GoDaddy Dedicated server - cPanel(?) resets to old certificate after some day(s)?

Rented “dedicated” server from Godaddy with several web sites. I installed cerbot to get around the GoDaddy charge for certificates. All works as expected - no problems, certificates install and all is good, Then some time later the OLD certificates (not generated via cerbot) are re-installed instead of the valid certificate. I suspect cPanel is trying to help me? Has anyone seen this before or knows where I can look to stop it?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: (many) I suppose RTAMinistries.org will work as one example

I ran this command: not applicable

It produced this output: not applicable

My web server is (include version): apache 2.4.41 with GoDaddy configured cPanel

The operating system my web server runs on is (include version): Centos

My hosting provider, if applicable, is: GoDaddy

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): cPanel 84.0.16

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.0.0

Using both [(any)Panel control and (any)ACME agent] is generally NOT a good idea.
Was there a reason that required you to use certbot?
Does it “reset” after you make changes in cPanel?
If cPanel is capable is issuing certs, you should use only that.

1 Like

In this case, cPanel have a copy of the static configuration files (from Apache) and certbot changed the live files. cPanel will always try to go back to the file version they have, to avoid tampering.
There’s pretty small chance for you to stop this behavior…

If you are using dedicated server (with root access), why not install the default “AutoSSL” plugin for cPanel? It integrate Let’s Encrypt in it and is provided by cPanel officially.
https://documentation.cpanel.net/plugins/servlet/mobile?contentId=17183120#content/view/17183120

If you don’t want that and would like to obtain certificate in an account-by-account basis with command line, you can try acme.sh, which used cPanel’s API to update certificate (so it won’t be rolled back)

If you want the end users (accounts in cPanel) to have access to the certificate obtaining process, you could use the plugin developed by @_az which called FleetSSL cPanel https://letsencrypt-for-cpanel.com/. The plugin is a paid one but have some better features and more options for end-user (instead of managing certificates only with WHM)

Thanks

4 Likes

I had been entering certs manually in cPanel, then I lost track of HOW to get those certs from Let’s Encrypt. When I lost this means I installed the certbot auto.

The other posts covered it quite well.

You cannot use certbot-auto --apache on cPanel, it’s going to get constantly reverted in the way you described.

If you don’t want the certificate to be overwritten, then you must use the cPanel API UAPI ssl::install_ssl to install the certificate to your domains.

For example, as in this tutorial: https://github.com/Neilpang/acme.sh/wiki/Simple-guide-to-add-TLS-cert-to-cpanel - you will see that acme.sh has a built-in cpanel_uapi hook which does this for you.

In theory you can do a similar thing with Certbot, by using certonly instead of --apache and adding a --deploy-hook which calls the cPanel API - but it’s quite a bit of work. So you may as well try acme.sh.

I’d also echo the recommendation that if you have root access to your WHM/cPanel server, just enable AutoSSL.

4 Likes

This is good information. Since GoDaddy is involved, and they have a financial interest in selling certificates, cPanel seems to prefer them. I will look deeper and try what has been recommended, forst if there is a way to get cPanel to AutoSSL using Let’s Encrypt instead of its own locally generated certificates, then the other steps. Thank-you for taking time to help!
-jdn-

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.