Skip to main content

[How-To] Installing SSL from Let's Encrypt

Comments

118 comments

  • cPanelMichael
    Hello :) I'd like to point out that anyone can track the progress of official support for Let's Encrypt at: Provide Support for Let's Encrypt Automated Certificate Management/SSL This is useful for anyone that wants to wait for official support from cPanel instead of using a manual workaround. Thank you.
    0
  • challgren
    I've added support to use whmapi1 instead of requiring the root password. Along with support to use lets encrypt for the system services, it defaults to the hostname the server is running on. You can find the repo at bitbucket.org/challgren/lets-encrypt-for-cpanel-centos-6.x
    0
  • JonTheWong
    I've issues a new certificate today and noticed that they are being signed via LETS ENCRYPT AUTHORITY X3 The bundle.txt included in the above posts does not work with them. After looking at Certificates - Let's Encrypt - Free SSL/TLS Certificates does not currently have it listed. Source: Upcoming intermediate changes
    0
  • challgren
    I've issues a new certificate today and noticed that they are being signed via LETS ENCRYPT AUTHORITY X3 The bundle.txt included in the above posts does not work with them. After looking at Certificates - Let's Encrypt - Free SSL/TLS Certificates does not currently have it listed. Source: Upcoming intermediate changes

    If you run
    cat << "EOFFF" > /etc/letsencrypt/live/bundle.txt -----BEGIN CERTIFICATE----- MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/ MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8 SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0 Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj /PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/ wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6 KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg== -----END CERTIFICATE----- EOFFF
    That should fix it for you I'll be updating the installer on my bitbucket project
    0
  • JonTheWong
    Thats perfect; thanks for the update.
    0
  • Specting
    Hello I've created the certificate with the same command that is publish in the initial entry of the post.
    IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/domain/fullchain.pem. Your cert will expire on 2016-06-25. To obtain a new version of the certificate in the future, simply run Let's Encrypt again.
    But the folder "/home/user/public_html/.well-known/" is empty When I run the script installssl.pl I've got this error:
    {"metadata":{"version":1,"reason":"The given CA bundle does not match the given certificate.","output":{"raw":"The given CA bundle does not match the given certificate."},"result":0,"command":"installssl"}}
    Could somebody confirm that the published certificate of the file /etc/letsencrypt/live/bundle.txt is right? Where is the issue?
    0
  • challgren
    See [How-To] Installing SSL from Let's Encrypt
    Hello I've created the certificate with the same command that is publish in the initial entry of the post.
    IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/domain/fullchain.pem. Your cert will expire on 2016-06-25. To obtain a new version of the certificate in the future, simply run Let's Encrypt again.
    But the folder "/home/user/public_html/.well-known/" is empty When I run the script installssl.pl I've got this error:
    {"metadata":{"version":1,"reason":"The given CA bundle does not match the given certificate.","output":{"raw":"The given CA bundle does not match the given certificate."},"result":0,"command":"installssl"}}
    Could somebody confirm that the published certificate of the file /etc/letsencrypt/live/bundle.txt is right? Where is the issue?

    0
  • Specting
    Finally I've modified the file /etc/letsencrypt/live/bundle.txt in my server with this certificate:
    0
  • visskiss
    Suggesting users store their root password in clear text is a huge no-no

    Couldn't agree more. I could not figure out where the hash was until you pointed it out. Thanks.
    0
  • devilslore
    Ok, I did this 4 days ago and it was working great, but now I seem to be getting a error
    Oh no! Peep had a problem while trying to do stuff. Please write up a bug report with the specifics so we can fix it: https://github.com/erikrose/peep/issues/new Here are some particulars you can copy and paste into the bug report: --- peep: (3, 1, 1) python: '2.7.11 (default, Dec 7 2015, 11:26:11) \n[GCC 4.4.7 20120313 (Red Hat 4.4.7-16)]' pip: '1.4.1' Command line: ['/tmp/tmp.XyjEek9Vwb/peep.py', 'install', '-r', '/tmp/tmp.XyjEek9Vwb/letsencrypt-auto-requirements.txt"> Traceback (most recent call last): File "/tmp/tmp.XyjEek9Vwb/peep.py", line 967, in exit(main()) File "/tmp/tmp.XyjEek9Vwb/peep.py", line 939, in main return commands[argv[1]](argv[2:]) File "/tmp/tmp.XyjEek9Vwb/peep.py", line 884, in peep_install req.install() File "/tmp/tmp.XyjEek9Vwb/peep.py", line 652, in install run_pip(['install"> + other_args + ['--no-deps', '-U', archive_path]) File "/tmp/tmp.XyjEek9Vwb/peep.py", line 206, in run_pip status_code = pip.main(initial_args) File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/pip/__init__.py", line 148, in main return command.main(args[1:], options) File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/pip/basecommand.py", line 169, in main text = '\n'.join(complete_log) UnicodeDecodeError: 'ascii' codec can't decode byte 0xe2 in position 36: ordinal not in range(128)
    Looking at the GitHub of letsencrpyt this is down to a problem with Peep as it is a old version and they have updated to use PipStrap but is not in the release yet, but is in the bleeding-edge version
    0
  • challgren
    Couldn't agree more. I could not figure out where the hash was until you pointed it out. Thanks.

