[How-To] Installing SSL from Let's Encrypt

Discussion in 'Security' started by cPMatthewV, Dec 4, 2015.

Thread Status:
Not open for further replies.
  1. Taubin

    Taubin Registered

    Joined:
    Jul 13, 2015
    Messages:
    4
    Likes Received:
    2
    Trophy Points:
    3
    Location:
    Auckland, NZ
    cPanel Access Level:
    Website Owner
    I've been banging my head against the wall trying to get this to install properly. I have a new CentOS 7 droplet on Digital Ocean. I've installed cPanel/WHM with no problem; however, when I attempt to install Let's Encrypt, I'm receiving the following error:

    Code:
    root@drink [~/letsencrypt]# sudo ./letsencrypt-auto --verbose
    Updating letsencrypt and virtual environment dependencies...
    Requirement already up-to-date: setuptools in /root/.local/share/letsencrypt/lib/python2.7/site-packages
    Requirement already up-to-date: pip in /root/.local/share/letsencrypt/lib/python2.7/site-packages
    Requirement already up-to-date: letsencrypt in /root/.local/share/letsencrypt/lib/python2.7/site-packages
    Requirement already up-to-date: letsencrypt-apache in /root/.local/share/letsencrypt/lib/python2.7/site-packages
    Requirement already up-to-date: zope.interface in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from letsencrypt)
    Requirement already up-to-date: setuptools in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from letsencrypt)
    Requirement already up-to-date: python2-pythondialog>=3.2.2rc1 in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from letsencrypt)
    Requirement already up-to-date: PyOpenSSL in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from letsencrypt)
    Requirement already up-to-date: acme==0.3.0 in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from letsencrypt)
    Requirement already up-to-date: ConfigArgParse>=0.9.3 in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from letsencrypt)
    Requirement already up-to-date: parsedatetime in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from letsencrypt)
    Requirement already up-to-date: configobj in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from letsencrypt)
    Requirement already up-to-date: pytz in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from letsencrypt)
    Requirement already up-to-date: psutil>=2.1.0 in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from letsencrypt)
    Requirement already up-to-date: six in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from letsencrypt)
    Requirement already up-to-date: cryptography>=0.7 in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from letsencrypt)
    Requirement already up-to-date: zope.component in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from letsencrypt)
    Requirement already up-to-date: mock in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from letsencrypt)
    Requirement already up-to-date: pyrfc3339 in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from letsencrypt)
    Requirement already up-to-date: python-augeas in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from letsencrypt-apache)
    Requirement already up-to-date: requests in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from acme==0.3.0->letsencrypt)
    Requirement already up-to-date: pyasn1 in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from acme==0.3.0->letsencrypt)
    Requirement already up-to-date: ndg-httpsclient in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from acme==0.3.0->letsencrypt)
    Requirement already up-to-date: werkzeug in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from acme==0.3.0->letsencrypt)
    Requirement already up-to-date: idna>=2.0 in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from cryptography>=0.7->letsencrypt)
    Requirement already up-to-date: enum34 in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from cryptography>=0.7->letsencrypt)
    Requirement already up-to-date: ipaddress in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from cryptography>=0.7->letsencrypt)
    Requirement already up-to-date: cffi>=1.4.1 in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from cryptography>=0.7->letsencrypt)
    Requirement already up-to-date: zope.event in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from zope.component->letsencrypt)
    Requirement already up-to-date: funcsigs in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from mock->letsencrypt)
    Requirement already up-to-date: pbr>=0.11 in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from mock->letsencrypt)
    Requirement already up-to-date: pycparser in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from cffi>=1.4.1->cryptography>=0.7->letsencrypt)
    Requesting root privileges to run with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt --verbose
    
                ┌──────────────────────────────────────────────────────────────────────┐
                │ Saving debug log to /var/log/letsencrypt/letsencrypt.log             │
    
    
    No installers are available on your OS yet; try running "letsencrypt-auto certonly" to get a cert you can install manually
    
    
    The log is as follows:

    Code:
    2016-01-30 23:48:33,726:DEBUG:letsencrypt.cli:Root logging level set at 20
    2016-01-30 23:48:33,726:INFO:letsencrypt.cli:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2016-01-30 23:48:33,733:DEBUG:letsencrypt.cli:letsencrypt version: 0.3.0
    2016-01-30 23:48:33,733:DEBUG:letsencrypt.cli:Arguments: ['--verbose']
    2016-01-30 23:48:33,734:DEBUG:letsencrypt.cli:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
    2016-01-30 23:48:33,738:DEBUG:letsencrypt.cli:Requested authenticator None and installer None
    2016-01-30 23:48:33,748:DEBUG:letsencrypt.plugins.disco:No installation (PluginEntryPoint#apache):
    Traceback (most recent call last):
      File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/plugins/disco.py", line 103, in prepare
        self._initialized.prepare()
      File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt_apache/configurator.py", line 150, in prepare
        raise errors.NoInstallationError
    NoInstallationError
    2016-01-30 23:48:33,749:DEBUG:letsencrypt.display.ops:No candidate plugin
    2016-01-30 23:48:33,749:DEBUG:letsencrypt.cli:Selected authenticator None and installer None
    
    Any help would be greatly appreciated.
     
  2. thapame

    thapame Member

    Joined:
    Jul 6, 2007
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    51
    cPanel Access Level:
    Root Administrator
    I tried to follow the instructions from @cPMatthewV on my dedicated server having Cloud Linux 7 but it somehow does not work (see Support Request Id 7449827).

    Now I want to remove it completely from my system.
    I have already executed "yum erase python-virtualenv" and "rm -fr ~/letsencrypt".

    Could someone let me know what I need to do further to remove its files?
     
  3. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    522
    Likes Received:
    56
    Trophy Points:
    28
    Location:
    corning, ny
    cPanel Access Level:
    Root Administrator
    The message is saying there's no installer available for your OS; you must generate the certificate manually and install it. You do this by running:
    Code:
    ./letsencrypt-auto certonly -d <domainname>
    
    Replace <domainname> with your domain name. Use one -d <domainname> per domain name. So if you have two domain names and they're called mydomain.com and www.mydomain.com, you'd type something like:
    Code:
    ./letsencrypt-auto certonly -d mydomain.com -d www.mydomain.com
    
    You might also want to try using the --test-cert option until you're sure you have everything figured out and working properly.
     
  4. Spork Schivago

    You could check to see if any certs were generated or if Let's Encrypt created the /etc/letsencrypt directory. If the /etc/letsencrypt directory exists, you could remove that. Let's Encrypt shouldn't have installed anything anywhere else besides the /root/letsencrypt directory, to my knowledge at least. Hope that helps a little.
     
  5. EneTar

    EneTar Well-Known Member

    Joined:
    Dec 19, 2015
    Messages:
    96
    Likes Received:
    4
    Trophy Points:
    8
    Location:
    Greece
    cPanel Access Level:
    Root Administrator
    Hi, I have two questions.
    Currently I have a multi-domain certificate from COMODO on a dedicated server.
    1) Does Let's Encrypt issue multi-domain certificates?
    2) If not, how will I be able to issue a certificate for each website without the need of a dedicated IP for each website? The multi-domain certificate I have right now needs only one dedicated IP.

    Thank you
     
  6. Spork Schivago

    Hello EneTar,

    I know this probably isn't the answer you're looking for, but if someone here might not be able to answer your two questions, you might have better luck asking on the Let's Encrypt Community Support Forum ( Let's Encrypt Community Support ). They're pretty good with answering questions like this and they're great people. Some of the developers hang out there as well. You might want to try asking over there and seeing what they say.

    Best of luck to you.
     
  7. bhargav

    bhargav Registered

    Joined:
    Feb 13, 2016
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hello,

    How can we install letsencrypt certs on Service SSL Certificates (whm/cpanel/webmail) ?
     
  8. Spork Schivago

    Hello bhargav. Have you already generated the SSL certs for the various services? You know, whm.yourdomain.com, cpanel.yourdomain.com, webmail.yourdomain.com, etc?
     
  9. Vinayak

    Vinayak Well-Known Member

    Joined:
    Jun 27, 2003
    Messages:
    270
    Likes Received:
    2
    Trophy Points:
    168
    Location:
    Bharat
    cPanel Access Level:
    Root Administrator
    Anyone else getting "The client lacks sufficient authorization" ?

    I am trying this on CENTOS 7.2 x86_64 virtuozzo, WHM 54.0 (build 15)
    Domain is setup correctly and resolving fine,
    There is no .htaccess file in the path,
    I can't see any file created at /home/username/public_html/.well-known/acme-challenge/
    Folders ".well-known" & "acme-challenge" are there, but no file.
     
  10. Spork Schivago

    Could you share your Let's Encrypt command line that you run to generate these certs? I might have an idea as to what's going on. For whatever domains you're trying to generate certs for (i.e., www.mydomain.com and mydomain.com), create a file inside the .well-known/acme-challenge directory, something like test that just has something like test inside of it, and then see if you can view that file by going to www.mydomain.com/.well-known/acme-challenge/test and mydomain.com/.well-known/acme-challenge/test. Do that for every domain you're trying to create the certs for.
     
  11. Vinayak

    Commandline is
    Code:
    cd /root/letsencrypt
    ./letsencrypt-auto --text --agree-tos --email admin@mydomain.com certonly --renew-by-default --webroot --webroot-path /home/user/public_html/ -d mydomain.com -d www.mydomain.com

    Already checked that URL www.mydomain.com/.well-known/acme-challenge/test and mydomain.com/.well-known/acme-challenge/test are working fine.
     
  12. Spork Schivago

    Are you running version 0.4 of Let's Encrypt?
     
  13. Vinayak

    Yes it is
    letsencrypt 0.4.0
     
  14. Spork Schivago

    This might not help, but do you think you could try posting what
    Code:
    ls -l /home/user/public_html/.well-known
    ls -l /home/user/public_html/.well-known/acme-challenge
    
    shows? Also, did you try the .well-known/acme-challenge/test file before you ran Let's Encrypt? I'm wondering if maybe you created the .well-known / .well-known/acme-challenge directory and it has the wrong permissions so Let's Encrypt can't create the necessary files. If this is the case, perhaps something like:
    Code:
    chmod -R 0755 /home/user/public_html/.well-known
    
    might fix the issue. For my .well-known directories that Let's Encrypt created, I have:
    Code:
    drwxr-xr-x 3 root root 4096 Feb 15 22:09 .well-known/
    
    However, for the acme-challenge directory, I see that the file is owned by my user (the user that owns the /home/my_real_user/ directory), and I see for the group, it's owned by nobody. Permissions are the same as the .well-known directory, just the owner and group are different.

    You can hide your username if you want when you post your ls command output.
     
  15. Vinayak

    Spork, thanks for your efforts and time.

    As you were writing, I was also testing things and found that the challenge file created is owned by root, folder .well-known is owned by root, while folder acme-challenge is owned by user.

    Testing the URL was working as I was creating challenge file as user and it was working, but letsencrypt webroot plugin creates the file as root (on my server owner/group for challenge file is root), hence it was not being served by Apache (mod_ruid2).

    I was able to get a certificate using
    Code:
    cd /root/letsencrypt
    ./letsencrypt-auto certonly --manual
    Created the challenge files manually as instructed by letsencrypt process and it worked.
     
    Spork Schivago likes this.
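
Added example, not part of the original thread: a read-only preflight for the ownership mismatch described in the post above, where challenge files written by root under a user-owned docroot were not served. The function names and exit codes are assumptions of this example; it compares numeric UIDs so it also works where user names do not resolve.

```shell
#!/bin/sh
# Added example (not from the thread): preflight for the webroot plugin on a
# server where Apache serves each site as the account user (e.g. mod_ruid2).
# It only reads metadata; nothing is created or changed.

# Numeric owner of a path: third field of `ls -ldn` (POSIX).
owner_uid() {
    ls -ldn -- "$1" | awk '{print $3}'
}

# check_webroot_preflight WEBROOT [WRITER_UID]   (hypothetical helper)
#   WEBROOT     document root passed to --webroot-path
#   WRITER_UID  uid the client will write challenge files as (default: caller)
# Returns 0 if owners line up, 1 on any mismatch, 2 if WEBROOT is missing.
check_webroot_preflight() {
    webroot=$1
    writer=${2:-$(id -u)}
    if [ ! -d "$webroot" ]; then
        echo "missing webroot: $webroot" >&2
        return 2
    fi
    account=$(owner_uid "$webroot")   # uid that owns the site content
    rc=0

    # New challenge files get the writer's uid, not the account's.
    if [ "$writer" != "$account" ]; then
        echo "WRITER uid=$writer differs from account uid=$account"
        rc=1
    fi

    # Anything already under .well-known with a different owner.
    if [ -d "$webroot/.well-known" ]; then
        stray=$(find "$webroot/.well-known" ! -user "$account" -print)
        if [ -n "$stray" ]; then
            echo "$stray" | while IFS= read -r p; do
                echo "OWNER uid=$(owner_uid "$p") $p"
            done
            rc=1
        fi
    fi
    return $rc
}

# Run directly: ./preflight.sh /home/user/public_html
if [ "$#" -gt 0 ]; then
    check_webroot_preflight "$@"
fi
```

Run as the same user that will run the client; a non-zero exit means a test file created by hand as the account user does not predict whether the client's own challenge file will be served.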
  16. Spork Schivago

    I'm glad you figured it out. Maybe you'd want to let the people on the Let's Encrypt forum know about the problem, why you think it was happening, how you think it should work, and what you had to do to work around the problem. Then perhaps they'll update the program so it works for people who have a similar setup? The community forum is located at: Let's Encrypt Community Support

    Congrats by the way!
     
  17. Vinayak

    Thanks for the suggestion, created this at
    Suggestion - flag to set challenge file owner/permission
     
  18. Spork Schivago

    Vinayak,

    I see they submitted your suggestion as an issue, that's great news! Hopefully it's implemented in the near future. Thanks!
     
  19. Vinayak

    Spork, thanks for supporting my suggestion there.
     
    Spork Schivago likes this.
  20. Spork Schivago

    I just so happened to think it was a great suggestion! I really can see how it could help a lot of people. I wish people could figure out how to keep the cPanel / WHM proxies enabled and use Let's Encrypt without having to shut down the web servers for the various cPanel services (webmail, webdisk, etc). The webroot plugin would work but when I create the test file and try going to something like webmail.mydomain.com/.well-known/acme-challenge/test it fails because of some missing security token or something.

    Only way I found around it was to disable the proxy subdomain redirects and manually create subdomain redirects myself.
     