Install Let’s Encrypt on your cPanel

There are two methods to install Let’s Encrypt on cPanel for issuing free SSL certificates to your clients. One is the manual way described by cPanel, and the other is through a plugin. Let’s go with the plugin first.

Install Let’s Encrypt Through Plugin for cPanel (Preferred One)

Go to admin-ahead.com and click on get free. Register and get the free license.

After registering, follow the steps below, as given in their knowledge base.

Install Let’s Encrypt cPanel Plugin v1.0

* Log in to your remote cPanel server via SSH. Change to the installation directory.

* Download installer to your server

# wget http://rep0.admin-ahead.com/sources/aast-letsencrypt/aast-letsencrypt-installer.sh

* Set execution permission

# chmod +x aast-letsencrypt-installer.sh

* Run the installer and follow onscreen instructions

# ./aast-letsencrypt-installer.sh

Setup License

* Log in to your client area ( https://admin-ahead.com/portal/clientarea.php )

* Find the product and get the license key

* Log in to your WHM ( https://<your_server_ip>:2087/ )

* Navigate to plugin section and click on Let’s Encrypt CPanel Plugin v1.0

* Enter your license key and submit

Features (V1.0)

One Click free SSL retrieval and installation.
Automatic renewal of SSL certificates before they expire.
Easy and intuitive user interface.

Install Let’s Encrypt Manually on Your Server For cPanel

The following article has been copied from cPanel’s official forum.

The following will show you how to install the Let’s Encrypt client and how to generate and install SSL certificates from Let’s Encrypt via the WHM API.

Installing the Let’s Encrypt Client on CentOS 6.x

Please note: The Let’s Encrypt client requires / prefers Python 2.7, so we will install Python 2.7 alongside Python 2.6. Don’t worry, it won’t break anything.

rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
rpm -ivh https://rhel6.iuscommunity.org/ius-release.rpm
yum -y install git python27 python27-devel python27-pip python27-setuptools python27-virtualenv --enablerepo=ius
cd /root
git clone https://github.com/letsencrypt/letsencrypt
cd /root/letsencrypt
sed -i "s|--python python2|--python python2.7|" letsencrypt-auto
./letsencrypt-auto --verbose

Installing the Let’s Encrypt Client on CentOS 7.x

yum -y install git
cd /root
git clone https://github.com/letsencrypt/letsencrypt
cd /root/letsencrypt
./letsencrypt-auto --verbose

Generate an SSL

You will be required to enter your email and accept their license agreement. I would recommend using the server admin’s email. Also make sure you replace “cPanelUser” with your actual username. This is required so that the Let’s Encrypt client can create the auth files for the domain and access them during the authorization. Please note: if you are installing a subdomain or addon domain that points to another path, set the webroot path to the path of that subdomain or addon domain.


cd /root/letsencrypt
./letsencrypt-auto --text --agree-tos --email email@domain.com certonly --renew-by-default --webroot --webroot-path /home/cPanelUser/public_html/ -d domain.com -d www.domain.com

For all subsequent runs use the following, as there is no need to re-provide your email or re-agree to the TOS.


cd /root/.local/share/letsencrypt/bin/
./letsencrypt --text certonly --renew-by-default --webroot --webroot-path /home/cPanelUser/public_html/ -d domain.com -d www.domain.com

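By adding the --renew-by-default option, you can put this command in a cron job that runs every 60 (recommended) or, say, 85 days, so the certificate does not expire before you are sure the new certs have been retrieved. Then all you need to do is run the install script below again to install the updated certificate to cPanel. Cron’s day-of-month field only covers 1-31, so a step of */60 in that field fires on the 1st of every month rather than every 60 days; the entry below runs at midnight on the 1st of every second month (roughly every 60 days) and runs the install script only if the renewal succeeded.

0 0 1 */2 * /root/.local/share/letsencrypt/bin/letsencrypt --text certonly --renew-by-default --webroot --webroot-path /home/cPanelUser/public_html/ -d domain.com -d www.domain.com && /root/installssl.pl domain.com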

You can also generate an SSL certificate via Get HTTPS for free!; however, there are additional steps that are required.

Script to automatically install the SSLs you generated
This script will be used to install the SSLs you generated to cPanel/WHM via the API. Please note the following things.
1. You must replace “rootpass” with your actual root password.
2. The CA Bundle is not by default in the location used below; it is generally saved to /etc/letsencrypt/live/domain.com/fullchain.pem and is the second cert in the file. I have included the CA Bundle below the script so you can create this.

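#!/usr/local/cpanel/3rdparty/bin/perl

use strict;
use warnings;
use LWP::UserAgent;
use LWP::Protocol::https;
use HTTP::Request;
use MIME::Base64;
use IO::Socket::SSL;
use URI::Escape;

# WHM credentials. Replace "rootpass" with your actual root password.
# The password is stored in this file, so restrict the file to root (chmod 700).
my $user = "root";
my $pass = "rootpass";

# The empty second argument stops encode_base64 from appending a newline,
# which would otherwise end up inside the Authorization header.
my $auth = "Basic " . MIME::Base64::encode_base64( $user . ":" . $pass, "" );

# Certificate verification is switched off for the local WHM endpoint (127.0.0.1).
my $ua = LWP::UserAgent->new(
    ssl_opts => { verify_hostname => 0, SSL_verify_mode => SSL_VERIFY_NONE, SSL_use_cert => 0 },
);

# Main domain of the certificate, given as the first argument.
my $dom = $ARGV[0] or die "usage: $0 domain.com\n";

my $certfile = "/etc/letsencrypt/live/$dom/cert.pem";
my $keyfile  = "/etc/letsencrypt/live/$dom/privkey.pem";
my $cafile   = "/etc/letsencrypt/live/bundle.txt";

my $certdata;
my $keydata;
my $cadata;

# Read each file in one go (local $/ turns off line-by-line reading).
open(my $certfh, '<', $certfile) or die "cannot open file $certfile";
{
    local $/;
    $certdata = <$certfh>;
}
close($certfh);

open(my $keyfh, '<', $keyfile) or die "cannot open file $keyfile";
{
    local $/;
    $keydata = <$keyfh>;
}
close($keyfh);

open(my $cafh, '<', $cafile) or die "cannot open file $cafile";
{
    local $/;
    $cadata = <$cafh>;
}
close($cafh);

# URL-encode the PEM data so it can be passed as request parameters.
my $cert = uri_escape($certdata);
my $key  = uri_escape($keydata);
my $ca   = uri_escape($cadata);

# Call the WHM installssl API and print its JSON response.
my $request = HTTP::Request->new( POST => "https://127.0.0.1:2087/json-api/installssl?api.version=1&domain=$dom&crt=$cert&key=$key&cab=$ca" );
$request->header( Authorization => $auth );
my $response = $ua->request($request);
print $response->content;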

Add the Let’s Encrypt CA Bundle
Since Let’s Encrypt doesn’t add the CA Bundle separately, you need to create this file for the above script to work.

vi /etc/letsencrypt/live/bundle.txt

When editing that file, set the following and save:

-----BEGIN CERTIFICATE-----
[certificate body not preserved in this copy of the page]
-----END CERTIFICATE-----
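
As noted above, the CA bundle is the second cert in fullchain.pem, so bundle.txt can be derived from that file instead of being pasted by hand. The shell functions below are an added example and are not part of the original forum post; the function names and the script name are hypothetical, and the paths are the ones used on this page.

```shell
#!/bin/sh
# Added example: build the CA bundle from fullchain.pem (leaf first, chain after).
# Function names are hypothetical; paths follow the ones used on this page.

# Print how many PEM certificates FILE contains.
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print every certificate in FILE except the first one (the domain's own cert).
split_chain() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { n++; in_cert = 1 }
        in_cert && n >= 2             { print }
        /-----END CERTIFICATE-----/   { in_cert = 0 }
    ' "$1"
}

# Write the chain from FULLCHAIN to OUT. An existing OUT is left untouched
# when FULLCHAIN is unreadable or holds no chain certificate.
write_bundle() {
    fullchain=$1
    out=$2
    [ -r "$fullchain" ] || { echo "cannot read $fullchain" >&2; return 1; }
    total=$(count_certs "$fullchain")
    if [ "$total" -lt 2 ]; then
        echo "$fullchain holds $total certificate(s), expected leaf plus chain" >&2
        return 1
    fi
    tmp=$(mktemp "$out.XXXXXX") || return 1
    if split_chain "$fullchain" > "$tmp" && [ -s "$tmp" ]; then
        chmod 644 "$tmp" && mv "$tmp" "$out"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Usage: ./makebundle.sh domain.com
if [ $# -ge 1 ]; then
    write_bundle "/etc/letsencrypt/live/$1/fullchain.pem" /etc/letsencrypt/live/bundle.txt
fi
```

Running it before installssl.pl after each renewal keeps bundle.txt in step with the chain that was actually issued with the certificate.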

Running the script

First make the script executable. Then run the script with the main domain of the certificate generated from Let’s Encrypt.

chmod +x installssl.pl
./installssl.pl domain.com

There you go, you are all set and ready to generate and install SSLs from Let’s Encrypt automatically via the command line.
