Automatic SSL for DNSOnly

Mike shared this idea 8 months ago
Not Planned

The automatic SSL certificate feature would be nice for the DNSOnly version of cPanel.

Best Answer

No problem. It's just a quick Python script which reads the cert files, feeds them to whmapi1 and then restarts cPanel. It's then used as a hook with certbot.

Here's the script (disclaimer - I've barely ever used Python before):

http://pastebin.com/raw/6m1AeHq0

Certbot renewal then looks something like this:

    /usr/bin/certbot renew --quiet --post-hook "/path/to/certbot_whm_install.py ns1.yourhostname.com"
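As an added example of the hook shape described above (my own code, not Mike's pastebin script): it reads certbot's live files for the host, hands them to `whmapi1 install_service_ssl_certificate` for the `cpanel` service, and restarts cpsrvd only if the API reports success; with no argument it falls back to the machine FQDN, the same idea as the `$(hostname -f)` variant later in the thread. The binary paths, the `--output=json` flag and the `service=cpanel` parameter are assumptions taken from the cPanel documentation, not from this thread.

```python
#!/usr/bin/env python3
"""Certbot post-hook for a cPanel DNSOnly host: install the renewed Let's
Encrypt certificate as the cPanel service certificate via whmapi1, then
restart cpsrvd. Added example, not the original pastebin script. Assumes
certbot's default /etc/letsencrypt/live/<hostname>/ layout."""
import json
import socket
import subprocess
import sys
from pathlib import Path

WHMAPI1 = "/usr/sbin/whmapi1"           # assumption: standard cPanel path
RESTART = "/scripts/restartsrv_cpsrvd"  # assumption: standard restart script
LIVE_DIR = Path("/etc/letsencrypt/live")


def read_live_certs(hostname, live_dir=LIVE_DIR):
    """Return (cert, key, chain) PEM text from certbot's live directory."""
    base = live_dir / hostname
    return tuple((base / name).read_text()
                 for name in ("cert.pem", "privkey.pem", "chain.pem"))


def build_install_cmd(crt, key, chain):
    """argv for whmapi1; a list (no shell) so PEM newlines need no quoting."""
    return [WHMAPI1, "--output=json", "install_service_ssl_certificate",
            "service=cpanel", "crt=" + crt, "key=" + key, "cabundle=" + chain]


def api_succeeded(output):
    """True only when whmapi1's JSON metadata.result is 1; else fail closed."""
    try:
        doc = json.loads(output)
    except ValueError:
        return False
    return isinstance(doc, dict) and doc.get("metadata", {}).get("result") == 1


def main(argv):
    # Hostname from argv, otherwise the FQDN (same as $(hostname -f)).
    hostname = argv[1] if len(argv) > 1 else socket.getfqdn()
    proc = subprocess.run(build_install_cmd(*read_live_certs(hostname)),
                          capture_output=True, text=True)
    if not api_succeeded(proc.stdout):
        sys.stderr.write("certificate install failed:\n" + proc.stdout + proc.stderr)
        return 1  # non-zero exit so certbot reports the hook failure
    subprocess.run([RESTART], check=True)  # cpsrvd only restarts on success
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The certbot renew line quoted above works unchanged with this script as the post-hook; the script must be executable and run as root so it can read the private key and call whmapi1.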

Comments (21)

1

Currently one of the requirements for AutoSSL is a valid cPanel license, which excludes DNSOnly since DNSOnly servers don't require licenses. We have discussed internally a few options that might impact this, but currently it's not planned to add AutoSSL functionality to DNSOnly servers. If that changes at all, I'll definitely update that here!

1

Ok thanks. Is there an API method which can be used to set the hostname cert? I can see this one but not sure if that can be used for the hostname. I haven't used the cPanel API before but if there's an appropriate method to set the hostname certificate, then it should be feasible to automate with Let's Encrypt ourselves.

1

You mean on your cPanel services? This is the API call you'll want.

https://documentation.cpanel.net/display/SDK/WHM+API+1+Functions+-+install_service_ssl_certificate

1

That looks like the one, thanks! I'll give it a go.

1

Perfect, I wrote a quick script and now we have automated SSL on our DNSOnly systems. Thanks again!

1

Hi Mike,

Do you have a copy of that script? Would be handy for the community

1

Agreed! Even better if you can put it up on Github. That way we can all submit to it!

1

Thanks for the snippet Mike. I'm getting the following error, any ideas on how to resolve that?

    -bash: /usr/bin/certbot: No such file or directory

1

@nimonogi, you need to install certbot first using yum install certbot.

@mike, how are you installing the certs in the first place? Btw, if you want the hostname to be dynamic, this works well:

    /usr/bin/certbot renew --quiet --post-hook "/root/certbot_whm_install.py $(hostname -f)"

1

Any idea how we can make this script run automatically when the cert has less than 30 days to expire?

2

I think having at least one full valid cPanel license should allow cPanel DNS Only servers to have at least a certificate for their hostname if the master DNS server is of course a valid licensed cPanel server. SSL is the future, Google and other major players are really forcing this already, in some years from now, the "Click here to continue (not recommended/not safe)" will just disappear and we would have 'trouble' accessing our DNS Only server(s). Just my 2 cents :)

1

Currently DNSOnly servers aren't licensed at all, which is where the limitation comes in. Do you mean to say that if you have a DNSOnly server, and a cPanel server, the DNSOnly server should be allowed an SSL?

1

Would cPanel consider licensing DNSOnly for a minimal fee (say $2 per server per month) in order to incorporate features like AutoSSL?

1

It's definitely something we *have* considered, and might consider again in the future, but isn't something we're going to do right now.

2

I'd suggest considering, to some extent, that if a DNSOnly server is attached to a cPanel server, then it's to be flagged as licensed.

This way you would still limit who uses it on its own (is this even possible?) without penalising cPanel users.

1

I'll definitely pass that on! I do want to mention that it's unlikely to be implemented like that, as we have always tracked licenses by individual server, but I'll definitely pass on the suggestion.

2

Wholly agree with Giorgio. If a DNS Only server is clustered with one or more servers with a valid cPanel license, I firmly believe the DNS Only server should have right of an SSL certificate.

Some modern browsers/devices will not accept an insecure SSL override, so even installing DNS Only may be challenging.

1

I downloaded the new cPanel iOS app and I currently can't add my DNSOnly servers to it, as it won't connect since there is no trusted SSL certificate. It'd be great if there was a supported feature or workaround to allow our DNSOnly servers to use AutoSSL to resolve this issue.

3

Any cPanel/WHM hosting provider who plans to implement HSTS (highly recommended), needs SSL support on the DNSOnly server, otherwise you are NEVER going to be able to access the web UI of the DNSOnly server. I agree with the suggestion that if you have a valid license on your hosting server, DNSOnly should be automatically licensed to install SSL. You may want to consider making the server clustered with the Primary hosting server as a prerequisite for using AutoSSL on DNSOnly.

2

Yes, this is the best idea. But initially, there needs to be some way (IMO) to easily connect the DNSOnly server to a master cPanel server without faffing around with the DNSOnly Web UI. Purely from a security standpoint - otherwise users will be forced to use insecure HTTP to connect to a cPanel server and potentially share precious credentials with the world.
