On August 10th, cPanel announced provisional support for Let’s Encrypt via AutoSSL.
For hosts like DreamHost to be able to implement Let’s Encrypt is a lot easier than a behemoth like cPanel. See, DreamHost only had to make sure it worked on their own servers. They have a homegrown panel that they have 100% full control over. Adding in how to install the code on all servers and how to integrate it requires less testing than cPanel, who has to make sure everyone who uses cPanel can use this.
As of version 58 of cPanel, everyone can. And it works.
Installation
Log in via SSH and run this as root:
$ /scripts/install_lets_encrypt_autossl_provider
That installs everything you need. Keep in mind, this only adds LE to the AutoSSL feature. It’s AutoSSL that whips up SSL certificates for cPanel accounts. Doing this install does not install certs on your domains. We have to configure it for that.
Configuration
Once you’ve installed the code, go to WHM: Home » SSL/TLS » Manage AutoSSL and set it to Let’s Encrypt:
If it’s your first time, check “Create a new registration with the provider,” because you’re new. You only need to touch that setting if you’re new or have to reset your registration for some reason.
By default, AutoSSL is set to run based on your “Feature List Setting” (under Home » Packages » Feature Manager » Edit Feature List). Mine has it checked, which means it will automatically run.
Adding Existing Domains
This worked great except I had a bunch of domains using StartSSL. First off, I adore StartSSL, and the recent changes to their website make it so much easier to use. But I was using it for external free certificates where I didn’t want to pay for them, on domains that never see money. Some of them (most of them) I wanted to convert to LE.
For that, I deleted the StartSSL certificates in WHM and cPanel for the domains/account in question. Then I went to AutoSSL, clicked on the tab “Manage Users,” and clicked “Check USERNAME.” I did not pick check all users (which is at the top of the page) because I don’t want to check all users.
Adding New Domains
I love this part.
Do nothing.
No, really. Add the new domain, wait twelve hours, boom. New certificate. If you have to have it right now, go into WHM and click check for that user. But it’s automatic. Hence the ‘Auto’ in AutoSSL, you see.
Caveats!
This is something only the server admin controls. Per-site cPanel users don’t get an option; however, if they delete the LE cert and add their own, that will override it.
There’s a limit to how many certificates you can issue and how many domains each one can cover. As the warning says:
Certificates that Let’s Encrypt provides through AutoSSL can secure a maximum of 100 domains per virtual host.
Let’s Encrypt will issue a maximum of 20 certificates per week that contain a domain or its subdomains. If you include subdomains of a domain on more than 20 certificates, Let’s Encrypt will issue those during the next window, up to the limit for that week.
If you’re using a wildcard subdomain (*.ipstenu.org for example) in order to make things easier with Multisite, this won’t work. You’ll see a ton of errors in your logs, and it won’t make SSL certs for any of the virtual subdomains. That’s because they’re too virtual: cPanel doesn’t know them as real domains. You’ll have to make an actual add-on subdomain or use a domain alias for LE to pick them up.
You can’t revoke a certificate either, which can be a problem should there be a security issue along the lines of Heartbleed. When that happened, we all had to reset our SSL certs as well as patch our servers. Lots of fun. Should that happen again, cPanel users will have a big problem.
It’s because of that that I don’t want to use Let’s Encrypt on everything. I’ll use it on this domain, and my other normal ones, but my WHM domain and my stores use a Comodo certificate.
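As an added example (not from the post or from cPanel), a pre-flight script that checks the caveats above plus the DCV failure discussed in the comments: it flags wildcard names, names that don’t resolve to this server’s IPv4, and vhosts or registered domains that would trip the 100-domain and 20-certificates-per-week limits. The function names, the server IP and the DNS table are assumptions; `resolve` defaults to `socket.gethostbyname` for live use.

```python
import socket
from collections import Counter

MAX_DOMAINS_PER_VHOST = 100  # limits from the AutoSSL warning quoted in the post
MAX_CERTS_PER_WEEK = 20      # per registered domain (and its subdomains)

def registered_domain(host):
    # Assumption: last two labels are the registered domain (no public-suffix list)
    return ".".join(host.lower().split(".")[-2:])

def preflight(vhosts, server_ip, resolve=socket.gethostbyname, recent_certs=None):
    """vhosts: {vhost: [hostnames]}; recent_certs: {registered_domain: certs this week}. Returns (vhost, name, problem) tuples."""
    problems, recent, planned = [], Counter(recent_certs or {}), Counter()
    for vhost, hosts in vhosts.items():
        if len(hosts) > MAX_DOMAINS_PER_VHOST:
            problems.append((vhost, None, "over %d domains on one vhost" % MAX_DOMAINS_PER_VHOST))
        for name in hosts:
            if name.startswith("*."):  # wildcards are not real add-on domains to cPanel
                problems.append((vhost, name, "wildcard: use a real subdomain or alias"))
                continue
            try:
                ip = resolve(name)
            except OSError:
                problems.append((vhost, name, "does not resolve: DCV will fail"))
                continue
            if ip != server_ip:
                problems.append((vhost, name, "resolves to %s, not this server: DCV will fail" % ip))
        # AutoSSL requests one certificate per vhost; count it against each registered domain
        for rd in {registered_domain(n) for n in hosts if not n.startswith("*.")}:
            planned[rd] += 1
    for rd, n in planned.items():
        if recent[rd] + n > MAX_CERTS_PER_WEEK:
            problems.append((None, rd, "would exceed %d certs this week; rest waits for next window" % MAX_CERTS_PER_WEEK))
    return problems

# Constructed sample (not from the post): two cPanel accounts on server 203.0.113.10.
SAMPLE_VHOSTS = {"blog": ["example.org", "www.example.org", "*.example.org"],
                 "shop": ["shop.example.net", "deep.sub.shop.example.net"]}
SAMPLE_DNS = {"example.org": "203.0.113.10", "www.example.org": "203.0.113.10",
              "shop.example.net": "203.0.113.10", "deep.sub.shop.example.net": "198.51.100.7"}

def sample_resolve(name):  # offline stand-in for socket.gethostbyname
    if name not in SAMPLE_DNS:
        raise OSError("NXDOMAIN")
    return SAMPLE_DNS[name]

def run_sample():
    # example.net has already used its 20 certificates this week, so the shop vhost is deferred
    return preflight(SAMPLE_VHOSTS, "203.0.113.10", resolve=sample_resolve,
                     recent_certs={"example.net": 20})
```

Run `run_sample()` to see the three problems the constructed data produces; on a real server pass your own vhost list and leave `resolve` at its default so names are checked against live DNS.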
Comments
8 responses to “Let’s Encrypt cPanel”
Note that Let’s Encrypt is not required for AutoSSL to run. cPanel & WHM 11.58 ships with a default provider that fetches free Comodo-signed certificates.
@John Hurst: “free” = 90 days, correct?
@xbladerunner: That appears to be correct. So ‘Free’ as in trial, vs free as in beer.
Hi Mika,
Thanks for this guide — I have LE setup on my VPS now!!! I was looking at one of your older articles on adding SSL to a single domain on multisite (comments are closed), and was wondering if there is a way to use LE on a mapped domain of a subdirectory on multisite? Your older article describes this on a subdomain rather than a subdirectory of multisite. I have a network that is https everywhere for the main domain name, but I have several subdirectory sites that have domain names mapped to them — I’d like them to have their own certificate to avoid that ugly certificate mismatch error… Do you have any experience with this scenario? If not, I’m willing to experiment and report back, just need some direction on starting points. Thanks!
@STEFAN DENSMORE: Should be the same as I said in this post.
That doesn’t care if you’re subdomain or subfolder for Multisite. You have an add-on domain, so LE should pick it up. If you don’t have the domain added properly to cPanel, it can’t pick it up.
@Ipstenu (Mika Epstein): I have a multisite installed on a subdomain, like.this.com/site1, /site2, /site3, etc… so when I create the addon domain, it is added as addon.like.this.com
AutoSSL finds it (recognizes that a certificate needs to be added), but reports an error (in the autossl log) that the system failed to fetch the domain control validation (dcv) file… that the domain has failed control validation… that it does not resolve to any IPv4 address on the internet.
Do you think I am configuring my addon domain incorrectly, or that it just won’t work with the configuration of my multisite?
No, you’re just making SUB sub domains, which aren’t really real. And you actually know what the issue is if you stopped to think about what you said.
It’s nothing to do with WordPress or Multisite. The error is AutoSSL can’t find the DCV for a sub sub domain. So that’s your problem.
From: http://www.ietf.org/rfc/rfc2818.txt
So that’s probably why. They’re not real. Talk to cPanel about it, but I suspect they’ll tell you you’re doing internet wrong.
@Ipstenu (Mika Epstein): Thanks Mika, it’s working now! Yes, I had the addon domain configured incorrectly — by default, it wasn’t pointed to the same directory as the main domain. Once that was realigned, autossl could do its thing. Thank you for your help! I’ve admired your knowledgeable presence in WordPress support community for years, but never communicated with you, glad to have had the opportunity to make the connection!