    This has actually been fixed and now it uses whmapi instead of asking for the root password
    0
  • Richard Franklin
    There is a paid cpanel plugin for let's encrypt, has anyone used it yet? Any reviews?
    0
  • aichkg
    There is a paid cpanel plugin for let's encrypt, has anyone used it yet? Any reviews?

    No but I have installed this free one and it seems to work OK. letsencrypt for cPanel/WHM - Linux - e-diary But the bash script/cron job solution from cPanel support is pretty good. I will go with that. A GUI is nice but then I have to install a third party add-on with root privs thus place tremendous trust in that third party. Better wait for official GUI support with version 58 or later.
    0
  • massafiri
    Hi Mark, There should be no issue with installing this to the service SSL and I would actually recommend having a signed SSL there. Just make sure you renew this every 90 days. In the event you don't however cPanel should generate self-signed certificates for the servers hostname to avoid any problem with those services ssl certificates.

    Hey Matt, sorry for replying to an old comment. If I had a shared hosting environment but wish to provide SSL for SMTP across multiple domains (eg: mail.example1.com, mail.example2.com) - how can this be done with cPanel and Let's encrypt? I've tried to spin up a SSL certificate for mail.example.com, but I receive an error because
    0
  • rinogo
    How can the method and `installssl.pl` script in the first post in this thread be adapted to work for the "main" cPanel/WHM domain? That is, if my cPanel login is at
    0
  • Deventer
    Hi, I'm having some troubles with the Python version. Check the error below:
    root@vps [~/letsencrypt]# ./letsencrypt-auto --verbose Bootstrapping dependencies for RedHat-based OSes... yum is /usr/bin/yum Geladen plugins: fastestmirror, langpacks Loading mirror speeds from cached hostfile * base: centos.mirror.transip.nl * epel: ftp.nluug.nl * extras: centos.mirror.transip.nl * ius: mirror.amsiohosting.net * updates: centos.mirror.transip.nl Pakket python-2.7.5-34.el7.x86_64 is reeds ge"nstalleerd en de meest recente versie Pakket python-devel-2.7.5-34.el7.x86_64 is reeds ge"nstalleerd en de meest recente versie Pakket python-tools-2.7.5-34.el7.x86_64 is reeds ge"nstalleerd en de meest recente versie Oplossen van afhankelijkheden --> Transactiecontrole uitvoeren ---> Pakket python-pip.noarch 0:7.1.0-1.el6 wordt ge"nstalleerd --> Verwerking afhankelijkheid: python(abi) = 2.6 voor pakket: python-pip-7.1.0-1.el6.noarch ---> Pakket python-virtualenv.noarch 0:1.10.1-2.el7 wordt ge"nstalleerd --> Klaar met oplossen afhankelijkheden Fout: Pakket: python-pip-7.1.0-1.el6.noarch (epel) Vereist: python(abi) = 2.6 Ge"nstalleerd: python-2.7.5-34.el7.x86_64 (@TransIP) python(abi) = 2.7 python(abi) = 2.7 Beschikbaar: python27-2.7.11-1.ius.el6.x86_64 (ius) python(abi) = 2.7 Beschikbaar: python32-3.2.6-1.ius.el6.x86_64 (ius) python(abi) = 3.2 Beschikbaar: python33-3.3.6-2.ius.el6.x86_64 (ius) python(abi) = 3.3 Beschikbaar: python34u-3.4.4-2.ius.el6.x86_64 (ius) python(abi) = 3.4 Beschikbaar: python35u-3.5.1-3.ius.el6.x86_64 (ius) python(abi) = 3.5 Je zou kunnen proberen met behulp van --skip-broken het probleem te omzeilen Je zou kunnen proberen: rpm -Va --nofiles --nodigest Geladen plugins: fastestmirror, langpacks Loading mirror speeds from cached hostfile * base: centos.mirror.transip.nl * epel: ftp.nluug.nl * extras: centos.mirror.transip.nl * ius: mirror.amsiohosting.net * updates: centos.mirror.transip.nl Oplossen van afhankelijkheden --> Transactiecontrole uitvoeren ---> Pakket python27.x86_64 0:2.7.11-1.ius.el6 wordt ge"nstalleerd --> Verwerking afhankelijkheid: python27-libs(x86-64) = 2.7.11-1.ius.el6 voor pakket: python27-2.7.11-1.ius.el6.x86_64 ---> Pakket python27-devel.x86_64 0:2.7.11-1.ius.el6 wordt ge"nstalleerd ---> Pakket python27-pip.noarch 0:8.0.3-1.ius.el6 wordt ge"nstalleerd --> Verwerking afhankelijkheid: python27-setuptools voor pakket: python27-pip-8.0.3-1.ius.el6.noarch ---> Pakket python27-tools.x86_64 0:2.7.11-1.ius.el6 wordt ge"nstalleerd --> Verwerking afhankelijkheid: tkinter27 = 2.7.11-1.ius.el6 voor pakket: python27-tools-2.7.11-1.ius.el6.x86_64 ---> Pakket python27-virtualenv.noarch 0:14.0.6-1.ius.el6 wordt ge"nstalleerd --> Transactiecontrole uitvoeren ---> Pakket python27-libs.x86_64 0:2.7.11-1.ius.el6 wordt ge"nstalleerd --> Verwerking afhankelijkheid: libgdbm.so.2()(64bit) voor pakket: python27-libs-2.7.11-1.ius.el6.x86_64 --> Verwerking afhankelijkheid: libffi.so.5()(64bit) voor pakket: python27-libs-2.7.11-1.ius.el6.x86_64 ---> Pakket python27-setuptools.noarch 0:19.7-1.ius.el6 wordt ge"nstalleerd ---> Pakket tkinter27.x86_64 0:2.7.11-1.ius.el6 wordt ge"nstalleerd --> Klaar met oplossen afhankelijkheden Fout: Pakket: python27-libs-2.7.11-1.ius.el6.x86_64 (ius) Vereist: libffi.so.5()(64bit) Fout: Pakket: python27-libs-2.7.11-1.ius.el6.x86_64 (ius) Vereist: libgdbm.so.2()(64bit) Je zou kunnen proberen met behulp van --skip-broken het probleem te omzeilen Je zou kunnen proberen: rpm -Va --nofiles --nodigest Could not install Python dependencies. Aborting bootstrap! root@vps [~/letsencrypt]# whereis python python: /usr/bin/python2.7 /usr/bin/python /usr/bin/python2.7-config /usr/lib/python2.7 /usr/lib64/python2.7 /etc/python /usr/include/python2.7 /usr/share/man/man1/python.1.gz
    Any thoughs on this problem? I've got Python 2.7 installed, but Let's Encrypt is searching for Python 2.6 for some reason. I'm Using CentOS 7.2.1511.
    0
  • joako
    Can I just install the certificate in WHM the first time, and then create a symlink for the renewals?
    0
  • Brooky A
    Can anyone help? As the script is run as root the files written to the web root have root file permissions. This means that a 404 not found is delivered back to letsencrypt instead of 200 with hash so authentication fails. Can I either; - Allow Apache to server files with root ownership - Get Letsencrypt set the correct owner/group on the example.com/.well-known/acme-challenge/xxx file.
    0
  • joako
    404 not found isn't a permissions error. Check that there isn't a conflict in your .htaccess or even elsewhere.
    0
  • cPanelMichael
    Hello, I'd like to note a thread regarding the official cPanel plugin for Let's Encrypt is open at: Let's Encrypt Support Anyone using the custom workaround on this thread may want to keep in mind the official plugin is planned for release when cPanel 58 hits the "Current" build tier, tentatively around two months from now. Thank you.
    0
  • tss
    The problem I see with the above posted fix (if it works for you) is that .htaccess can get over-written any time Drupal is updated. You'd have to find away to preserve the .htaccess file when you upgrade or try to automate the line always getting inserted. I do believe the Drupal developers are working on a patch to allow stuff like letsencrypt-auto to work. Support RFC 5785 by whitelisting the .well-known directory [#2408321] | Drupal.org

