cPanel SSL certs + Let's Encrypt

Arvy

• January 25, 2016 09:31

Hi there! I'm looking for a way to use Let's Encrypt to generate system certificates, for cPanel, Exim, Dovecot and Pure-FTP, every 60 days. Manually I can run:
/opt/letsencrypt/letsencrypt-auto --debug certonly -a webroot --agree-tos --webroot-path=/usr/local/apache/htdocs --renew-by-default -d server.mydomain.com
My idea is create a bash script to override cert files and restart the services. From /etc/letsencrypt/live/server.mydomain.com I can "cat/concat" files to:
/var/cpanel/ssl/cpanel/mycpanel.cabundle /var/cpanel/ssl/cpanel/mycpanel.pem ... /var/cpanel/ssl/ftp/myftpd-rsa-key.pem /var/cpanel/ssl/ftp/myftpd-rsa.pem /var/cpanel/ssl/ftp/pure-ftpd.pem
and then restart the services everytime I update the certificates using a CRON entry. The problem is: on /var/cpanel/ssl I have files like:
-rw-r--r-- 1 root root 15 Jan 25 12:43 cpanel-CN -rw-r--r-- 1 root root 2832 Jan 25 12:43 cpanel-CRTINFO -rw-r--r-- 1 root root 15 Jan 25 12:43 cpanel-DOMAINS -rw-r--r-- 1 root root 10 Jan 25 12:43 cpanel-NOT_AFTER -rw-r--r-- 1 root root 1 Jan 25 12:43 cpanel-SIGNATURE_CHAIN_VERIFIED -rw-r--r-- 1 root root 15 Jan 25 12:43 dovecot-CN -rw-r--r-- 1 root root 2832 Jan 25 12:43 dovecot-CRTINFO -rw-r--r-- 1 root root 15 Jan 25 12:43 dovecot-DOMAINS -rw-r--r-- 1 root root 10 Jan 25 12:43 dovecot-NOT_AFTER -rw-r--r-- 1 root root 1 Jan 25 12:43 dovecot-SIGNATURE_CHAIN_VERIFIED -rw-r--r-- 1 root root 15 Jan 25 12:43 exim-CN -rw-r--r-- 1 root root 2832 Jan 25 12:43 exim-CRTINFO -rw-r--r-- 1 root root 15 Jan 25 12:43 exim-DOMAINS -rw-r--r-- 1 root root 10 Jan 25 12:43 exim-NOT_AFTER -rw-r--r-- 1 root root 1 Jan 25 12:43 exim-SIGNATURE_CHAIN_VERIFIED -rw-r--r-- 1 root root 15 Jan 25 12:42 ftp-CN -rw-r--r-- 1 root root 2832 Jan 25 12:42 ftp-CRTINFO -rw-r--r-- 1 root root 15 Jan 25 12:42 ftp-DOMAINS -rw-r--r-- 1 root root 10 Jan 25 12:42 ftp-NOT_AFTER -rw-r--r-- 1 root root 1 Jan 25 12:42 ftp-SIGNATURE_CHAIN_VERIFIED
I believe the files are for a cPanel internal control. Questions: my idea is correct, will work? The files above will be a problem after running my script? Can I broke cPanel or exim/dovecot/pureftp (considering I'll cat/concat files correctly). Thank you!

• 

  cPanelMichael

  • January 25, 2016 18:58

  Hello :) Replacing the data populated in those files should be all that's required. There's no script you need to run after manually updated those files. Please note this thread: [How-To] Installing SSL from Let's Encrypt Thank you.

  0
• 

  Arvy

  • January 26, 2016 17:20

  Hi Michael, yes, I already have Let's Encrypt working. The link is more for installing SSL on domains (HTTPS). Can you confirm if I write my own script to recreate certificate files every 60 days for each service (exim/dovecot/pureftp/cpanel) and restart them, based on files regenerated by each run of Let's Encrypt script, if cPanel will not alert me about expiration from the data generated last time I used WHM to manipulate the certificates? Means, if I work with the certificates directly, cPanel will not break or something, right? Thanks!

  0
• 

  Arvy

  • January 29, 2016 13:03

  Ok, after testing a lot, I did a script to use Let's Encrypt certificates to cPanel services. NOTES: - I did for CentOS 6. For CentOS 7 or other Systemd, need to change "services" to proper "systemctl" - need to pre-install Let's Encrypt and run once to do the first basic configuration - script will back up previous certs on /root/ssl - chown is not really needed, just to be sure the owner is ok
  CRON:
  5 0 */75 * 6 /root/updcerts
  Will update every 75 days, only on saturdays SCRIPT:
  #!/bin/bash /opt/letsencrypt/letsencrypt-auto --debug certonly -a webroot --agree-tos --webroot-path=/usr/local/apache/htdocs --renew-by-default -d $HOSTNAME /bin/mkdir /root/ssl \cp -f /var/cpanel/ssl/cpanel/* /root/ssl/ /bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem /etc/letsencrypt/live/$HOSTNAME/cert.pem > /var/cpanel/ssl/cpanel/cpanel.pem /bin/chown cpanel:cpanel /var/cpanel/ssl/cpanel/cpanel.pem /sbin/service cpanel restart \cp -f /var/cpanel/ssl/exim/* /root/ssl/ /bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem > /var/cpanel/ssl/exim/exim.key /bin/cat /etc/letsencrypt/live/$HOSTNAME/cert.pem > /var/cpanel/ssl/exim/exim.crt /bin/chown mailnull:mail /var/cpanel/ssl/exim/exim.* /sbin/service exim restart \cp -f /var/cpanel/ssl/ftp/* /root/ssl/ /bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem > /var/cpanel/ssl/ftp/ftpd-rsa-key.pem /bin/cat /etc/letsencrypt/live/$HOSTNAME/cert.pem > /var/cpanel/ssl/ftp/ftpd-rsa.pem /bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem /etc/letsencrypt/live/$HOSTNAME/cert.pem > /var/cpanel/ssl/ftp/pure-ftpd.pem /bin/chown root:wheel /var/cpanel/ssl/ftp/* /sbin/service pure-ftpd restart \cp -f /var/cpanel/ssl/dovecot/* /root/ssl/ /bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem > /var/cpanel/ssl/dovecot/dovecot.key /bin/cat /etc/letsencrypt/live/$HOSTNAME/cert.pem > /var/cpanel/ssl/dovecot/dovecot.crt /bin/chown root:wheel /var/cpanel/ssl/dovecot/dovecot.* /sbin/service dovecot restart
  Any suggestions, errors detected, ideas? Thanks.

