Letsencrypt SSL certificate for cPanel hostname?

coer

Registered
Apr 4, 2017
4
0
1
Ams
cPanel Access Level
Root Administrator
I would like to install a Letsencrypt SSL certificate which autorenews on the root login for cPanel/WHM.
In other words, a Letsencrypt SSL certificate for use by cPanel, the WebHost Manager, and Webmail.

I looked at Main >> Service Configuration >> Manage Service SSL Certificates but this only allows me to manually add a certificate, or use on of the existing self signed certificates.

I'm aware of this blog post announcing the official 'Letsencrypt with AutoSSL plugin'. I installed it and enabled Letsencrypt as provider. But this only works for domains, not for the main root login of Panel (https://ipaddress:2087).

Am I missing something? Is this possible? I can't find it on the feature list either, but maybe I'm not using the right search phrase.
I'd appreciate your help / insights / solutions.
 

coer

Registered
Apr 4, 2017
4
0
1
Ams
cPanel Access Level
Root Administrator
I would like to install a Letsencrypt SSL certificate which autorenews on the root login for cPanel/WHM.
In other words, a Letsencrypt SSL certificate for use by cPanel, the WebHost Manager, and Webmail.

I looked at Main >> Service Configuration >> Manage Service SSL Certificates but this only allows me to manually add a certificate, or use on of the existing self signed certificates.

I'm aware of this blog post announcing the official 'Letsencrypt with AutoSSL plugin'. I installed it and enabled Letsencrypt as provider. But this only works for domains, not for the main root login of Panel (https://ipaddress:2087).

Am I missing something? Is this possible? I can't find it on the feature list either, but maybe I'm not using the right search phrase.
I'd appreciate your help / insights / solutions.
For clarification, before someone explains you cannot get a Letsencrypt certificate for an IP address, which would be right ;-)
I of course have a qualifying domain name and an A-record pointing to the appropriate cPanel login at https://ipaddress:2087.
I can log in using my domain https://www.domain.com:2087, but get an SSL warning as it currently is a self-signed certificate. I'd like to use Letsencrypt instead.

I hope someone can help, I'm new at cPanel, I used DirectAdmin so far where I know my way.
 

mtindor

Well-Known Member
Sep 14, 2004
1,431
92
178
inside a catfish
cPanel Access Level
Root Administrator
cPanel will provide you with a free signed certificate [automatically] for your server hostname, or should, unless you have specifically done something to cause it not to.

See: Manage Service SSL Certificates - Documentation - cPanel Documentation
- scroll down to "Free cPanel-signed certificate"

Assuming you do not / have not created /var/cpanel/ssl/disable_auto_hostname_certificate and/or /var/cpanel/ssl/disable_service_certificate_management, then your server will automatically renew the hostname SSL certificate with a cPanel-signed SSL certificate before it expires.

Mike
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,243
463

coer

Registered
Apr 4, 2017
4
0
1
Ams
cPanel Access Level
Root Administrator
Hi,
I'd really appreciate if someone could please answer my question regarding Letsencrypt.

"I would like to install a Letsencrypt SSL certificate which autorenews on the root login for cPanel/WHM.
In other words, a Letsencrypt SSL certificate for use by cPanel, the WebHost Manager, and Webmail."

Thanks!
 

mtindor

Well-Known Member
Sep 14, 2004
1,431
92
178
inside a catfish
cPanel Access Level
Root Administrator
Why would you want to install a LetsEncrypt SSL (which has to autorenew every three months) when you can install a cPanel signed certificate [for free] that will last the year and will autorenew on its own?

I don't think you can use a Letsencrypt SSL (at least not in any sort of automated fashion) on the server hostname. But again, there is no reason to. The free cPanel-signed (which is a bonafide SSL certificate that will not throw warnings in browsers) works just fine.