    @Spork Schivago: Thanks for the reference. The patch has been released and works like a charm. I know because my D7 sites didn't get renewed the first time I tried it. After I applied the patch everything was perfect. It can't get much easier than renewing all your domains with a single command: [~/letsencrypt]# ./letsencrypt-auto renew Perhaps other cPanel users that run Drupal will come across this very helpful thread.
    0
  • tss
    How can the method and `installssl.pl` script in the first post in this thread be adapted to work for the "main" cPanel/WHM domain? That is, if my cPanel login is at
    I"d like to know too. Not only that, but how can we install certs for the "mail" subdomain? Also for all the cPanel and WHM instances of individual domains, and specifically for the
    0
  • Chanadian
    I've made a few simple changes to the perl script to account for subdomains. It takes the previous suggestions about the root password into account, and adds a newline character to all output. I've also created some cron jobs for automatic renewal and installation for subdomains: Perl Script
    #!/usr/local/cpanel/3rdparty/bin/perl use LWP::UserAgent; use LWP::Protocol::https; use MIME::Base64; use IO::Socket::SSL; use URI::Escape; my $accesshash; my $access_hash_file = '/root/.accesshash'; sysopen (my $access_hash_file_fh, $access_hash_file, O_RDONLY) or die "unable to open root_access_hash_file $!\n"; while (<$access_hash_file_fh>) { $accesshash .= $_; } close ($access_hash_file_fh); $accesshash =~ s/\n//g; my $user = "WHM root"; my $auth = $user . ":" . $accesshash; my $ua = LWP::UserAgent->new( ssl_opts => { verify_hostname => 0, SSL_verify_mode => 'SSL_VERIFY_NONE', SSL_use_cert => 0 }, ); my ($dom, $domdir) = @ARGV; if (not defined $dom) { die "Please specify domain\n"; } if (not defined $domdir) { $domdir = $dom; } my $certfile = "/etc/letsencrypt/live/$domdir/cert.pem"; my $keyfile = "/etc/letsencrypt/live/$domdir/privkey.pem"; my $cafile = "/etc/letsencrypt/live/$domdir/chain.pem"; my $certdata; my $keydata; my $cadata; open(my $certfh, '<', $certfile) or die "cannot open file $certfile\n"; { local $/; $certdata = <$certfh>; } close($certfh); open(my $keyfh, '<', $keyfile) or die "cannot open file $keyfile\n"; { local $/; $keydata = <$keyfh>; } close($keyfh); open(my $cafh, '<', $cafile) or die "cannot open file $cafile\n"; { local $/; $cadata = <$cafh>; } close($cafh); my $cert = uri_escape($certdata); my $key = uri_escape($keydata); my $ca = uri_escape($cadata); my $request = HTTP::Request->new( POST => "https://127.0.0.1:2087/json-api/installssl?api.version=1&domain=$dom&crt=$cert&key=$key&cab=$ca" ); $request->header( Authorization => $auth ); my $response = $ua->request($request); print $response->content . "\n";
    Usage: /root/installssl.pl [domain (letsencrypt directory name)] If only the first argument is supplied, it will use that domain to find the directory. If both are supplied, it uses the first to install the certificate, and the second to find the directory. Cron Jobs Here are the cron jobs, which run once every 60 days:
    0 0 */60 * * /root/.local/share/letsencrypt/bin/letsencrypt --text certonly --renew-by-default --webroot --webroot-path /path/to/your/webroot -d yourfirstdomain.com -d www.yourfirstdomain.com; /root/installssl.pl yourfirstdomain.com 0 0 */60 * * /root/.local/share/letsencrypt/bin/letsencrypt --text certonly --renew-by-default --webroot --webroot-path /path/to/your/webroot -d yourseconddomain.com -d www.yourseconddomain.com -d subdomaina.yourseconddomain.com -d subdomainb.yourseconddomain.com -d subdomainc.yourseconddomain.com -d subdomaind.yourseconddomain.com; /root/installssl.pl yourseconddomain.com 0 0 */60 * * /root/installssl.pl subdomaina.yourseconddomain.com yourseconddomain.com 0 0 */60 * * /root/installssl.pl subdomainb.yourseconddomain.com yourseconddomain.com 0 0 */60 * * /root/installssl.pl subdomainc.yourseconddomain.com yourseconddomain.com 0 0 */60 * * /root/installssl.pl subdomaind.yourseconddomain.com yourseconddomain.com
