Generate or Renew CPanel/WHM SSL Certificates

Symptoms:-
1. When connecting to any cPanel/WHM SSL-enabled service (cPanel, WHM, webmail, SMTP, POP, IMAP, etc.), you get an invalid-certificate warning and have to bypass it manually or add an exception in order to proceed.
or
2. Cron mails from the server include warnings such as: "The SSL (Secure Sockets Layer) certificate ..... will expire in less than 30 days."

Solution:-
All managed servers currently use free SSL certificates provided by letsencrypt.org, which require renewal every 3-4 months. To generate and/or renew:-

1. SSH to the server.

2. Run vim /etc/crontab, then copy and paste the letsencrypt command as follows:-
/root/.local/share/letsencrypt/bin/letsencrypt --text certonly --renew-by-default --webroot --webroot-path /usr/local/apache/htdocs/ -d server-hostname-fqdn
(server-hostname-fqdn is the full hostname including the domain, e.g. sv1.shoppingnsales.com, or just shoppingnsales.com, depending on how the admin/customer normally accesses cPanel, WHM, webmail, SMTP, POP, IMAP, etc.)

3. The output should look like this:-
 
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/server-hostname-fqdn/fullchain.pem. Your
   cert will expire on 2016-07-31. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
 - If you like Let's Encrypt, please consider supporting our work by:
 
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

4. Ensure the certificate files have been updated:-
cd /etc/letsencrypt/live/server-hostname-fqdn
ls -l 
lrwxrwxrwx 1 root root   48 May  3 06:29 cert.pem -> ../../archive/server-hostname-fqdn/cert4.pem
lrwxrwxrwx 1 root root   49 May  3 06:29 chain.pem -> ../../archive/server-hostname-fqdn/chain4.pem
lrwxrwxrwx 1 root root   53 May  3 06:29 fullchain.pem -> ../../archive/server-hostname-fqdn/fullchain4.pem
lrwxrwxrwx 1 root root   51 May  3 06:29 privkey.pem -> ../../archive/server-hostname-fqdn/privkey4.pem
(Most importantly, each file's last-modified date must be today's date.)

5. Go to the server's WHM --> Manage Service SSL Certificates
Tick each of these options:-
 Calendar, cPanel, WebDisk, Webmail, and WHM Services 
 Dovecot Mail Server 
 Exim (SMTP) Server 
 FTP Server 
- Copy and paste the following file contents (from the "BEGIN" line to the "END" line) into the corresponding fields:-
cert.pem --> Certificate
privkey.pem --> Private Key
chain.pem --> Certificate Authority Bundle
- Click "Install".

6. After the installation completes and you are offered "Restart cpsrvd", click "Proceed".

7. Log in to WHM again: https://server-hostname-fqdn:2087
- Verify there are no more warnings.
- Padlock in URL should be green. Click on it and view certificate details. Verify that the certificate expires 3-4 months from now.
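
The browser check in step 7 only covers WHM. The following is an added example (not part of the original article) that performs a validated TLS handshake against each service the certificate was installed for and reports the expiry date, using the same 30-day threshold as the cron warning. The port numbers other than 2087 are assumed cPanel defaults and the function names are illustrative.

```python
import socket
import ssl
import sys
import time

# Assumed cPanel/WHM default implicit-TLS ports; adjust to the server's setup.
# FTP is not covered: it typically upgrades to TLS with AUTH TLS on port 21
# rather than starting with a TLS handshake.
SERVICES = {
    "cPanel": 2083, "WHM": 2087, "Webmail": 2096, "WebDisk": 2078,
    "Dovecot IMAPS": 993, "Dovecot POP3S": 995, "Exim SMTPS": 465,
}
WARN_DAYS = 30  # same threshold as the cron warning quoted in the symptoms


def days_left(not_after, now=None):
    """Whole days until a notAfter string in the format getpeercert() returns."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def verdict(days):
    """Map remaining validity to the action required."""
    if days < 0:
        return "EXPIRED"
    return "RENEW" if days < WARN_DAYS else "OK"


def check_service(host, port, timeout=5.0):
    """Handshake with chain and hostname validation; return (status, detail)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # This is the "invalid certificate" warning from symptom 1.
        return "INVALID", exc.verify_message
    except OSError as exc:
        return "ERROR", str(exc)
    days = days_left(not_after)
    return verdict(days), "expires %s (%d days left)" % (not_after, days)


if __name__ == "__main__" and len(sys.argv) == 2:
    for name, port in SERVICES.items():
        status, detail = check_service(sys.argv[1], port)
        print("%-14s %5d  %-8s %s" % (name, port, status, detail))
```

Run it with the same name used for -d in step 2 as the only argument; any service that still reports INVALID or RENEW is still serving the old certificate.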
