
[How-To] Installing SSL from Let's Encrypt

Comments

118 comments

  • Valetia
    yum -y install git python27 python27-devel python27-pip python27-setuptools python27-tools python27-virtualenv --enablerepo=ius

    On CloudLinux 6.7, running the above line results in the following error:
    Transaction Check Error: file /usr/bin/2to3 from install of python27-tools-2.7.10-1.ius.el6.x86_64 conflicts with file from package python-tools-2.6.6-64.el6.x86_64
    0
  • cPMatthewV
    Hi Valetia. This occurs because of the python-tools package from CentOS / CL 6.7. When this occurs you simply need to remove that package. I have updated the original entry to indicate this.
    0
  • eva2000
    nice @cPMatthewV love the perl script ! :cool: cmds for LE install look familiar :-D
    0
  • cPMatthewV
    nice @cPMatthewV love the perl script ! :cool: cmds for LE install look familiar :-D

    Thanks :D and yeah I got the install instructions from their site and simply included the repo commands. It's good that it is as easy as that and not too complicated. Hopefully in the future we will add native support and installation for this.
    0
  • eva2000
    Thanks :D and yeah I got the install instructions from their site and simply included the repo commands.

    https://community.letsencrypt.org/t/redhat-centos-6-x-users-need-python-2-7/2190 :) @cPMatthewV you also might want to pass command --renew-by-default and go full text based so subsequent runs can use a cron schedule so you can renew the SSL certs and also use letsencrypt instead of letsencrypt-auto which auto updates dependencies every run :)
    /root/.local/share/letsencrypt/bin/letsencrypt certonly --text --agree-tos --renew-by-default --webroot --webroot-path /home/cPanelUser/public_html/ -d domain.com -d www.domain.com
    or pass email one time to register a LE account for expiry notifications etc + text only (or use cli.ini file)
    /root/.local/share/letsencrypt/bin/letsencrypt certonly --text --agree-tos --renew-by-default --email email@domain.com --webroot --webroot-path /home/cPanelUser/public_html/ -d domain.com -d www.domain.com
    also can populate i.e. with email setting in a cli.ini config file so to pass less parameters on cmd line: User Guide - Let's Encrypt 0.2.0.dev0 documentation. HTH
    0
  • cPMatthewV
    It doesn't look like they have a standard client ./letsencrypt anymore and they just have ./letsencrypt-auto. I do agree it is quite annoying having to re-run those checks. Hopefully they will fix this.
    0
  • eva2000
    Ah you're looking in wrong directory. With above install instructions the non-auto binary will be at /root/.local/share/letsencrypt/bin/letsencrypt. It's defined at https://github.com/letsencrypt/letsencrypt/blob/master/letsencrypt-auto#L13-L16

    /root/.local/share/letsencrypt/bin/letsencrypt --version
    letsencrypt 0.1.0

    /root/.local/share/letsencrypt/bin/letsencrypt --help webroot
    usage:
      letsencrypt [SUBCOMMAND] [options] [-d domain] [-d domain] ...

    The Let's Encrypt agent can obtain and install HTTPS/TLS/SSL certificates. By
    default, it will attempt to use a webserver both for obtaining and installing
    the cert. Major SUBCOMMANDS are:

      (default) run        Obtain & install a cert in your current webserver
      certonly             Obtain cert, but do not install it (aka "auth")
      install              Install a previously obtained cert in a server
      revoke               Revoke a previously obtained certificate
      rollback             Rollback server configuration changes made during install
      config_changes       Show changes made to server config during installation
      plugins              Display information about installed plugins

    optional arguments:
      -h, --help            show this help message and exit
      -c CONFIG_FILE, --config CONFIG_FILE
                            config file path (default: None)

    webroot:
      Webroot Authenticator

      -w WEBROOT_PATH, --webroot-path WEBROOT_PATH
                            public_html / webroot path. This can be specified
                            multiple times to handle different domains; each
                            domain will have the webroot path that preceded it.
                            For instance: `-w /var/www/example -d example.com -d
                            www.example.com -w /var/www/thing -d thing.net -d
                            m.thing.net` (default: None)

    ls -lah /root/.local/share/letsencrypt/bin/
    total 72K
    drwxr-xr-x 2 root root 4.0K Dec  3 19:10 .
    drwxr-xr-x 5 root root 4.0K Nov 15 20:42 ..
    -rw-r--r-- 1 root root 2.2K Nov 15 20:42 activate
    -rw-r--r-- 1 root root 1.3K Nov 15 20:42 activate.csh
    -rw-r--r-- 1 root root 2.4K Nov 15 20:42 activate.fish
    -rw-r--r-- 1 root root 1.2K Nov 15 20:42 activate_this.py
    -rwxr-xr-x 1 root root  261 Dec  3 19:10 easy_install
    -rwxr-xr-x 1 root root  261 Dec  3 19:10 easy_install-2.7
    -rwxr-xr-x 1 root root  245 Dec  3 19:10 jws
    -rwxr-xr-x 1 root root  245 Dec  3 19:10 letsencrypt
    -rwxr-xr-x 1 root root  249 Dec  3 19:10 letsencrypt-renewer
    -rwxr-xr-x 1 root root  368 Nov 15 20:42 ndg_httpclient
    -rwxr-xr-x 1 root root  242 Nov 15 20:42 pbr
    -rwxr-xr-x 1 root root  310 Nov 15 20:42 pip
    -rwxr-xr-x 1 root root  312 Nov 15 20:42 pip2
    -rwxr-xr-x 1 root root  316 Nov 15 20:42 pip2.7
    lrwxrwxrwx 1 root root    9 Nov 15 20:42 python -> python2.7
    lrwxrwxrwx 1 root root    9 Nov 15 20:42 python2 -> python2.7
    -rwxr-xr-x 1 root root 4.8K Nov 15 20:42 python2.7

    also corrected my above post with full path as i assumed ./letsencrypt was from /root/.local/share/letsencrypt/bin/
    0
  • ChristianSB
    Getting
    -bash: ./installssl.pl: /usr/local/cpanel/3rdparty/bin/perl^M: bad interpreter: No such file or directory
    when running the ./installssl.pl mydomain.tld. Works now, used
    sed -i 's/\r//' installssl.pl
    0
  • pankajsystem
    This is great. Only yesterday I got the query from a client to install Let's Encrypt SSL on a cPanel server and I was trying to upgrade Python from 2.6 to 2.7, but that was not recommended, hence I have stopped working on it. I will try this new tutorial now and hopefully this will help me.
    0
  • eminos
    I'm getting this error following the tutorial, after running the ./letsencrypt-auto --verbose command for the first time. I'm on CloudLinux 6.
    Creating virtual environment...
    Running virtualenv with interpreter /usr/bin/python2.7
    Traceback (most recent call last):
      File "/usr/lib/python2.6/site-packages/virtualenv.py", line 16, in <module>
        import tempfile
      File "/usr/lib64/python2.7/tempfile.py", line 32, in <module>
        import io as _io
      File "/usr/lib64/python2.7/io.py", line 51, in <module>
        import _io
    ImportError: /usr/lib64/python2.7/lib-dynload/_io.so: undefined symbol: _PyErr_ReplaceException
    Also the packages python-virtualenv and cloudlinux' alt-python-virtualenv were in some conflict so I removed the alt-python-virtualenv which solved that issue.
    0
  • siriusb
    Hi. When I try to make a demo SSL, script doesn't create /etc/letsencrypt/live/$domain directory. So, I did it manually. If I execute it again, same error.
    cannot open file /etc/letsencrypt/live/zagas.com.ar/cert.pem at /root/installssl.pl line 29.

    root@eh-002 [~/scripts/letsencrypt]# pwd
    /root/scripts/letsencrypt
    root@eh-002 [~/scripts/letsencrypt]# ./letsencrypt-auto --text --agree-tos --email webmaster@$domain.com.ar --renew-by-default --webroot --webroot-path /home/$domain/public_html/ -d $domain.com.ar -d www.$domain.com.ar
    Updating letsencrypt and virtual environment dependencies.......
    Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt --text --agree-tos --email webmaster@$domain.com.ar --renew-by-default --webroot --webroot-path /home/$domain/public_html/ -d $domain.com.ar -d www.$domain.com.ar
    No installers are available on your OS yet; try running "letsencrypt-auto certonly" to get a cert you can install manually
    root@eh-002 [~/scripts/letsencrypt]# /root/installssl.pl $domain.com.ar
    cannot open file /etc/letsencrypt/live/$domain.com.ar/cert.pem at /root/installssl.pl line 29.
    root@eh-002 [~/scripts/letsencrypt]# find /etc/letsencrypt/ -type d
    /etc/letsencrypt/
    /etc/letsencrypt/accounts
    /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org
    /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory
    /etc/letsencrypt/live
    /etc/letsencrypt/live/$domain.com.ar
    root@eh-002 [~/scripts/letsencrypt]# find /etc/letsencrypt/ -type f
    /etc/letsencrypt/live/bundle.txt
    root@eh-002 [~/scripts/letsencrypt]# find . -iname "*$domain*"
    root@eh-002 [~/scripts/letsencrypt]#
    0
  • ThomasY
    I'm getting the same error as siriusb. It doesn't create the /etc/letsencrypt/ directory, so I tried to create before I could even create bundle.txt it manually but no luck. This is on CENTOS 6.7. Anyone got any ideas? Edit: Nevermind, apparently for whatever reason python wasn't installing 2.7 correctly. I did the following command and it was still showing only python 2.6
    whereis python
    After that I redid this.
    yum -y install python27 python27-devel python27-pip python27-setuptools python27-tools python27-virtualenv --enablerepo=ius
    Afterwards I retried running the python script and it worked correctly.
    0
  • pankajsystem
    Hey I have followed the given tutorial and installed SSL successfully on the domain there is green pad lock appearing there so I have checked this and found that site have Insecure call. Found on line # 56 in file:
    0
  • mvirtue
    As instructed above, I removed the python tools...
    yum remove python-tools
    Just now I received an email from my WHM server with the subject "An update failure has occured." The body of the email included the line... Sysup: Needed system RPMs were not installed: python-tools
    I installed python-tools again, and got the same error above: file /usr/bin/2to3 from install of python-tools-2.6.6-64.el6.x86_64 conflicts with file from package python27-tools-2.7.10-1.ius.el6.x86_64
    So it seems I can either have the ability for WHM/cPanel to update itself, or I can have LetsEncrypt, but not both. Any thoughts?
    0
  • Mark. S
    Fantastic! Thank you for this :) I'm running this now via a PHP script (out on its own, not web accessible) which I pass the initial arguments to (path, domains.) I'm aiming eventually to have this populate a table with the information of the certificate and when it should be renewed next (doing +60 days) and have only one script run via cron to query this, find out which ones need renewing, and only renew those (rather than multiple cron jobs for each domain.) I want to look into doing this with the main service SSL too (dovecot, exim, ftp, cpanel) and using the API here: WHM API 1 Functions - install_service_ssl_certificate - Software Development Kit - cPanel Documentation. Is this last bit something you would recommend not doing?
    0
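One way to do the "find out which ones need renewing" step from the post above with a single cron job, as an added example that is not part of the thread or of cPanel's script. It assumes the standard /etc/letsencrypt/live layout seen elsewhere in the thread and a 90-day certificate lifetime, so "+60 days" becomes "30 days or fewer remaining"; `certs_due` is a name made up here.

```shell
#!/bin/sh
# Added example: list lineages whose cert.pem expires within DAYS days.
# Usage: certs_due [LIVE_DIR] [DAYS]   (defaults are assumptions, see above)

certs_due() {
    live=${1:-/etc/letsencrypt/live}
    secs=$(( ${2:-30} * 86400 ))
    for cert in "$live"/*/cert.pem; do
        [ -f "$cert" ] || continue          # glob matched nothing
        # A file that does not parse must not be mistaken for "due":
        # report it on stderr and move on.
        if ! openssl x509 -noout -in "$cert" >/dev/null 2>&1; then
            echo "skip: cannot parse $cert" >&2
            continue
        fi
        # -checkend exits non-zero when the certificate expires
        # within the given number of seconds.
        if ! openssl x509 -checkend "$secs" -noout -in "$cert" >/dev/null 2>&1; then
            basename "$(dirname "$cert")"   # directory name is the domain
        fi
    done
}

# Stand-alone use: print the domains that are due, one per line.
if [ $# -ge 1 ]; then certs_due "$@"; fi
```

The printed domain names can be fed to whatever per-domain renewal command is already in use, so domains that are not yet due never touch the CA's rate limits.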
  • cPMatthewV
    As instructed above, I removed the python tools...
    yum remove python-tools
    Just now I received an email from my WHM server with the subject "An update failure has occured." The body of the email included the line... I installed python-tools again, and got the same error above: So it seems I can either have the ability for WHM/cPanel to update itself, or I can have LetsEncrypt, but not both. Any thoughts?

    After some additional testing the python27-tools package is not required and this will work without it. Feel free to remove this and reinstall python-tools for cPanel and Mailman. We apologize for any problems this step caused. We have updated the article to remove this.
    rpm -e --nodeps python27-tools
    yum -y install python-tools
    0
  • cPMatthewV
    Fantastic! Thank you for this :) I want to look into doing this with the main service SSL too (dovecot, exim, ftp, cpanel) and using the API here:
    0
  • procopius560
    The instructions worked with the addition of running sed -i 's/\r//' installssl.pl. I was very pleased to have an SSL site within 20 minutes in my test site! However, I have misgivings about entering the root password into a script. Shouldn't the script run as root anyway? Why is this necessary?
    0
  • cPMatthewV
    @procopius560 I am glad to hear this is working for you. The reason the root password needs to be provided is because this actually interacts with the API to install the SSL which requires authentication with WHM/cPanel. If you do not wish to place your password here there are other methods of authenticating which you can find in the
    0
  • Wootkit
    Hello there, am pretty sure your method can be modified for WHM's root account? I'm speaking about the WHM services, EXIM, Dovecot, FTP etc...
    0
  • eva2000
    Hello there, am pretty sure your method can be modified for WHM's root account? I'm speaking about the WHM services, EXIM, Dovecot, FTP etc...

    yeah probably something like WHM Certificates Are not Working
    0
  • webstandardcss
    I made some wrapper scripts to facilitate the installation and usage of Let's Encrypt and cpanel. The code is a small wrapper around the techniques listed in this tutorial. Thanks cPMatthewV for the code brother.
    0
  • webstandardcss
    I made some wrapper scripts to facilitate the installation and usage of Let's Encrypt and cpanel. The code is a small wrapper around the techniques listed in this tutorial. Thanks cPMatthewV for the code brother.

    Here is another version 2 of the wrapper that installs SSL certificates to your cPanel server and automatically renews them using the Let's Encrypt command line tool for cPanel and CentOS 6.x. If you need a different CentOS then edit the rpm line of letsencrypt-cpanel-install.sh and see this page for the correct entry: How to Enable EPEL Repository for RHEL/CentOS 7.x/6.x/5.x. The script downloads and sets up your python environment to use Let's Encrypt with cPanel. Then it installs Let's Encrypt into the /root directory. Script generates the /root/installssl.pl and prompts for the root password which is inserted into the WHM api wrapper perl script. The SSL certificate is placed in the correct location when installing Let's Encrypt. There are three files which should be saved to /usr/local/sbin/
    • letsencrypt-cpanel-install.sh Run one time per dedicated server to install Lets Encrypt
    • letsencrypt-cpanel-first.sh $USERNAME $DOMAIN Run one time per domain to set up a cert. Assuming email address webmaster@$DOMAIN
    • letsencrypt-cpanel.sh $USERNAME $DOMAIN Usually run by cron for each domain once every 60 days to renew the ssl certificate, but can be manually run.
    I made some more changes and put a wishlist in the issues for me or someone to fix. Instead of pasting a zip file again just here is the bitbucket. bitbucket.org/webstandardcss/lets-encrypt-for-cpanel-centos-6.x
    0
  • cPMatthewV
    Awesome script @webstandardcss, this will indeed make things easier for people who wish to try this, and we appreciate the efforts, however I must note that cPanel can only support or directly recommend our script. I have been meaning to get around to improving on this for a more automated experience but have been busy with support tickets. :D once we have more details on this we will be sure to update the posting. For now I would definitely recommend people use the method provided by cPanel in the initial post, especially if they have any concerns over third party scripts. While end users are welcome to create custom scripts or wrappers to make this easier or automated and are also welcome to purchase third party plugins, cPanel does not officially support these methods and cannot assist with any issues caused by them. I would also like to note that cPanel's Development team is hard at work on bringing future support natively for Let's Encrypt without the need for extra scripts or steps. However it may be a little while before we get this added to the product since Let's Encrypt is still in Beta and there are a bunch of things for development to work on. But rest assured it is on its way.
    0
  • Radeonpower
    Thanks for your input cPMatthewV. I just wanted people to know about this alternative (I'm not affiliated with this in anyway btw). :)
    0
  • webstandardcss
    Thanks for your input cPMatthewV, I added some more features to the script. letsencrypt-cpanel-all.sh command installs the SSL certificate for every cPanel user on the server while respecting rate limiting. Best to open this in a screen session so you can detach the terminal. bitbucket.org/webstandardcss/lets-encrypt-for-cpanel-centos-6.x And it works with CentOS 6 and 7 now. Needs tested on CentOS 7. If you are a GitHub forker, I explained how I synced up letsencrypt-cpanel Bitbucket to Github. It was fun and easy! github.com/webstandardcss/letsencrypt-cpanel/wiki
    0
  • Ekushey
    Interesting, will give it a try. :)
    0
  • rekabis
    Unfortunately, for those of us who prefer standards, this cPanel script does not function properly. In particular, I have made my apache root at /var/www/ instead of /home/. It should really have been at /srv/ as per OpenSUSE and many other distros, but I do extensive partitioning of my file system anyhow -- /var/www/ is separate from the rest of /var/. Anyhow, my output is this:
    root@ns01 [/]# letsencrypt-cpanel domainnet www.domain.net webmaster@domain.net
    Using email address domain@example.net
    Updating letsencrypt and virtual environment dependencies.......
    Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt --text --agree-tos --email webmaster@domain.net certonly --renew-by-default --webroot --webroot-path /home/domainnet/public_html/ -d www.domain.net -d www.www.domain.net
    The webroot plugin is not working; there may be problems with your existing configuration.
    The error was: PluginError('/home/domainnet/public_html/ does not exist or is not a directory',)
    cannot open file /etc/letsencrypt/live/www.domain.net/cert.pem at /root/installssl.pl line 28.
    Well, gee -- no wonder this doesn't work. The correct path is /var/www/domainnet/public_html/
    0
  • Krowchuk
    I disabled root user for ssh and I managed to run the hg clone using sudo and then verify it as sudo. But, when I tried to run the letsencrypt-cpanel-install.sh without sudo it failed of course with permissions denied. So, I then tried sudo letsencrypt-cpanel-install.sh and it said that the file did not exist. This is centos 7
    0
  • cPMatthewV
    @rekabis I am sorry to see that you have had issues with this and your custom environment. Please note however that our script and instructions in the initial post are valid and inline with cPanel standards and the structure of our system which has been in place for years. We place all users under home and their Apache content under /home/user/public_html which is where this script checks. If users have a custom or additional home directory or custom path for their Apache content they would need to modify the script to set this. We will clear this up in the initial post to avoid any confusion and problems for users that use a custom / additional home directory.
    0
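Three failures recur in this thread: the `^M` bad-interpreter error, a webroot that is not under /home, and installssl.pl running when no cert.pem was ever issued. The checks below catch each one before the install step; this is an added example, not cPanel's script or anything posted in the thread. The function names are made up here, every path is a parameter, and `LE_BIN` defaults to the client path quoted earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): checks to run before installssl.pl.
# Usage: preflight INSTALL_SCRIPT WEBROOT LIVE_DIR DOMAIN

# 0 if the script's first line has no trailing carriage return (the ^M failure).
shebang_is_clean() {
    cr=$(printf '\r')
    case "$(head -n 1 "$1")" in
        *"$cr") return 1 ;;
        *) return 0 ;;
    esac
}

# 0 if the directory that will be given to --webroot-path exists.
webroot_ok() { [ -d "$1" ]; }

# 0 if the lineage files exist and are non-empty: cert_ready LIVE_DIR DOMAIN
cert_ready() {
    for f in cert.pem privkey.pem chain.pem; do
        [ -s "$1/$2/$f" ] || return 1
    done
}

# Print the certonly command used in the thread, with the webroot made explicit.
le_command() {  # le_command WEBROOT DOMAIN
    printf '%s certonly --text --agree-tos --renew-by-default --webroot --webroot-path %s -d %s -d www.%s\n' \
        "${LE_BIN:-/root/.local/share/letsencrypt/bin/letsencrypt}" "$1" "$2" "$2"
}

# Report the first problem found; exit status tells which check failed.
preflight() {
    shebang_is_clean "$1" || { echo "CRLF line endings in $1"; return 1; }
    webroot_ok "$2"       || { echo "webroot $2 is not a directory"; return 2; }
    cert_ready "$3" "$4"  || { echo "no certificate in $3/$4; run: $(le_command "$2" "$4")"; return 3; }
    echo "ok"
}

if [ $# -eq 4 ]; then preflight "$@"; fi
```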
