[How-To] Installing SSL from Let's Encrypt

Discussion in 'Security' started by cPMatthewV, Dec 4, 2015.

Thread Status:
Not open for further replies.
  1. timmmmyboy

    timmmmyboy Member

    This script works perfectly for us with servers that are not running CloudLinux, however it consistently fails on CloudLinux servers of ours with the same error as eminos here:
    Code:
    Creating virtual environment...
    Running virtualenv with interpreter /usr/bin/python2.7
    Traceback (most recent call last):
      File "/usr/lib/python2.6/site-packages/virtualenv.py", line 16, in <module>
        import tempfile
      File "/usr/lib64/python2.7/tempfile.py", line 32, in <module>
        import io as _io
      File "/usr/lib64/python2.7/io.py", line 51, in <module>
        import _io
    ImportError: /usr/lib64/python2.7/lib-dynload/_io.so: undefined symbol: _PyErr_ReplaceException
    Anyone run into that and manage to get it resolved?
     
  2. jrxpress

    jrxpress Registered

    Wow... this is perfect... works like a charm... thank you so much for this amazing guide!!! Happy 2016 folks :)
     
  3. BlackRain

    BlackRain Well-Known Member

    There is a paid cPanel plugin for Let's Encrypt, has anyone used it yet? Any reviews?
     
  4. kristofferR

    kristofferR Member

    How do I get the installssl.pl script to work for the WHM cPanel Service SSL Certificates?

    I got Let's Encrypt working for the WHM SSL certs by running
    Code:
    /root/.local/share/letsencrypt/bin/letsencrypt --text --agree-tos --email server@domain.com certonly --renew-by-default --webroot --webroot-path /usr/local/apache/htdocs/ -d server.domain.com
    and copying the certificate/private key into the text boxes in WHM - Manage Service SSL Certificates manually, but having to do that at least every 90th day is a pain.
     
    #44 kristofferR, Jan 5, 2016
    Last edited: Jan 5, 2016
  5. TND

    TND Member

    Hello

    When I run root@cpanel [~/letsencrypt]# ./letsencrypt-auto --verbose

    I have this problem

    Updating letsencrypt and virtual environment dependencies...
    Requirement already up-to-date: setuptools in /root/.local/share/letsencrypt/lib/python2.7/site-packages
    Requirement already up-to-date: pip in /root/.local/share/letsencrypt/lib/python2.7/site-packages
    Collecting letsencrypt
    Could not find a version that satisfies the requirement letsencrypt (from versions: )
    No matching distribution found for letsencrypt

    How can I make this work?

    Thank you
     
  6. richardjkeys

    richardjkeys Registered

    Does each site still need a dedicated IP?
     
  7. zye

    zye Well-Known Member

    No - no dedicated IP needed
     
  8. Alex Kovacic

    Alex Kovacic Registered

    I have the exact same problem as timmmmyboy
    Running on a cloudlinux server and I get an error on
    Creating virtual environment...

    Any news on how to fix this?

    Thanks!
     
  9. Arcfives

    Arcfives Registered

    I have followed the steps and I'm also encountering problems with it.

    Type: urn:acme:error:unauthorized
    Detail: Invalid response from

    I'm running on CentOS 6 with Apache. I've also tried to change the permission of the folder /.well-known since the folder is empty.

    I've also tried to visit the website gethttpsforfree and I also get the same error.

    Error: Account registration failed. Please start back at Step 1. {"type":"urn:acme:error:serverInternal","detail":"Error creating new registration","status":500}

    So I'm wondering is it perhaps some security setting that I have set? I adjusted the Cipher Protocols and took all the steps that CSF recommended.

    Any advice?
     
    #49 Arcfives, Jan 18, 2016
    Last edited: Jan 18, 2016
  10. Spork Schivago

    Spork Schivago Well-Known Member

    Just a dumb question here. Is this so we get SSL certs for the cPanel Virtual Hosts listings in Apache's httpd.conf file? For example, webmail.example.com, cpanel.example.com, whm.example.com, etc?

    I've manually installed the SSL cert for all those virtual hosts using the --standalone plugin. It kind of sucks though because whenever I renew, I have to kill my Apache server, renew, then restart the Apache server. If this works for those virtual hosts without me needing to kill Apache, that'd be great!
     
    #50 Spork Schivago, Jan 21, 2016
    Last edited by a moderator: Jan 21, 2016
  11. Spork Schivago

    Spork Schivago Well-Known Member

    I've successfully generated SSL certs for my domain, including the webmail.<mydomain>.com, cpanel.<mydomain>.com, whm.<mydomain>.com, <mydomain>.com, www.<mydomain>.com, etc. I did this manually. I made a copy of /var/cpanel/templates/apache2/main.default and called it main.local. I modified main.local so the cPanel / WHM VirtualHosts use the proper SSL certs. I then ran /usr/local/cpanel/bin/build_apache_conf and made sure it properly updated Apache's httpd.conf, it did.

    So, then I went ahead and created the installssl.pl file and ran it manually:
    Code:
    perl /root/src/ssl/installssl.pl <mydomain>.com
    
    Can't locate IO/Socket/SSL.pm in @INC) at /usr/local/share/perl5/Net/HTTPS.pm line 26.
    Can't locate Net/SSL.pm in @INC (@INC contains: /home/spork/perl5/lib/perl5/5.10.1/x86_64-linux-thread-multi /home/spork/perl5/lib/perl5/5.10.1 /home/spork/perl5/lib/perl5/x86_64-linux-thread-multi /home/spork/perl5/lib/perl5/5.10.0 /home/spork/perl5/lib/perl5 /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at /usr/local/share/perl5/Net/HTTPS.pm line 30.
    Compilation failed in require at /usr/share/perl5/LWP/Protocol/https.pm line 48.
    Compilation failed in require at /root/src/ssl/installssl.pl line 5.
    BEGIN failed--compilation aborted at /root/src/ssl/installssl.pl line 5.
    
    
    I use my real domain in place of <mydomain>.com. Any suggestions on how to fix this?
     
  12. Spork Schivago

    Spork Schivago Well-Known Member

    I'm getting further. I fixed that problem with the following command:
    Code:
    yum install perl-IO-Socket-SSL
    
    Now, for some reason, the script doesn't like my password. It has some characters that tend to cause problems in Unix environments, like ! for example. This is the new error message:
    Code:
    Global symbol "<my_secret_password_minus_the_first_letter>" requires explicit package name at /root/src/ssl/installssl.pl line 11.
    Execution of /root/src/ssl/installssl.pl aborted due to compilation errors.
    
     
  13. Spork Schivago

    Spork Schivago Well-Known Member

    I believe I fixed it. I think in the original installssl.pl file, this:
    Code:
    my $user = "root";
    my $pass = "rootpass";
    
    Should be replaced by this:
    Code:
    my $user = 'root';
    my $pass = 'rootpass';
    
    After I replaced the double quotes with single quotes there, it worked, kinda. I still had to choose the new SSL certs in WHM (Service Configuration -> Manage Service SSL Certificates). It showed it was still using the self-signed certs until I picked the new ones from Let's Encrypt. Then it worked fine. I just wish there was a way to automate that, so each time a renewal came, I wouldn't have to go in there and manually pick the new certs each time.
     
    #53 Spork Schivago, Jan 22, 2016
    Last edited: Jan 22, 2016
  14. Spork Schivago

    Spork Schivago Well-Known Member

    I also modified the original script to actually install the certs for the various WHM services. Maybe other people would like this? I had to generate a cert for my hostname though. For example, my hostname is franklin. So I had to generate a cert for franklin.jetbbs.com...Here's the code I added to installssl.pl file. Maybe other people would find it handy? The "Install the SSL cert" part was already there, at the end of the file. I just added a comment to it saying Install the SSL cert and added the printf statement.

    Code:
    # Install the SSL cert
    print "Attempting to install the SSL certificate to WHM...\n";
    my $request = HTTP::Request->new( POST => "https://127.0.0.1:2087/json-api/installssl?api.version=1&domain=$dom&crt=$cert&key=$key&cab=$ca" );
    $request->header( Authorization => $auth );
    my $response = $ua->request($request);
    print $response->content;
    
    # Install the SSL certificate for the FTP service
    # ($request and $response were declared with "my" above, so they are reused here)
    print "\n\nAttempting to install the SSL certificate for the FTP service...\n";
    $request = HTTP::Request->new( POST => "https://127.0.0.1:2087/json-api/install_service_ssl_certificate?api.version=1&service=ftp&crt=$cert&cabundle=$ca&key=$key" );
    $request->header( Authorization => $auth );
    $response = $ua->request($request);
    print $response->content;
    
    # Install the SSL certificate for the exim service
    print "\n\nAttempting to install the SSL certificate for the exim service...\n";
    $request = HTTP::Request->new( POST => "https://127.0.0.1:2087/json-api/install_service_ssl_certificate?api.version=1&service=exim&crt=$cert&cabundle=$ca&key=$key" );
    $request->header( Authorization => $auth );
    $response = $ua->request($request);
    print $response->content;
    
    # Install the SSL certificate for the dovecot service
    print "\n\nAttempting to install the SSL certificate for the dovecot service...\n";
    $request = HTTP::Request->new( POST => "https://127.0.0.1:2087/json-api/install_service_ssl_certificate?api.version=1&service=dovecot&crt=$cert&cabundle=$ca&key=$key" );
    $request->header( Authorization => $auth );
    $response = $ua->request($request);
    print $response->content;
    
    # Install the SSL certificate for the cpanel service
    print "\n\nAttempting to install the SSL certificate for the cpanel service...\n";
    $request = HTTP::Request->new( POST => "https://127.0.0.1:2087/json-api/install_service_ssl_certificate?api.version=1&service=cpanel&crt=$cert&cabundle=$ca&key=$key" );
    $request->header( Authorization => $auth );
    $response = $ua->request($request);
    print $response->content;
    
    # Install the SSL certificate for the courier service
    #  NOTE: They removed the Courier mail server in cPanel & WHM version 54.
    #  The Courier mail server only exists for cPanel & WHM version 11.52 and earlier.
    #  If we try to install the SSL cert for courier on a cPanel & WHM version 54 server,
    #  the system returns the following message:
    #    courier is not a known service.
    #  This script should not cause any problems though, even if courier isn't installed.
    print "\n\nAttempting to install the SSL certificate for the courier service...\n";
    $request = HTTP::Request->new( POST => "https://127.0.0.1:2087/json-api/install_service_ssl_certificate?api.version=1&service=courier&crt=$cert&cabundle=$ca&key=$key" );
    $request->header( Authorization => $auth );
    $response = $ua->request($request);
    print $response->content;
    
     
  15. Spork Schivago

    Spork Schivago Well-Known Member

    I might be able to help. Are you running Apache for your web server? This probably isn't the best solution because you need to stop your Apache server when you get the certs or whenever you renew and then start it up again. This is how I did it on my server (I go through GoDaddy and have a Virtual Private Server)...

    You already have Let's Encrypt, so just go to the Let's Encrypt directory...

    If you're running Apache, stop it.
    Run letsencrypt-auto like this:

    Code:
    /etc/init.d/httpd stop
    
    ./letsencrypt-auto certonly --test-cert --standalone --email your_email@yourdomain.com -d yourdomain.com -d www.yourdomain.com -d yourhostname.yourdomain.com -d cpanel.yourdomain.com -d whm.yourdomain.com -d webmail.yourdomain.com -d webdisk.yourdomain.com -d cpcalendars.yourdomain.com -d cpcontacts.yourdomain.com
    
    /etc/init.d/httpd start
    
    See if that works for you. Make sure you use the --test-cert so you don't request too many and get denied new ones if this doesn't work and you have to try the command a few times. Replace your_email@yourdomain.com with your actual e-mail and domain name.

    Replace all of the yourdomain's with your actual domain name. Replace hostname with your hostname.

    You're also going to need to install the certs once you create them, either by using the script for the WHM stuff or editing the Apache config files. The script is the better way to go. Once you generate the test certs, I can try and help you with the other stuff.
     
    #55 Spork Schivago, Jan 22, 2016
    Last edited: Jan 22, 2016
  16. thorny23

    thorny23 Registered

    Hi all,

    Sorry, I'm a little confused about the renewal - following the instructions I used the following:
    Code:
    ./letsencrypt-auto --text --agree-tos --email email@domain.com certonly --renew-by-default --webroot --webroot-path /home/cPanelUser/public_html/ -d domain.com -d www.domain.com
    
    So how does renewal from here work, do I need to set up a cron in WHM?
     
  17. Spork Schivago

    Spork Schivago Well-Known Member

    Yes, according to the document located here ( User Guide — Let's Encrypt 0.2.1.dev0 documentation ):
    Code:
    If you’re sure that UI doesn’t prompt for any details you can add the command to crontab (make it less than every 90 days to avoid problems, say every month).
    
    Also, according to that documentation, they're working on letsencrypt-auto doing some sort of auto-renewal but they say the tool isn't available yet. For my system, I created a bash script that ran the various commands and then put it in /etc/cron.daily. I had to use the stand-alone plugin though. So I have to shut down Apache, try to renew, then restart Apache. I also call the modified cPanel script that I created, so whenever the certs do get updated, it'll automatically install and configure them for the various WHM / cPanel services.
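
The renewal job described in this post, built on the standalone procedure from the earlier one (stop Apache, run letsencrypt-auto, start Apache, then install the certificate), written out as a shell script. This is an added example, not Spork Schivago's script or cPanel's code; the letsencrypt-auto path, the domain list and the 30-day threshold are assumptions, and it goes beyond the posts by renewing only when the certificate is close to expiry and by restarting Apache even when the renewal fails.

```shell
#!/bin/bash
# Added example: renew a Let's Encrypt cert with the standalone plugin.
# All paths, DOMAINS and RENEW_DAYS are assumptions; adjust them to your server.
LE_AUTO=${LE_AUTO:-/root/letsencrypt/letsencrypt-auto}
HTTPD_INIT=${HTTPD_INIT:-/etc/init.d/httpd}
INSTALLER=${INSTALLER:-/root/src/ssl/installssl.pl}
EMAIL=${EMAIL:-your_email@yourdomain.com}
DOMAINS=${DOMAINS:-"yourdomain.com www.yourdomain.com"}
RENEW_DAYS=${RENEW_DAYS:-30}

# Succeeds (0) if the cert is missing or expires within RENEW_DAYS days.
cert_expiring() {
    cert="/etc/letsencrypt/live/$1/cert.pem"
    [ -f "$cert" ] || return 0
    # -checkend exits 0 when the cert is still valid after N seconds
    ! openssl x509 -checkend $((RENEW_DAYS * 86400)) -noout -in "$cert" >/dev/null
}

# Run one external command; kept separate so it can be logged or stubbed.
run() { "$@"; }

renew_once() {
    primary=${DOMAINS%% *}          # first domain names the live/ directory
    if ! cert_expiring "$primary"; then
        echo "cert for $primary is valid for more than $RENEW_DAYS days; nothing to do"
        return 0
    fi
    args=""
    for d in $DOMAINS; do args="$args -d $d"; done

    # The standalone plugin needs the web port, so Apache must be down.
    run "$HTTPD_INIT" stop || return 1
    rc=0
    # $args is left unquoted on purpose so each "-d domain" is its own word
    run "$LE_AUTO" --text --agree-tos --email "$EMAIL" certonly \
        --renew-by-default --standalone $args || rc=$?
    # Bring Apache back whether or not the renewal worked.
    run "$HTTPD_INIT" start || return 1
    if [ "$rc" -ne 0 ]; then
        echo "renewal failed (exit $rc); keeping the current certificate" >&2
        return "$rc"
    fi
    # Push the new cert into WHM with the script from this thread.
    run perl "$INSTALLER" "$primary"
}

# Only act when asked to, e.g. from root's crontab: renew.sh --run
if [ "${1:-}" = "--run" ]; then renew_once; fi
```

Call it with `--run` from root's crontab; without that argument it only defines the functions. Keep it and installssl.pl readable by root only, since installssl.pl holds the WHM root password.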
     
  18. thorny23

    thorny23 Registered

    Spork, are you able to share said bash script at all please? Would be greatly appreciated!
     
  19. MaxFein

    MaxFein Member

  20. venomco

    venomco Registered

    Hi.

    Having just set up my certs via a bit of trial and error and ignoring doing
    Code:
    sed -i "s|--python python2|--python python2.7|" letsencrypt-auto
    I found that this works perfectly on CentOS 6 X64

    Assuming everything is installed:
    Turn off the web server (Apache) under service settings using WHM
    Code:
    ./letsencrypt-auto certonly --debug
    This will ignore the Python errors and bring up the blue screen
    follow the instructions
    When the script is done you will get a message saying the certificate is saved in
    /etc/letsencrypt/live/domain.com/

    Code:
    cd /etc/letsencrypt/live/domain.com/
    check the dir

    Code:
    ls
    Code:
    cert.pem  privkey.pem chain.pem  fullchain.pem 
    cert.pem is the certificate, privkey.pem is the private key, chain.pem is the Certificate Authority Bundle,
    fullchain.pem contains everything.

    vi privkey.pem

    copy the info into notepad (or whatever)
    continue with each .pem.
    If you want you can just copy the info in fullchain.pem but I chose to be thorough.
    Now just go to WHM and install the cert: go to SSL/TLS and install a.... copy and paste each .pem code.

    Done. Without using any scripts or code
     