AlmaLinux 8 + Certbot + cPanel + Cloudflare DNS

I want to install Certbot on AlmaLinux 8 with cPanel and AlmaLinux 8 is not listed as an option on the Certbot instructions page. Would it be OK if I use instructions for some other Linux distribution, like CentOS 7?

Welcome to the Let's Encrypt Community.

Thanks for linking your topic here in your Cloudflare topic. :grinning:

Yes. AlmaLinux 8 is a CentOS fork (of sorts).

If you are using cPanel, it might make the most sense to use their AutoSSL with the Let's Encrypt CA.

5 Likes

:smiley: This plugin, unfortunately, doesn't support DNS-01 for third-party DNS hosting.

You cannot use this plugin to obtain certificates for wildcard domains if you use third-party DNS hosting. You must host DNS on your local cPanel & WHM server or within the server’s DNS cluster.

1 Like

If nothing else works...
And depending on how much access you have to the system [and your skillset and willingness...], you might be able to run an ACME client and manually insert the cert into the web service.

4 Likes

Picking the right ACME client is going to depend on how you want to use it. You have identified your DNS-01 challenge and third-party nameservers requirements.

Do you need subscriber access, or will you be the only one managing the certificates?

5 Likes

I have root access, so that's not the problem. I'm the only one managing the certs. I've been advised to install the Certbot and Cloudflare DNS plugin since I host my DNS on Cloudflare, which is where the DNS-01 challenge record will be performed:

  1. Certbot Instructions | Certbot
  2. Welcome to certbot-dns-cloudflare’s documentation! — certbot-dns-cloudflare 0 documentation

I'm running a VPS server with cPanel, which means when I add a domain to it, the system creates everything needed for a domain to function, DNS records, VirtualHost, and root folder. Then I host its DNS on Cloudflare. Certbot should help me install the cert and automatically renew it. It would be nice if the Certbot would detect the added domain and request the cert issuance automatically but manually is fine if that's not possible.

I'm concerned about whether the cPanel will be able to use the cert for internal purposes since Certbot probably has its unique location for cert installation. BTW, I know where and how cPanel installs certs.

1 Like

Actually, cPanel should do that for you [with maybe certbot under the hood].
Going around cPanel isn't an ideal path.
And I would only suggest it:

4 Likes

Procedurally, I have no idea what that means, even though I get it logically. I don't want to go around cPanel. I've never worked with ACME software before, nor am I skilled in working with Linux.

But what I do know is why I don't want to use cPanel's Let's Encrypt automatic provider (AutoSSL).

Is there any advice on where to start? As I said, I'm on AlmaLinux 8, and I've been recommended the tools I mentioned earlier. On Certbot's site, there isn't an instruction for AlmaLinux 8 installation, but there is for CentOS 7 and 8. Should I start with one of these and install Certbot and the Cloudflare DNS plugin?

That sounds like an uphill battle.
You'd be better off switching to another panel that uses an ACME client you like.

2 Likes

Actually, that seems like worse advice than the thing you are trying to advise me against. I don't think there is a panel that works ideally with third-party DNS hosting. Most of them are a mess with no intention in mind to make our lives easier. I'm not scared of taking the custom path. Just in the last two months, I've discovered at least 5 huge inconsistencies and irregularities in cPanel's structure for which they now opened cases. That gives me the confidence to proceed and maybe show them how to do this.

Maybe you are capable of winning that battle!
Maybe you are even capable of writing your own panel...
I have no idea.
I'm only trying to provide advice I feel would fit the largest possible audience [including you].

As much as it makes no sense for me to advise for you to write your own panel, it also makes little sense for you to think that I would know precisely what is best for you in your specific situation. At best, I can only guess OR simply tell you what I would do. I choose to do the latter; I would definitely look for another panel despite your statement:

I think that if you never look for one you will very likely never find one.

1 Like

I appreciate the intention.

1 Like

OK, here's the deal:

  1. I'm using third-party DNS hosting on Cloudflare.
  2. cPanel's default ACME client (AutoSSL) for Let's Encrypt allows only the HTTP-01 challenge, so DNS-01 is not an option, and consequently, wildcard coverage is not possible.
  3. AutoSSL has a terrible way of handling lists of covered hostnames in certs. For example, if you only have one domain with 5 subdomains, the CN (Common Name) field will almost always list one of the subdomains and not the domain. This is not a deal breaker, but it's ugly. Things get complicated if you have multiple domains. Then, domain A's CN will be a subdomain of domain C, and domain B's CN will be a subdomain of domain Z. It mixes hostnames across all domains you have. The SAN field, which is the one that matters for coverage, on the other hand, gets it right.
  4. Cloudflare works as a proxy for my DNS records. But there are some DNS records that I need to turn off the proxy for, like nameservers', PTRs', and mail servers' A records (FYI, these are all subdomains). These records need to be resolved to the IPs of services on my hosting server, not to Cloudflare's IPs, which is why the proxy for them is disabled. A consequence of that is that AutoSSL doesn't cover them so they are left unprotected. This is where I'm stuck!

One way of solving this is to create these as regular subdomains in cPanel. Then, cPanel creates virtual hosts for each and they get included in the cert. This means much more customization on Cloudflare because I'm stuck with the HTTP-01 ACME challenge. All my custom rules need to exclude the /.well-known/acme-challenge/ path. I have a lot of domains and this takes forever unless I write a script to use with their API - again, more work.

The DNS-01 challenge would be easier for Cloudflare, but tougher on cPanel. Installing a Certbot and performing a DNS-01 on Cloudflare is not a big deal as I've heard. Making sure installed certs cooperate with cPanel is what I'm here for.

Although my first solution works, it's not pretty and requires a lot of effort. I'm just trying to explore the other option. Something tells me that it can be simpler.

You lost me on the first step of your explanation.
What exactly is "third-party DNS hosting on Cloudflare"?

That is more a cPanel question/answer than an LE one.
You could ask the same thing from any other CA - they wouldn't be expected to know either.

Something tells me that cPanel is not suited for your needs.
OR
You need to split things into:

  • those things that work well with cPanel
  • those things that don't work with cPanel

And use multiple systems [or docker] to separate them from each other.

2 Likes

Web, DNS, mail... can be hosted with different companies. I host websites on my server (AlmaLinux 8 + cPanel) while hosting their DNS zones on Cloudflare - colloquially referred to as third-party DNS hosting.

Certbot's site lists this forum as a helpful resource. This is why I'm here. Talking to cPanel for now has gotten me nowhere. Talking to Cloudflare, again, the same. This doesn't mean nobody wants to help, it only means I'm the first trying to combine these things. I'm in the middle of a big project of my own and don't have time right now to dive into finding a solution to, what seems like, a project of its own.

So the first thing is to ask whether someone has done it before me.

I don't use any of these things, but the process is much the same for any type of service using certs:

  • figure out how the service refers to the certificate files (e.g. are the certificate, full chain and private key paths stored in a config file or a database?).
  • figure out how you will acquire your certificate (e.g. you might use certbot, or any other ACME tool, and in your case you want one that can speak to the Cloudflare API for DNS).

Typically the output of this process is your certificate component files:

  • your certificate in PEM text format
  • usually a "full chain" which is a set of certificates from your primary "leaf/end-entity" certificate through to any intermediate certificates the CA uses to sign your certificate (which in turn are signed by their main root certificate).
  • your private key file, again usually this is a file in PEM text format. File names and extensions can vary but they are largely unimportant, it's the content that matters.

Once you have your files and know where to put them/what to call them, you then copy them to your required destination (or update your service config to point directly to the files generated by the ACME client; in the case of certbot they use symlinks to maintain a static filename). Generally you then have to get your service to pick up the latest version of the certificate files; for some service types this is automatic on file change, for others you need to reload or restart the service for it to pick up the latest files.

As you are looking to go beyond the functionality supplied by AutoSSL I would start by using your choice of ACME client (perhaps certbot or acme.sh) to get a certificate, then figure out how to apply that to each service (e.g. post-request deployment hooks).

I don't really understand the part about how turning off Cloudflare's proxy stops you using AutoSSL. Cloudflare proxying uses Cloudflare's own servers to acquire and present a certificate; it doesn't necessarily care what certificates your actual "origin" server presents (how fussy it is about that is configurable). Is there perhaps some confusion between what AutoSSL is doing for you vs what Cloudflare is automatically doing for you on proxied domains?

3 Likes

This is superb, thank you! You just listed and structured the things I thought about but couldn't.

  • cPanel chops up the cert chain and key in multiple files without extension. It also has the "combined" file (chain+key) for its services, plus another variant of the combined file with different permissions.
  • Certbot has a Cloudflare DNS plugin that many people are successfully using so I think that is the easy part of the process.
  • I will probably let Certbot do its thing, download and put files where it wants, and then automate the process of copying to cPanel's format and location and figure out how to make services pick up the change.
  • You are right, turning off the proxy doesn't make AutoSSL do anything; my wording was probably confusing. The records I'm turning the proxy off for are just DNS A records; they are not defined on my server as VirtualHosts and therefore don't have a root folder for the HTTP-01 to be performed in. It's an internal cPanel thing. I need to create literal websites for each of those DNS A records' hostnames in cPanel for AutoSSL to cover them in the cert.

The thing is that AutoSSL is poorly structured regarding hostname coverage when using HTTP-01. This is why the DNS-01 challenge is better because it allows you to use wildcards.

Unfortunately, I won't be doing this right now. I may come back to it a few months later when I find the time. The thread will probably close by then, so I will start another one to post results. Admins can probably join them later.

3 Likes
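The two posts above describe the generic process (get the certificate with an ACME client, copy the component files to where the service expects them, reload the service) and the cPanel-specific wrinkle (extensionless files plus a combined chain+key file). The script below is an added example for this thread, not code from certbot, cPanel or any poster: it shows the certbot request with the real `--dns-cloudflare` plugin flags and a `--deploy-hook` that installs the renewed files atomically with strict permissions. The destination directory, the hook path, the service names and the credentials path are placeholders (cPanel's real locations are not on this page), and `RENEWED_LINEAGE`/`RENEWED_DOMAINS` are the variables certbot exports to deploy hooks.

```shell
#!/bin/sh
# Added example: certbot + dns-cloudflare request, plus a deploy hook that
# copies the renewed certificate into a service's expected layout.
# All paths and service names are placeholders; adjust for your setup.

# Credentials file for the plugin (placeholder path; must be mode 600).
# Contents, using the plugin's real key name, with a scoped API token:
#   dns_cloudflare_api_token = <Cloudflare API token with Zone:DNS:Edit>
CF_CREDS="${CF_CREDS:-/root/.secrets/cloudflare.ini}"
HOOK_PATH="${HOOK_PATH:-/usr/local/bin/deploy-hook.sh}"   # placeholder: this script's install path

# Request a certificate covering the apex and a wildcard via DNS-01.
# Not run by default; call "request_cert example.com" as root.
request_cert() {
    certbot certonly \
        --dns-cloudflare \
        --dns-cloudflare-credentials "$CF_CREDS" \
        --dns-cloudflare-propagation-seconds 30 \
        -d "$1" -d "*.$1" \
        --deploy-hook "$HOOK_PATH"
}

# Copy the lineage's files into DEST as extensionless files plus a
# combined (fullchain + key) file. Returns 1 if any input is missing.
install_cert() {
    lineage="$1"   # e.g. /etc/letsencrypt/live/<name>
    dest="$2"      # placeholder destination directory

    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        [ -s "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
    done
    grep -q 'BEGIN' "$lineage/privkey.pem" \
        || { echo "privkey.pem is not PEM" >&2; return 1; }

    umask 077            # nothing we create is world-readable, even briefly
    mkdir -p "$dest"
    # Write to temp files first, then rename, so a service reading the
    # files mid-renewal never sees a partially written certificate.
    cp "$lineage/cert.pem"    "$dest/certificate.tmp"
    cp "$lineage/chain.pem"   "$dest/cabundle.tmp"
    cp "$lineage/privkey.pem" "$dest/key.tmp"
    cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$dest/combined.tmp"
    chmod 644 "$dest/certificate.tmp" "$dest/cabundle.tmp"   # public material
    chmod 600 "$dest/key.tmp" "$dest/combined.tmp"           # contains the key
    for n in certificate cabundle key combined; do
        mv -f "$dest/$n.tmp" "$dest/$n"
    done
    echo "installed certificate into $dest"
}

# Ask each service (placeholder names) to pick up the new files.
reload_services() {
    command -v systemctl >/dev/null 2>&1 || return 0
    for svc in "$@"; do
        systemctl reload "$svc" 2>/dev/null || systemctl restart "$svc"
    done
}

# When certbot invokes this script as a deploy hook, RENEWED_LINEAGE is set.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    echo "deploying renewed certificate for: ${RENEWED_DOMAINS:-?}"
    install_cert "$RENEWED_LINEAGE" "/path/to/service/ssl" \
        && reload_services httpd dovecot   # placeholder service names
fi
```

Because certbot runs deploy hooks only after a successful issuance or renewal, the copy step never runs against an expired or failed lineage, and the temp-then-rename pattern keeps the service from reading a half-written key. Keep the credentials file at mode 600 and scope the Cloudflare token to DNS edits on the relevant zones only.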

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.