Looks great! Thank you so much for writing this up.

 

I changed the 2082 (insecure) links to port 2083 (secure) because it's silly to not use an SSL connection to cPanel to set up SSL on your website. Also, if you could add links to Johnny (johnny.heliohost.org:2083) for the people who aren't on Tommy. The instructions will be the same for either server. At the end you link to .htaccess instructions to redirect http:// connections to https://. You could just create a new page on the HelioHost wiki instead of sending people off to another site.


Cheers for the port change, a bit of a slip up on my part. Just like putting SSH in the title of this thread instead of SSL... <_<

 

I'm happy to add the Johnny links, but I was under the impression that SNI is only supported on Tommy - would this SSL process work for Johnny users in the first place?


I was really looking forward to using Let's Encrypt on Tommy. So, there is currently no possibility of automatically renewing the cert and installing it?

 

I saw that there's a Let's Encrypt plugin for cPanel in version 58.0.17, which is probably an infinitely easier solution. Any idea when that upgrade will happen?

 

https://documentation.cpanel.net/display/CKB/The+Let's+Encrypt+Plugin

 

Thanks


That is a WHM plugin, not a cPanel plugin, and the way it works is that every single site created on a server gets a certificate whether they want it or not. This works great for most hosting, but HelioHost creates more accounts per day than the people who create cPanel recommend you have in total on a server. The problem with this plugin is that we would hit Let's Encrypt's extremely low limits constantly, and the plugin wouldn't work most of the time. It would also likely prevent people from manually installing Let's Encrypt certificates, since the rate limit would constantly be exceeded. Not everyone needs or wants SSL on their site. What would work better for us is a cPanel plugin (not a WHM plugin) that would allow users to easily set up and renew a Let's Encrypt certificate if they want it. Unless you can find something like that, we'll probably just have to write it ourselves.


Oh, I see. I had no idea.

 

I did some research but didn't find anything like what you were describing, a Let's Encrypt plugin that doesn't require WHM (only mildly confusing...), and I don't have any experience with writing plugins for cPanel. Calling the Let's Encrypt script itself and checking for successful output shouldn't be too hard, though.

 

Let's Encrypt doesn't issue wildcard certs, but it's possible to give their issuing script a list of all domains/subdomains of everyone wanting to opt in to Let's Encrypt. That would overcome the rate limit, and also avoid the issue of not everyone wanting to enable SSL for their site (although I don't understand that one). So, the cPanel frontend could have an opt-in checkbox with a note about how long it will take for changes to go into effect, and a script in the background could be run on cron to automatically renew the cert for everyone. But then, everyone could see everyone else's domain name because they're all on the same cert.

 

[EDITED]

 

Researching further, there's also a limit of 100 domains per cert. It looks like the proper solution is to get added to the "public suffix list", basically a list of all shared hosting providers, by submitting a pull request on GitHub using the second link here. This nullifies the 20/week rate limit, aka "Certificates per Registered Domain".

 

https://letsencrypt.org/docs/rate-limits/

https://publicsuffix.org/

 

Meanwhile, I've simply got my own .com added to my Heliohost site, so the rate limit isn't posing a problem for me. The problem part is the automatic renewal.

Edited by jesse

I noticed the ~/ssl folder is exposed for us to upload into. Is there any documentation for that? Can we re-generate certs locally then upload the new files to that folder, without doing anything in cpanel? Or what is the procedure? Thanks.


As it currently stands, there's no official way to automate it. cPanel does have an API, but I don't believe we're able to use it because, when I last looked into it, it required WHM access to get the required session tokens. Any documentation on that SSL folder would be on cPanel's site or a third-party forum that researched it, if it exists.


I couldn't find any documentation on the folder, although it's very hard to search for. I tried making a script to automatically do it:

 

  1. I initially used the cPanel UI to install the key and cert. This made 2 files in the ~/ssl/key and ~/ssl/cert folders with unique/hashed filenames. It also added entries to ~/ssl/ssl.db, which is just a plain text file (not sqlite or anything like that).
  2. I created a script to generate new key and cert files, simulating a renewal. It uploads those new files into the respective folders, using the same filenames that were generated by cPanel for the previous files.
  3. Unfortunately, the changes did not automatically take effect; the old files were still in use.
  4. Went to cPanel -> "SSL/TLS" -> "Update Certificate" -> "Autofill by Domain". Magically, the new cert appeared, but not the new key!! (I have no idea on that one.)
  5. However, if you go to "SSL/TLS" -> "Manage SSL" -> "Private Keys" -> "Edit" existing, the new key is already showing. I just don't know why the autofill doesn't pick it up. But you can copy the encoded key from that page and paste it into the autofill page, and it works.

 

That process really sucks. My conclusion is that if the cPanel/WHM/whatever API is unavailable, then a custom script would need to be written to bypass/not use the whole ~/ssl folder and therefore the cPanel "SSL/TLS" module. The script invokes certbot, which automatically applies the SSL changes to Apache. Users could opt in to that and just be forewarned that SSL won't be manageable under the cPanel module from that point forward. The questionable part (to me) is getting the list of domains to apply Let's Encrypt SSL to.

 

The only other possibility that I can think of is to automatically update ~/ssl/ssl.db with each renewal and see if cPanel likes that any better, but I'm betting cPanel is copying the key and cert elsewhere, similar to how certbot would, in order to make them active, in which case updating ssl.db would not help.

 

So testing and setup would go something like:

  1. (Easy) Add heliohost.org to https://publicsuffix.org/
  2. (Easy) Install certbot following the official directions
  3. (Hard?) Maintain a list of domains for Let's Encrypt SSL. Get the list via a script somehow.
  4. (Easy) When someone opts in, pass the new domain to certbot to generate and install the initial cert automatically.
  5. (Easy) Make a renewal script on cron that renews all domains every 80 days, for example.
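The two posts above (the rate-limit discussion of 100 names per cert and 20 certs per registered domain per week, and the five-step setup plan) describe a renewal planner without writing one. The following is an added example, not code from this thread or from HelioHost, that models those constraints: it batches opt-in domains into certificate-sized groups, decides which certificates are due under an 80-day cadence, counts planned issuances per registered domain so an operator can see whether the weekly limit would be hit with and without heliohost.org on the public suffix list, and builds the corresponding certbot command line. The domains, dates and webroot path are constructed sample data; `certonly`, `--webroot`, `-w`, `--cert-name`, `--expand` and `-d` are real certbot options, while the tiny public-suffix set is an assumption standing in for the real list.

```python
"""Renewal planner for opt-in Let's Encrypt certificates on a shared host.

Added example (not from the thread or from HelioHost). It encodes the limits
the thread cites: 100 names per certificate, 20 certificates per registered
domain per week, and a renewal cadence of 80 days (certs are valid for 90).
"""
from datetime import date, timedelta

MAX_NAMES_PER_CERT = 100         # Let's Encrypt: names per certificate
CERTS_PER_DOMAIN_PER_WEEK = 20   # Let's Encrypt: certificates per registered domain
RENEW_AFTER_DAYS = 80            # renew well before the 90-day validity ends


def batch_domains(domains, size=MAX_NAMES_PER_CERT):
    """Split an opt-in list into de-duplicated, sorted batches of at most `size` names."""
    ordered = sorted({d.strip().lower() for d in domains if d.strip()})
    return [ordered[i:i + size] for i in range(0, len(ordered), size)]


def needs_renewal(issued_on, today, renew_after=RENEW_AFTER_DAYS):
    """True once a certificate issued on `issued_on` is at least `renew_after` days old."""
    return (today - issued_on).days >= renew_after


def registered_domain(name, public_suffixes):
    """Return the registrable domain: one label above the longest matching public suffix.

    `public_suffixes` is an assumed, constructed stand-in for the real list.
    With 'heliohost.org' listed, 'www.site1.heliohost.org' -> 'site1.heliohost.org';
    without it, the same name -> 'heliohost.org'.
    """
    labels = name.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in public_suffixes:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def plan_issuance(certs, today, public_suffixes, weekly_limit=CERTS_PER_DOMAIN_PER_WEEK):
    """certs: list of (cert_name, [names], issued_on).

    Returns (due_cert_names, over_limit_registered_domains). A certificate counts
    once against every registered domain that appears among its names, which is
    how the 'certificates per registered domain' limit is applied.
    """
    due = [c for c in certs if needs_renewal(c[2], today)]
    per_registered = {}
    for _, names, _ in due:
        for reg in {registered_domain(n, public_suffixes) for n in names}:
            per_registered[reg] = per_registered.get(reg, 0) + 1
    over = sorted(r for r, n in per_registered.items() if n > weekly_limit)
    return [c[0] for c in due], over


def certbot_command(cert_name, names, webroot="/home/user/public_html"):
    """Build the certbot invocation for one batch (webroot challenge; path is a placeholder)."""
    cmd = ["certbot", "certonly", "--webroot", "-w", webroot,
           "--cert-name", cert_name, "--expand"]
    for n in names:
        cmd += ["-d", n]
    return cmd


def sample_plan(public_suffixes, today=date(2016, 9, 1)):
    """Constructed scenario: 25 opt-in accounts, one cert each, all issued 85 days ago."""
    issued = today - timedelta(days=85)
    certs = [(f"site{i}", [f"site{i}.heliohost.org", f"www.site{i}.heliohost.org"], issued)
             for i in range(1, 26)]
    return plan_issuance(certs, today, public_suffixes)


if __name__ == "__main__":
    for label, psl in (("heliohost.org NOT on PSL", {"org"}),
                       ("heliohost.org on PSL", {"org", "heliohost.org"})):
        due, over = sample_plan(psl)
        print(f"{label}: {len(due)} certs due, over weekly limit: {over or 'none'}")
    print(" ".join(certbot_command("site1", ["site1.heliohost.org", "www.site1.heliohost.org"])))
```

Run as-is it shows the point of step 1 of the plan: with 25 accounts due in the same week and heliohost.org not on the public suffix list, every certificate counts against the single registered domain heliohost.org and the 20-per-week limit is exceeded; once heliohost.org is listed, each account is its own registered domain and no limit is hit. The planner only decides and prints; issuing the certificates is left to certbot.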