[How-To] Installing SSL from Let's Encrypt
UPDATE: As of cPanel and WHM version 58 the AutoSSL feature now includes Let's Encrypt support. This blog post will help you get set up there.
Anyone using the custom workaround on this thread may want to keep this in mind when using these steps.
The steps below show how to install the Let's Encrypt client and how to generate and install SSL certificates from Let's Encrypt via the WHM API using a custom workaround.
Installing the Let's Encrypt Client on CentOS 6.x
Please note: The Let's Encrypt client requires Python 2.7 (it will not run on the CentOS 6 system Python 2.6), so we install Python 2.7 from the IUS repository alongside Python 2.6. Don't worry, it won't break anything: the python27 packages install under their own names and leave the system Python, which yum depends on, untouched.
rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
rpm -ivh https://rhel6.iuscommunity.org/ius-release.rpm
yum -y install git python27 python27-devel python27-pip python27-setuptools python27-virtualenv --enablerepo=ius
cd /root
git clone https://github.com/letsencrypt/letsencrypt
cd /root/letsencrypt
sed -i "s|--python python2|--python python2.7|" letsencrypt-auto
./letsencrypt-auto --verbose
Installing the Let's Encrypt Client on CentOS 7.x
yum -y install git
cd /root
git clone https://github.com/letsencrypt/letsencrypt
cd /root/letsencrypt
./letsencrypt-auto --verbose
NOTE: The Let's Encrypt installer creates the /etc/letsencrypt/renewal and /etc/letsencrypt/csr directories world readable. The administrator may want to tighten the permissions on these directories to fit their requirements.

Generate an SSL

On the first run you will be required to enter your email and accept their license agreement. I would recommend using the server admin's email. Also make sure you replace "cPanelUser" with your actual username. This is required so that the Let's Encrypt client can write the authorization files (the HTTP challenge tokens under .well-known/acme-challenge/ inside the webroot) and Let's Encrypt can fetch them over plain HTTP during validation. Please note that if you are installing a subdomain or addon domain that points to another path, you must set the path of that subdomain or addon domain as the webroot.
cd /root/letsencrypt
./letsencrypt-auto --text --agree-tos --email email@domain.com certonly --renew-by-default --webroot --webroot-path /home/cPanelUser/public_html/ -d domain.com -d www.domain.com
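As an added check, not part of the original post: the validator fetches the token over plain HTTP from the path above, so before the first run it is worth confirming that a file dropped into .well-known/acme-challenge/ is actually served. The script below (example code; the webroot and the http://domain.com base URL are assumptions, and the ownership fix only applies when run as root, as letsencrypt-auto is) creates the directory owned by the account that owns the webroot, writes a probe token, fetches it back and compares. A failed fetch with the file present usually means an .htaccess rewrite rule or an ownership problem is in the way.

```sh
#!/bin/sh
# Added example, not from the thread. Pre-flight check for the --webroot
# challenge path: letsencrypt-auto runs as root, so files it drops under
# .well-known/acme-challenge/ are root-owned; this creates the directory owned
# by the webroot's owner, writes a probe token and confirms the web server
# returns it unchanged, which is exactly what the CA's validator will do.
# Usage: check_webroot /home/cPanelUser/public_html http://domain.com
check_webroot() {
    webroot="$1"; urlbase="$2"
    dir="$webroot/.well-known/acme-challenge"
    owner=$(ls -ld "$webroot" | awk '{print $3}')
    mkdir -p "$dir" || return 1
    chmod 755 "$webroot/.well-known" "$dir"
    token="probe-$$-$(date +%s)"
    printf '%s\n' "$token" > "$dir/$token"
    chmod 644 "$dir/$token"
    # chown only matters (and only works) when running as root, as the cron job does
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner" "$webroot/.well-known"
    fi
    # -f turns an HTTP 4xx/5xx into a non-zero exit, like a 404 from .htaccess
    got=$(curl -sf "$urlbase/.well-known/acme-challenge/$token")
    status=$?
    rm -f "$dir/$token"
    if [ "$status" -ne 0 ]; then
        echo "fetch failed: check .htaccess rewrites and ownership under $dir" >&2
        return 1
    fi
    [ "$got" = "$token" ]
}
```

Run it once per webroot before the certonly command; if it fails, fix the rewrite or ownership problem first, because the ACME validation will fail the same way.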
For all subsequent runs use the following below, as there is no need to re-provide your email or re-agree to the TOS.
cd /root/.local/share/letsencrypt/bin/
./letsencrypt --text certonly --renew-by-default --webroot --webroot-path /home/cPanelUser/public_html/ -d domain.com -d www.domain.com
Because --renew-by-default forces a fresh certificate on every run, you can put this in cron to run every 60 days (recommended) or, say, 85 days, to avoid the certificate expiring before you are sure the new one was retrieved (Let's Encrypt certificates are valid for 90 days). Then all you need to do is run the install script below again to install the updated certificate into cPanel. One caveat on the entry below: cron's day-of-month field only goes to 31, so */60 there matches day 1 only and the job actually fires on the first of every month, which is still well inside the 90-day lifetime.
0 0 */60 * * /root/.local/share/letsencrypt/bin/letsencrypt --text certonly --renew-by-default --webroot --webroot-path /home/cPanelUser/public_html/ -d domain.com -d www.domain.com; /root/installssl.pl domain.com
You can also generate an SSL certificate via Get HTTPS for free!, although additional steps are required that way.

Script to automatically install the SSLs you generated

This script installs the certificates you generated into cPanel/WHM via the WHM API. Please note the following:
1. You must replace "rootpass" with your actual root password. Keeping the root password in a script on disk is the weak point of this approach: keep the file root-owned with mode 0600, or use a WHM access hash (/root/.accesshash) in the Authorization header instead, as later replies in this thread do.
2. The CA bundle is not always in the location the script expects. It is generally also present in /etc/letsencrypt/live/domain.com/fullchain.pem as the second certificate in that file. I have included the CA bundle below the script so you can create it by hand if needed.
#!/usr/local/cpanel/3rdparty/bin/perl
# installssl.pl - install a Let's Encrypt certificate into cPanel/WHM through
# the WHM JSON API (installssl). Usage: ./installssl.pl domain.com
use strict;
use warnings;
use LWP::UserAgent;
use LWP::Protocol::https;
use HTTP::Request;
use MIME::Base64 ();
use IO::Socket::SSL;
use URI::Escape;

# Replace "rootpass" with the root password. A WHM access hash sent as
# "Authorization: WHM root:<hash>" avoids keeping the password here.
my $user = "root";
my $pass = "rootpass";
# encode_base64 appends a newline by default; pass "" as the line ending so
# the header value is a single clean token.
my $auth = "Basic " . MIME::Base64::encode_base64( $user . ":" . $pass, "" );

# The API is reached over loopback; WHM's own service certificate is usually
# self-signed or issued for the hostname only, so verification is disabled.
my $ua = LWP::UserAgent->new(
    ssl_opts => { verify_hostname => 0, SSL_verify_mode => SSL_VERIFY_NONE, SSL_use_cert => 0 },
);

my $dom = $ARGV[0] or die "usage: $0 domain.com\n";
my $certfile = "/etc/letsencrypt/live/$dom/cert.pem";
my $keyfile  = "/etc/letsencrypt/live/$dom/privkey.pem";
my $cafile   = "/etc/letsencrypt/live/$dom/chain.pem";

# Read a whole PEM file into a string.
sub slurp {
    my ($file) = @_;
    open( my $fh, '<', $file ) or die "cannot open file $file: $!\n";
    local $/;
    my $data = <$fh>;
    close($fh);
    return $data;
}

my $cert = uri_escape( slurp($certfile) );
my $key  = uri_escape( slurp($keyfile) );
my $ca   = uri_escape( slurp($cafile) );

my $request = HTTP::Request->new(
    POST => "https://127.0.0.1:2087/json-api/installssl?api.version=1&domain=$dom&crt=$cert&key=$key&cab=$ca" );
$request->header( Authorization => $auth );
my $response = $ua->request($request);
die "WHM API request failed: " . $response->status_line . "\n" unless $response->is_success;
# The JSON reply carries result=1 on success; inspect "reason" when result=0.
print $response->content, "\n";
Add the Let's Encrypt CA Bundle

Let's Encrypt should now include the CA bundle when generating certs. It will be saved as chain.pem. In the event that it is missing or not created, you can manually create the CA bundle with the file below and change "my $cafile" in the script above to point at this file instead.
vi /etc/letsencrypt/live/bundle.txt
When editing that file, set the following below and save. Note: this has been updated with the Let's Encrypt Authority X3 intermediate.
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Running the script

First make the script executable. Then run the script with the main domain of the certificate generated from Let's Encrypt.
chmod +x installssl.pl
./installssl.pl domain.com
There you go, you are all set and ready to generate and install SSLs from Let's Encrypt automatically via the command line.
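Added example, not part of the original post or of cPanel's own tooling: a shell wrapper that puts the two checks a practitioner wants in front of the cron job above. It renews only when the certificate is inside a 30-day window instead of on a fixed calendar, refuses to call the API when chain.pem is not the issuer of cert.pem (the WHM error "The given CA bundle does not match the given certificate"), and submits the files with curl --data-urlencode using the WHM access hash in /root/.accesshash rather than a root password in the script. The live directory, the access hash path, the cPanel user and the webroot are assumptions; an API token works in the same "WHM root:<secret>" header form.

```sh
#!/bin/sh
# Added example (not the thread's own code): renewal check, chain check and
# WHM install call. Assumes certbot's layout under /etc/letsencrypt/live/<domain>/
# and a WHM access hash in /root/.accesshash.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
WHM_URL="${WHM_URL:-https://127.0.0.1:2087}"
ACCESS_HASH_FILE="${ACCESS_HASH_FILE:-/root/.accesshash}"
WEBROOT="${WEBROOT:-/home/cPanelUser/public_html/}"   # assumed cPanel account webroot

# Return 0 when CERT expires within DAYS days, so cron can renew only when
# needed instead of forcing a reissue on a fixed schedule.
cert_needs_renewal() {
    cert="$1"; days="$2"
    if openssl x509 -noout -checkend "$((days * 86400))" -in "$cert" >/dev/null 2>&1; then
        return 1   # still valid beyond the window
    fi
    return 0
}

# Return 0 when CHAIN is the issuer of CERT. Catches the WHM error
# "The given CA bundle does not match the given certificate" before the API
# call. The optional ROOT overrides the system trust store (used by the test).
chain_matches() {
    cert="$1"; chain="$2"; root="${3:-}"
    issuer=$(openssl x509 -noout -issuer -in "$cert" | sed 's/^[a-z]*= *//')
    subject=$(openssl x509 -noout -subject -in "$chain" | sed 's/^[a-z]*= *//')
    if [ "$issuer" != "$subject" ]; then
        echo "chain mismatch: cert issuer '$issuer' != bundle subject '$subject'" >&2
        return 1
    fi
    if [ -n "$root" ]; then
        openssl verify -CAfile "$root" -untrusted "$chain" "$cert" >/dev/null 2>&1
    else
        openssl verify -untrusted "$chain" "$cert" >/dev/null 2>&1
    fi
}

# Install via the WHM API over loopback. --data-urlencode name@file reads and
# URL-encodes each PEM file, so nothing is pasted into a query string; -k is
# accepted only because this is a loopback connection to the server's own WHM.
install_to_whm() {
    dom="$1"; dir="$LIVE_DIR/$dom"
    cert="$dir/cert.pem"; key="$dir/privkey.pem"; chain="$dir/chain.pem"
    chain_matches "$cert" "$chain" || return 1
    hash=$(tr -d '\n' < "$ACCESS_HASH_FILE") || return 1
    curl -sk -H "Authorization: WHM root:$hash" \
        --data-urlencode "domain=$dom" \
        --data-urlencode "crt@$cert" \
        --data-urlencode "key@$key" \
        --data-urlencode "cab@$chain" \
        "$WHM_URL/json-api/installssl?api.version=1"
    echo
}

# Cron entry point: ./le-install.sh domain.com (run daily; it only acts when needed)
if [ "$#" -eq 1 ]; then
    if cert_needs_renewal "$LIVE_DIR/$1/cert.pem" 30; then
        /root/letsencrypt/letsencrypt-auto --text certonly --renew-by-default \
            --webroot --webroot-path "$WEBROOT" -d "$1" -d "www.$1"
    fi
    install_to_whm "$1"
fi
```

With this wrapper the cron line can simply run daily; nothing happens until the certificate is within 30 days of expiry, which keeps you inside Let's Encrypt's duplicate-certificate rate limits and still leaves several retries before the old certificate lapses.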
-
Hello :) I'd like to point out that anyone can track the progress of official support for Let's Encrypt at: Provide Support for Let's Encrypt Automated Certificate Management/SSL. This is useful for anyone that wants to wait for official support from cPanel instead of using a manual workaround. Thank you.
I've added support to use whmapi1 instead of requiring the root password, along with support to use Let's Encrypt for the system services; it defaults to the hostname the server is running on. You can find the repo at bitbucket.org/challgren/lets-encrypt-for-cpanel-centos-6.x
I've issued a new certificate today and noticed that they are being signed via LETS ENCRYPT AUTHORITY X3. The bundle.txt included in the above posts does not work with them. After looking at Certificates - Let's Encrypt - Free SSL/TLS Certificates, it does not currently have it listed. Source: Upcoming intermediate changes
If you run

cat << "EOFFF" > /etc/letsencrypt/live/bundle.txt
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----
EOFFF
That should fix it for you. I'll be updating the installer on my bitbucket project.
That's perfect; thanks for the update.
Hello, I've created the certificate with the same command that is published in the initial entry of the post.

IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/domain/fullchain.pem. Your cert will expire on 2016-06-25. To obtain a new version of the certificate in the future, simply run Let's Encrypt again.

But the folder "/home/user/public_html/.well-known/" is empty. When I run the script installssl.pl I get this error:
{"metadata":{"version":1,"reason":"The given CA bundle does not match the given certificate.","output":{"raw":"The given CA bundle does not match the given certificate."},"result":0,"command":"installssl"}}
Could somebody confirm that the published certificate of the file /etc/letsencrypt/live/bundle.txt is right? Where is the issue?
Suggesting users store their root password in clear text is a huge no-no
Couldn't agree more. I could not figure out where the hash was until you pointed it out. Thanks.
Ok, I did this 4 days ago and it was working great, but now I seem to be getting an error:

Oh no! Peep had a problem while trying to do stuff. Please write up a bug report with the specifics so we can fix it: https://github.com/erikrose/peep/issues/new
Here are some particulars you can copy and paste into the bug report:
---
peep: (3, 1, 1)
python: '2.7.11 (default, Dec 7 2015, 11:26:11) \n[GCC 4.4.7 20120313 (Red Hat 4.4.7-16)]'
pip: '1.4.1'
Command line: ['/tmp/tmp.XyjEek9Vwb/peep.py', 'install', '-r', '/tmp/tmp.XyjEek9Vwb/letsencrypt-auto-requirements.txt']
Traceback (most recent call last):
  File "/tmp/tmp.XyjEek9Vwb/peep.py", line 967, in <module>
    exit(main())
  File "/tmp/tmp.XyjEek9Vwb/peep.py", line 939, in main
    return commands[argv[1]](argv[2:])
  File "/tmp/tmp.XyjEek9Vwb/peep.py", line 884, in peep_install
    req.install()
  File "/tmp/tmp.XyjEek9Vwb/peep.py", line 652, in install
    run_pip(['install'] + other_args + ['--no-deps', '-U', archive_path])
  File "/tmp/tmp.XyjEek9Vwb/peep.py", line 206, in run_pip
    status_code = pip.main(initial_args)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/pip/__init__.py", line 148, in main
    return command.main(args[1:], options)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/pip/basecommand.py", line 169, in main
    text = '\n'.join(complete_log)
UnicodeDecodeError: 'ascii' codec can't decode byte 0xe2 in position 36: ordinal not in range(128)
Looking at the GitHub of letsencrypt, this is down to a problem with Peep, as it is an old version, and they have updated to use PipStrap, but it is not in the release yet; it is in the bleeding-edge version.
This has actually been fixed and now it uses whmapi instead of asking for the root password.
There is a paid cPanel plugin for Let's Encrypt, has anyone used it yet? Any reviews?
No, but I have installed this free one and it seems to work OK: letsencrypt for cPanel/WHM - Linux - e-diary. But the bash script/cron job solution from cPanel support is pretty good. I will go with that. A GUI is nice, but then I have to install a third-party add-on with root privs and thus place tremendous trust in that third party. Better to wait for official GUI support with version 58 or later.
Hi Mark, There should be no issue with installing this to the service SSL and I would actually recommend having a signed SSL there. Just make sure you renew this every 90 days. In the event you don't however cPanel should generate self-signed certificates for the servers hostname to avoid any problem with those services ssl certificates.
Hey Matt, sorry for replying to an old comment. If I had a shared hosting environment but wish to provide SSL for SMTP across multiple domains (eg: mail.example1.com, mail.example2.com) - how can this be done with cPanel and Let's encrypt? I've tried to spin up a SSL certificate for mail.example.com, but I receive an error because0 -
Hi, I'm having some troubles with the Python version. Check the error below (yum output translated from Dutch):

root@vps [~/letsencrypt]# ./letsencrypt-auto --verbose
Bootstrapping dependencies for RedHat-based OSes...
yum is /usr/bin/yum
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: centos.mirror.transip.nl
 * epel: ftp.nluug.nl
 * extras: centos.mirror.transip.nl
 * ius: mirror.amsiohosting.net
 * updates: centos.mirror.transip.nl
Package python-2.7.5-34.el7.x86_64 is already installed and the latest version
Package python-devel-2.7.5-34.el7.x86_64 is already installed and the latest version
Package python-tools-2.7.5-34.el7.x86_64 is already installed and the latest version
Resolving dependencies
--> Running transaction check
---> Package python-pip.noarch 0:7.1.0-1.el6 will be installed
--> Processing dependency: python(abi) = 2.6 for package: python-pip-7.1.0-1.el6.noarch
---> Package python-virtualenv.noarch 0:1.10.1-2.el7 will be installed
--> Finished dependency resolution
Error: Package: python-pip-7.1.0-1.el6.noarch (epel)
           Requires: python(abi) = 2.6
           Installed: python-2.7.5-34.el7.x86_64 (@TransIP)
               python(abi) = 2.7
               python(abi) = 2.7
           Available: python27-2.7.11-1.ius.el6.x86_64 (ius)
               python(abi) = 2.7
           Available: python32-3.2.6-1.ius.el6.x86_64 (ius)
               python(abi) = 3.2
           Available: python33-3.3.6-2.ius.el6.x86_64 (ius)
               python(abi) = 3.3
           Available: python34u-3.4.4-2.ius.el6.x86_64 (ius)
               python(abi) = 3.4
           Available: python35u-3.5.1-3.ius.el6.x86_64 (ius)
               python(abi) = 3.5
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: centos.mirror.transip.nl
 * epel: ftp.nluug.nl
 * extras: centos.mirror.transip.nl
 * ius: mirror.amsiohosting.net
 * updates: centos.mirror.transip.nl
Resolving dependencies
--> Running transaction check
---> Package python27.x86_64 0:2.7.11-1.ius.el6 will be installed
--> Processing dependency: python27-libs(x86-64) = 2.7.11-1.ius.el6 for package: python27-2.7.11-1.ius.el6.x86_64
---> Package python27-devel.x86_64 0:2.7.11-1.ius.el6 will be installed
---> Package python27-pip.noarch 0:8.0.3-1.ius.el6 will be installed
--> Processing dependency: python27-setuptools for package: python27-pip-8.0.3-1.ius.el6.noarch
---> Package python27-tools.x86_64 0:2.7.11-1.ius.el6 will be installed
--> Processing dependency: tkinter27 = 2.7.11-1.ius.el6 for package: python27-tools-2.7.11-1.ius.el6.x86_64
---> Package python27-virtualenv.noarch 0:14.0.6-1.ius.el6 will be installed
--> Running transaction check
---> Package python27-libs.x86_64 0:2.7.11-1.ius.el6 will be installed
--> Processing dependency: libgdbm.so.2()(64bit) for package: python27-libs-2.7.11-1.ius.el6.x86_64
--> Processing dependency: libffi.so.5()(64bit) for package: python27-libs-2.7.11-1.ius.el6.x86_64
---> Package python27-setuptools.noarch 0:19.7-1.ius.el6 will be installed
---> Package tkinter27.x86_64 0:2.7.11-1.ius.el6 will be installed
--> Finished dependency resolution
Error: Package: python27-libs-2.7.11-1.ius.el6.x86_64 (ius)
           Requires: libffi.so.5()(64bit)
Error: Package: python27-libs-2.7.11-1.ius.el6.x86_64 (ius)
           Requires: libgdbm.so.2()(64bit)
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest
Could not install Python dependencies. Aborting bootstrap!
root@vps [~/letsencrypt]# whereis python
python: /usr/bin/python2.7 /usr/bin/python /usr/bin/python2.7-config /usr/lib/python2.7 /usr/lib64/python2.7 /etc/python /usr/include/python2.7 /usr/share/man/man1/python.1.gz
Any thoughts on this problem? I've got Python 2.7 installed, but Let's Encrypt is searching for Python 2.6 for some reason. I'm using CentOS 7.2.1511.
Can I just install the certificate in WHM the first time, and then create a symlink for the renewals?
Can anyone help? As the script is run as root, the files written to the web root have root file permissions. This means that a 404 not found is delivered back to letsencrypt instead of 200 with the hash, so authentication fails. Can I either: - Allow Apache to serve files with root ownership - Get Letsencrypt to set the correct owner/group on the example.com/.well-known/acme-challenge/xxx file.
404 not found isn't a permissions error. Check that there isn't a conflict in your .htaccess or even elsewhere.
Hello, I'd like to note a thread regarding the official cPanel plugin for Let's Encrypt is open at: Let's Encrypt Support. Anyone using the custom workaround on this thread may want to keep in mind the official plugin is planned for release when cPanel 58 hits the "Current" build tier, tentatively around two months from now. Thank you.
The problem I see with the above posted fix (if it works for you) is that .htaccess can get overwritten any time Drupal is updated. You'd have to find a way to preserve the .htaccess file when you upgrade, or try to automate the line always getting inserted. I do believe the Drupal developers are working on a patch to allow stuff like letsencrypt-auto to work: Support RFC 5785 by whitelisting the .well-known directory [#2408321] | Drupal.org
@Spork Schivago: Thanks for the reference. The patch has been released and works like a charm. I know because my D7 sites didn't get renewed the first time I tried it. After I applied the patch everything was perfect. It can't get much easier than renewing all your domains with a single command: [~/letsencrypt]# ./letsencrypt-auto renew. Perhaps other cPanel users that run Drupal will come across this very helpful thread.
How can the method and `installssl.pl` script in the first post in this thread be adapted to work for the "main" cPanel/WHM domain? That is, if my cPanel login is at
I'd like to know too. Not only that, but how can we install certs for the "mail" subdomain? Also for all the cPanel and WHM instances of individual domains, and specifically for the
I've made a few simple changes to the perl script to account for subdomains. It takes the previous suggestions about the root password into account, and adds a newline character to all output. I've also created some cron jobs for automatic renewal and installation for subdomains:

Perl Script

#!/usr/local/cpanel/3rdparty/bin/perl
use strict;
use Fcntl;
use LWP::UserAgent;
use LWP::Protocol::https;
use MIME::Base64;
use IO::Socket::SSL;
use URI::Escape;

# Authenticate with the WHM access hash instead of the root password.
my $accesshash;
my $access_hash_file = '/root/.accesshash';
sysopen (my $access_hash_file_fh, $access_hash_file, O_RDONLY) or die "unable to open root_access_hash_file $!\n";
while (<$access_hash_file_fh>) { $accesshash .= $_; }
close ($access_hash_file_fh);
$accesshash =~ s/\n//g;
my $user = "WHM root";
my $auth = $user . ":" . $accesshash;

my $ua = LWP::UserAgent->new(
    ssl_opts => { verify_hostname => 0, SSL_verify_mode => SSL_VERIFY_NONE, SSL_use_cert => 0 },
);

# First argument: domain to install to; second (optional): letsencrypt live directory name.
my ($dom, $domdir) = @ARGV;
if (not defined $dom) { die "Please specify domain\n"; }
if (not defined $domdir) { $domdir = $dom; }
my $certfile = "/etc/letsencrypt/live/$domdir/cert.pem";
my $keyfile = "/etc/letsencrypt/live/$domdir/privkey.pem";
my $cafile = "/etc/letsencrypt/live/$domdir/chain.pem";
my $certdata;
my $keydata;
my $cadata;
open(my $certfh, '<', $certfile) or die "cannot open file $certfile\n";
{ local $/; $certdata = <$certfh>; }
close($certfh);
open(my $keyfh, '<', $keyfile) or die "cannot open file $keyfile\n";
{ local $/; $keydata = <$keyfh>; }
close($keyfh);
open(my $cafh, '<', $cafile) or die "cannot open file $cafile\n";
{ local $/; $cadata = <$cafh>; }
close($cafh);
my $cert = uri_escape($certdata);
my $key = uri_escape($keydata);
my $ca = uri_escape($cadata);
my $request = HTTP::Request->new( POST => "https://127.0.0.1:2087/json-api/installssl?api.version=1&domain=$dom&crt=$cert&key=$key&cab=$ca" );
$request->header( Authorization => $auth );
my $response = $ua->request($request);
print $response->content . "\n";
Usage: /root/installssl.pl [domain] [letsencrypt directory name]
If only the first argument is supplied, it will use that domain to find the directory. If both are supplied, it uses the first to install the certificate, and the second to find the directory.

Cron Jobs

Here are the cron jobs, which run once every 60 days:

0 0 */60 * * /root/.local/share/letsencrypt/bin/letsencrypt --text certonly --renew-by-default --webroot --webroot-path /path/to/your/webroot -d yourfirstdomain.com -d www.yourfirstdomain.com; /root/installssl.pl yourfirstdomain.com
0 0 */60 * * /root/.local/share/letsencrypt/bin/letsencrypt --text certonly --renew-by-default --webroot --webroot-path /path/to/your/webroot -d yourseconddomain.com -d www.yourseconddomain.com -d subdomaina.yourseconddomain.com -d subdomainb.yourseconddomain.com -d subdomainc.yourseconddomain.com -d subdomaind.yourseconddomain.com; /root/installssl.pl yourseconddomain.com
0 0 */60 * * /root/installssl.pl subdomaina.yourseconddomain.com yourseconddomain.com
0 0 */60 * * /root/installssl.pl subdomainb.yourseconddomain.com yourseconddomain.com
0 0 */60 * * /root/installssl.pl subdomainc.yourseconddomain.com yourseconddomain.com
0 0 */60 * * /root/installssl.pl subdomaind.yourseconddomain.com yourseconddomain.com
For some reason, the API command for installing an SSL certificate for a service does not install the cabundle. Any ideas? When I install via WHM "service SSL certificates" the cabundle installs properly, but via API it doesn't. Here is my script:

#!/usr/local/cpanel/3rdparty/bin/perl
use strict;
use LWP::UserAgent;
use LWP::Protocol::https;
use MIME::Base64;
use IO::Socket::SSL;
use URI::Escape;
use Fcntl;

my $user = "root";
# Authenticate with the WHM access hash instead of the root password.
my $accesshash;
my $access_hash_file = '/root/.accesshash';
sysopen (my $access_hash_file_fh, $access_hash_file, O_RDONLY) or die "unable to open root_access_hash_file $!\n";
while (<$access_hash_file_fh>) { $accesshash .= $_; }
close ($access_hash_file_fh);
$accesshash =~ s/\n//g;
my $auth = "WHM root:".$accesshash;

my $ua = LWP::UserAgent->new(
    ssl_opts => { verify_hostname => 0, SSL_verify_mode => SSL_VERIFY_NONE, SSL_use_cert => 0 },
);

# Arguments: letsencrypt live directory name, then the cPanel service name (e.g. exim, dovecot, cpanel).
my $dom = $ARGV[0];
my $service = $ARGV[1];
my $certfile = "/etc/letsencrypt/live/$dom/cert.pem";
my $keyfile = "/etc/letsencrypt/live/$dom/privkey.pem";
my $cafile = "/etc/letsencrypt/live/bundle.txt";
my $certdata;
my $keydata;
my $cadata;
open(my $certfh, '<', $certfile) or die "cannot open file $certfile";
{ local $/; $certdata = <$certfh>; }
close($certfh);
open(my $keyfh, '<', $keyfile) or die "cannot open file $keyfile";
{ local $/; $keydata = <$keyfh>; }
close($keyfh);
open(my $cafh, '<', $cafile) or die "cannot open file $cafile";
{ local $/; $cadata = <$cafh>; }
close($cafh);
my $cert = uri_escape($certdata);
my $key = uri_escape($keydata);
my $ca = uri_escape($cadata);
my $request = HTTP::Request->new( POST => "https://127.0.0.1:2087/json-api/install_service_ssl_certificate?api.version=1&service=$service&crt=$cert&key=$key&cab=$ca" );
$request->header( Authorization => $auth );
my $response = $ua->request($request);
print $response->content;

My workaround is ignoring the cabundle and using fullchain.pem instead of cert.pem (which installs the full chain as the cert).
Any help is appreciated. I installed SSL on several domains on a cloud server with cPanel. They were fine. They expired and I tried to update with renew, but they didn't update in cPanel. So, I deleted and tried to reinstall with installssl.pl but I get this error: {"cpanelresult":{"apiversion":"2","error":"Access denied","data":{"reason":"Access denied","result":"0"},"type":"text"}} Thanks.
Might be worth mentioning that the hostname cert in WHM since cPanel 56 is fully valid and no longer causes a browser warning. It's issued by "cPanel, Inc. Certification Authority" instead of being self-signed. I was surprised to see that when my Let's Encrypt for the hostname ran out after 90 days. Of course, if you are using Let's Encrypt for other domains, please ignore this slightly off-topic thread.
Has anyone faced any down sides for using this workaround? 0 -
It's important to keep in mind this is a third-party plugin. Users should consider waiting for cPanel version 58 (it includes free DV certificates from cPanel (through Comodo) and future support for Let's Encrypt via an official plugin). Thank you.
118 comments