Letsencrypt SSL on CPanel auto renew and update on remote web server

jakeSC

Member
Jan 21, 2021
8
3
3
Finland
cPanel Access Level
Website Owner
Hi,
We are currently using a domain provider that is hosted on cPanel. We have a subdomain that was provided a free SSL certificate from Let's Encrypt on cPanel. That certificate will be automatically renewed and reapplied in the SSL/TLS panel when the time comes.

On the other hand, on a remote web server, in order to use that certificate, I downloaded it and the key from the file manager, combined both with openssl and installed them in the Microsoft Windows Certification Store. Therefore, I was able to have SSL access to my site successfully.

However, due to the nature of Let's Encrypt, that cert will expire in April. Does that mean I will have to retrieve the new key and cert from cPanel and redo everything? Is there any way I can automate this? I would really appreciate some guidance.

Thank you
-Just an internee learning new things-
 

andrew.n

Well-Known Member
Jun 9, 2020
581
158
43
EU
cPanel Access Level
Root Administrator
Correct; however, as I understand it, you host the site on Windows? You can download certbot on Windows and generate the certificate directly there rather than on a cPanel-based Linux server.
 
  • Like
Reactions: cPRex

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
5,327
689
313
cPanel Access Level
Root Administrator
Hey there! You're exactly correct - you would need to manually move over the new cert details to the remote location.

If you had root access to the system you could use the file located at /var/cpanel/ssl/apache_tls/domain.com/combined as that filename stays consistent across SSL updates, but just changes with the new certificate data when that gets updated.
 

jakeSC

> Correct; however, as I understand it, you host the site on Windows? You can download certbot on Windows and generate the certificate directly there rather than on a cPanel-based Linux server.

Because these are client servers that we will probably not have access to so easily once we figure this out.
Therefore, having certbot per machine renewing its own cert is not that easy to manage if something goes wrong.
 

jakeSC

> Hey there! You're exactly correct - you would need to manually move over the new cert details to the remote location.
>
> If you had root access to the system you could use the file located at /var/cpanel/ssl/apache_tls/domain.com/combined as that filename stays consistent across SSL updates, but just changes with the new certificate data when that gets updated.

Thank you for the clarification. Can you elaborate more on your method? I would love to understand more about it.
 

cPRex

I didn't mean to imply I have an actual method that is pre-built to do this work, but I just wanted to point out that file already uses the combined style of certificates. You could use that file to set up some type of automation on your end so you could skip the step of combining the certificate files with your current process, if that makes things easier.
 

jakeSC

> I didn't mean to imply I have an actual method that is pre-built to do this work, but I just wanted to point out that file already uses the combined style of certificates. You could use that file to set up some type of automation on your end so you could skip the step of combining the certificate files with your current process, if that makes things easier.

I think I might resort to using certbot or acme to make certs since cPanel has the same provider anyway. Do you suggest either of the two? What validation method gives the best automation and long-term unattended work?
Thank you so much for your help so far.
 

jakeSC

> I didn't mean to imply I have an actual method that is pre-built to do this work, but I just wanted to point out that file already uses the combined style of certificates. You could use that file to set up some type of automation on your end so you could skip the step of combining the certificate files with your current process, if that makes things easier.

Welp, thank you for your suggestions so far <3
 
  • Like
Reactions: cPRex

andrew.n

Then you would be having issues placing them on those remotely as well :) There is no automatic way to renew and transfer the certificates. It might be possible with a script, though, which fetches the certificates from the cPanel server, places them on the Windows one and restarts/reloads the services there to apply the changes. I think the easiest, most straightforward and most reliable solution is to get the cert renewed directly from the destination server.
 
  • Like
Reactions: cPRex
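
The change-detection step of the fetch-and-redeploy script described in the post above, as an added example that is not part of the original thread and is not cPanel's code. It assumes the fetched `combined` file is a PEM bundle holding the private key plus the leaf certificate followed by its chain; the function names and sample bundles are constructed for illustration.

```python
import base64
import hashlib
import re

# One PEM block: captures the label and the base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def split_combined(pem_text):
    """Split a combined PEM bundle into (key, leaf, chain) as DER bytes."""
    key, certs = None, []
    for label, body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        if label.endswith("PRIVATE KEY"):
            if key is not None:
                raise ValueError("more than one private key in bundle")
            key = der
        elif label == "CERTIFICATE":
            certs.append(der)
    if key is None or not certs:
        raise ValueError("bundle must hold a private key and a certificate")
    # Assumption: the first CERTIFICATE block is the leaf, the rest the chain.
    return key, certs[0], certs[1:]


def fingerprint(cert_der):
    """SHA-256 over the DER encoding; used here only to detect a change."""
    return hashlib.sha256(cert_der).hexdigest()


def needs_redeploy(pem_text, deployed_fingerprint):
    """Return (changed, new_fingerprint) for the leaf in the fetched bundle."""
    _, leaf, _ = split_combined(pem_text)
    new_fp = fingerprint(leaf)
    return new_fp != deployed_fingerprint, new_fp


def make_pem(label, payload):
    """Wrap bytes in PEM armor (helper for the constructed samples below)."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed samples: placeholder bytes, not real key or certificate data.
OLD_BUNDLE = (make_pem("RSA PRIVATE KEY", b"old-key")
              + make_pem("CERTIFICATE", b"old-leaf") + make_pem("CERTIFICATE", b"issuer"))
NEW_BUNDLE = (make_pem("PRIVATE KEY", b"new-key")
              + make_pem("CERTIFICATE", b"new-leaf") + make_pem("CERTIFICATE", b"issuer"))
```

Run on a schedule, this lets the import and service reload happen only when `needs_redeploy` reports a change. Because the bundle contains the private key, it should be transferred and stored with the same restrictions as the key itself.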

jakeSC

> Correct; however, as I understand it, you host the site on Windows? You can download certbot on Windows and generate the certificate directly there rather than on a cPanel-based Linux server.

After further research, I can better understand your suggestion. I wish I could use certbot, but the automation part requires installing the certificates into the Windows Certification Store at machine level.

This is why I am trying to get win-acme working. However, as noob as a person could be, I am really trying to get the http-01 selfhosting method working. But it just seems to not work; not even a manual DNS TXT record would work.
 

andrew.n

There are even some online tools with which you can generate certificates, like https://punchsalad.com/ssl-certificate-generator/, but paid ones are like 5-6$ per year, so it might be worth just paying for it rather than spending hours to get this working on Windows if you are not tech savvy :(
 
  • Like
Reactions: cPRex

jakeSC

> There are even some online tools with which you can generate certificates, like https://punchsalad.com/ssl-certificate-generator/, but paid ones are like 5-6$ per year, so it might be worth just paying for it rather than spending hours to get this working on Windows if you are not tech savvy :(

Thanks to your suggestion about namecheap, my boss has decided to pick them up as our future approach to SSL management. However, I did manage to get win-acme working with the http-01 method, which is very economical and sustainable, but due to how cheap namecheap is, my boss favours this method more.
 
  • Like
Reactions: andrew.n

kyliejourney

Registered
Feb 11, 2021
2
0
1
Ontario. Canada
cPanel Access Level
Website Owner
> There are even some online tools with which you can generate certificates like https://punchsalad.com/employee monitoring software/ssl-certificate-generator/ but paid ones are like 5-6$ per year so it might worth just to pay for it then spending hours to get this working on Windows if you are not tech savvy

> Thanks to your suggestion about namecheap, my boss has decided to pick them up as our future approach to SSL managements. However, I did manage to get win-acme working on http-01 method which is very economical and sustainable but due to how cheap namecheap is, my boss favours this method more.

We also used punch salad, and zerossl.com as well.
Can you please share what you and your company are up to?
Perhaps it would help us choose something more suitable
Thanks!
 

jakeSC

> We also used punch salad, and zerossl.com as well.
> Can you please share what you and your company are up to?
> Perhaps it would help us choose something more suitable
> Thanks!

I feel like andrew can answer this question much better than me. The only situation I can give is that we offer a very small subset of businesses, and therefore we would usually look forward to simple methods of deploying, yet cheap enough that it wouldn't be a burden.
 
  • Like
Reactions: kyliejourney

andrew.n

@kyliejourney I'm just trying to help Jake here :) It's great though that you monitor the health of your ranges with those tools as well!