SOLVED Replacing Let's Encrypt hostname certificate with the free Comodo cert

MoreK

Member
Feb 15, 2016
14
1
53
Helsinki, Finland
cPanel Access Level
Root Administrator
I'm using a Let's Encrypt certificate for Services (Dovecot, Exim, SFTP...). It works fine but every 3 months I have to run a clumsy Python script to renew the certificate.

So, to get everything automated, I have tried to replace the certificate with the free cPanel provided Comodo certificate:

1. In WHM panel, go to Manage Service SSL Certificates
2. Click "Reset Certificate" for one of the services
3. Run /usr/local/cpanel/bin/checkallsslcerts on console to speed up the process to update Self-Signed cert with Comodo.

However, when I run "checkallsslcerts" on console, it reverts back to Let's Encrypt certificate for the service. In "Browse Certificates" I can see the new certificate, but it's still Self-Signed.

And I'm stuck here. Is it possible that I have broken something? I tried to install free cert multiple times earlier, then removed them in SSL Storage Manager. Then tried again.

Oh, and one challenge is to keep services working for all existing users. Preferably with no down-time for mail and ftp users. So, is there a way to get Comodo hostname certificate in the background, and THEN install when it's available?

Any advice appreciated! Thanks...
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,258
463
Hello,

Can you verify if you are using "Let's Encrypt" as the AutoSSL provider in "WHM >> Manage AutoSSL" in the scenario you have described?

Thank you.
 

MoreK

Hi,
Yes, correct, I'm using Let's Encrypt as the AutoSSL provider. And for all accounts and web domains it works great. I'm just struggling with the hostname certificate (Manage Service SSL Certificates) to get it automated too.
 

MoreK

Hi again. I may have a clue what the problem is. The documentation (Free cPanel-Signed Hostname Certificate - cPanel Knowledge Base - cPanel Documentation) says that "checkallsslcerts" command uses "dig +trace host.server.tld" command to resolve IP address of the hostname. I assume it tries to get public IP?

I tried the command on the server console. It returned internal IP address. I guess that is not the purpose? Btw I also tried out "dig +short host.server.tld" which returned the public IP.

Could this be a problem? If yes, what can I do to fix it?
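
One way to compare what the two dig queries in the post above return and flag a private answer, as an added example that is not part of the original post or of cPanel's tooling. The function names, host.server.tld, the sample dig output and the addresses are all constructed for illustration.

```shell
#!/bin/sh
# Added example; the sample dig output, host name and addresses are constructed.

# Tail of a "dig +trace" run whose last nameserver hands out an internal address.
SAMPLE_TRACE='server.tld. 172800 IN NS ns1.server.tld.
;; Received 80 bytes from 192.0.2.53#53(a.nic.tld) in 20 ms

host.server.tld. 14400 IN A 10.0.0.5
;; Received 60 bytes from 10.0.0.2#53(ns1.server.tld) in 1 ms'
# "dig +short" output (203.0.113.10 is a documentation address standing in for a public IP).
SAMPLE_SHORT='203.0.113.10'

# Print the A-record addresses for host $1 found in dig output on stdin.
a_records() {
    awk -v h="$1." '
        # +trace / full answer line: name TTL IN A address
        $4 == "A" && tolower($1) == tolower(h) { print $5; next }
        # +short line: a bare IPv4 address
        NF == 1 && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1 }
    '
}

# Classify an IPv4 address: RFC 1918, loopback and link-local count as private.
classify() {
    case "$1" in
        10.*|192.168.*|127.*|169.254.*) echo private ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) echo private ;;
        *) echo public ;;
    esac
}

# Report every address in the dig output on stdin; return 1 if any is private.
check_dig_output() {
    host=$1
    rc=0
    for ip in $(a_records "$host"); do
        kind=$(classify "$ip")
        echo "$host -> $ip ($kind)"
        [ "$kind" = private ] && rc=1
    done
    return "$rc"
}

printf '%s\n' "$SAMPLE_TRACE" | check_dig_output host.server.tld || echo "+trace: private address"
printf '%s\n' "$SAMPLE_SHORT" | check_dig_output host.server.tld || echo "+short: private address"
# Live use: dig +trace host.server.tld | check_dig_output host.server.tld
```

A private answer from the authoritative path while the recursive answer is public usually points at split-horizon DNS or a nameserver on the box serving the internal view.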
 

cPanelMichael

Hello,

Could you open a support ticket using the link in my signature so we can take a closer look?

Thank you.
 

MoreK

A quick update. I didn't open a support ticket, but I tried now again with the three steps in my first post. It worked just fine!

Just to clarify my setup, in case anyone else is wondering how to make 100% automated certificates to work:
- One server box, host name server1.domain.tld
- AutoSSL configured with Let's Encrypt provider
- domain.tld added as an account -> this gives me Let's Encrypt SSL secured whm.domain.tld for WHM access
- And now, finally, free cPanel provided Comodo certificate for Service SSL - for IMAP and SMTP mainly in my case (on Manage Service SSL Certificates page)

All good now, email works, WHM works, cPanel works, client web sites work - all with automated certificate renewals. I'm happy :)
 