  0
• 

  cPanelMichael

  • February 03, 2016 00:04

  Can you confirm if I write my own script to recreate certificate files every 60 days for each service (exim/dovecot/pureftp/cpanel) and restart them, based on files regenerated by each run of Let's Encrypt script, if cPanel will not alert me about expiration from the data generated last time I used WHM to manipulate the certificates? Means, if I work with the certificates directly, cPanel will not break or something, right?

  
  Yes, this should work as you expect it to. cPanel will not automatically overwrite these files before a 60-day window. Thank you.

  0
• 

  Arvy

  • February 11, 2016 10:26

  Here is my script, updated. Hope helps who wants to use LE's certs to basic cPanel services. You need to download the CA:
  wget https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem mv lets-encrypt-x1-cross-signed.pem /etc/letsencrypt/live/$HOSTNAME/ca.pem
  New version will append CA to the certificates to be more compatible.
  #!/bin/bash /opt/letsencrypt/letsencrypt-auto --debug certonly -a webroot --agree-tos --webroot-path=/usr/local/apache/htdocs --renew-by-default -d $HOSTNAME /bin/mkdir /root/ssl \cp -f /var/cpanel/ssl/cpanel/* /root/ssl/ /bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem /etc/letsencrypt/live/$HOSTNAME/cert.pem /etc/letsencrypt/live/$HOSTNAME/ca.pem > /var/cpanel/ssl/cpanel/cpanel.pem /bin/chown cpanel:cpanel /var/cpanel/ssl/cpanel/cpanel.pem /sbin/service cpanel restart /sbin/service httpd restart \cp -f /var/cpanel/ssl/exim/* /root/ssl/ /bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem > /var/cpanel/ssl/exim/exim.key /bin/cat /etc/letsencrypt/live/$HOSTNAME/cert.pem /etc/letsencrypt/live/$HOSTNAME/ca.pem > /var/cpanel/ssl/exim/exim.crt /bin/chown mailnull:mail /var/cpanel/ssl/exim/exim.* /sbin/service exim restart \cp -f /var/cpanel/ssl/ftp/* /root/ssl/ /bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem > /var/cpanel/ssl/ftp/ftpd-rsa-key.pem /bin/cat /etc/letsencrypt/live/$HOSTNAME/cert.pem /etc/letsencrypt/live/$HOSTNAME/ca.pem > /var/cpanel/ssl/ftp/ftpd-rsa.pem /bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem /etc/letsencrypt/live/$HOSTNAME/cert.pem /etc/letsencrypt/live/$HOSTNAME/ca.pem > /var/cpanel/ssl/ftp/pure-ftpd.pem /bin/chown root:wheel /var/cpanel/ssl/ftp/* /sbin/service pure-ftpd restart \cp -f /var/cpanel/ssl/dovecot/* /root/ssl/ /bin/cat /etc/letsencrypt/live/$HOSTNAME/privkey.pem > /var/cpanel/ssl/dovecot/dovecot.key /bin/cat /etc/letsencrypt/live/$HOSTNAME/cert.pem /etc/letsencrypt/live/$HOSTNAME/ca.pem > /var/cpanel/ssl/dovecot/dovecot.crt /bin/chown root:wheel /var/cpanel/ssl/dovecot/dovecot.* /sbin/service dovecot restart
  Note, again: this is for CentOS 6-. Change as needed for other systems, or CentOS 7 (systemd).

  0
• 

  ChristianSB

  • March 05, 2016 13:20

  Do you have a version there works on CentOS 7 running DNS Only? :)

  0
• 

  nimonogi

  • May 22, 2016 04:57

  Do you have a version there works on CentOS 7 running DNS Only? :)

  
  I'm looking for the exact same thing.

  0
• 

  cPanelMichael

  • May 24, 2016 17:35

  Do you have a version there works on CentOS 7 running DNS Only? :)

  
  Could you elaborate on what in-particular is not working on the DNS-Only server when using this custom application? Thank you.

  0
• 

  BlackRain

  • May 29, 2016 19:14

  I bit the bullet and bought the Cpanel app for Lets Encrypt and it has worked seamlessly for awhile now.

  0

Please sign in to leave a comment.