If you’re using cPanel DNSOnly, you probably know that the AutoSSL feature isn’t available on it. The reason is that a DNSOnly cPanel installation doesn’t run a web server the way the full version does.
To work around this, you can use certbot’s standalone mode to issue a Let’s Encrypt certificate. The command is:
certbot certonly --standalone -d HOSTNAME -n -m CONTACT@EMAIL.EXAMPLE --agree-tos
If the domain resolves to the correct server, certbot will launch its built-in web server and perform verification, and the certificate should then be issued. After that, it is only a matter of installing it via the “Manage Service SSL Certificates” option in WHM.
To automate the whole process, I stumbled upon a neat Python script on cPanel’s feature request page. For archiving purposes, I’ll attach the whole script below as well:
#!/usr/bin/env python3
"""Install a certbot-issued certificate for the cPanel services via whmapi1."""
import re
import sys
from subprocess import call
from urllib.parse import quote

if len(sys.argv) < 2:
    print("The hostname must be specified.")
    sys.exit(1)

hostname = sys.argv[1]
hostname_pattern = re.compile(r"^[a-z0-9.-]+$", re.IGNORECASE)
if not hostname_pattern.match(hostname):
    print("The hostname contains invalid characters.")
    sys.exit(1)

# Read the certificate, private key and CA chain that certbot wrote.
live_dir = "/etc/letsencrypt/live/" + hostname
with open(live_dir + "/cert.pem") as file_cert:
    cert = file_cert.read()
with open(live_dir + "/privkey.pem") as file_privkey:
    privkey = file_privkey.read()
with open(live_dir + "/chain.pem") as file_chain:
    chain = file_chain.read()

# whmapi1 takes URL-encoded key=value arguments.
cert = quote(cert)
privkey = quote(privkey)
chain = quote(chain)

# Install the certificate for the cpanel service, then restart the service.
# Note: the private key is passed as a command-line argument, so it is
# visible in the process list while whmapi1 runs.
call(["/usr/sbin/whmapi1", "install_service_ssl_certificate", "service=cpanel", "crt=" + cert, "key=" + privkey, "cabundle=" + chain])
call(["systemctl", "restart", "cpanel"])
Save the script somewhere on your server, for example:
/usr/local/bin/whmcert.py
Make it executable (by root only):
chmod 0700 /usr/local/bin/whmcert.py
Then install the certificate with it:
/usr/local/bin/whmcert.py HOSTNAME
The reason you may prefer doing this with a script is that renewal can be automated. You can simply add the following entry to your crontab to automate the renewal process:
0 0 * * 1 /usr/bin/certbot renew --quiet --post-hook "/usr/local/bin/whmcert.py HOSTNAME"
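An added example, not part of the archived script or of cPanel's code: certbot runs --post-hook after a renewal attempt, not only after a successful one, so the hook can first check whether cert.pem actually changed before reinstalling it and restarting the service. It also shows a stricter hostname check than the script's character-class pattern. The function names and the state-file location are assumptions.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# One DNS label: letters, digits, hyphens, no leading or trailing hyphen.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
# Assumption: the server hostname is an FQDN, so at least two labels.
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})+", re.IGNORECASE)


def lineage_dir(hostname, live_root="/etc/letsencrypt/live"):
    """Return certbot's live directory for hostname or raise ValueError."""
    # fullmatch() rejects "..", empty labels and a trailing newline, which a
    # character-class pattern anchored with "$" accepts.
    if len(hostname) > 253 or not _HOSTNAME.fullmatch(hostname):
        raise ValueError("invalid hostname: %r" % hostname)
    return Path(live_root) / hostname


def cert_fingerprint(lineage):
    """SHA-256 of cert.pem as stored on disk; changes with every renewal."""
    return hashlib.sha256((Path(lineage) / "cert.pem").read_bytes()).hexdigest()


def needs_install(lineage, state_file):
    """True when cert.pem differs from the one recorded at the last install."""
    state = Path(state_file)
    previous = state.read_text().strip() if state.exists() else ""
    return cert_fingerprint(lineage) != previous


def mark_installed(lineage, state_file):
    """Record the installed certificate; call after whmapi1 has succeeded."""
    Path(state_file).write_text(cert_fingerprint(lineage) + "\n")


if __name__ == "__main__":
    # Constructed demo: a temporary directory stands in for /etc/letsencrypt/live.
    with tempfile.TemporaryDirectory() as root:
        lineage = lineage_dir("ns1.example.com", live_root=root)
        lineage.mkdir()
        (lineage / "cert.pem").write_text("constructed certificate A\n")
        state = Path(root) / "installed.sha256"  # hypothetical state file
        print(needs_install(lineage, state))  # first run: install
        mark_installed(lineage, state)
        print(needs_install(lineage, state))  # unchanged: skip
        (lineage / "cert.pem").write_text("constructed certificate B\n")
        print(needs_install(lineage, state))  # renewed: install again
```

In the installer, call needs_install() before whmapi1 and mark_installed() only after whmapi1 has succeeded.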