Automatic SSL for DNSOnly

Ok thanks. Is there an API method which can be used to set the hostname cert? I can see this one but not sure if that can be used for the hostname. I haven't used the cPanel API before but if there's an appropriate method to set the hostname certificate, then it should be feasible to automate with Let's Encrypt ourselves.

You mean on your cPanel services? This is the API call you'll want.

https://documentation.cpanel.net/display/SDK/WHM+API+1+Functions+-+install_service_ssl_certificate

That looks like the one, thanks! I'll give it a go.

Perfect, I wrote a quick script and now we have automated SSL on our DNSOnly systems. Thanks again!

Hi Mike,

Do you have a copy of that script? Would be handy for the community

Agreed! Even better if you can put it up on Github. That way we can all submit to it!

No problem. It's just a quick Python script which reads the cert files, feeds them to whmapi1 and then restarts cPanel. It's then used as a hook with certbot.

Here's the script (disclaimer - I've barely ever used Python before):

http://pastebin.com/raw/6m1AeHq0

Certbot renewal then looks something like this:

/usr/bin/certbot renew --quiet --post-hook "/path/to/certbot_whm_install.py ns1.yourhostname.com"

Thanks for the snippet Mike. I'm getting the following error, any ideas on how to resolve that?

-bash: /usr/bin/certbot: No such file or directory

@nimonogi, you need to install certbot first using yum install certbot.

@mike, how are installing the certs in the first place? Btw, if you want the hostname to be dynamic, this works well:

1. /usr/bin/certbot renew --quiet --post-hook "/root/certbot_whm_install.py $(hostname -f)"

Any idea how can we make run this script automatically when cert has less than 30 days to expire?

add this to your crontab with, crontab -e

0 0 */15 * * /usr/bin/certbot renew --quiet --post-hook "/root/certbot_whm_install.py $(hostname -f)" >/dev/null 2>&1

ive found that sometimes certbot struggles to work due to cpanels gui running. if you add the pre hook to stop cpanel it runs without fail and the post script restarts cpanel with the new ssl installed

0 0 */15 * * /usr/bin/certbot renew --quiet --pre-hook "service cpanel stop" --post-hook "/root/certbot_whm_install.py $(hostname -f)" >/dev/null 2$

Currently DNSOnly servers aren't licensed at all, which is where the limitation comes in. Do you mean to say that if you have a DNSOnly server, and a cPanel server, the DNSOnly server should be allowed an SSL?

Would cPanel consider licensing DNSOnly for a minimal fee (say $2 per server per month) in order to incorporate features like AutoSSL?

It's definitely something we *have* considered, and might consider again in the future, but isn't something we're going to do right now.

I'd suggest to consider to some extent that if a DNSOnly server is attached to a cPanel server, then it's to be flagged as licensed.

This way you would still limit who uses it on its own (is this even possible?) without penalising cPanel users.

I'll definitely pass that on! I do want to mention that it's unlikely to be implemented like that, as we have always tracked licenses by individual server, but I'll definitely pass on the suggestion.

Wholly agree with Giorgio. If a DNS Only server is clustered with one or more servers with a valid cPanel license, I firmly believe the DNS Only server should have right of an SSL certificate.

Some modern browsers/devices will not accept an insecure SSL override, so even installing DNS Only may be challenging.

Yes, this is the best idea. But initially, there needs to be some way (IMO) to easily connect the DNSOnly server to a master cPanel server without faffing around with the DNSOnly Web UI. Purely from a security standpoint - otherwise users will be forced to use insecure HTTP to connect to a cPanel server and potentially share precious credentials with the world.