cPanel 70 / Centos 7 / Apache 2.4.33

I recently migrated from a Centos 7 / Apache server running cPanel 68 to a new server running Centos 7 Apache running cPanel 70.

I need to install LetsEncrypt/Certbot, but it’s failing at the end saying mod_ssl isn’t installed (but it does exist in /etc/apache2/modules directory). Any ideas how to get certbot installed successfully on this server? See install output below…

Thanks!

[root@gromit /]# yum install certbot-apache
Loaded plugins: fastestmirror, universal-hooks
Loading mirror speeds from cached hostfile
 * EA4: 208.100.0.204
 * cpanel-addons-production-feed: 208.100.0.204
 * base: mirror.den1.denvercolo.net
 * epel: mirror.steadfast.net
 * extras: mirror.ash.fastserv.com
 * updates: mirror.grid.uchicago.edu
Resolving Dependencies
--> Running transaction check
---> Package python2-certbot-apache.noarch 0:0.24.0-2.el7 will be installed
--> Processing Dependency: certbot >= 0.21.1 for package: python2-certbot-apache-0.24.0-2.el7.noarch
--> Processing Dependency: python2-certbot >= 0.21.1 for package: python2-certbot-apache-0.24.0-2.el7.noarch
--> Processing Dependency: mod_ssl for package: python2-certbot-apache-0.24.0-2.el7.noarch
--> Processing Dependency: python-augeas for package: python2-certbot-apache-0.24.0-2.el7.noarch
--> Running transaction check
---> Package certbot.noarch 0:0.24.0-1.el7 will be installed
--> Processing Dependency: /usr/sbin/semanage for package: certbot-0.24.0-1.el7.noarch
---> Package python-augeas.noarch 0:0.5.0-2.el7 will be installed
--> Processing Dependency: augeas-libs for package: python-augeas-0.5.0-2.el7.noarch
---> Package python2-certbot.noarch 0:0.24.0-1.el7 will be installed
--> Processing Dependency: python2-acme > 0.21.1 for package: python2-certbot-0.24.0-1.el7.noarch
--> Processing Dependency: python-parsedatetime for package: python2-certbot-0.24.0-1.el7.noarch
--> Processing Dependency: python-zope-component for package: python2-certbot-0.24.0-1.el7.noarch
--> Processing Dependency: python-zope-interface for package: python2-certbot-0.24.0-1.el7.noarch
--> Processing Dependency: python2-configargparse for package: python2-certbot-0.24.0-1.el7.noarch
--> Processing Dependency: python2-cryptography for package: python2-certbot-0.24.0-1.el7.noarch
--> Processing Dependency: python2-future for package: python2-certbot-0.24.0-1.el7.noarch
--> Processing Dependency: python2-josepy for package: python2-certbot-0.24.0-1.el7.noarch
--> Processing Dependency: python2-mock for package: python2-certbot-0.24.0-1.el7.noarch
--> Processing Dependency: python2-pyrfc3339 for package: python2-certbot-0.24.0-1.el7.noarch
--> Processing Dependency: pytz for package: python2-certbot-0.24.0-1.el7.noarch
---> Package python2-certbot-apache.noarch 0:0.24.0-2.el7 will be installed
--> Processing Dependency: mod_ssl for package: python2-certbot-apache-0.24.0-2.el7.noarch
--> Running transaction check
---> Package augeas-libs.x86_64 0:1.4.0-5.el7_5.1 will be installed
---> Package policycoreutils-python.x86_64 0:2.5-22.el7 will be installed
--> Processing Dependency: setools-libs >= 3.3.8-2 for package: policycoreutils-python-2.5-22.el7.x86_64
--> Processing Dependency: libsemanage-python >= 2.5-9 for package: policycoreutils-python-2.5-22.el7.x86_64
--> Processing Dependency: audit-libs-python >= 2.1.3-4 for package: policycoreutils-python-2.5-22.el7.x86_64
--> Processing Dependency: python-IPy for package: policycoreutils-python-2.5-22.el7.x86_64
--> Processing Dependency: libqpol.so.1(VERS_1.4)(64bit) for package: policycoreutils-python-2.5-22.el7.x86_64
--> Processing Dependency: libqpol.so.1(VERS_1.2)(64bit) for package: policycoreutils-python-2.5-22.el7.x86_64
--> Processing Dependency: libcgroup for package: policycoreutils-python-2.5-22.el7.x86_64
--> Processing Dependency: libapol.so.4(VERS_4.0)(64bit) for package: policycoreutils-python-2.5-22.el7.x86_64
--> Processing Dependency: checkpolicy for package: policycoreutils-python-2.5-22.el7.x86_64
--> Processing Dependency: libqpol.so.1()(64bit) for package: policycoreutils-python-2.5-22.el7.x86_64
--> Processing Dependency: libapol.so.4()(64bit) for package: policycoreutils-python-2.5-22.el7.x86_64
---> Package python-zope-component.noarch 1:4.1.0-3.el7 will be installed
--> Processing Dependency: python-zope-event for package: 1:python-zope-component-4.1.0-3.el7.noarch
---> Package python-zope-interface.x86_64 0:4.0.5-4.el7 will be installed
---> Package python2-acme.noarch 0:0.24.0-1.el7 will be installed
--> Processing Dependency: pyOpenSSL >= 0.13 for package: python2-acme-0.24.0-1.el7.noarch
--> Processing Dependency: python-ndg_httpsclient for package: python2-acme-0.24.0-1.el7.noarch
--> Processing Dependency: python2-pyasn1 for package: python2-acme-0.24.0-1.el7.noarch
--> Processing Dependency: python2-requests for package: python2-acme-0.24.0-1.el7.noarch
--> Processing Dependency: python2-six for package: python2-acme-0.24.0-1.el7.noarch
---> Package python2-certbot-apache.noarch 0:0.24.0-2.el7 will be installed
--> Processing Dependency: mod_ssl for package: python2-certbot-apache-0.24.0-2.el7.noarch
---> Package python2-configargparse.noarch 0:0.11.0-1.el7 will be installed
---> Package python2-cryptography.x86_64 0:1.7.2-2.el7 will be installed
--> Processing Dependency: python-six >= 1.4.1 for package: python2-cryptography-1.7.2-2.el7.x86_64
--> Processing Dependency: python-idna >= 2.0 for package: python2-cryptography-1.7.2-2.el7.x86_64
--> Processing Dependency: python-cffi >= 1.4.1 for package: python2-cryptography-1.7.2-2.el7.x86_64
--> Processing Dependency: python-enum34 for package: python2-cryptography-1.7.2-2.el7.x86_64
---> Package python2-future.noarch 0:0.16.0-6.el7 will be installed
---> Package python2-josepy.noarch 0:1.1.0-1.el7 will be installed
---> Package python2-mock.noarch 0:1.0.1-9.el7 will be installed
---> Package python2-parsedatetime.noarch 0:2.4-5.el7 will be installed
---> Package python2-pyrfc3339.noarch 0:1.0-2.el7 will be installed
---> Package pytz.noarch 0:2016.10-2.el7 will be installed
--> Running transaction check
---> Package audit-libs-python.x86_64 0:2.8.1-3.el7 will be installed
---> Package checkpolicy.x86_64 0:2.5-6.el7 will be installed
---> Package libcgroup.x86_64 0:0.41-15.el7 will be installed
---> Package libsemanage-python.x86_64 0:2.5-11.el7 will be installed
---> Package pyOpenSSL.x86_64 0:0.13.1-3.el7 will be installed
---> Package python-IPy.noarch 0:0.75-6.el7 will be installed
---> Package python-cffi.x86_64 0:1.6.0-5.el7 will be installed
--> Processing Dependency: python-pycparser for package: python-cffi-1.6.0-5.el7.x86_64
---> Package python-enum34.noarch 0:1.0.4-1.el7 will be installed
---> Package python-idna.noarch 0:2.4-1.el7 will be installed
---> Package python-ndg_httpsclient.noarch 0:0.3.2-1.el7 will be installed
---> Package python-six.noarch 0:1.9.0-2.el7 will be installed
---> Package python-zope-event.noarch 0:4.0.3-2.el7 will be installed
---> Package python2-certbot-apache.noarch 0:0.24.0-2.el7 will be installed
--> Processing Dependency: mod_ssl for package: python2-certbot-apache-0.24.0-2.el7.noarch
---> Package python2-pyasn1.noarch 0:0.1.9-7.el7 will be installed
---> Package python2-requests.noarch 0:2.6.0-0.el7 will be installed
--> Processing Dependency: python-requests >= 2.6.0 for package: python2-requests-2.6.0-0.el7.noarch
---> Package python2-six.noarch 0:1.9.0-0.el7 will be installed
---> Package setools-libs.x86_64 0:3.3.8-2.el7 will be installed
--> Running transaction check
---> Package python-pycparser.noarch 0:2.14-1.el7 will be installed
--> Processing Dependency: python-ply for package: python-pycparser-2.14-1.el7.noarch
---> Package python-requests.noarch 0:2.6.0-1.el7_1 will be installed
--> Processing Dependency: python-urllib3 >= 1.10.2-1 for package: python-requests-2.6.0-1.el7_1.noarch
---> Package python2-certbot-apache.noarch 0:0.24.0-2.el7 will be installed
--> Processing Dependency: mod_ssl for package: python2-certbot-apache-0.24.0-2.el7.noarch
--> Running transaction check
---> Package python-ply.noarch 0:3.4-11.el7 will be installed
---> Package python-urllib3.noarch 0:1.10.2-5.el7 will be installed
---> Package python2-certbot-apache.noarch 0:0.24.0-2.el7 will be installed
--> Processing Dependency: mod_ssl for package: python2-certbot-apache-0.24.0-2.el7.noarch
--> Finished Dependency Resolution
Error: Package: python2-certbot-apache-0.24.0-2.el7.noarch (epel)
           Requires: mod_ssl
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest

You should not install Certbot from repositories if you are using cPanel.

The reason is that cPanel provides its own Apache2 packages (including for mod_ssl) via EasyApache 3/4 that are incompatible with the way that Certbot is packaged:

# rpm -qa "*mod_ssl"
ea-apache24-mod_ssl-2.4.33-5.5.1.cpanel.x86_64

You could try to use certbot-auto on a cPanel server, or find another ACME client that has less complicated dependencies.

Certbot is not terribly useful on cPanel servers, as any automated changes performed by Certbot to Apache’s configuration files will be reverted by cPanel anyway.


Thanks. I actually had certbot running on a different Centos 7 server up until last month, but I moved to a new Centos 7 server and I believe the new one uses Apache2 whereas the old one didn’t. On the old server it worked just fine. :)
I’ll take your advice and look for a different solution. Thanks.

Hi @swbrains ,

I’m curious… Why use certbot if your cPanel 70 includes AutoSSL?

(AutoSSL can be used to obtain a certificate from the cPanel CA (Comodo) or the Let’s Encrypt CA (just Let’s Encrypt).)

You can configure it from the WHM panel if you have root access to WHM.

Thank you

Thanks. I will likely do that now. I originally wrote custom code to install SSL certs on my clients’ accounts a few years ago when I think cPanel’s AutoSSL didn’t do something I needed it to do – I can’t remember now. So I wrote my own code to auto install and auto renew LE certs and also auto-install my wildcard cert for my subdomain customers.

Thanks,
Vinnie

Actually, I think I remember now. I’m hosting over 600 customer sites. I think I was afraid of hitting the LE limits. About half of these sites use domain names. The other half use a subdomain of my main business domain.

I thought there was both a weekly and total lifetime limit and the lifetime limit was something like 200 certificates which I would be in danger of hitting if AutoSSL created the certs but maybe I’m mistaken on these points.

Any clarification you may have would be helpful in my decisions on how I move forward.

Thanks!

Hi,

Those people would be fine... if they don't request domain certificates rapidly.

For these people, you might want to request a rate limit extension (to request a higher rate limit for your domain) or use the cPanel Certificate Authority for your cPanel server (switch from the LE authority to cPanel).

Let's Encrypt does have rate limits, but only weekly limits (no lifetime limits).

In your case, these limits are related:

  1. Certificates per Registered Domain (20 per week).
    This is the limit that you may hit when you issue separate certificates for clients on your subdomains.

A registered domain is, generally speaking, the part of the domain you purchased from your domain name registrar. For instance, in the name www.example.com, the registered domain is example.com. In new.blog.example.co.uk, the registered domain is example.co.uk.

However, renewals of existing certificates don't count toward this limit.

  2. Duplicate Certificate (5 per week)
    This might happen if your client deletes the AutoSSL certificate issued to you rapidly.

A certificate is considered a duplicate of an earlier certificate if they contain the exact same set of hostnames, ignoring capitalization and ordering of hostnames.

As for the other rate limits, I don't think AutoSSL might hit them... (if you don't rapidly press the "run" button)

In conclusion, you might want to request an extension of the rate limit since you have a large number of clients that use your subdomains... (if you use the LE CA)

Request your rate limit here: Let's Encrypt Rate Limit Adjustment Request Form

Otherwise, you can try switching to the cPanel certificate authority by changing the switch on your WHM / AutoSSL panel. The cPanel CA has loose restrictions.

Thank you
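
An added example, not part of the original post and not code from Let's Encrypt or cPanel: a planner that checks one week of certificate requests against the two limits described above, using the figures quoted in the thread. The suffix set, hostnames and function names are constructed for illustration, and renewals are modelled exactly as the post states them.

```python
from collections import Counter

# Constructed stand-in for the Public Suffix List (assumption; load the real list in practice).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}
PER_REGISTERED_DOMAIN = 20  # new certificates per week, figure quoted in the thread
DUPLICATES = 5              # identical hostname sets per week, figure quoted in the thread


def registered_domain(hostname):
    """Return public suffix plus one label: new.blog.example.co.uk -> example.co.uk."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):  # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    raise ValueError("no registrable domain in %r" % hostname)


def plan_week(requests):
    """Simulate one 7-day window. requests: iterable of (hostnames, is_renewal).
    Returns a list of (hostnames, verdict); verdict is "ok" or the limit hit."""
    per_domain, per_name_set, results = Counter(), Counter(), []
    for hostnames, is_renewal in requests:
        # Duplicate detection ignores capitalization and ordering of hostnames.
        name_set = frozenset(h.lower() for h in hostnames)
        domains = sorted({registered_domain(h) for h in name_set})
        if per_name_set[name_set] >= DUPLICATES:
            results.append((hostnames, "duplicate certificate limit"))
            continue
        # Modelled as the thread states it: renewals skip the per-domain limit.
        if not is_renewal:
            full = [d for d in domains if per_domain[d] >= PER_REGISTERED_DOMAIN]
            if full:
                results.append((hostnames, "per-domain limit: " + full[0]))
                continue
            per_domain.update(domains)
        per_name_set[name_set] += 1
        results.append((hostnames, "ok"))
    return results


def rejected(results):
    """Keep only the requests that ran into a limit."""
    return [(names, verdict) for names, verdict in results if verdict != "ok"]


# Constructed sample week: 25 new customer subdomains, then one site re-issued 6 times.
SAMPLE_WEEK = [(["site%02d.example.com" % n], False) for n in range(25)]
SAMPLE_WEEK += [(["Shop.example.net", "www.shop.example.net"], True),
                (["www.shop.example.net", "shop.example.net"], True)] * 3

if __name__ == "__main__":
    for names, verdict in rejected(plan_week(SAMPLE_WEEK)):
        print(names, "->", verdict)
```

With the sample week, the 21st to 25th subdomain requests are refused on the per-domain limit and the sixth re-issue of the same hostname set is refused as a duplicate.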

Thanks for your quick and thorough reply. I see I can switch to cPanel/Comodo certs in my WHM, which I may do as it sounds like it has less of a limit with my subdomains, correct?

Thanks again,
Vinnie

Hi,

Yes… that’s what I saw on cPanel’s website.

However, I highly suggest reaching out to cPanel support and confirming with them. (Since cPanel doesn’t mention any domain or hostname rate limit, only a hostname per certificate limit)

https://confluence1.cpanel.net/plugins/servlet/mobile?contentId=2450296#ManageAutoSSL-Domainandratelimits

Thank you

Thank you again – will do!
