Letsencrypt SSL on CPanel auto renew and update on remote web server

[jakeSC]

Hi
We are currently using a domain provider that is hosted on CPanel. We have a subdomain was provided free SSL Certificate from Letsencrypt on CPanel. That certificate will automatically renewed and reapplied in the SSL/TLS panel when the time comes.

On the other hand, on a remote web server. In order to use that certificate, I downloaded it and the key from file manager. Combined both with openssl and installed them in the Microsoft Windows Certification Store. Therefore, I was able to have SSL access to my site successfully.

However, due to the nature of Letsencrypt that cert will expire in April, does that mean I will have to retrieve the new key and cert from CPanel and redo everything? Is there anyway I can automate this? I would really appreciate some guidance.

Thank you
-Just an internee learning new things-

 

[andrew.n]

Correct however as I understand you host the site on Windows? You can download certbot on Windows and generate the certificate directly there rather than on a cPanel based linux server.

 

[cPRex]

Hey there! You're exactly correct - you would need to manually move over the new cert details to the remote location.

If you had root access to the system you could use the file located at /var/cpanel/ssl/apache_tls/domain.com/combined as that filename stays consistent across SSL updates, but just changes with the new certificate data when that gets updated.

 

[jakeSC]

Correct however as I understand you host the site on Windows? You can download certbot on Windows and generate the certificate directly there rather than on a cPanel based linux server.

Because these are client servers that we will probably not have access to so easily once we figure this out.
Therefore, having certbot per machine renewing its own cert is not that easy to manage if something goes wrong.

 

[jakeSC]

Hey there! You're exactly correct - you would need to manually move over the new cert details to the remote location.

If you had root access to the system you could use the file located at /var/cpanel/ssl/apache_tls/domain.com/combined as that filename stays consistent across SSL updates, but just changes with the new certificate data when that gets updated.

Thank you for the clarification, can you be more elaborate about your method? I would love to understand more about it.

 

[cPRex]

I didn't mean to imply I have an actual method that is pre-built to do this work, but I just wanted to point out that file already uses the combined style of certificates. You could use that file to setup some type of automation on your end so you could skip the step of combining the certificate files with your current process, if that makes things easier.

 

[jakeSC]

I didn't mean to imply I have an actual method that is pre-built to do this work, but I just wanted to point out that file already uses the combined style of certificates. You could use that file to setup some type of automation on your end so you could skip the step of combining the certificate files with your current process, if that makes things easier.

I think I might resort to using certbot or acme to make certs since Cpanel has the same provider anyway. Do you suggest any of the two? What validation method gives the best automation and long-term unattended work?
Thank you so much for your help me so far.

 

[cPRex]

I personally don't have a recommendation as I can't really comment on non-cPanel tools. Other users might have some thoughts though!

 

[jakeSC]

I didn't mean to imply I have an actual method that is pre-built to do this work, but I just wanted to point out that file already uses the combined style of certificates. You could use that file to setup some type of automation on your end so you could skip the step of combining the certificate files with your current process, if that makes things easier.

Welp thank you for your suggestions so far <3

 

[andrew.n]

then you would be having issues placing on those remotely as well There is no automatic way to renew and transfer the certificates. It might be possible with a script though which fetch the certificates from the cPanel server, place it on the windows one and restart/reload the services there to apply the changes. I think the easiest, most forward and most reliable solution is to get the cert renew directly from the destination server.

 

[jakeSC]

Correct however as I understand you host the site on Windows? You can download certbot on Windows and generate the certificate directly there rather than on a cPanel based linux server.

After further researching, I can understand better about your suggestion. I wish I could use certbot but the automation part requires install the certificates into Windows Certification Store machine-level.

This is why I am trying to get win-acme working. However, as noob as a person could be, I am really trying to get http-01 selfhosting method working. But it just seems to not work, not even manual DNS txt record would work.

 

[andrew.n]

There are even some online tools with which you can generate certificates like https://punchsalad.com/ssl-certificate-generator/ but paid ones are like 5-6$ per year so it might worth just to pay for it then spending hours to get this working on Windows if you are not tech savvy

 

[jakeSC]

There are even some online tools with which you can generate certificates like https://punchsalad.com/ssl-certificate-generator/ but paid ones are like 5-6$ per year so it might worth just to pay for it then spending hours to get this working on Windows if you are not tech savvy

Thanks to your suggestion about namecheap, my boss has decided to pick them up as our future approach to SSL managements. However, I did manage to get win-acme working on http-01 method which is very economical and sustainable but due to how cheap namecheap is, my boss favours this method more.

 

[andrew.n]

Very well!

 

[kyliejourney]

There are even some online tools with which you can generate certificates like https://punchsalad.com/employee monitoring software/ssl-certificate-generator/ but paid ones are like 5-6$ per year so it might worth just to pay for it then spending hours to get this working on Windows if you are not tech savvy

Thanks to your suggestion about namecheap, my boss has decided to pick them up as our future approach to SSL managements. However, I did manage to get win-acme working on http-01 method which is very economical and sustainable but due to how cheap namecheap is, my boss favours this method more.

We also used punch salad, and zerossl.com as well.
Can you please share what you and your company are up to?
Perhaps it would help us choose something more suitable
Thanks!

 

[jakeSC]

We also used punch salad, and zerossl.com as well.
Can you please share what you and your company are up to?
Perhaps it would help us choose something more suitable
Thanks!

I feel like andrew can answer this question much better than me my only situation i can give is that we offer a very small subset of businesses. And therfore we would usually look forward to simple methods of deploying yet cheap enough that it wouldnt be a burden

 

[kyliejourney]

I feel like andrew can answer this question much better than me my only situation i can give is that we offer a very small subset of businesses. And therfore we would usually look forward to simple methods of deploying yet cheap enough that it wouldnt be a burden

Anyway, thanks for your feedback, Jake!

 

[andrew.n]

@kyliejourney I'm just trying to help Jake here It's great though that you monitor the health of your ranges with those tools as well!