Free SSL: How to Install Let’s Encrypt on cPanel – CentOS Servers

Anyone who has gone through the trouble of setting up a secure website knows what a hassle getting and maintaining a certificate can be. Let’s Encrypt automates away the pain and lets site operators turn on and manage HTTPS, with free SSL certificates, using simple commands.

No validation emails, no complicated configuration editing, no expired certificates breaking your website. And of course, because Let’s Encrypt provides certificates for free, no need to arrange payment.

Let’s Encrypt is in public beta and already in high demand. This service is a new certificate authority that allows you to generate your own signed certificates in an effort to improve security.

Unfortunately, cPanel does not currently have a plugin or automatic means of installing SSL certificates from Let’s Encrypt. There is a feature request for this functionality, so it is possible this may be brought to the product in the future.

The following will show you how to install the Let’s Encrypt client and how to generate and install SSL certificates from Let’s Encrypt via the WHM API.

Installing the Let’s Encrypt Client on CentOS 6.x
Please note: The Let’s Encrypt client requires / prefers Python 2.7, so we will install Python 2.7 alongside Python 2.6. Don’t worry, it won’t break anything.

rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
rpm -ivh https://rhel6.iuscommunity.org/ius-release.rpm
yum -y install git python27 python27-devel python27-pip python27-setuptools python27-virtualenv --enablerepo=ius
cd /root
git clone https://github.com/letsencrypt/letsencrypt
cd /root/letsencrypt
sed -i "s|--python python2|--python python2.7|" letsencrypt-auto
./letsencrypt-auto --verbose

Installing the Let’s Encrypt Client on CentOS 7.x

yum -y install git
cd /root
git clone https://github.com/letsencrypt/letsencrypt
cd /root/letsencrypt
./letsencrypt-auto --verbose

Generate an SSL
You will be required to enter your email and accept their license agreement. I would recommend using the server admin’s email. Also make sure you replace “cPanelUser” with your actual username. This is required to allow the Let’s Encrypt client to create the auth files for the domain and be able to access them during the authorization. Please note that if you are installing a certificate for a subdomain or addon domain that points to another path, you must set the path to that of the subdomain or addon domain.

cd /root/letsencrypt
./letsencrypt-auto --text --agree-tos --email email@domain.com certonly --renew-by-default --webroot --webroot-path /home/cPanelUser/public_html/ -d domain.com -d www.domain.com

For all subsequent runs use the following, as there is no need to re-provide your email or re-agree to the TOS.
cd /root/.local/share/letsencrypt/bin/
./letsencrypt --text certonly --renew-by-default --webroot --webroot-path /home/cPanelUser/public_html/ -d domain.com -d www.domain.com

Because the --renew-by-default option is set, you can run this command from cron every 60 days (recommended), or say every 85 days, so that the certificate does not expire before you are sure the new certs have been retrieved. Then all you need to do is run the install script below again to install the updated certificate in cPanel.

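# Runs at 00:00 on the 1st of every second month (roughly every 60 days). A day-of-month step of */60 would only ever match day 1, so it would run monthly.
0 0 1 */2 * /root/.local/share/letsencrypt/bin/letsencrypt --text certonly --renew-by-default --webroot --webroot-path /home/cPanelUser/public_html/ -d domain.com -d www.domain.com; /root/installssl.pl domain.com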

You can also generate a free SSL certificate via Get HTTPS for free!, although additional steps are required.

Script to automatically install the SSLs you generated
This script will be used to install the SSL certificates you generated to cPanel/WHM via the API. Please note the following things.

1. You must replace "rootpass" with your actual root password.
2. The CA Bundle is not by default in the location below. It is generally saved to /etc/letsencrypt/live/domain.com/fullchain.pem, where it is the second cert in the file. I have included the CA Bundle below the script so you can create this.

#!/usr/local/cpanel/3rdparty/bin/perl

use strict;
use warnings;
use LWP::UserAgent;
use LWP::Protocol::https;
use HTTP::Request;
use MIME::Base64;
use IO::Socket::SSL;
use URI::Escape;

# WHM credentials. This file holds the root password, so keep it owned by
# root and not readable by other users.
my $user = "root";
my $pass = "rootpass";

# The second argument "" stops encode_base64 from appending a newline,
# which does not belong in the Authorization header.
my $auth = "Basic " . encode_base64( $user . ":" . $pass, "" );

# Certificate verification is disabled because the request goes to WHM on
# 127.0.0.1, where the service certificate is not expected to match.
# Keep these options for loopback use only.
my $ua = LWP::UserAgent->new(
    ssl_opts   => { verify_hostname => 0, SSL_verify_mode => SSL_VERIFY_NONE, SSL_use_cert => 0 },
);

# Main domain of the certificate, passed as the first argument.
my $dom = $ARGV[0] or die "usage: $0 domain.com\n";

my $certfile = "/etc/letsencrypt/live/$dom/cert.pem";
my $keyfile  = "/etc/letsencrypt/live/$dom/privkey.pem";
my $cafile   = "/etc/letsencrypt/live/bundle.txt";

# Read a whole file into a string.
sub slurp {
    my ($file) = @_;
    open( my $fh, '<', $file ) or die "cannot open file $file: $!";
    local $/;
    my $data = <$fh>;
    close($fh);
    return $data;
}

my $cert = uri_escape( slurp($certfile) );
my $key  = uri_escape( slurp($keyfile) );
my $ca   = uri_escape( slurp($cafile) );

# Install the certificate, key and CA bundle through the WHM API.
my $request = HTTP::Request->new( POST => "https://127.0.0.1:2087/json-api/installssl?api.version=1&domain=$dom&crt=$cert&key=$key&cab=$ca" );
$request->header( Authorization => $auth );
my $response = $ua->request($request);
print $response->content;

Add the Let's Encrypt CA Bundle
Since Let's Encrypt doesn't add the CA Bundle separately, you need to create this file for the above script to work.
vi /etc/letsencrypt/live/bundle.txt
When editing that file, paste in the CA Bundle certificate, from its -----BEGIN CERTIFICATE----- line to its -----END CERTIFICATE----- line, and save.
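
Since the notes above say the CA Bundle is the second cert in fullchain.pem, bundle.txt can be generated from that file rather than pasted by hand. The following is an added example, not part of the original article; the function names extract_chain and count_certs are made up here, and it goes slightly further than the text by keeping every certificate after the first, in case the chain holds more than one.

```sh
#!/bin/sh
# Added example: derive bundle.txt from fullchain.pem instead of pasting it.

# extract_chain FULLCHAIN OUT
# Copies every PEM certificate after the first one (the domain's own cert)
# into OUT. Fails, leaving OUT untouched, if FULLCHAIN has fewer than two
# certificates or ends in the middle of one.
extract_chain() {
    fullchain=$1
    out=$2
    tmp=$(mktemp "$out.XXXXXX") || return 1
    if awk '
        /^-----BEGIN CERTIFICATE-----/ { n++; inblock = 1 }
        inblock && n >= 2              { print }
        /^-----END CERTIFICATE-----/   { inblock = 0 }
        END { if (n < 2 || inblock) exit 1 }
    ' "$fullchain" > "$tmp"; then
        chmod 644 "$tmp" && mv "$tmp" "$out"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Number of certificates in a PEM file.
count_certs() { grep -c '^-----BEGIN CERTIFICATE-----' "$1"; }

# Constructed sample: placeholder bodies, not real certificates.
demo() {
    dir=$(mktemp -d) || return 1
    for body in LEAF-PLACEHOLDER CA1-PLACEHOLDER CA2-PLACEHOLDER; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' "$body" \
            '-----END CERTIFICATE-----'
    done > "$dir/fullchain.pem"
    extract_chain "$dir/fullchain.pem" "$dir/bundle.txt" &&
        count_certs "$dir/bundle.txt"
    rm -rf "$dir"
}

# With two arguments, do the real extraction; otherwise run the sample.
if [ "$#" -eq 2 ]; then
    extract_chain "$1" "$2"
else
    demo
fi
```

Saved under an assumed name such as make-bundle.sh, it is run as: sh make-bundle.sh /etc/letsencrypt/live/domain.com/fullchain.pem /etc/letsencrypt/live/bundle.txt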

Running the script
First make the script executable. Then run the script with the main domain of the certificate generated from Let's Encrypt.
chmod +x installssl.pl
./installssl.pl domain.com

There you go: you are all set and ready to generate and install SSL certificates from Let’s Encrypt automatically via the command line.
