate for the dovecot service
print "\n\nAttempting to install the SSL certificate for the dovecot service...\n";
my $request = HTTP::Request->new( POST => "https://127.0.0.1:2087/json-api/install_service_ssl_certificate?api.version=1&service=dovecot&crt=$cert&cabundle=$ca&key=$key" );
$request->header( Authorization => $auth );
my $response = $ua->request($request);
print $response->content;

# Install the SSL certificate for the cpanel service
print "\n\nAttempting to install the SSL certificate for the cpanel service...\n";
my $request = HTTP::Request->new( POST => "https://127.0.0.1:2087/json-api/install_service_ssl_certificate?api.version=1&service=cpanel&crt=$cert&cabundle=$ca&key=$key" );
$request->header( Authorization => $auth );
my $response = $ua->request($request);
print $response->content;

# Install the SSL certificate for the courier service
#  NOTE: They removed the Courier mail server in cPanel & WHM version 54.
#  The Courier mail server only exists for cPanel & WHM version 11.52 and earlier.
#  If we try install the SSL cert for courier on a cPanel & WHM version 54 server,
#  the system returns the following message:
#    courier is not a known service.
#  This script should not cause any problems though, even if courier isn't installed.
print "\n\nAttempting to install the SSL certificate for the courier service...\n";
my $request = HTTP::Request->new( POST => "https://127.0.0.1:2087/json-api/install_service_ssl_certificate?api.version=1&service=courier&crt=$cert&cabundle=$ca&key=$key" );
$request->header( Authorization => $auth );
my $response = $ua->request($request);
print $response->content;

 

[Spork Schivago]

I have followed the steps and I'm also encountering problems with it.

Type: urn:acme:error:unauthorized
Detail: Invalid response from

I'm running on centos 6 with apache. I've also tried to change the permission of the folder /.well-known since the folder is empty.

I've also tried tried to visit the website gethttpsforfree and i also get the same error.

Error: Account registration failed. Please start back at Step 1. {"type":"urn:acme:error:serverInternal","detail":"Error creating new registration","status":500}

So I'm wondering is it perhaps some security setting that I have set? I adjusted the Cipher Protocols and took all the steps that CSF recommended.

Any advice?

I might be able to help. Are you running Apache for your web server? This probably isn't the best solution because you need to stop your Apache server when you get the certs or whenever you renew and then start it up again. This is how I did it on my server (I go through GoDaddy and have a Virtual Private Server)...

You already have Let's Encrypt, so just go to the Let's Encrypt directory...

If you're running Apache, stop it.
Run letsencrypt-auto like this:

/etc/init.d/httpd stop

./letsencrypt-auto certonly --test-cert --standalone --email [email protected] -d yourdomain.com -d www.yourdomain.com -d yourhostname.yourdomain.com -d cpanel.yourdomain.com -d whm.yourdomain.com -d webmail.yourdomain.com -d webdisk.yourdomain.com -d cpcalendars.yourdomain.com -d cpcontacts.yourdomain.com

/etc/init.d/httpd start

See if that works for you. Make sure you use the --test-cert so you don't request too many and get denied new ones if this doesn't work and you have to try the command a few times. Replace [email protected] with your actual e-mail and domain name.

Replace all of the yourdomain's with your actual domain name. Replace hostname with your hostname.

You're also going to need to install the certs once you create them, either by using the script for the WHM stuff or editing the Apache config files. The script is the better way to go. Once you generate the test certs, I can try and help you with the other stuff.

 

[thorny23]

Hi all,

Sorry, im a little confused about the renewal - following the instructions I used the following:

./letsencrypt-auto --text --agree-tos --email [email protected] certonly --renew-by-default --webroot --webroot-path /home/cPanelUser/public_html/ -d domain.com -d www.domain.com

So how does renewal from here work, do I need to setup a cron in WHM?

 

[Spork Schivago]

Hi all,

Sorry, im a little confused about the renewal - following the instructions I used the following:

./letsencrypt-auto --text --agree-tos --email [email protected] certonly --renew-by-default --webroot --webroot-path /home/cPanelUser/public_html/ -d domain.com -d www.domain.com

So how does renewal from here work, do I need to setup a cron in WHM?

Yes, according to the document located here ( User Guide — Let's Encrypt 0.2.1.dev0 documentation ):

If you’re sure that UI doesn’t prompt for any details you can add the command to crontab (make it less than every 90 days to avoid problems, say every month).

Also, according to that documentation, they're working on letsencrypt-auto doing some sort of auto-renewal but they say the tool isn't available yet. For my system, I created a bash script that ran the various commands and then put it in /etc/cron.daily. I had to use the stand-alone plugin though. So I have to shutdown Apache, try to renew, then restart Apache. I also call the modified cPanel script that I created, so whenever the certs do get updated, it'll automatically install and configure them for the various WHM / cPanel services.

 

[thorny23]

I created a bash script that ran the various commands and then put it in /etc/cron.daily. I had to use the stand-alone plugin though. So I have to shutdown Apache, try to renew, then restart Apache. I also call the modified cPanel script that I created, so whenever the certs do get updated, it'll automatically install and configure them for the various WHM / cPanel services.

Spork, are you able to share said bash script at all please? Would be greatly appreciated!

 

[MaxFein]

Does each site still need a dedicated IP?

Server Name Indication - Wikipedia, the free encyclopedia

 

[venomco]

Hi.

Having just set up my certs via a bit of trial and error and ignorinng doing

sed -i "s|--python python2|--python python2.7|" letsencrypt-auto

I found that this works perfectly nn CentOS 6 X64

Assuming everything is installed:
Turn of webserer (Apache) under servicesettings using WHM

./letsencrypt-auto certonly --debug

This will ignore the Python errors and bring up the blue screen
follow the instructions
When the script is done you will get a message saying the certificate is saved in
/etc/letsencrypt/live/domain.com/

cd /etc/letsencrypt/live/domain.com/

check the dir

ls

cert.pem  privkey.pem chain.pem  fullchain.pem

cert.pem is the certificate privkey.pem is the private key chain.pem is the Certificate Authority Bundle
fullchain.pem contains everything.

vi privkey.pem

copy the info into notepad (or whatever)
continue with each .pem.
If you want you can just copy the info in fullchain.pem but I chose to be thorough.
Now just go to WHM an install the cert go to SSL/TLS and install a.... copy an paste each .pem code.

Done. Without using any scripts or code