Mike
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,243
463
"I would like to install a Letsencrypt SSL certificate which autorenews on the root login for cPanel/WHM.
In other words, a Letsencrypt SSL certificate for use by cPanel, the WebHost Manager, and Webmail."
Hello,

The Let's Encrypt plugin for cPanel only integrates with the AutoSSL feature, which generates SSL certificates for cPanel accounts. It does not generate hostname certificates for your system's services. This is documented at:

The Let's Encrypt Plugin - cPanel Knowledge Base - cPanel Documentation

Is there any reason you prefer to not use the Comodo certificate that's offered by default for the hostname SSL? Also, note that if you enable Let's Encrypt for cPanel accounts, then the Domain TLS functionality will ensure that certificate is used when cPanel/WHM/Webmail is accessed directly from the domain name:

What is Domain TLS - cPanel Knowledge Base - cPanel Documentation

Thank you.
 

coer

Registered
Apr 4, 2017
4
0
1
Ams
cPanel Access Level
Root Administrator
Hi,
Let's just say I'm a fan of LetsEncrypt, and not (at all!) of Comodo. In any case, my question was technical, and I would love for someone to help me accomplish it. I'm sure it's possible, its a matter of a script, a cPanel plugin or perhaps a series of SSH commands which someone may have figured out already, and could perhaps share to help.

So, here I go again:

Hi,
I'd really appreciate if someone could please answer my question regarding Letsencrypt.

"I would like to install a Letsencrypt SSL certificate which autorenews on the root login for cPanel/WHM.
In other words, a Letsencrypt SSL certificate for use by cPanel, the WebHost Manager, and Webmail."

Thanks!
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,243
463
"I would like to install a Letsencrypt SSL certificate which autorenews on the root login for cPanel/WHM.
In other words, a Letsencrypt SSL certificate for use by cPanel, the WebHost Manager, and Webmail."
Hello,

You could manually install a Let's Encrypt SSL certificate for each service via:

"WHM >> Manage Service SSL Certificates"

However, you'd need to first disable the free cPanel-signed hostname SSL certificate functionality per the instructions at:

Free cPanel-Signed Hostname Certificate - cPanel Knowledge Base - cPanel Documentation

Note that the automatic renewal of the Let's Encrypt certificate won't occur for the server's hostname because the free hostname SSL functionality does not support Let's Encrypt. I encourage you to open a feature request if you'd like to see support for this added to the product:

Submit A Feature Request

Thanks!
 

sevenokve

Member
Aug 11, 2020
9
2
3
Puerto La Cruz, Venezuela
cPanel Access Level
Root Administrator
This is an old thread, but in case anyone stumbles upon it, the correct doc URL about this topic is: Manage Service SSL Certificates | cPanel & WHM Documentation

If it servers someone, the issue I had was that the SSL certificate for the hostname was not being automatically installed even thou the nameserver was up and running and there was a self-signed SSL certificate installed.

I was able to "generate" de SSL certificate by running this maintenance script:

Code:
/usr/local/cpanel/scripts/upcp
Which generates and replaces the hostname SSL.
 

GoWilkes

Well-Known Member
Sep 26, 2006
647
29
178
cPanel Access Level
Root Administrator
I think that this is my issue right now... Sectigo isn't updating my server's certificates, so I changed the default provider to LE yesterday. I've had a lot of the certs for accounts update, but I'm still getting a warning that the certs for FTP, Exim, etc are expiring.

Would WHM > Manage Service SSL Certificates > Reset Certificate not do the trick? The warning it gives is super scary...
 

sevenokve

Member
Aug 11, 2020
9
2
3
Puerto La Cruz, Venezuela
cPanel Access Level
Root Administrator
I'm not sure, actually. I was tempted to click that button myself but for what I understood from the warning that only generates a self-signed certificate for the server, not a cPanel-signed cert. So at least for my and your case it has no use.

Try running the command I stated before:

Code:
/usr/local/cpanel/scripts/upcp
That command as stated in the documentation (among lots of other things) generates a new certificate and replaces the old one in several circumstances, including "if the former SSL is expired or close to expiring".

So that command should fix your issue.
 

vacancy

Well-Known Member
Sep 20, 2012
528
203
93
Turkey
cPanel Access Level
Root Administrator
There is no setting to allow the hostname certificate to be used as let's encrpyt certificate.

For this, 3rd party software should be used. Have a look at Fleetssl.
 
  • Like
Reactions: cPRex

GoWilkes

Well-Known Member
Sep 26, 2006
647
29
178
cPanel Access Level
Root Administrator
If I ignore the problem until Sectigo is fixed, would site users notice or would it only throw an error when I FTP in / check email?
 

jcn50

Member
Aug 11, 2007
5
2
53
You can check this tutorial, however the last 4 lines of the script are incorrect and should be replaced by:
/scripts/restartsrv_cpsrvd
/scripts/restartsrv_ftpd
/scripts/restartsrv_dovecot
/scripts/restartsrv_exim