Using cPanel generated SSL certs with stunnel

[BassTeQ]

I'm trying to configure stunnel, and need to provide a cert and key (see below)

cert = /etc/example/fullchain.pem
key = /etc/example/privkey.pem

I'd like to use the existing certificates generated by cPanel under /var/cpanel/ssl/domain_tls/subdomain.example.com

certificates
certificates.cache
combined
combined.cache

Would I need the configuration to be;

cert = /var/cpanel/ssl/domain_tls/subdomain.example.com/certificates
key = not sure what to use?

Thanks!

 

[cPanelLauren]

The following should get you this information: https://documentation.cpanel.net/display/DD/UAPI+Functions+-+SSL::fetch_cert_info certificate details are stored in /home/$user/ssl/

 

[BassTeQ]

The following should get you this information: https://documentation.cpanel.net/display/DD/UAPI+Functions+-+SSL::fetch_cert_info certificate details are stored in /home/$user/ssl/

Thanks @cPanelLauren for the reply, I see the certificate is easy enough to locate as it is has the subdomain in the filename. However in the "keys" directory there are multiple key files, how do I know which one is linked to a certain subdomain?

Thanks

 

[BassTeQ]

I managed to get this working, using the command line tool 'uapi', then parsing the output YAML in perl to extract the private key and then save it to a file.

 

[BassTeQ]

Just stuck with another issue.
If I generate a cert with letsencrypt and run the command below it generates a bundle.pem file which works well with the application

cat /etc/letsencrypt/live/domain.example.com/fullchain.pem /etc/letsencrypt/live/domain.example.com/privkey.pem > /etc/certs/bundle.pem

I'm trying to work out how to do this with the data returned from the cpanel application "uapi"
The data returned is
- cabundle
- certificate
- key

I've tried writing out cabundle followed by key, but the bundle.pem wasn't valid.

Appreciate any help.

Thanks

 

[cPanelLauren]

Well, the cabundle for all of let's encrypt certificates would be the same. What is it you're trying to do with this?

 

[BassTeQ]

Well, the cabundle for all of let's encrypt certificates would be the same. What is it you're trying to do with this?

I'm trying to use the certificate for an icecast server.
Update: I've managed to get it working now, found a bug in my script which was causing an issue.

On another note, is there a way I can run a custom script after a cPanel SSL cert has been updated for a particular sub-domain?

Thanks

 

[cPanelLauren]

That would qualify as a hookable event http://documentation.cpanel.net:8090/display/DD/Guide+to+Standardized+Hooks

 

[BassTeQ]

That would qualify as a hookable event http://documentation.cpanel.net:8090/display/DD/Guide+to+Standardized+Hooks

So SSL certs are updated as part of "upcp" ? If I was to add something like the below, this would be executed after a "upcp" runs?

/usr/local/cpanel/bin/manage_hooks add script /path/to/postupcpscript.php --manual --category System --event upcp --stage post

Thanks

 

[cPanelLauren]

Yep, cPanel's maintenance includes checking for SSL certificates. But upcp wouldn't be the only instance in which this occurs, adding a domain, or creating an account also trigger an autossl run for the account.

 

[techguide]

The following should get you this information: https://documentation.cpanel.net/display/DD/UAPI+Functions+-+SSL::fetch_cert_info certificate details are stored in /home/$user/ssl/

How to you find what the "friendly name" (or "ID" ) of the certificate is to use in the uapi code? I've tried various combinations of the domain name but get the error "no certificates match that search term". Looking at the files in the /home/$user/ssl directory doesn't seem to offer any clues. Thanks!

 

[cPRex]

@techguide - this call will show the friendly name for the certificate:

Return all SSL certificates

This function lists an account's certificates. **Important:** When you disable the Calendars and Contacts, Receive Mail, Web Disk, Webmail, and Web Server [roles](https://go.cpanel.net/howtouseserverprofiles#roles), the system **disables** this function.

api.docs.cpanel.net

Let me know if that helps!