SOLVED Let's Encrypt For cPanel DNSOnly

Discussion in 'Security' started by MajorLancelot, Dec 13, 2016.

  1. MajorLancelot

    MajorLancelot Active Member

    Since cPanel doesn't offer SSL for DNS servers, can Let's Encrypt be installed on cPanel DNSOnly using the same script?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    cPanel DNS-Only is designed for DNS management purposes. Domain-validated SSL certificate providers such as Let's Encrypt depend on the domain name resolving to the server where the certificate is requested to complete the validation process. Since cPanel DNS-Only is used for DNS hosting and doesn't include the Apache service, AutoSSL functionality isn't offered.

    Instead, you'd install the SSL certificate on the cPanel server that hosts the domain name.

    Thank you.
     
  3. MajorLancelot

    MajorLancelot Active Member

    I totally understand the reason why AutoSSL is not part of the DNSOnly package.

    However, we have all gotten used to not having those pesky browser warnings.
    But your reason is also understandable.

    Say Michael, beyond 53, 2087, 25/26, UDP 123, what are the other ports that ought to be open (inbound and outside) that DNSOnly needs to function 100% properly in a cluster?

    Thanks.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    One of the current prerequisites for the free hostname SSL certificate is a cPanel license, and thus it's not offered on DNS-Only installations due to a lack of a cPanel license on those systems. That said, I encourage you to open a feature request if you'd like to see AutoSSL support for the server's hostname with cPanel DNS-Only:

    Submit A Feature Request

    Ports 53 and 2087 are sufficient; however, you'd also want port 25 open for email notifications. Additionally, you should allow connections from the port SSH is configured on in the event you need to access the system via the command line.

    Thanks!
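
Added example, not part of the original post or cPanel's own tooling: a Python sketch that reconciles the listening sockets on a DNSOnly node against the inbound ports named in this reply (53, 2087, 25 and the configured SSH port). It assumes port 53 is needed on both UDP and TCP, and the `ss -H -tuln` sample is constructed for illustration.

```python
# Constructed sample of `ss -H -tuln` output from a hypothetical DNSOnly node
# whose sshd has been moved to port 2222.
SAMPLE_SS = """\
udp UNCONN 0 0   0.0.0.0:53    0.0.0.0:*
udp UNCONN 0 0   0.0.0.0:123   0.0.0.0:*
tcp LISTEN 0 10  0.0.0.0:53    0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:2222  0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:953 0.0.0.0:*
tcp LISTEN 0 128 [::]:2087     [::]:*
tcp LISTEN 0 80  *:3306        *:*
"""

def allowed_ports(ssh_port=22):
    """Inbound ports from the thread: DNS, WHM, mail notifications, SSH."""
    return {("udp", 53), ("tcp", 53), ("tcp", 2087), ("tcp", 25),
            ("tcp", ssh_port)}

def parse_listeners(ss_output):
    """Turn ss output into (proto, local_address, port) tuples."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        # Skip blank lines and the header row if -H was not used.
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        # rpartition copes with "0.0.0.0:53", "[::]:2087" and ":::2087".
        addr, _, port = fields[4].rpartition(":")
        if port.isdigit():
            listeners.append((fields[0], addr, int(port)))
    return listeners

def is_loopback(addr):
    """True for sockets bound only to 127.0.0.0/8 or ::1."""
    host = addr.strip("[]").split("%")[0]
    return host.startswith("127.") or host == "::1"

def audit(ss_output, ssh_port=22):
    """Return (unexpected, missing) as sorted lists of (proto, port)."""
    exposed = {(proto, port)
               for proto, addr, port in parse_listeners(ss_output)
               if not is_loopback(addr)}
    allowed = allowed_ports(ssh_port)
    return sorted(exposed - allowed), sorted(allowed - exposed)

if __name__ == "__main__":
    unexpected, missing = audit(SAMPLE_SS, ssh_port=2222)
    print("listening but not on the allowlist:", unexpected)
    print("on the allowlist but not listening:", missing)
```

Anything reported as unexpected is a candidate for being stopped, bound to loopback, or blocked at the firewall; a listening socket alone does not show what the firewall actually permits.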
     
  5. MajorLancelot

    MajorLancelot Active Member

    Thank you so much for the update, Michael.
    I have done as you requested.
     
  6. jwogrady

    jwogrady Member

    @cPanelMichael, while I appreciate the straightforward answer, this is a terrible business decision. Do you guys not care that admins have to make a browser exception to trust an unsigned certificate to administer the DNS server? Yeah, it's secure, but we all know it is bad practice. If you tolerate this security issue, it makes me wonder what else you give a pass... I really hope cPanel/WHM rethinks this... You guys should be generating a trusted certificate on every install by default.
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello @jwogrady,

    You can find additional discussion of this topic, including a potential workaround, on the following feature request:

    Automatic SSL for DNSOnly

    Thank you.
     
  8. rangka_kacang

    rangka_kacang Active Member

    Hello.

    I used this last week.

    FleetSSL DNSONLY - Free SSL for cPanel® DNSONLY using Let's Encrypt™

    Everything was fine until I reinstalled my cpanel-dnsonly server yesterday. I can no longer use the certificate, and acmetool gave me an error (something related to listening on port 80; maybe it's my IPv6 configuration) even when I try to install it again on the same hostname. I don't think this is a cPanel issue, but I'm just sharing. I'm just too lazy to troubleshoot and make it work again. If someone reads this and knows the fix, please guide me.

    Thank you.

    EDIT: I found the problem, my /etc/resolv.conf was not set correctly. I changed from using Google 8.8.8.8 and 8.8.4.4 to OpenDNS 208.67.222.222 and 208.67.220.220 and I can install my certificate already.
     
    #8 rangka_kacang, Feb 6, 2018
    Last edited by a moderator: Feb 12, 2018