Trouble with cPanel and Let's Encrypt


#1

Hello,

I’m running cPanel and WHM on a virtual private server. Currently, cPanel doesn’t fully support Let’s Encrypt; however, they’re working on it. With the default setup, cPanel sets up something called Proxy Subdomains. If I wanted to check my mail, instead of going to mydomain.com:2096, I could simply go to webmail.mydomain.com.

This is nice, but I can’t set up any .well-known directories and Let’s Encrypt fails. cPanel’s webmail CGI stuff asks for a username / password. If I shut down my Apache and cPanel servers, I can point Let’s Encrypt to the webmail directory and it’d work, but that’s a real pain.

I found a little workaround though. I disable Proxy Sub-Domains and enable sub-domain redirects. When I go to some place like http://webmail.mydomain.com, it’ll just forward me to http://mydomain.com:2096.

Using .htaccess redirect rules, I can then allow the .well-known directory through, like this:

RewriteEngine on

# Let requests for the ACME http-01 challenge path through untouched
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/

# Redirect everything else on http://webmail.mydomain.com to https://www.mydomain.com:2096
# (dots in the host pattern are escaped; [NC] makes the host match case-insensitive)
RewriteCond %{HTTP_HOST} ^webmail\.mydomain\.com$ [NC]
RewriteRule ^(.*)$ https://www.mydomain.com:2096/$1 [R=301,L]

This seems to work. I can create a .well-known/acme-challenge/index.html file and access it by going to http://webmail.mydomain.com/.well-known/acme-challenge/index.html.

If I try going to https://webmail.mydomain.com/.well-known/acme-challenge/index.html, it fails, but it works when I try going to the http version.

When I run Let’s Encrypt, the log file gives me a message saying it succeeded. Here’s a long snippet of the log. I can post the whole thing if you want.

...

2016-05-15 17:27:29,413:DEBUG:acme.client:Requesting issuance...
2016-05-15 17:27:29,415:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), typ=None, kid=None, alg=None, x5t=None, jku=None, x5u=None, x5tS256=None, jwk=None, cty=None
2016-05-15 17:27:29,417:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), typ=None, kid=None, nonce=None, x5t=None, jku=None, x5u=None, x5tS256=None, cty=None
2016-05-15 17:27:29,419:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-05-15 17:27:29,557:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/new-cert HTTP/1.1" 201 1442
2016-05-15 17:27:29,611:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/acme/issuer-cert. args: (), kwargs: {'headers': {'Accept': 'application/pkix-cert'}}
2016-05-15 17:27:29,612:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-05-15 17:27:29,693:DEBUG:requests.packages.urllib3.connectionpool:"GET /acme/issuer-cert HTTP/1.1" 200 1174
2016-05-15 17:27:29,715:DEBUG:certbot.storage:Writing new private key to /etc/letsencrypt/archive/www.jetbbs.com/privkey3.pem.
2016-05-15 17:27:29,715:DEBUG:certbot.storage:Writing certificate to /etc/letsencrypt/archive/www.jetbbs.com/cert3.pem.
2016-05-15 17:27:29,716:DEBUG:certbot.storage:Writing chain to /etc/letsencrypt/archive/www.jetbbs.com/chain3.pem.
2016-05-15 17:27:29,716:DEBUG:certbot.storage:Writing full chain to /etc/letsencrypt/archive/www.jetbbs.com/fullchain3.pem.
2016-05-15 17:27:29,803:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer <certbot.cli._Default object at 0x7fbd2ebcf350>
2016-05-15 17:27:31,584:DEBUG:certbot.storage:Writing new config /etc/letsencrypt/renewal/www.jetbbs.com.conf.new.
2016-05-15 17:27:31,675:INFO:certbot.reporter:Reporting to user: Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/www.jetbbs.com/fullchain.pem. Your cert will expire on 2016-08-13. To obtain a new version of the certificate in the future, simply run Certbot again.
2016-05-15 17:27:31,676:INFO:certbot.reporter:Reporting to user: If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
Donating to EFF:                    https://eff.org/donate-le

I’m confused though. The bottom part says Congratulations! But it looks like the certificates failed. When I try to install them, I get an error message saying verification failed:

...
Attempting to install the SSL certificate for the exim service...
{"metadata":{"version":1,"reason":"Certificate verification failed!\nCertificate verified:\nstdin: CN = www.jetbbs.com\nerror 20 at 0 depth lookup:unable to get local issuer certificate\n\n\n","result":0,"command":"install_service_ssl_certificate"}}
...

I was thinking maybe Let’s Encrypt requires the https stuff to be working, like maybe it needs to be able to go to https://webmail.mydomain.com/.well-known/acme-challenge/ and because it can only go there when it’s an http request, the certs don’t fully work.

Am I right in thinking that? Does anyone have any ideas what might be going on and why I cannot generate valid certificates anymore? Thanks!


#2

I figured it out. For some reason, the Perl script I was using to install the certificates in cPanel was pointing to a file /etc/letsencrypt/bundle.txt.

This file, from what I could tell, is just a copy of /etc/letsencrypt/domain/chain.pem.

So, I updated the script to set the cafile variable to /etc/letsencrypt/$dom/chain.pem and they installed just fine.

Now, if there’s just a way for me to figure out how to install these certs without having to have my root password in the Perl script. I was hoping I could somehow use those tokens, but I don’t know much about cPanel.

I also gotta figure out how to disable caching for Chrome users completely. That’s not as easy of a task as you might think it’d be.

I’d also like to move my cron job to cPanel’s cron tab, so I can manage it there. At least I got my certs working again.
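The check behind that verification error, as an added example that is not from this thread, cPanel or certbot: it parses the PEM files with the standard library and reports whether the file handed over as the CA bundle actually contains the issuer of cert.pem, which is exactly what a stale bundle.txt fails. The sample certificates it builds are constructed, unsigned placeholders with made-up names, not real Let's Encrypt certificates.

```python
"""Check that a CA bundle really contains the issuer of a leaf certificate (stdlib only)."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_COMMON_NAME = bytes.fromhex("0603550403")  # OBJECT IDENTIFIER 2.5.4.3, id-at-commonName
SHA256_RSA = bytes.fromhex("300d06092a864886f70d01010b0500")  # AlgorithmIdentifier sha256WithRSAEncryption


def pem_to_der(pem):
    """Return the DER bytes of every certificate found in a PEM string (a bundle may hold several)."""
    return [base64.b64decode("".join(block.split())) for block in PEM_RE.findall(pem)]


def read_tlv(buf, pos):
    """Decode one DER tag-length-value starting at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits say how many bytes encode the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def issuer_and_subject(der):
    """Return the raw DER of the Issuer and Subject Names of an X.509 certificate."""
    _, cert, _ = read_tlv(der, 0)  # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, signature }
    _, tbs, _ = read_tlv(cert, 0)  # TBSCertificate ::= SEQUENCE
    tag, _, pos = read_tlv(tbs, 0)  # [0] EXPLICIT version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = read_tlv(tbs, pos)  # serialNumber
    _, _, pos = read_tlv(tbs, pos)  # signature AlgorithmIdentifier
    start = pos
    _, _, pos = read_tlv(tbs, pos)  # issuer Name
    issuer = tbs[start:pos]
    _, _, pos = read_tlv(tbs, pos)  # validity
    start = pos
    _, _, pos = read_tlv(tbs, pos)  # subject Name
    return issuer, tbs[start:pos]


def common_name(name_der):
    """Pull the CN out of a DER Name, for readable messages only."""
    _, rdns, _ = read_tlv(name_der, 0)  # Name ::= SEQUENCE OF RelativeDistinguishedName
    pos = 0
    while pos < len(rdns):
        _, rdn, pos = read_tlv(rdns, pos)  # RDN ::= SET OF AttributeTypeAndValue
        _, ava, _ = read_tlv(rdn, 0)  # AttributeTypeAndValue ::= SEQUENCE { type, value }
        if ava.startswith(OID_COMMON_NAME):
            _, value, _ = read_tlv(ava, len(OID_COMMON_NAME))
            return value.decode("utf-8", "replace")
    return "<no CN>"


def check_bundle(leaf_pem, bundle_pem):
    """Return (ok, message); ok is True when some bundle certificate's Subject equals the leaf's Issuer.
    Names are compared byte-for-byte on the DER, which Let's Encrypt chains satisfy (OpenSSL also
    normalises names, so this is slightly stricter than `openssl verify -CAfile`)."""
    leaf_issuer, leaf_subject = issuer_and_subject(pem_to_der(leaf_pem)[0])
    for der in pem_to_der(bundle_pem):
        _, subject = issuer_and_subject(der)
        if subject == leaf_issuer:
            return True, f"{common_name(leaf_subject)} is issued by {common_name(subject)}, present in bundle"
    return False, (f"bundle lacks the issuer of {common_name(leaf_subject)} ({common_name(leaf_issuer)}): "
                   "unable to get local issuer certificate")


# --- constructed sample certificates for the demo: unsigned placeholders, not real certificates ---
def _tlv(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    n = (len(body).bit_length() + 7) // 8
    return bytes([tag, 0x80 | n]) + len(body).to_bytes(n, "big") + body


def _name(cn):
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, OID_COMMON_NAME + _tlv(0x0C, cn.encode()))))


def make_cert(subject_cn, issuer_cn):
    """Build a structurally valid but unsigned certificate whose only meaningful fields are the names."""
    tbs = _tlv(0x30, b"".join([
        _tlv(0xA0, _tlv(0x02, b"\x02")),  # [0] version v3
        _tlv(0x02, b"\x01"),  # serialNumber
        SHA256_RSA,  # signature algorithm
        _name(issuer_cn),  # issuer
        _tlv(0x30, _tlv(0x17, b"160515162700Z") + _tlv(0x17, b"160813162700Z")),  # validity
        _name(subject_cn),  # subject
        _tlv(0x30, b""),  # subjectPublicKeyInfo placeholder
    ]))
    der = _tlv(0x30, tbs + SHA256_RSA + _tlv(0x03, b"\x00"))  # empty BIT STRING instead of a signature
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    leaf = make_cert("www.example.com", "Example Intermediate X3")
    print(check_bundle(leaf, make_cert("Example Intermediate X3", "Example Root")))  # what chain.pem holds
    print(check_bundle(leaf, make_cert("Some Other Intermediate", "Example Root")))  # a stale bundle.txt
```

On a real server, pass the contents of /etc/letsencrypt/live/<domain>/cert.pem and of whatever file the installer sends as cab/cabundle; a False result is the same mismatch cPanel reports as "error 20 at 0 depth lookup".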


#3

Once you have put the certs into cPanel the first time, have a look in /etc/httpd/conf/httpd.conf for the location of the SSL cert files (for the generic webmail, cPanel etc. services it’s /var/cpanel/ssl/cpanel/mycpanel.pem).

You can then simply update these files when you renew your certificates, and don’t need your root password.


#4

I use this messy script to copy the certs :)

#!/bin/sh
# Copy the current Let's Encrypt files over the ones cPanel's services read, keeping a backup in /root/ssl.
# cert.pem is the leaf certificate only; the intermediate lives in chain.pem (fullchain.pem has both).
set -e
HOSTNAME=${HOSTNAME:-$(hostname)}    # not always set in a cron environment
LE=/etc/letsencrypt/live/$HOSTNAME
mkdir -p /root/ssl

# cPanel / WHM / webmail: key and certificate concatenated into one PEM file
\cp -f /var/cpanel/ssl/cpanel/* /root/ssl/
/bin/cat "$LE/privkey.pem" "$LE/cert.pem" > /var/cpanel/ssl/cpanel/cpanel.pem
/bin/chown cpanel:cpanel /var/cpanel/ssl/cpanel/cpanel.pem
/sbin/service cpanel restart

# exim: separate key and certificate files
\cp -f /var/cpanel/ssl/exim/* /root/ssl/
/bin/cat "$LE/privkey.pem" > /var/cpanel/ssl/exim/exim.key
/bin/cat "$LE/cert.pem" > /var/cpanel/ssl/exim/exim.crt
/bin/chown mailnull:mail /var/cpanel/ssl/exim/exim.*
/sbin/service exim restart

# FTP: separate files plus a combined one for pure-ftpd
\cp -f /var/cpanel/ssl/ftp/* /root/ssl/
/bin/cat "$LE/privkey.pem" > /var/cpanel/ssl/ftp/ftpd-rsa-key.pem
/bin/cat "$LE/cert.pem" > /var/cpanel/ssl/ftp/ftpd-rsa.pem
/bin/cat "$LE/privkey.pem" "$LE/cert.pem" > /var/cpanel/ssl/ftp/pure-ftpd.pem
/bin/chown root:wheel /var/cpanel/ssl/ftp/*
/sbin/service pure-ftpd restart

# dovecot: separate key and certificate files
\cp -f /var/cpanel/ssl/dovecot/* /root/ssl/
/bin/cat "$LE/privkey.pem" > /var/cpanel/ssl/dovecot/dovecot.key
/bin/cat "$LE/cert.pem" > /var/cpanel/ssl/dovecot/dovecot.crt
/bin/chown root:wheel /var/cpanel/ssl/dovecot/dovecot.*
/sbin/service dovecot restart


#5

Thanks! This is the script I use to “install” the SSL certs in cPanel for the various sub-domains. With your method, do they show up in WHM or no?

#!/usr/local/cpanel/3rdparty/bin/perl

use strict;
use warnings;
use LWP::UserAgent;
use LWP::Protocol::https;
use MIME::Base64;
use IO::Socket::SSL;

# WHM credentials, sent as HTTP Basic auth to WHM on the loopback interface.
# A WHM API token (header "Authorization: whm root:TOKEN") would avoid keeping the root password here.
my $user = 'root';
my $pass = 'my_root_password';

# The empty end-of-line argument keeps MIME::Base64 from appending a newline to the header value.
my $auth = "Basic " . MIME::Base64::encode( "$user:$pass", "" );

# WHM on 127.0.0.1:2087 presents its own certificate, so verification is turned off for this local call.
my $ua = LWP::UserAgent->new(
    ssl_opts => { verify_hostname => 0, SSL_verify_mode => SSL_VERIFY_NONE, SSL_use_cert => 0 },
);

my $dom = shift @ARGV or die "usage: $0 domain\n";

# Read a whole file into one string.
sub slurp {
    my ($path) = @_;
    open( my $fh, '<', $path ) or die "cannot open file $path: $!";
    local $/;
    my $data = <$fh>;
    close($fh);
    return $data;
}

my $cert = slurp("/etc/letsencrypt/live/$dom/cert.pem");
my $key  = slurp("/etc/letsencrypt/live/$dom/privkey.pem");
my $ca   = slurp("/etc/letsencrypt/live/$dom/chain.pem");    # the intermediate that issued cert.pem

# Call a WHM API 1 function with the parameters form-encoded in the POST body,
# so the private key does not travel in the URL (and into the WHM access log).
sub whm_post {
    my ( $function, %params ) = @_;
    my $response = $ua->post(
        "https://127.0.0.1:2087/json-api/$function",
        Authorization => $auth,
        Content       => { 'api.version' => 1, %params },
    );
    print $response->content, "\n";
}

# Install the SSL cert for the domain
print "Attempting to install the SSL certificate to WHM...\n";
whm_post( 'installssl', domain => $dom, crt => $cert, key => $key, cab => $ca );

# Install the SSL certificate for each service.
#  NOTE: They removed the Courier mail server in cPanel & WHM version 54.
#  The Courier mail server only exists for cPanel & WHM version 11.52 and earlier.
#  On a cPanel & WHM version 54 server the courier call just returns:
#    courier is not a known service.
#  which does no harm.
for my $service (qw(ftp exim dovecot cpanel courier)) {
    print "\n\nAttempting to install the SSL certificate for the $service service...\n";
    whm_post( 'install_service_ssl_certificate', service => $service, crt => $cert, cabundle => $ca, key => $key );
}

system("service cpanel restart");

It looks nicer in real life. I just lose the formatting when I post for some reason. I can’t figure out how to get it to keep the formatting (the new lines, extra spaces / indents, etc). I borrowed and modified the script from the people over at the cPanel forums.

I just call the script daily from a cron tab entry, like install_ssl.pl mydomain.com


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.