Skip to main content

AutoSSL with Let's Encrypt on Load Balanced System

Comments

4 comments

  • cPanelMichael
    Hello, Load balancing is unsupported, and thus it's not an environment we test AutoSSL functionality on. Since the domain name isn't resolving to an IP address associated with the specific cPanel server it's configured on, the validation process will fail. You'd likely want to setup Let's Encrypt manually for this to work. Thank you.
    0
  • marklm
    Thanks for your response, Michael. I've installed certbot, and I found a script on github that automates the DNS challenge process with Route 53 using the AWS CLI: github.com/jed/certbot-route53 I've generated the SSL certificates I need for my domain, but I'm not sure exactly what I need to do "install" them and get them to work with my domain. I know I can go into WHM and copy-paste the certificate there to install it, but because the let's encrypt certificate renews every 90 days, it needs to be something I can automate with cron. Here's what I've done so far: I've added a custom httpd.conf include file under: /usr/local/apache/conf/userdata/std/2_4/example/example.com/custom.conf with this content: SSLEngine on SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem Then I ran: /scripts/ensure_vhost_includes --all-users and httpd.conf updated to comment out the line that includes custom conf files. But, the certificate isn't working. What else do I need to do to make it work? Thank you! EDIT: I did restart apache after updating the config files.
    0
  • marklm
    Ok, I figured out what the problem is, but I don't know how to fix it using the include files. At the top of the virtual host directive in httpd.conf that I was modifying with the include file is: And when I change this to: The SSL certificate works and my domain is secured. But, this file says not to modify it, because it's automatically generated, to use the include files. Anyone know how I can add port 443 to the virtualhost definition using the include files, or some other way?
    0
  • marklm
    I've found a full solution to this, in case this is helpful for anyone else. The right way to do this is not to modify the httpd configuration using include files, but to use WHM's API in order to run the SSL certificate install, which will automatically add the port 443 virtual host to your httpd configuration files. Here is a perl script I found that does this on CentOS 7: checknotes.wordpress.com/2016/01/23/letss-encrypt-with-centos-7/ So, here is a rundown of my full solution for Let's Encrypt on load-balanced cPanel servers:
      ]
    • Designate one of your servers as the "central auth" server. On this server, install certbot (certbot.eff.org/). I'm running apache, but I didn't install the "python-certbot-apache" package that certbot suggests, because it needs mod_ssl, and apparently there is some conflict between this and cPanel. I selected 'None of the above' on certbot's instructions dropdown, and just installed: yum install certbot.
    • I also installed the Amazon CLI tools, because I'm using Route 53 for DNS, and used this script to automate the challenge process: github.com/jed/certbot-route53
    • Now I have certificates under /etc/letsencrypt for my domain. I used the perl script above (checknotes.wordpress.com/2016/01/23/letss-encrypt-with-centos-7/) to install these certficates, and it worked.
    • Now I have to just copy the certificates over to the other load balanced servers, and run the same script as in #3 to install them. I can use cron to manage the renewal process, and incron to watch for changes in the certificate directory, and when the certificates change, scp them to replace the certificates on the other servers, and run the install perl script again.
    0

Please sign in to leave a comment.