[How-To] Installing SSL from Let's Encrypt

Discussion in 'Security' started by cPMatthewV, Dec 4, 2015.

Thread Status:
Not open for further replies.
  1. Spork Schivago

    For the Drupal 7 sites, in the .htaccess, do you have a line that shows something like this:
    Code:
    # Drupal's stock rule: deny any path component that starts with a dot
    RewriteRule "(^|/)\." - [F]
    
    If so, perhaps a line above that line, like this, might allow letsencrypt-auto to work for Drupal 7...

    Code:
    # Allow letsencrypt-auto access to the .well-known/acme-challenge directory...
    # (the dot is escaped so the rule matches the literal directory name; [L]
    # ends this pass before the deny rule is reached)
    RewriteRule "^\.well-known/acme-challenge" - [L]
    
     
  2. Spork Schivago

    The problem I see with the above posted fix (if it works for you) is that .htaccess can get overwritten any time Drupal is updated. You'd have to find a way to preserve the .htaccess file when you upgrade, or try to automate the line always getting inserted. I do believe the Drupal developers are working on a patch to allow stuff like letsencrypt-auto to work.

    Support RFC 5785 by whitelisting the .well-known directory [#2408321] | Drupal.org
     
  3. bhargav

    I'm accessing my accounts at yourdomain.com/whm, yourdomain.com/cpanel, yourdomain.com/webmail, which redirect me to domain.com:2083 and so on. The subdomain service URLs are throwing a name resolution error.
     
  4. Spork Schivago

    Could you paste the error message you're getting and the command you run? You can replace your real e-mail address and real domain names with fake stuff if you'd like.

    Also, have you tried creating the .well-known/acme-challenge/test file and making sure you can go to yourdomain.com/whm/.well-known/acme-challenge/test (for example)?
     
  5. Jose A. G.

    Hello,
    I do not like hard-coding the root password in the script.
    Code:
    my $auth = "Basic " . MIME::Base64::encode( $user . ":" . $pass );
    I want to change it to something similar to the hash method used here:
    digitz.org/blog/lets-encrypt-cpanel-script/

    (It is PHP and I want to write it in Perl)
    Code:
    my $hash_file = "/root/.accesshash";
    my $hash_WHM;
    open(my $hashfh, '<', $hash_file) or die "cannot open file $hash_file";
      {
      local $/;
      $hash_WHM = <$hashfh>;
      }
      close($hashfh);
    
    $hash_WHM =~ s/\r\n//g;
    my $auth = "WHM root:" . $hash_WHM;
    
    Do you think this line is well formed? Do you suggest a better way to sanitize the string?
    Code:
    $hash_WHM =~ s/\r\n//g;
    I will appreciate if you can give me any advice.

    [EDIT] I'm getting Access Denied:
    Code:
    {"cpanelresult":{"apiversion":"2","error":"Access denied","data":{"reason":"Access denied","result":"0"},"type":"text"}}
    I am confused by apiversion: 2, since the script provided uses installssl?api.version=1
    Perhaps I am using an updated WHM that is not compatible?
    [EDITED]

    Thanks.
     
    #85 Jose A. G., Mar 3, 2016
    Last edited by a moderator: Mar 3, 2016
  6. Jose A. G.

    I fixed the problem; I'm sharing my working modified version of the script.

    Remember to modify $hash with your accesshash. If your system has no .accesshash file feel free to Google and solve it in 30 seconds :)

    Code:
    #!/usr/local/cpanel/3rdparty/bin/perl
    
    use strict;
    use warnings;
    use LWP::UserAgent;
    use LWP::Protocol::https;
    use HTTP::Request;
    use MIME::Base64;
    use IO::Socket::SSL;
    use URI::Escape;
    
    my $user = "root";
    
    # Paste the contents of /root/.accesshash here. It stands in for the root
    # password, so keep this script readable by root only (chmod 600).
    my $hash = "******CONTENT OF THE FILE /root/.accesshash ************";
    
    # The hash is stored on several lines; WHM expects it as a single string.
    $hash =~ s/\n//g;
    
    my $auth = "WHM root:" . $hash;
    
    # Certificate checks are off because the request goes to 127.0.0.1, a name
    # the WHM service certificate does not carry; the connection never leaves
    # this host.
    my $ua = LWP::UserAgent->new(
        ssl_opts   => { verify_hostname => 0, SSL_verify_mode => 'SSL_VERIFY_NONE', SSL_use_cert => 0 },
    );
    
    my $dom = $ARGV[0] or die "usage: $0 domain\n";
    
    my $certfile = "/etc/letsencrypt/live/$dom/cert.pem";
    my $keyfile = "/etc/letsencrypt/live/$dom/privkey.pem";
    my $cafile =  "/etc/letsencrypt/live/bundle.txt";
    
    my $certdata;
    my $keydata;
    my $cadata;
    
    # Slurp each PEM file whole; local $/ switches off line-by-line reading.
    open(my $certfh, '<', $certfile) or die "cannot open file $certfile";
        {
            local $/;
            $certdata = <$certfh>;
        }
        close($certfh);
    
    open(my $keyfh, '<', $keyfile) or die "cannot open file $keyfile";
        {
            local $/;
            $keydata = <$keyfh>;
        }
        close($keyfh);
    
    open(my $cafh, '<', $cafile) or die "cannot open file $cafile";
        {
            local $/;
            $cadata = <$cafh>;
        }
        close($cafh);
    
    # The PEM data is URL-escaped into the query string. Note that the private
    # key is therefore part of the request URL and will show up wherever URLs
    # are logged on this host.
    my $cert = uri_escape($certdata);
    my $key = uri_escape($keydata);
    my $ca = uri_escape($cadata);
    
    my $request = HTTP::Request->new( POST => "https://127.0.0.1:2087/json-api/installssl?api.version=1&domain=$dom&crt=$cert&key=$key&cab=$ca" );
    $request->header( Authorization => $auth );
    my $response = $ua->request($request);
    print $response->content;
    
    # Install the SSL certificate for the FTP service (the request and response
    # variables declared above are reused for the service calls)
    print "\n\nAttempting to install the SSL certificate for the FTP service...\n";
    $request = HTTP::Request->new( POST => "https://127.0.0.1:2087/json-api/install_service_ssl_certificate?api.version=1&service=ftp&crt=$cert&cabund$
    $request->header( Authorization => $auth );
    $response = $ua->request($request);
    print $response->content;
    
    # Install the SSL certificate for the exim service
    print "\n\nAttempting to install the SSL certificate for the exim service...\n";
    $request = HTTP::Request->new( POST => "https://127.0.0.1:2087/json-api/install_service_ssl_certificate?api.version=1&service=exim&crt=$cert&cabun$
    $request->header( Authorization => $auth );
    $response = $ua->request($request);
    print $response->content;
    

    This version of the script adds the SSL cert to FTP and Exim as suggested in comment 54.
     
  7. 3awh

    I followed the first post; the install worked great for my other 2 WordPress installs. OS is CentOS 6.6; the install was a snap on the server, then installing the cert for the first 2 sites went great.
    The last site, not so great.
    When I put in
    Code:
    https://domain.com
    in the URL in Chrome it's a white page with
    Code:
    SSL connection error
    
    
    ERR_SSL_PROTOCOL_ERROR
    
    Firefox:
    Secure Connection Failed
    
    An error occurred during a connection to www.example.net. Peer reports it experienced an internal error. (Error code: ssl_error_internal_error_alert)
    
        The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
        Please contact the website owners to inform them of this problem.
    
    Code:
    http://www.domain.com
    works. At first I changed the URLs and it was the same thing.
    Not sure how to proceed.
     
    #87 3awh, Mar 8, 2016
    Last edited by a moderator: Mar 8, 2016
  8. 3awh

    How do I completely remove certs?
    I have tried
    ./letsencrypt revoke --cert-path /etc/letsencrypt/archives/webmasteroncall.net/cert.pem/
    and got
    letsencrypt: error: argument --cert-path: No such file or directory

    Then I tried
    ./letsencrypt revoke --cert-path /etc/letsencrypt/live/webmasteroncall.net/cert.pem/
    and got back
    Version: 1.1-20080819
    Version: 1.1-20080819

    At this point I'd like to remove everything and go with the paid cPanel plugin so all my users can use Let's Encrypt and it's easier to set up for each domain.
    Stuck at this, please help.
     
  9. bellwood

    Is there a reason the head of this thread is still telling people to put their root password in clear text?

    Code:
    use strict;
    use warnings;
    use Fcntl;                 # provides O_RDONLY for sysopen
    use LWP::UserAgent;
    use HTTP::Request;
    
    my $accesshash;
    
    my $access_hash_file = '/root/.accesshash';
    sysopen (my $access_hash_file_fh, $access_hash_file, O_RDONLY) or
        die "unable to open root_access_hash_file $!\n";
    while (<$access_hash_file_fh>) {
        $accesshash .= $_;
    }
    close ($access_hash_file_fh);
    
    # The hash is stored across several lines; join it into one string.
    $accesshash =~ s/\n//g;
    
    my %opts = @ARGV;
    my $username = $opts{'user'};
    
    # The access hash replaces the password: "WHM <user>:<hash>", no Basic auth.
    my $auth = "WHM root:" . $accesshash;
    $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME}=0;
    
    my $ua = LWP::UserAgent->new;
    my $request = HTTP::Request->new(
        GET =>
        "THE API CALL YOU NEED TO MAKE"
    );
    $request->header( Authorization => $auth );
    my $response = $ua->request($request);
    print $response->content;
    
    Suggesting users store their root password in clear text is a huge no-no.
     
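As an added example (not a script from this thread and not cPanel's own code), here is the access-hash approach from the last few posts written out in Python with the checks a practitioner would want: the hash file has to be mode 0600, the multi-line hash is collapsed to one token and rejected if it looks like anything else, the certificate and key go in the POST body instead of the URL so they do not land in request logs, and the reply is interpreted for both JSON shapes seen in this thread (the API 1 "metadata" block and the "cpanelresult" Access denied block). Assumptions not taken from the page: WHM listens on https://127.0.0.1:2087, the hash in /root/.accesshash is alphanumeric, chain.pem sits beside cert.pem in the Let's Encrypt live directory, and install_service_ssl_certificate takes its bundle as the parameter cabundle.

```python
"""Authenticate to WHM API 1 with the root access hash and send certificate
material in the POST body.  Added example for this thread, not cPanel's
script.  Assumptions not taken from the page: WHM on https://127.0.0.1:2087,
an alphanumeric hash split over lines in /root/.accesshash, chain.pem beside
cert.pem, and 'cabundle' as install_service_ssl_certificate's parameter."""
import json
import os
import ssl
import stat
import sys
import urllib.parse
import urllib.request

WHM_URL = "https://127.0.0.1:2087"        # assumed: WHM on this host


def sanitize_accesshash(text):
    """Collapse the multi-line hash to one token; refuse anything else."""
    value = "".join(text.split())           # drops \n, \r\n and blanks alike
    if not value or not value.isalnum():    # assumption: hash is [A-Za-z0-9]
        raise ValueError("access hash is empty or has unexpected characters")
    return value


def load_accesshash(path="/root/.accesshash"):
    """Read the hash, refusing a file that group or others can read."""
    if os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} must be mode 0600 (chmod 600 {path})")
    with open(path, encoding="ascii") as fh:
        return sanitize_accesshash(fh.read())


def whm_request(function, params, access_hash, user="root"):
    """POST to /json-api/<function> with 'Authorization: WHM user:hash'.
    PEM blobs travel in the body, so they never appear in a URL or a log."""
    body = urllib.parse.urlencode({"api.version": 1, **params}).encode()
    headers = {"Authorization": f"WHM {user}:{access_hash}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return urllib.request.Request(f"{WHM_URL}/json-api/{function}",
                                  data=body, headers=headers, method="POST")


def installssl_request(domain, crt, key, cab, access_hash):
    """installssl: leaf (crt), private key (key) and CA bundle (cab)."""
    return whm_request("installssl",
                       {"domain": domain, "crt": crt, "key": key, "cab": cab},
                       access_hash)


def service_ssl_request(service, crt, key, cabundle, access_hash):
    """Same certificate for a cPanel service such as 'ftp' or 'exim'."""
    return whm_request("install_service_ssl_certificate",  # 'cabundle': assumed name
                       {"service": service, "crt": crt, "key": key, "cabundle": cabundle},
                       access_hash)


def whm_result(text):
    """(ok, reason) from a WHM JSON reply.  API 1 reports under 'metadata';
    an authentication failure arrives in the older 'cpanelresult' shape."""
    doc = json.loads(text)
    if "metadata" in doc:
        return bool(doc["metadata"].get("result")), doc["metadata"].get("reason", "")
    if "cpanelresult" in doc:
        return False, doc["cpanelresult"].get("error", "unknown error")
    return False, "unrecognised response"


def send(req, cafile=None):
    """Verify TLS against WHM's own service certificate when cafile is given;
    unverified TLS is tolerable only because the peer is the loopback address."""
    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return whm_result(resp.read().decode())


if __name__ == "__main__":
    dom = sys.argv[1]
    live = f"/etc/letsencrypt/live/{dom}"
    ah = load_accesshash()
    with open(f"{live}/cert.pem") as c, open(f"{live}/privkey.pem") as k, \
         open(f"{live}/chain.pem") as b:
        crt, key, cab = c.read(), k.read(), b.read()
    print("installssl:", send(installssl_request(dom, crt, key, cab, ah)))
    for service in ("ftp", "exim"):
        print(service + ":", send(service_ssl_request(service, crt, key, cab, ah)))
```

Run it as root on the server with the domain as the only argument. If you would rather not disable verification even for 127.0.0.1, pass cafile= to send() with the PEM of WHM's own service certificate and point WHM_URL at the hostname that certificate carries.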
  10. davidpbj

    Thanks for the directions, this is awesome!!
     
  11. challgren

    Instead of requiring a Perl script to install the certs, why not just call whmapi1? That way no passwords or access hashes have to be installed.
     
  12. cPanelMichael

  13. challgren

    I've added support to use whmapi1 instead of requiring the root password, along with support to use Let's Encrypt for the system services; it defaults to the hostname the server is running on. You can find the repo at bitbucket.org/challgren/lets-encrypt-for-cpanel-centos-6.x
     
    #93 challgren, Mar 22, 2016
    Last edited by a moderator: Mar 23, 2016
  14. JonTheWong

  15. challgren

    If you run
    Code:
    cat << "EOFFF" > /etc/letsencrypt/live/bundle.txt
    -----BEGIN CERTIFICATE-----
    MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
    MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
    DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
    SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
    GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
    AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
    q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
    SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
    Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
    a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
    /PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
    AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
    CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
    bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
    c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
    VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
    ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
    MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
    Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
    AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
    uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
    wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
    X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
    PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
    KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
    -----END CERTIFICATE-----
    EOFFF
    
    
    That should fix it for you. I'll be updating the installer on my Bitbucket project.
     
    #95 challgren, Mar 25, 2016
    Last edited by a moderator: Mar 31, 2016
  16. JonTheWong

    That's perfect; thanks for the update.
     
  17. Specting

    Hello,
    I've created the certificate with the same command that is published in the initial post.

    Code:
    IMPORTANT NOTES:
    - Congratulations! Your certificate and chain have been saved at
      /etc/letsencrypt/live/domain/fullchain.pem. Your cert will
      expire on 2016-06-25. To obtain a new version of the certificate in
      the future, simply run Let's Encrypt again.
    But the folder "/home/user/public_html/.well-known/" is empty.

    When I run the script installssl.pl I get this error:

    Code:
    {"metadata":{"version":1,"reason":"The given CA bundle does not match the given certificate.","output":{"raw":"The given CA bundle does not match the given certificate."},"result":0,"command":"installssl"}}
    Could somebody confirm that the published certificate in the file /etc/letsencrypt/live/bundle.txt is right?

    Where is the issue?
     
    #97 Specting, Mar 27, 2016
    Last edited by a moderator: Mar 27, 2016
  18. challgren

    See [How-To] Installing SSL from Let's Encrypt


     
    #98 challgren, Mar 29, 2016
    Last edited by a moderator: Mar 31, 2016
  19. Specting

    Finally, I've modified the file /etc/letsencrypt/live/bundle.txt on my server
    with this certificate: https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt

    {"data":{"statusmsg":"The SSL certificate is now installed onto the domain “domain.com” using the IP address “xx.xx.xx.xx”. Apache is restarting in the background.\n", ----

    Thank you
     
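The "does not match" error in post 17 means WHM could not find, in the bundle it was given, a certificate whose Subject is the Issuer named in the leaf. The check below is an added example (not part of any post above and not cPanel code) that tests exactly that relationship locally before anything is sent to installssl, using only the Python standard library: it pulls the Issuer and Subject Names out of the DER structure and compares them byte for byte. It does not verify signatures, so it complements rather than replaces openssl verify. The embedded PEM is the bundle from post 15; in real use the first argument is the leaf from /etc/letsencrypt/live/<domain>/cert.pem and the second is bundle.txt.

```python
"""Pre-check that a CA bundle is the issuer of a leaf before handing both to
WHM installssl.  Added example for this thread, not cPanel code; stdlib only.
It compares the leaf's DER Issuer Name with the Subject Name of each bundle
certificate, which is what the "does not match" error is about.  Signatures
are not checked; use `openssl verify` for that.  The PEM is the bundle posted above."""
import base64
import re

LE_X3_BUNDLE = """-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----
"""

_PEM = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
_OIDS = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
         "2.5.4.10": "O", "2.5.4.11": "OU"}       # common Name attribute types

def pem_certs(text):
    """DER bytes of every CERTIFICATE block in a PEM file, in file order."""
    return [base64.b64decode("".join(m.group(1).split())) for m in _PEM.finditer(text)]

def _tlv(buf, pos):
    """Decode one DER element at pos -> (tag, value, raw_element, next_pos)."""
    start, tag, length, pos = pos, buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: n length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    return tag, buf[pos:end], buf[start:end], end

def _children(value):
    """All elements directly inside a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, raw, pos = _tlv(value, pos)
        out.append((tag, val, raw))
    return out

def cert_names(der):
    """(issuer, subject) as raw DER Name elements.  tbsCertificate is
    [0] version (optional), serialNumber, signature, issuer, validity, subject, ..."""
    _, cert, _, _ = _tlv(der, 0)
    _, tbs, _, _ = _tlv(cert, 0)
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                    # explicit [0] version present
        fields = fields[1:]
    return fields[2][2], fields[4][2]

def _oid(val):
    """Dotted form of a DER OBJECT IDENTIFIER value."""
    arcs, n = [str(val[0] // 40), str(val[0] % 40)], 0
    for b in val[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(n))
            n = 0
    return ".".join(arcs)

def name_to_string(name_der):
    """Render a Name as 'C=US, O=..., CN=...' in encoded order (for messages)."""
    parts = []
    for _, rdn, _ in _children(_tlv(name_der, 0)[1]):
        for _, atv, _ in _children(rdn):
            (_, oid, _), (_, value, _) = _children(atv)
            dotted = _oid(oid)
            parts.append(f"{_OIDS.get(dotted, dotted)}={value.decode('utf-8', 'replace')}")
    return ", ".join(parts)

def bundle_matches(leaf_pem, bundle_pem):
    """True when some bundle certificate's Subject equals the leaf's Issuer."""
    issuer, _ = cert_names(pem_certs(leaf_pem)[0])
    return any(cert_names(der)[1] == issuer for der in pem_certs(bundle_pem))

if __name__ == "__main__":
    # Stand-alone demo on the bundle itself: it is issued by DST Root CA X3,
    # so it cannot serve as its own CA bundle; a leaf issued by X3 would match.
    issuer, subject = cert_names(pem_certs(LE_X3_BUNDLE)[0])
    print("subject:", name_to_string(subject), "| issuer:", name_to_string(issuer))
    print("bundle chains to itself:", bundle_matches(LE_X3_BUNDLE, LE_X3_BUNDLE))
```

If bundle_matches() returns False for your cert.pem and bundle.txt, print both names: a leaf issued by Let's Encrypt Authority X3 needs the X3 intermediate in the bundle, and the X1 or a DST root certificate will not do.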
  20. visskiss

    Couldn't agree more. I could not figure out where the hash was until you pointed it out. Thanks.
     