    0
  • visskiss
    For some reason, the api command for installing an ssl certificate for a service does not install the cabundle. Any ideas? When I install via whm "service ssl certificates" the cabundle installs properly, but via api, it doesn't Here is my script
    #!/usr/local/cpanel/3rdparty/bin/perl use strict; use LWP::UserAgent; use LWP::Protocol::https; use MIME::Base64; use IO::Socket::SSL; use URI::Escape; use Fcntl; my $user = "root"; my $accesshash; my $access_hash_file = '/root/.accesshash'; sysopen (my $access_hash_file_fh, $access_hash_file, O_RDONLY) or die "unable to open root_access_hash_file $!\n"; while (<$access_hash_file_fh>) { $accesshash .= $_; } close ($access_hash_file_fh); $accesshash =~ s/\n//g; my $auth = "WHM root:".$accesshash; my $ua = LWP::UserAgent->new( ssl_opts => { verify_hostname => 0, SSL_verify_mode => 'SSL_VERIFY_NONE', SSL_use_cert => 0 }, ); my $dom = $ARGV[0]; my $service = $ARGV[1]; my $certfile = "/etc/letsencrypt/live/$dom/cert.pem"; my $keyfile = "/etc/letsencrypt/live/$dom/privkey.pem"; my $cafile = "/etc/letsencrypt/live/bundle.txt"; my $certdata; my $keydata; my $cadata; open(my $certfh, '<', $certfile) or die "cannot open file $certfile"; { local $/; $certdata = <$certfh>; } close($certfh); open(my $keyfh, '<', $keyfile) or die "cannot open file $keyfile"; { local $/; $keydata = <$keyfh>; } close($keyfh); open(my $cafh, '<', $cafile) or die "cannot open file $cafile"; { local $/; $cadata = <$cafh>; } close($cafh); my $cert = uri_escape($certdata); my $key = uri_escape($keydata); my $ca = uri_escape($cadata); my $request = HTTP::Request->new( POST => "https://127.0.0.1:2087/json-api/install_service_ssl_certificate?api.version=1&service=$service&crt=$cert&key=$key&cab=$ca " ); $request->header( Authorization => $auth ); my $response = $ua->request($request); print $response->content;
    My workaround is ignoring the cabundle and using fullchain.pem instead of cert.pem (which installs the full chain as the cert)
    0
  • iSpeakVideo
    Any help is appreciated. I installed SSL on several domains on cloud server with cpanel. They were fine. They expired and I tried to update. With renew. But they didn't update update in cpanel. So, I deleted and tried to reinstall with installssl.pl but I get this error: {"cpanelresult":{"apiversion":"2","error":"Access denied","data":{"reason":"Access denied","result":"0"},"type":"text"}} Thanks.
    0
  • kitchin
    Might be worth mentioning that the hostname cert in WHM since cPanel 56 is fully valid and no longer causes a browser warning. It's issued by "cPanel, Inc. Certification Authority" instead of being self-signed. I was surprised to see that when my Let's Encrypt for the hostname ran out after 90 days. Of course, if you are using Let's Encrypt for other domains, please ignore this slightly off-topic thread.
    0
  • trs
    Has anyone faced any down sides for using this workaround?
    0
  • cPanelMichael
    Has anyone faced any down sides for using this workaround?

    It's important to keep in mind this is a third-party plugin. Users should consider waiting for cPanel version 58 (It includes free DV certificates from cPanel (through Comodo) and future support for "Let's Encrpyt" via an official plugin. Thank you.
    0

Please sign in to leave a comment.