Provide Support for Let's Encrypt Automated Certificate Management/SSL

Rick Sabatino shared this idea 2 years ago
Completed

Let's Encrypt is a public interest initiative [501(c)(3)] backed by ISRG, EFF, Cisco, Mozilla, Akamai and others. Its aim is to provide free SSL to all websites on the internet so that all web traffic is encrypted.

Let's Encrypt is a free, open, automated signing authority; however, it has significantly simplified the method of implementing SSL on a site. See https://letsencrypt.org/howitworks/ for an explanation. It will use the Automated Certificate Management Environment (ACME) protocol (see: https://letsencrypt.org/getinvolved/)

This has enormous potential for individuals hosting content on the web - particularly those using cPanel. When this launches in 2015, I know I would like the ability to use it on my sites - which all use cPanel. My hosting provider has already told me they will support it if you do.

case CPANEL-7816

Best Answer
photo

EDIT: There's also a blog post about this request: https://blog.cpanel.com/announcing-cpanel-whms-official-lets-encrypt-with-autossl-plugin/

I am so happy to tell you all that the Let's Encrypt plugin has left beta and is now in a public release! If you are running cPanel & WHM version 58.0.17 or above (the EDGE or CURRENT tiers right now), you can now install the plugin using the command line by running this command:

    /scripts/install_lets_encrypt_autossl_provider

Running that script will add cPanel's repo file and make sure the plugin is up to date, which will add it as a provider to the AutoSSL feature introduced in 58. If you want to enable it after you add it to the server, you will need to do so from WHM.

Please note, there are some domain and subdomain limits that are enforced by Let's Encrypt that we attempt to outline here:

https://documentation.cpanel.net/display/ALD/Manage+AutoSSL

If it becomes necessary, we may add this plugin to the list of plugins provided in the WHM interface in a later version of cPanel & WHM.

I want to mention, the most commonly requested feature in relation to this, SNI support for cpsrvd (which includes webmail, cPanel, WHM, etc) is being tracked in this feature request, and *may* make it in to cPanel & WHM version 60, but may be delayed to version 62:

https://features.cpanel.net/topic/ssl-certificate-per-domain-on-all-services

If you have any questions, or encounter any problems, feel free to comment on the forum thread, send me an email (my username is my email address :D ), or open up a support ticket, as is appropriate.

Comments (231)

photo
8

I own a hosting company and I want to support it too!

photo
14

this is an absolute must have and not 3 years down the road... this year...

photo
1

comments not showing?

photo
1

The software this site runs on was recently upgraded. It appears many comments are now going into the moderation queue. I'm sorry for the delay you, and others, are experiencing in having comments appear. Please bear with us as we get this resolved.

photo
1

I believe this solution is currently being audited by the same guys who recently completed the truecrypt audit, once it's got a clean bill of health it seems an excellent idea for supporting in cPanel

photo
3

My hosting company would install it if there's interest, according to their reply to my ticket.

photo
4

This should be made a top priority.

photo
5

This should be done ASAP! Specially before let's encrypt is live and working for the end customer...

photo
1

+1 cPanel should keep in mind that some providers sell SSL certificates as options to hosting plans. If cPanel was to implement Let's Encrypt this could hurt those providers. If this was to be implemented, I'd like to have a way to disable it.

photo
1

I think it should be an option on more than one level.

  1. Allow customer
  2. Allow customer, per approval (paid feature)
  3. Not allow customers, but allow admin / staff

On a shared host, the host could sell this as an extra feature.

photo
5

@God, I would like to respectfully disagree with you on your last point, and here is why.

Firstly, once Let's Encrypt is officially launched, many hosting providers will likely start to offer it.

This would put hosts that do not offer it at a disadvantage.

Secondly, Let's Encrypt is not meant to replace SSL certificates for commercial websites (i.e. those that take credit card details). It is merely meant as a way to secure all sites and, additionally, promote SSL.

I do agree though that there needs to be an option in the feature list manager to disable it if a host desires to do so.

photo
5

I agree with you @Marcel. This won't replace the SSL certificates we have today. Hosting providers can continue to offer those SSL certificates, as they do today, as an add-on. I would certainly switch providers if any of my hosting providers wanted to charge me for Let's Encrypt. After all, charging for Let's Encrypt would stand in opposition to the project's principles.

From https://letsencrypt.org/about/

------------------------------------

The key principles behind Let’s Encrypt are:

  • Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
  • Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal [...]

photo
3

We would like to see this implemented into cPanel as soon as Let's Encrypt becomes available.

photo
5

With Let's Encrypt everything could be made automatic. Each new subdomain or addon domain getting their own SSL cert without the user even needing to do anything.

HTTPS is currently a requirement for HTTP/2. On large sites HTTP/2 makes quite a difference to users' overall experience.

We want cPanel to implement the Let's Encrypt command line to generate an SSL cert and manage the SSL vhost with cPanel.

In the SSL center cPanel could add Let's Encrypt functions like generate, revoke, renew. cPanel should also have an auto add mode so that any new sites get a cert installed by default and that certs are renewed automatically.

Let's Encrypt is coming in one month. We will possibly be installing certs with it manually until cPanel implements it.

photo
8

cP should start working on this now as Let's Encrypt will be offering its first public certs next month. This will be absolutely essential for keeping small sites' logins secure in the future.

photo
2

Totally agree... but I guess it will take a very long time...

photo
1

@TCB13 - I would hope not. Let's Encrypt is targeting a mid-November opening to the general public; cPanel should do that too.

The plan is for an individual to add the cert to a single site with 2 lines of code, once the let's encrypt program is installed on the server. I can't imagine that would take forever. So many people are interested in it, I can see it being made available through the repos (I would guess EPEL) relatively quickly. Of course if the CentOS project jumped on it and incorporated it into the distro, that might be even better. @monarobase has it right and we (the cPanel end users) need it!

photo
1

@tss it's the WHM team. Everything with less than 500 votes won't happen, and even after that it will take 200 years to implement and it will have issues for sure. Take the CalDav/CardDav or Domains as examples...

photo
1

@TCB13 https://documentation.cpanel.net/display/SDK/Guide+to+WHM+Plugins <-- maybe using a plugin to make a proof of concept for them will expedite the release.

photo
1

agree, someone make a plugin to speed them along :)

photo
3

This will be a good thing if a cPanel/whm plugin was made to make things easier and quicker to install the free certs.

photo
5

+1 LetsEncrypt.org is very, very awesome... cPanel support deserves to be fast-tracked/accelerated! Yes! =)

photo
3

I'm completely amazed to see that not a single cP employee has placed any comment on this topic. Why is it too hard for you guys to say yes, we will do it ASAP, when so many users/webmasters/admins are requesting it?

I really don't understand. Lets Encrypt is going to launch on Nov 16 2015, but I really doubt that you guys will provide support for it by then.

Moderator note: conspiracy-based accusations have no purpose in this thread. Please keep comments constructive, and focused on the potential value this feature will bring to your business.

photo
1

I think companies that sell SSL certs will still have LOTS of customers, as you will need to pay for extended validation, wildcard domains, etc

photo
2

Please understand that the SSL from Let's Encrypt will be the most basic SSL cert you can get, which is great for securing site content. Extended certs that our customers want are extended certs which turn green for some browsers, which seems to add a level of trust for shoppers.

photo
1

HTTP/2 is effectively only for a HTTPS web...

LetsEncrypt offers the basic to play, a validated (EV optional) cert is still needed for business/ecommerce =)

It will be really awesome when WHM/cPanel supports easy use!! Please, make it soonest! =)

photo
2

Moderator note: Comment removed for being off-topic.

photo
1

@iSaumya

I am a web hosting provider at ogd web host and have been following LetsEncrypt ever since. I want to use it and recommend it to all my clients, and not only that but help them to install it.

I strongly believe that not all the cP employees are aware of it.

photo
2

@TCB13 I said the same thing man.

photo
1

Trust me it's really bad to see that this post has been added 9 months back and since then not a single cP employee has ever got any time to post cP's thought on this? Hmmmm.... If I'm not wrong this is called "ignoring".

photo
2

Moderator note: Comment removed for being off-topic.

photo
1

Moderator note: Comment removed for being off-topic.

photo
1

Moderator note: Comment removed for being off-topic.

photo
1

Moderator note: Comment removed for being off-topic.

photo
1

Moderator note: Comment removed for being off-topic.

photo
11

There's a lot about the Let's Encrypt project we really like. Many of their key principles (https://letsencrypt.org/about/) are also valued by us.

The cPanel Conference just concluded in Denver. In attendance was Seth Schoen, one of the technical members of the Let's Encrypt project. We took the opportunity to 1) congratulate the project on issuing their first certificate (https://letsencrypt.org/2015/09/14/our-first-cert.html); and 2) to discuss in detail the Let's Encrypt project in the cPanel ecosystem.

There are some things we'll be doing soon, such as making their CA Bundle available in our cabundle service. This service is used by all cPanel & WHM servers going back several versions. Having the CA bundle in that service will ensure Apache is correctly configured when installing a certificate issued by the Let's Encrypt CA.

Some of the other things we discussed:

1. How the Let's Encrypt subscriber agreement (https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf) applies with the various ways people manage SSL/TLS certificates right now. One such scenario is when an admin/reseller manages the certificate for the domain owner

2. How to handle loss of the private key

3. What are the sensitive assets, such as the private key, that are created by the system. How should they best be protected? How do they affect account transfers within a company, and outside a company

4. How to improve the configuration of Apache and other web servers

5. What non-programming ways can people and companies help the project

Long term we do see this CA playing a powerful role for web site owners, system administrators, and many others. We hope to provide more support, and a great experience in using the Let's Encrypt CA with cPanel & WHM once they are ready to service the millions of web sites needing SSL/TLS certificates.

Right now I strongly encourage people interested in this project to do more than vote on this feature. Get involved in the project (https://letsencrypt.org/getinvolved/). Get involved in their forum. Having input and interaction with experienced hosting providers, and system admins will certainly help them.

One thing in particular they are seeking are sanitized examples of production web server configurations. That will help them improve their development and testing of the client (https://github.com/letsencrypt/letsencrypt).

photo
1

That's a good first step. Kenneth, thank you for posting this.

At this time, is there any plan beyond simply supporting the certs ?

Will we be on our own for installing the client or will it eventually be integrated in cPanel ? If it is on the horizon, do you have a rough timeline so we can judge whether we feel we can wait or invest in DIY to get it working sooner?

photo
4

Right now their client doesn't really work well with CentOS/RHEL, let alone cPanel & WHM.

What I'd like to see is Let's Encrypt appear in cPanel & WHM as a CA. That would allow admins, resellers, and users to obtain, and manage, certificates from them. I'd also like to see this appear early in 2016.

On the CentOS note, Seth was able to meet with a couple of CentOS people at our conference. My take away is that the two projects will work together to get the client working on stock CentOS systems.

photo
3

Kenneth, you might want to keep an eye on pull request for simplefs plugin for letsencrypt client it allows you to pass the web root to an already generated https vhost to obtain SSL certificate https://github.com/letsencrypt/letsencrypt/pull/757

It's derived from issue at https://github.com/letsencrypt/letsencrypt/issues/742.

So cPanel could essentially auto generate the https vhost with a self-signed SSL cert first and, using simplefs, just pass to the Letsencrypt client the vhost's web root for the authorization and challenge verification process, get the SSL certificate and then auto update that https vhost.

photo
3

Thanks for passing that along, eva2000. We'll have to investigate that plugin, it looks rather promising.

photo
1

FYI simplefs plugin has been renamed webroot authentication plugin and has been merged officially into letsencrypt client master code :)

photo
2

eva2000 you're awesome - thanks very much for mentioning this, including your followup re. merge into letsencrypt client master =)

lets go cPanel!

photo
1

Great. For the vast majority of small websites, this could be THE best way to secure their websites. I'm happy to see it's being worked on and hope to see it implemented early in 2016 :)

photo
2

This really needs some serious attention, I am glad that cPanel have finally responded.

It is clear that it will take some time to get this up and running with the underlying RHEL code issues. Hopefully cPanel will provide the necessary resources to the Let's Encrypt team in a timely way so that this takes not a day longer than it needs to.

photo
1

LetsEncrypt integrated with cPanel would/will be a -GREAT- feature. Let's keep this one active as LetsEncrypt comes online!

photo
1

+100. Really would love to see this. LetsEncrypt is going to be offered to the general public next month, and besides the obvious security advantages, since Google Analytics is now ranking websites higher for the ones that have SSL activated this also becomes extremely important.

photo
1

Just a side note as well, support for this would allow proper use of the force HTTPS versions of whm/cpanel/mail. Currently the self signed style (or lack thereof) certs fly browser warnings which, depending on your use-case, could be a good or bad thing. Sure one could opt to purchase a cert for this, but in large deploys its cost multiplicity is often not justified at the client util level.

photo
2

This would be a great thing to have especially since it will simplify the process

photo
2

Yes! Can't wait to see this feature for my websites.

photo
1

I don't see this ever happening or if it does every host will have it turned off. All the major hosts make money off SSL's so I am sure they Lobby cPanel to put it off as long as possible. If they do add it It'll probably be turned off for most cPanel included subscriptions.

I support it and want to see it, just talking reality in the volume license game.

photo
1

I see your point - but it doesn't have to be turned on for the cPanel account - just WHM. let the admin add the certs and charge the client if they want.

I run my own VPS with cPanel, and would LOVE this. I only host sites for clients I did the website for, and supplying them with an SSL cert with the hosting plan at no additional cost to me would be HUGE.

photo
1

We'd all love it, it's been an idea for a long time and Google been pushing basic ssl for years. By creating a new root they have a chance, I hope it works out for them.

photo
2

I don't think we have to worry about not being free or not being turned on. The hosting market is so big and everyone wants to attract more clients. There will be lots of companies giving it for free, and who doesn't will start losing clients. Also remember that is basic ssl. If you want to run an ecommerce website, or to really be trusted, you'll need a better ssl.

photo
1

Let's Encrypt is exclusively offering DVs. They won't have the infrastructure to do OVs and EVs and have stated they're leaving those to the rest of the industry.

photo
2

I really don't think that hosting companies are gonna keep this feature turned off. This isn't the 90's -- SSLs are dirt cheap [or free] and are not a profitable endeavor for hosts anymore.

Why? Would you buy a significantly overpriced car if the dealer next door was giving them away for free? Consider the amount of their competition already offering free DV SSLs with domain/account, free proxies with free SSL such as Cloudflare, and deep SSL reseller discounts to the point where the only profit they make is a very slight percentile. Considering the discounts, the last cheapo SSL I bought was a Globalsign DV which "retails" for $250 and somehow, against all odds, the vendor sells them for less than $50. Hmm wonder why? Because SSL is a bubble sector that is artificially pushed up by the cert auths. All certs are worth, quite literally .... nothing. It's comparable to the cool kid at the party saying "trust me, he's legit....but I don't know him, he paid me to say this". Further attempts to append a price to DV/OV certs are going to result in expedited degradation of that bubble. OPs are aware of this, and when they see hosts propping up the bubble, they will not bite.

TLDR; The writing is on the wall. DV/OV certs are worth nothing. Cert auths prop inflation bubble. Hosts who sell DV instead of provide for free will see much more churn N burn to their competition.

photo
1

I agree it should happen and I'm not against it, just saying when I talk with the major "corp" hosting providers and they make same amount of money, installing, reinstalling and selling SSL's with a few clicks once a year than they do hosting.

So I am sure (we will never know for sure) they are pushing against the idea of people feeling secure and not wanting one. (Even though like you stated it's not exactly the same)

I kind of overstated on my phone I didn't mean never.... I meant more like not in the near future haha.

I hope I'm wrong and hosts are not able to flag it as disabled.

photo
1

I have several clients who purchase SSL certificates because of the amount of the warranty available. So I doubt having free SSL certificates will stop some clients from purchasing SSL certs.

photo
2

The letsencrypt certs are only 90 days and the infrastructure isn't ready yet and won't be till next year, given not much work has been done to date. Additionally, EV certs are a thing and will continue to be sold. I'm confident all hosts everywhere will have this available via cPanel from late 2016, as it becomes trusted and stable. Since it wasn't even working with Centos (!) there's a bunch of work to do.

photo
1

@Brian Coogan, the 90 day validity shouldn't be an issue since it's supposed to be auto-renewed when all is said and done.

Yes, I agree there's a bunch of work to do, but that's the kind of work people expect cPanel, with their resources and position in the industry, to get behind.

photo
2

Yeah, actually this MUST happen sometime in the future. Google has signaled its intent in Chrome to flag ALL unencrypted websites the same way they do self-signed HTTPS connections today. It's going to be phased in. The other browsers will follow suit over time. I could find additional articles, but this one sticks out: http://www.cnet.com/news/chrome-becoming-tool-in-googles-push-for-encrypted-web/

photo
2

Ok, I've just read their FAQ.

Let's encrypt certs will be valid for 90 days and from what I understood they will provide an automatic renew mechanism that runs every 60 days.

We will definitely need this to be integrated into cPanel to make it able to renew SSL certs automatically.

Also this is coming sooner than I thought. Let's Encrypt is now compatible with all major browsers and their current planned launch date is Nov 16 2015.

photo
1

Please add this, considering browsers are going to start flagging sites without this, it'd be nice if this could happen.

photo
2

This is definitely a requirement, do we have any sort of timeline for this?

I went ahead and registered for the Beta, got the invite only to find out because I use cPanel I apparently cannot use it at all because cPanel manages the apache config and rebuilds it. I double checked with our VPS host and they confirm that we cannot use it until there is added support in cPanel or some kind of plugin...

photo
3

I got an invite for the Let's Encrypt beta as well, but can't install it because I am using cPanel on my servers. I would love to see support for Let's Encrypt added to cPanel soon!

photo
2

I got in for the beta and I've been trying to create a certificate but it keeps saying it can't makekeys yet.

Once I get that fixed I thought there was a section on the cPanel system to upload an SSL\TLS certificate. I'm using it on GoDaddy and it has that option but my current SSL cert is self signed so it creates a warning when people visit it.

photo
2

If it's a good/safe alternative for paid SSL certificates then yeah, I really vouch for this feature, the faster the better even.

photo
1

It is easy to use, when you use it with the webroot routine --webroot-path

photo
1

Please, in which way can you use it with webroot-path? I mean the steps. Thanks.

photo
2

You just pass the path of the webroot you used which is used for the domain you registered for the beta. In my case I used

    ./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory --webroot-path /home/letsencrpt/public_html/ certonly

The script will then create some files (or folders, I forgot) in that webroot which will be used to check if you are the "owner" of that domain.

The cert files and the key will be created in some folder on your system and you can insert them as usual into cpanel.
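
The webroot check described in the comment above can be rehearsed before running the client. The following is an added example, not part of the original thread or of the letsencrypt client: a Python pre-flight that writes a random probe file under `.well-known/acme-challenge/` in a given webroot and fetches it back over HTTP, the same kind of request the domain validation makes. The function names, result strings and the loopback test servers are assumptions made for illustration.

```python
import http.server
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from pathlib import Path

# URL path prefix requested on the domain during HTTP-based validation.
CHALLENGE_DIR = ".well-known/acme-challenge"

# Talk to the web server directly, ignoring any proxy set in the environment.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def check_webroot(webroot, base_url, timeout=5.0):
    """Write a probe under webroot and fetch it from base_url.

    Returns one of (hypothetical result names):
      'ok'           probe was served back unchanged
      'not_writable' the challenge directory or file could not be created
      'not_served'   the URL failed (404, refused connection, TLS error, ...)
      'mismatch'     the URL answered 200 but with different content
    """
    challenge = Path(webroot) / CHALLENGE_DIR
    token, body = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
    probe = challenge / token
    try:
        challenge.mkdir(parents=True, exist_ok=True)
        probe.write_text(body)
    except OSError:
        return "not_writable"
    try:
        url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
        with _OPENER.open(url, timeout=timeout) as resp:
            served = resp.read().decode("utf-8", "replace").strip()
        return "ok" if served == body else "mismatch"
    except (urllib.error.URLError, OSError):
        return "not_served"
    finally:
        probe.unlink(missing_ok=True)  # never leave the probe behind


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Static file server standing in for the real web server (constructed)."""

    def log_message(self, *args):
        pass


class _CatchAllHandler(_QuietHandler):
    """Simulates a rewrite rule that answers every URL with the front page."""

    def do_GET(self):
        page = b"<html>front page</html>"
        self.send_response(200)
        self.send_header("Content-Length", str(len(page)))
        self.end_headers()
        self.wfile.write(page)


def _serve(handler):
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def demo():
    """Run the check against three constructed setups on loopback."""
    results = {}
    with tempfile.TemporaryDirectory() as site_a, \
            tempfile.TemporaryDirectory() as site_b:
        cases = {
            # webroot passed to the check matches what the server serves
            "right_webroot": (site_a, partial(_QuietHandler, directory=site_a)),
            # webroot belongs to another site than the one answering
            "wrong_webroot": (site_b, partial(_QuietHandler, directory=site_a)),
            # server swallows the challenge URL with its own page
            "catch_all_rewrite": (site_a, partial(_CatchAllHandler, directory=site_a)),
        }
        for name, (webroot, handler) in cases.items():
            server, base_url = _serve(handler)
            try:
                results[name] = check_webroot(webroot, base_url)
            finally:
                server.shutdown()
                server.server_close()
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

On a real server, pass the domain's document root and `http://<domain>` as the two arguments; the check leaves the empty `.well-known/acme-challenge` directory in place.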

photo
1

Please forgive me for asking again. That means only the reseller can do that, right, or those who have the permission to webroot?

photo
1

But does it also place the cert and private key in the correct locations, create the necessary VirtualHost in httpd.conf, perform Apache distilling to update data in /var/cpanel, etc. so that it is recognized, preserved and supported by cPanel?

photo
1

No, it does not integrate the files in the appropriate locations. Also you are not able to do that as normal customer, at least I don't know how.

That is what this feature request is about, an implementation of this process by cPanel :-).

photo
1

OK thanks for your time

photo
1

RE " Also you are not able to do that as normal customer, at least I don't know how."

I have installed my Letsencrypt certificate on my domain, HTTPS://igking.info , using the cpanel ssl certificate install.

My web hosting provider Ifastnet answered my service request and gave me read/write access to the .well-known directory under the HTML-root directory, which was necessary for the Letsencrypt manual domain authorisation process.

photo
2

Let's encrypt offers only 90-day certificates, so cpanel could create an option to renew such certificates automatically (where 'automatic renewal' option is turned on)

photo
1

The 90 day limit is only for the beta period, I am actually running one of these beta certs on my private OwnCloud instance now. It will be extended to yearly when it is out of the beta period. LetsEncrypt actually encourages users to revoke and re-issue certs as often as possible so I do agree that the UI should have a way to allow a user to either be able to re-issue the certificate often or even have the ability to set a cron to re-issue the cert every xx days (user defined)

photo
1

Maybe I'm wrong but normally Let's Encrypt will not issue certs with more than 90 day limits. You can read 'why' here: https://letsencrypt.org/2015/11/09/why-90-days.html

photo
1

Woah, I am sorry, my mistake on that. The beta email advises keeping a cert no more than 60 days and they expire every 90 days. Need some coffee.

photo
1

This would be a big benefit for all our nonprofit clients we host; would love to see this implemented.

photo
1

Agree. Not to mention great benefit for all small businesses who don't have the expertise to buy and install SSL. It's quite complicated as it is today.

photo
1

I'm mid-level in my knowledge of Linux and servers. I use cPanel and other things (CSF, CloudLinux, CageFS, and I pay for a management service where I can ask questions, ask for help, and they do basic monitoring) to help me be as safe as possible, instead of running a bare server.

I just got into the beta for LE, and tried to install it. It failed for reasons that aren't important. What is important is getting cPanel behind this effort - because this is right up the alley for where cPanel can help people like me, and those who know even less than me.

The server experts can deal with certificates no worries; but in the effort to get as much of the web on https as possible, I definitely hope cPanel can help us out and get this working safely and such that it doesn't break features that cPanel already provides.

photo
1

With this entering beta in a week, do we have an update anywhere from cPanel?

photo
1

I don't think this should only be available end-2016. I think it should be available ASAP. It's not about stability it's about building cutting edge stuff, that we all know that can fail, however it should be offered as experimental. cPanel team should really get in talks with LetsEncrypt in order to launch an experimental automated solution as soon as their platform is available. Realistically speaking it should happen even on a demo version of the platform not the final thing because of two things: 1) LetsEncrypt would be much better tested; 2) cPanel implementation would be better because of the close collaboration.

photo
1

We definitely need this ASAP.

Let's face it, this is the end of paid certificates and the end of this truly unnecessary "tax". But I'm not sure if cPanel as a company would like to add this feature and they'll probably delay its integration as much as possible, because they already have a paid interface to sell certificates via WHM (it's located under the SSL/TLS section).

But no matter how long they delay the inevitable death of paid certificates, I'm sure someone will implement a 3rd party solution... I'm not naming any names :)

photo
1

There will likely never be an end to paid certificates. The LetsEncrypt certs were mainly designed for general purpose websites and personal websites with the goal that all websites should offer encryption without the burden of costs and an overly complex set of steps to set the certificate up.

These certs were never designed for commercial use and any website that plans to handle credit card payments or other sensitive personal information. They lack the insurance and verification that are common in high security web services.

With that said, most customers who choose shared hosting on a cPanel server likely do not fall into the high-security commercial sector as these setups often require dedicated infrastructures.

photo
1

I politely disagree with your assessment, mainly due to my experience. I've created e-shops for the past 15 years or so and most of them have to abide by the PCI rules. Every single one of them handles credit cards and thus has a normal SSL certificate. But, none (none = zero = absolutely none) of them have the expensive EV/OV versions with insurance, mainly because insurance is provided by the bank anyway. Also, if you read the license agreement for the SSL "insurance", it's effective when green aliens come to Earth or when their SSL root is compromised. So in practice you are paying for the "green" bar as a tax and nothing more.

If your infrastructure is not "sensitive" (e.g. you are the bank), then it's really a useless tax in practice.

Even amazon's certificate is a simple one... and they handle a lot of credit cards :)

photo
1

Amazon uses Symantec/VeriSign OV certificates, which cost several hundred dollars each, but don’t provide a green bar. :(

It does seem a bit silly to bother with those rather than $5 DV certificates.

Maybe they just want the Symantec name to show up, on the off chance a Firefox user who has a higher opinion of Symantec than GeoTrust or Comodo clicks the padlock. ;)

They do come with that rather useless $1.5m warranty, though.

photo
1

I stand corrected on the amazon certificate :)

photo
1

Most SSL insurance applies to only the deepest caverns of infrastructure and is very easily voided by most types of breaches. Example, here is what Globalsign covers:

- Errors in the identification (within the cert scope of data mitigation, not your scope)

- Loss of documents (within the cert scope of docs, not your scope)

- Intentional or accidental errors (within the cert scope of infos, not your scope)

And here is what voids that meager coverage in a breach (it's all pretty useless because none of these have to do with the 3 above, and they don't actually cover a breach to begin with):

- Request for revocation failure (failure for you to say "turn it off" when it should be off)

- Due diligence failure (as in someone brute forces in and gets your key because you weren't able to stop them properly)

- Material obligations of agreement failure (you didnt comply with various TOS)

- Reasonable security measures failure (define reasonable security measures? They dont, and wont, because they want to cover....nothing)

- Illegal acts (you did something illegal. Again, define illegal? In what scope and where? Under what gov?)

- Misuse of services (same thing, define misuse......basically they dont and wont)

- Unreasonable reliance (this is the gem - If you rely on a cert then you are not allowed to know more than you know while doing trade/commerce. Like if you knew that all computers are inherently insecure, then you wont be covered when this truth is exposed via breach in ssl channel(s))

- Third party failure (Finally, to really rub you the wrong way: if any sort of failure occurs outside of what Globalsign owns, then you are not covered)

Bonus:

- You have 15 days to apply for the damages, IN WRITING. So if you didn't know Globalsign was breached, and they do a press release 16 days later, they will effectively get off scot free from all insurance claims. Notice how they say nothing about their public relations timeframes. Notice how it must be mailed by a snail to further eat days.

So, you see, there isn't really anything protecting you as far as insurance goes. Paid cert is the same as free cert in that sense. Actual insurance companies, banking, and credit card processors provide the actual real protection in a breach/fraud/MITM situation -- assuming you were properly buttoned up and PCI compliant, while operating in good faith of course.

photo
1

+1, I wish more users understood this.

photo
1

For Ecommerce sites, they may not be PCI Compliant enough for most gateway companies. These would likely be best used for the server hostname SSL for cPanel/WHM plus other services, instead of using self signed SSL certs.

photo
1

I believe these certificates would be mostly used by people to whom an SSL Certificate is not something they feel they can justify paying for, for example companies without e-commerce or websites requiring the code.

It would also be useful for encrypting mail services, WHM and cPanel, for example, on a server, as it means you do not buy an SSL certificate for your server that lasts a year; if you decommission a server, it means wasted expenditure.

90 days at a time for a hostname certificate seems like a sensible way of securing the traffic and not investing in a year long product for something that may not be required for that length of time.

photo
1

Don't get too excited; it will take a few years to be implemented.

Status has been updated to Planned

photo
3

I don't think it'll take years to be implemented. I think this is a great step ahead.

photo
1

I hope you're right :)

photo
1

I can see the status for this topic was changed to planned. cPanel staff, do you happen to have further details, such as release dates?

photo
1

ETA before March 2016? Please?

photo
1

IMO the cPanel implementation timing should be fairly close to when Let's Encrypt comes out of beta / goes mainstream..

photo
1

The public beta starts December 3rd 2015. Adding support ASAP would be appreciated.

photo
2

From what I've read so far of where LetsEncrypt is in their project — and let me emphasize that I think they're doing great work — I don't think it will be added TOO quickly to cPanel. They're a very small team hard, but from what I've read on their forum, development is not as far along. I'd term it more of an open alpha than an open beta, especially these days when so many projects enter in perpetual beta and make releases....

photo
1

I've been using it for several weeks without issue. Currently they don't have an automatic renewal mechanism but it's much further along than you seem to think. They've already issued over 11,000 certificates.

The project has the backing from a lot of big names like EFF, Shopify, Automattic (WordPress), CISCO, and many more.

They may be behind their original deadlines but they are going open beta on December 3rd and accepting requests from anyone who would like to take part.

https://letsencrypt.org/2015/11/12/public-beta-timing.html

photo
2

I'm not intending to diss the project in the slightest, but the reading I did in their forum - even team members of the project talk about how small they are and how much work they have to do. Also, looking at the OSes supported currently.... it's a long road to go.

I believe you've been using it without issue; I believe others are as well. I'm just saying that there's not a huge range of support yet - that will take time.

I'm excited to see the progress coming.

But also, in my attempt to get it running - as I've seen others say, it complained about my version of Python. I chose to stop at that point. I'm not a Linux guru, so it's entirely possible to screw my production server up and lose business. I can't take the risk for now.

I highly look forward to it getting to the point where I can risk installing it. :)

photo
1

Indeed it would be great to try. The cPanel environment is far more closed than manually installed stacks. I see Facebook became a supporter today as well. From discussions, it would appear that it also supports multiple domains on one IP, critical considering the scarcity of IPv4 IP addresses. I know they have the naysayers. Only a few weeks ago I think a cPanel reply I got was that they would never get it to public beta within even a year from now, based on the setbacks and delays they had already had. A 50,000 strong beta, and so many successfully getting the certs, it seems to me that cPanel ought to get *very* involved with the LE team to make it work as seamlessly as possible, maybe with EA4 in cPanel 54?

photo
1

Remember, cPanel has a deal with Trustwave to offer their $79/yr (!!!) certs through the WHM (under Purchase and Install an SSL Certificate). It could be that they are unable to implement LetsEncrypt due to this contract. If that were the case it would be great if they would let us know.

I am not holding my breath for cPanel to implement this feature. I think we're much more likely to see the community solve this problem.

photo
1

I guess you missed the part where this is listed as planned. If they were not going to do this, they would not move the request to the planned phase.

There seems to be a ton of people that for whatever reason just want to be naysayers and talk about how this will never be implemented, and how Let's Encrypt is going to fail. It adds literally nothing to the discussion.

photo
1

Ah, sorry. I did not realize this was marked as planned. I think LetsEncrypt is great and have no reason to think it will fail. Still, I expect to see a community solution before an official one.

photo
1

I'm trying to test letsencrypt on a CloudLinux/cPanel server. I know it's not yet fully compatible...

I'm getting conflicts with the git-cpanel package.

    root@server5 [~/letsencrypt]# ./letsencrypt-auto
    Bootstrapping dependencies for RedHat-based OSes...
    yum is /usr/bin/yum
    ...

    Transaction Check Error:

    file /etc/bash_completion.d/git from install of git-1.7.1-3.el6_4.1.x86_64 conflicts with file from package git-cpanel-1.8.3.1-1.el6.cloudlinux.x86_64

    file /usr/bin/git from install of git-1.7.1-3.el6_4.1.x86_64 conflicts with file from package git-cpanel-1.8.3.1-1.el6.cloudlinux.x86_64

    file /usr/libexec/git-core/git from install of git-1.7.1-3.el6_4.1.x86_64 conflicts with file from package git-cpanel-1.8.3.1-1.el6.cloudlinux.x86_64

    file /usr/bin/git-receive-pack from install of git-1.7.1-3.el6_4.1.x86_64 conflicts with file from package git-cpanel-1.8.3.1-1.el6.cloudlinux.x86_64

...and so on...

    Could not install additional dependencies. Aborting bootstrap!

Is there a way to fix this? Bypass this check? (since we have git installed on every cpanel server anyway).

photo
1

No problems here. CloudLinux 6.7 + cPanel 11.52.1. We only use the copy of git that’s already included in cPanel. If you had previously installed a different copy of git, try uninstalling that to see if it makes a difference.

photo
1

Thanks Valetia. That solved that git issue.

But now I can't generate a cert anyway.

    root@server5 [~/letsencrypt]# ./letsencrypt-auto certonly -a webroot --webroot-path /home/mydomain/public_html -d mydomain.com -d www.mydomain.com --server https://acme-v01.api.letsencrypt.org/directory --agree-dev-preview
    Bootstrapping dependencies for RedHat-based OSes...
    yum is /usr/bin/yum
    Loaded plugins: fastestmirror, rhnplugin
    Setting up Install Process
    Loading mirror speeds from cached hostfile
    * cloudlinux-x86_64-server-6: cl-mirror.idealhosting.net.tr
    Package python-2.6.6-64.el6.x86_64 already installed and latest version
    Package python-devel-2.6.6-64.el6.x86_64 already installed and latest version
    No package python-virtualenv available.
    Nothing to do
    Loaded plugins: fastestmirror, rhnplugin
    Setting up Install Process
    Loading mirror speeds from cached hostfile
    * cloudlinux-x86_64-server-6: cl-mirror.idealhosting.net.tr
    Package git-1.7.1-3.el6_4.1.x86_64 already installed and latest version
    Package gcc-4.4.7-16.el6.x86_64 already installed and latest version
    Package dialog-1.1-9.20080819.1.el6.x86_64 already installed and latest version
    Package augeas-libs-1.0.0-10.el6.x86_64 already installed and latest version
    Package openssl-devel-1.0.1e-42.el6.x86_64 already installed and latest version
    Package libffi-devel-3.0.5-3.2.el6.x86_64 already installed and latest version
    Package ca-certificates-2015.2.4-65.0.1.el6_6.noarch already installed and latest version
    Nothing to do
    WARNING: Python 2.6 support is very experimental at present...
    if you would like to work on improving it, please ensure you have backups
    and then run this script again with the --debug flag!

photo
1

And if I run it with the --debug flag I get this:

    Creating virtual environment...
    ./letsencrypt-auto: line 166: virtualenv: command not found

photo
2

I had to remove the python-virtualenv requirement from the Letsencrypt client config as it's incompatible with Cloudlinux setups. Edit ./bootstrap/centos.sh and remove the corresponding line.

Afterwards you can run it with:

letsencrypt-auto --debug --server https://acme-v01.api.letsencrypt.org/directory --agree-tos -a webroot --webroot-path /home/USERNAME/public_html/ -m USER_EMAIL -d YOUR.DOMAIN.TLD certonly

After giving out a bunch of deprecation warnings you get your certificate in /etc/letsencrypt/live/YOUR.DOMAIN.TLD

photo
1

I'm still getting this:

    ./letsencrypt-auto: line 166: virtualenv: command not found

Feels dangerous to remove something called virtualenv :)

photo
1

I installed cloudlinux alt-python-virtualenv and got past that previous error! Seems to work fine now. Now we just need to find a way to automate the install and update of certificates :)

photo
1

Can we have this still this year? (⸮)

photo
3

Ideally a single button press in cPanel will (a) generate the necessary pub/priv certificates (b) submit to Let's Encrypt (c) install the certificate for the relevant site and most importantly (d) add a cron to automatically renew every 80 days.

photo
1

Amen to this idea. Let's make this easy!

photo
1

Meanwhile, Plesk has already added support for Let's Encrypt - check out their extension catalog.

photo
1

Plesk already has this. Let’s not have egg on our face, shall we? In terms of new features I would consider this a top-tier priority right now.

photo
3

We have created a How To article on the forums for installing the Let's Encrypt client and how to generate and install the SSLs via the command line using the API. Hopefully until development can look into adding a plugin or native function, the following should help all server administrators generate and install SSL's.

https://forums.cpanel.net/threads/how-to-installing-ssl-from-lets-encrypt.513621/

photo
1

There appears to be a typo in your Centos 7 instructions.

    root@server [~]# git clone https://github.com/letsencrypt/letsencrypt./letsencrypt-auto --verbose
    Cloning into 'letsencrypt-auto'...
    fatal: repository 'https://github.com/letsencrypt/letsencrypt./letsencrypt-auto/' not found

photo
1

Thanks, I corrected this.

photo
1

Still a typo, it should be the following:

    ./letsencrypt/letsencrypt-auto --verbose

Since git clones Let's Encrypt into its own subdirectory (letsencrypt). Typing just ./letsencrypt-auto will give an error stating there is no such file or directory.

photo
1

Now it has started working, I am using it.

Thanks

photo
1

How did you install it?

photo
1

I must admit, I would really like to see someone do a quick guide to installation in the style of the digitalocean guides. For me that is Centos 7, Apache 2.4 and PHP5.6 stack, and if they have made a cron to update it. I have the feeling that this can't be rocket science for the devs at cPanel, especially if they were to work with the LE team.

photo
1

I'm excited for this to be an easy plugin used by WHM and cPanel. Please remember though that this is still in beta. It would almost seem two-faced if cPanel blocked SPDY for possible security issues yet would roll out support for Let's Encrypt while still in beta. If any of you value security please do not deploy Let's Encrypt on production servers until it is finalized and has been audited and tested extensively.

photo
1

Anybody out there tried this yet?

https://gethttpsforfree.com/

photo
1

It works perfectly for me!

photo
1

Since you don't have a WHM plugin, I guess this means it's one installation per cPanel and cannot install once and create multiple SSL certs for multiple domains?

photo
2

So, Plesk users get the plugin faster and for free, but cPanel users have to wait and pay $30 for it? Wow...

photo
2

That's kind of a stupid thing to say. This is a third party, not cPanel. You can follow the instructions by the Let's Encrypt folks and get it working. So you have to neither wait nor pay $30. The fact that Plesk got it quickly is great; and it'd be neat if cPanel gets it quickly, but your comment is wrong.

(Meanwhile, I have CloudLinux, so I'm waiting for someone to get it working on there and write up how they did it. hehe)

photo
2

I made it work with CloudLinux - followed the same guide - no issues with that :)

photo
1

Hrm... I had troubles, so off to do more research on it. :)

photo
1

@LucasRolff What version of CloudLinux did you get it working on? We have been holding off rocking any boats while CL7.x and cPanel x.54/ea4 stabilize out more, but if LE works, that is a good sign.

photo
1

Are cPanel deleting comments from this thread now? I got several emails about new comments but they are not here? One of them looked very interesting (install guide), the other was a total stab into cPanel's side calling you all scammers... Anyway the comment re: install should have been left up surely?

photo
1

The link to the guide is still here. By default, when there are many comments, most of them are hidden when the page is first loaded.

At the top of the page is a yellow box containing the original post. Below that yellow box, look for a 'Show All' link in a gray box.

Click that to show all the comments. Then look for the comment posted by cPMatthewV, which contains a link to the guide.

photo
1

cpMatthew's guide is on page one of this thread. I used his guide to automate the process at http://github.com/letsencrypt-cpanel

photo
1

Hi, I am aware of the 'Show all' but it's not actually that I mean, there are literally comments missing. I read through all of them and the one I was looking for is just not there.

The comment I was looking for is below. As I said, not sure why it was removed, but I have hashed out the link in case that was why it was removed....

webstandardcss

Here is a Let's Encrypt installer for cPanel

photo
1

Perhaps it was deemed to be self-promotion, since that page contains a link to the poster’s Facebook page describing their services, and which in turn contains a link to the poster’s own website. There are some who offer items for free with the hidden intention of self-promotion.

photo
1

Please do it as a plugin!!!

photo
2

Any updates cpanel? :)

photo
1

A must have integration! I'd rather avoid installing letsencrypt cli on Cpanel on my own.

Let's Encrypt the world! Shall we?

photo
2

Plesk 12.5 already has it.

photo
1

Plesk also has nginx reverse proxy included and uses its own self-signed SSL when users try to connect through SSL to a site that doesn't have a certificate instead of showing another site on the same IP that does have a certificate.

Instead cPanel concentrates their resources on fiddling with Paper Lantern because they don't like X3 any more.

Different priorities I guess.

photo
2

I've gotten Let's Encrypt to work with cPanel / WHM and my website but I had to do it manually. Also, I have a Virtual Private Server, so I'm root. This made it a bit easier. I think it would be simple for cPanel to roll out an update that would allow Let's Encrypt to work automatically, at least for just getting the certs.

All cPanel needs to do is make it so Let's Encrypt can access a file it creates in the document root's directory for the various Virtual Hosts. For example, Let's Encrypt creates a directory, .well-known/acme-challenge in the document root. We point letsencrypt-auto to the document root, /usr/local/apache/htdocs, but when letsencrypt-auto tries accessing stuff like webmail.mydomain.com/.well-known/acme-challenge, it cannot. cPanel redirects to a 401 or whatever it is.

If cPanel just put in a small little patch that would allow the .well-known/acme-challenge directory to go through for the various virtual hosts, it'd be great! There are already scripts to automate installing the certs into WHM and installing the certs for the various services (i.e., cPanel, WHM, webmail, ftp, etc). But currently, the only way to get the certs is to stop our webserver (i.e., Apache), grab the certs, then start our webserver back up again. Even though this can easily be automated, with a busy website, this causes issues for users. Thanks!

photo
1

I came across https://letsencrypt-for-cpanel.com/ and it looks good and easy.

Unfortunately they only support 64 bit and I would need it for an older, smaller 32bit VPS.

If you need 32bit and would consider them, please let them know.

photo
1

Mark,

Can people even charge for something that uses Let's Encrypt? I would guess they probably could, because they're not charging for Let's Encrypt themselves, just the plugin.

In all honesty though,

I didn't find it hard to manually set up Let's Encrypt to play nicely with cPanel. Even found a script on the net and modified it a bit to install the generated SSL certs for the various cPanel services, like whm.<yourdomain>.<whatever>, cpanel.<yourdomain>.<whatever>, etc. If you're interested in setting up Let's Encrypt's SSL certs to work with your cPanel stuff, I could probably help you out. There's a little bit of work but not too much. And as far as I can tell, there's two ways to do it.

photo
2

At $30 per HOSTNAME and only a year of support, it's an extremely expensive solution for most people. In addition to that, their TOS states you cannot use it on a server that has Cpanel installed by the company you are getting hosting from. They only allow people who own their own cpanel license, on their own server (not leased from a company) to use their service.

Anyone who is doing that, will most likely just do it manually instead of paying an additional $30 per hostname for a cert. It's way too expensive, and their TOS is way too restrictive to make it worth it for most unfortunately.

photo
1

I tested and purchased the plugin Mark mentions. I like the idea of a customer clicking two buttons in Cpanel and adding SSL to their site, with ZERO admin babysitting needed.

photo
4

Hi Dustin, we are the creators of the plugin.

It is $30 per WHM server hostname, not per certificate hostname.

The plugin works for the lifetime of the product, and updates are also free forever. Support means email support, and it is limited to one year to ensure we can viably support it into the future.

Additionally, you may use the plugin on any leased server without limitation. The only restriction is handing off an Organisation licence off to your own clients. Individual licencing is not affected whatsoever.

You can certainly self-manage Let's Encrypt on WHM with cron jobs, and that's fine for many people. Our main target was reducing support burden for medium/large web hosts (ourselves included) who lose a lot of time helping people buy and setup certificates.

Hope that helps.

photo
1

Dustin, it's $30 per WHM hostname, not per domain a cert is issued. Don't know where you got the TOS bit, but I'm going to assume you're misinterpreting it.

Of course it will not work if you're on a shared server, because you need root to get it going. Frankly, if you're on a HG shared reseller account, you're not really serious about hosting anyway.

photo
1

At $30 per hostname I'm willing to try it as soon as my next SSL request is ready. It's obviously possible to configure this manually but everything that may automate the job and save us time is highly appreciated :-)

photo
1

I apologize Alex, I misread the TOS. Sorry about that. $30 per server hostname is definitely worth it. I will give your trial a shot and see how it goes. Thanks for clearing that up!

photo
1

I also misunderstood, from reading the webpage link. If the 30$ is to provide support and make it easier for them to implement Let's Encrypt on their servers, I think that's definitely fair and might be of some interest for certain people.

The way I do it, there is some initial work involved, but once you do it, everything is automated and you don't have to do it ever again, unless something changes. I use a cron-tab entry to automate the renewals / cPanel integration. I could definitely see some people paying money to have someone set all of that up for them though.

photo
1

@Ken

For our server certificate we have a wildcard one right now, but I am in the process of switching it over to a StartSSL certificate. I need a CodeSigning certificate anyways and their class 3 OV validation comes in cheaper than a three standard signing certificate and I can create a wildcard three year OV certificate for free on top. So that will cover our main needs.

I was looking for an easy way to add certificates to some of the hosting domains we have on the server and keep them updated.

If you have a (semi-)automated way to do that, that would be great.

These guys have a nice cPanel integration with a UI that seems very easy to use for end users, but if I need to do some command line work to set it up for our clients once, that's not too bad either.

photo
1

Mark,

Although I've run Linux since I was in middle school, owning a domain and using SSL is still very new to me. CodeSigning and class 3 OV validation are a bit Greek to me. However, I can still show you what I did with my server, how I did it, and what the outcome was. I can share with you the script I used to install the SSL cert in cPanel, the script I used to configure it for the various cPanel proxy subdomain redirects (i.e., whm.yourdomain.com, cpanel.yourdomain.com, webmail.yourdomain.com, etc) and the cron-tab stuff to automate it all.

Is it okay if I send you a private message with my e-mail address, if you're still interested, so we can talk about this in private? Thanks!

photo
1

@Ken

Sounds good. Thanks. I am more of a Windows guy and most Linux scripts sound Greek to me...

photo
1

Mark,

I don't see any options to send a private message on here. Could you please send an e-mail to my junk mail account and I'll contact you via my gmail account? My e-mail is nacho2 874 @ yahoo.com (just remove the spaces). I'm going to head to bed now but I'll write you tomorrow with what I did and how to do it. Thanks!

photo
3

Thanks for sharing https://letsencrypt-for-cpanel.com/. I spun up a cPanel demo on a DigitalOcean Droplet and checked this plugin out and found it works great. Passes SSL Labs with an A rating too!

photo
1

ersion: 1.1-20080819

No installers are available on your OS yet; try running "letsencrypt-auto certonly" to get a cert you can install manually

** Done installing Python 2.7 and Lets Encrypt

** Done installing certificate

**** Usage below

** NOTE: Will need to make sure that /root/installpl.ssl exists. see https://forums.cpanel.net/threads/how-to-installing-ssl-from-lets-encrypt.513621/ for details.

****

photo
1

Please, can anyone tell me where I can put this code? I'm using cPanel and most of the results I found on Google use Linux.

photo
2

Let's Encrypt is a very nice and important feature for cPanel's future.

Most IT experts want this with cPanel.

photo
1

It is so easy to implement, it could even be introduced in a minor update ;)

photo
1

Unfortunately the cPanel has lost many customers may not have SSL the main IP but now and will lose even more as the delayed Let's Encrypt. In Plesk it works just fine. I have my servers in cPanel but really meditate change because competition has grown; all the companies with Plesk offer Let's Encrypt, things that we with cPanel cannot do.

photo
2

It may seem easy to you but there is more work than just making it work; they also have to make sure it's secure, doesn't have any bugs, will be compatible with future releases of cPanel, doesn't break any existing usages/features. They also have a lot of other features that they are in the process of integrating. This feature is planned and will hopefully soon make it to in progress. They have started work on v56 so I doubt this will be before v58.

photo
1

Well, the implications are clear, but it can't get any easier than the letsencrypt guys implemented it.

I am using it with manual implementations on all my boxes already, besides on my cPanel box. And especially for the hosters offering WHM/cPanel it's a massive plus to offer this to their clients. Plus there are already guys offering cPanel plugins for it. This is not cosmetics but pretty much standard (as well as SNI, btw...). But maybe I am alone with that point of view (don't think so).

Imagine happy clients which don't get punished by Google with bad rankings for not offering TLS as standard ;)

photo
1

> but it cant get any easier than the letsencrypt guys implemented it.

Well, that's arguable. Should see what AWS Certificate Manager implemented, but that is different piece on its own.

photo
1

true, the aws certificate management is straightforward, especially if you run aws infrastructure anyway.

just my 2 cents anyway :)

photo
1

@cpanelnick, why is it taking so long to implement this? This is very simple really. Don't wait for people to switch to Plesk.

photo
1

I am really in favor of this feature request, being a webhost. But, on the other hand, with DV SSL rated at 4 euro/year, it isn't the highest item on my priority wishlist. Might be because I've automated the whole process...

photo
1

It would certainly be nice to have a tool in the WHM for this feature to streamline this process for creating and installing certificates, but especially for maintaining and revoking them later so a site owner doesn't have to think about it much, or create the cron jobs manually.

One gotcha I found is if the user has a CMS installed at a particular domain or subdomain, the cert creation command will fail because of index.php and .htaccess redirect issues. The work around for that is to temporarily disable those files and run the command again so that the tool can write to the root folder properly and verify the domain.

LetsEncrypt installation in /root/ is pretty straightforward if you read the guide at https://forums.cpanel.net/threads/how-to-installing-ssl-from-lets-encrypt.513621; or the repo at https://github.com/letsencrypt/letsencrypt.

Then it's about creating certs with the command line and installing them with cut-and-paste using the WHM at Home > SSL/TLS > Install an SSL Certificate on a Domain.

So yes, having a tool in the WHM would make that a lot easier.

After installing the tool, it's easy to run the commands to create certs with /root/letsencrypt/letsencrypt-auto, e.g.:

    ./letsencrypt-auto --text --agree-tos --email email@domain.com certonly --renew-by-default --webroot --webroot-path /home/cPanelUser/public_html/ -d domain.com -d www.domain.com

If the command completes successfully, the certs get installed in /etc/letsencrypt/live/domain/{cert.pem@, chain.pem@, fullchain.pem@, privkey.pem@}

Then it's trivial to cut-and-paste the cert.pem and privkey.pem into the WHM tool mentioned above.

My wish list for the WHM LetsEncrypt tool:

  • create certificates
  • match important options found in ./letsencrypt-auto --help all
  • pre-verify domain/subdomain has the right conditions for cert creation
  • measure hits on LetsEncrypt servers to avoid rate limiting
  • install certificates in domains/subdomains
  • maintain certificates with default and customizable crontab setup
  • revoke certificates
  • convert certificates to other formats
  • date and label certificates in WHM for easy visual reference
  • log file viewer and filter for /var/log/letsencrypt/letsencrypt.log*/
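
The renewal side of the workflow discussed in this thread (90-day certificates under /etc/letsencrypt/live/, kept fresh from cron), as an added example that is not part of any post here and is not cPanel's or Let's Encrypt's own code. Instead of renewing on a fixed timer, a daily cron job can ask openssl how much validity each certificate has left; LIVE_DIR, RENEW_DAYS and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: report which Let's Encrypt certificates need attention.
# Assumption: certificates are stored as <LIVE_DIR>/<domain>/cert.pem, the
# layout mentioned in the thread. LIVE_DIR and RENEW_DAYS are hypothetical
# settings introduced for this example.

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
RENEW_DAYS="${RENEW_DAYS:-10}"   # 90-day lifetime, so this fires around day 80

# cert_status FILE DAYS
# Prints exactly one word:
#   missing     no certificate file at that path
#   unreadable  file exists but openssl cannot parse it as X.509
#   expired     notAfter is already in the past
#   due         expires within DAYS days
#   ok          more than DAYS days of validity left
cert_status() {
    cert=$1
    days=$2
    if [ ! -f "$cert" ]; then
        echo missing
        return 0
    fi
    # Parse check first: -checkend also fails on garbage input, and a corrupt
    # file must not be mistaken for a certificate that is merely due.
    if ! openssl x509 -noout -in "$cert" >/dev/null 2>&1; then
        echo unreadable
        return 0
    fi
    if ! openssl x509 -noout -checkend 0 -in "$cert" >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -noout -checkend "$((days * 86400))" -in "$cert" >/dev/null 2>&1; then
        echo due
    else
        echo ok
    fi
}

# domains_due
# Prints one "<domain> <status>" line for every directory under LIVE_DIR whose
# certificate is not "ok". Empty output means nothing needs renewing.
domains_due() {
    for dir in "$LIVE_DIR"/*/; do
        [ -d "$dir" ] || continue          # glob matched nothing
        domain=$(basename "$dir")
        status=$(cert_status "${dir}cert.pem" "$RENEW_DAYS")
        [ "$status" = ok ] || echo "$domain $status"
    done
}

# When called as "script report" (for example from a daily cron entry), print
# the list so the caller can renew and reinstall only those domains.
if [ "${1:-}" = report ]; then
    domains_due
fi
```

Running the check daily means a failed renewal is retried the next day while the old certificate is still valid, which a single job scheduled every 80 days cannot do.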

photo
2

Plesk already have it. https://devblog.plesk.com/2015/12/lets-encrypt-plesk/

Direct Admin, a free control panel, also have it. http://www.directadmin.com/features.php?id=1828

Chrome will flag unencrypted websites soon.

This feature request is "Planned". Does that mean they haven't even started working on it?

photo
1

uhhh -- Direct Admin is far from "free" -- http://www.directadmin.com/pricing.html

photo
1

Sadly, whilst the cPanel 56 change log shows signs of PHP7 inclusion (another feature that is needed), there is no sign of LE in 56 either. Looks like this one may have been kicked into the long grass.

photo
1

Is it in cPanel's best interest to delay LE implementation? Do they sell SSL certs or partner up with another company that does? I'd imagine this is a significant source of revenue for certain SSL cert issuers.

photo
1

No-one in their right mind would pay those prices.

I doubt it is a major source of revenue.

photo
1

cPanel partners with Trustwave and offers their $79/yr DV certificates through the WHM under SSL/TLS >> Purchase and Install an SSL Certificate.

photo
1

Considering that a 3rd party premium plugin was developed to add LE functionality to cPanel, it is pretty bad that cPanel themselves have still not added this in or posted updates. It will not lose them or any other company money as it is only basic SSL Certs that are being issued, for those on marketplaces or who want the full verified stamp etc they still need to purchase a premium one.

We are almost a full year since the request was made and it would appear that no progress has been made by cPanel?

I must say though cPanel are missing a trick here because if they added this functionality to WHM/cPanel they could even have a small area that promotes premium SSL certs either via cpanel directly (or sell their own via partnership) or they could list a cPanel recommended supplier which would allow them to make money or commission from those who want / need more than a free SSL Cert...

Please cPanel post an official update to this

photo
2

I really doubt they have made no progress. A lot of this abuse directed at cPanel is unwarranted.

Perhaps some individuals in this thread should take a look at the churn happening in the acme-spec and boulder repositories. We do so to keep on top of things for our plugin, and the fact is that Let's Encrypt is still in beta, and things are changing every day.

For instance, instant issuance may be working for now, but delayed issuance (to avoid overloading the HSM) is definitely going to be a fact of life, it was in the ACME spec from day one and materially affects how *any* plugin, including ours, works.

There are issues with various resolvers (PowerDNS), issues with various networks and providers causing validation timeouts, there is a lot that needs to be fixed before the service can be called stable.

cPanel have every right to be cautious when something like Let's Encrypt has yet to stabilize its own operations.

photo
1

Best comment ever.

photo
1

> Considering that a 3rd party premium plugin was developed to add LE functionality to cPanel, it is pretty bad that cPanel themselves have still not added this in

You forget that cPanel has other priorities as well. There's stuff right now that is *far more* important than Let's Encrypt. Maybe it's easy to implement for a third-party (which I believe still doesn't work optimally) - but cPanel has other stuff to do as well.

photo
1

To be fair cPanel ALWAYS is far behind the competition. We don't even have DNSSEC and that feature request has been floating around for over 4 years! Both Letsencrypt AND dnssec are trivial implementations as they only hook into other existing systems (DNS and SSL managers respectively). Both subsystems provide extensive API support both internally and externally so all that needs to be actually done is write a nice GUI and some glue code / cron jobs.

There is frankly only so much protection HTTPS can provide if you neglect to protect the DNS against MitM attacks.

photo
1

Yeah like trying to remove x3 and forcing people onto paper lantern :L

End of the day this should really be a very simple thing for them to implement, given everything WHM / cPanel can already do, all the other plugins that exist... If they don't have the capacity to work on these features then they need to start hiring new developers and expanding their team in order to keep up with the workload they have, otherwise, as many people have already said, paying customers will go to control panels that have customers' requests at their heart.

photo
1

DOUBLE POST. MY BAD

photo
1

I'm not meaning to have a go (I realise I kind of did have a go) but this is a fairly important feature, especially because it is being recommended left, right and centre for EVERYONE (whether you're a company or an individual website like a blog) to use SSL encryption. Not everyone can justify / afford the cost of an SSL cert (even cheap ones). Google too are going to give sites that are HTTPS a higher rank than those without. It's more than just security, it's also your ranking, which can have an adverse effect on any site if your rank drops.

I would say LE implementation is closer to a critical request than a trivial one...

Anyway as I said if they could at least give us updates or something...

photo
1

@Daniel:

- gdnsd which is a geo-aware DNS server doesn't support DNSSEC as well. Also fine you want to use DNSSEC, majority of the internet still doesn't validate DNSSEC anyway, so there's no real added security

They're not trivial implementations, sure you can just download the Python client, and do some hacked stuff, which isn't guaranteed to work all the time. But cPanel has to implement it, and implement it *nicely* and make sure that it's (almost) free of bugs, and make sure it doesn't change existing behaviour. If you're working with a large piece of software (especially software that has many years of development behind it), it can often not be that easy to just implement stuff. Let's say you're having some legacy code which no one really has touched for a long time (Because if it works, why fix it) - if you have to actually touch these parts of code all of a sudden, you have to be very very careful about changing anything, because you'll have to do an end to end testing with every functionality that relies on that code (and sometimes you find out there's stuff that relies on a piece of code you didn't imagine ;) ) - and often what you might happen to do, is to actually end up rewriting this legacy code from bottom up, to also make it easier for future extension of the code - which I know is also why cPanel went with EA4 e.g., to start a fundament of being able to plug new stuff easier into the system.

@Greg:

- x3 was deprecated because it was built many years ago, and to further develop cPanel at the speed you guys require, they have to at some point make functionality or themes EOL. They did that with x3 because the codebase wasn't easy to build upon. Where in PL this has become easier.

And sure they can hire more people, but are you gonna start paying double for your licenses every month? No I don't think so.

Just because you're having a bunch of things you want to do, doesn't mean you should do it all at same time - you have to give priority to the things you think (as a company) is important, and what you think will bring value for the most customers (I think EA4 brings more value than free SSL certificates and DNSSEC to be honest).

If you believe the world is just about hiring 1000 developers and get stuff done in 1 month, then seriously.. I'm going to disappoint you - you have to wake up and realize that, it's not how the world works.

You don't get richer by producing more money either.

Seriously, if you believe that you can just hire new developers and expand the team, then try own a company with more than 10 employees, then you'll quickly realize that doubling your employee count won't really double your productivity. duuuh

So - sure, it might be easy for a single server to implement, but it really needs proper testing and they have to think how to extend it in the future - what if another competitor to letsencrypt suddenly appear that offers wildcard certificates, then everyone wants to get that implemented as well.. right? :)

And I agree, this feature is fairly important, but there's other things that are far more important for a much bigger audience that needs to be taken care of first.

And everyone can afford a 7/yr USD SSL certificate - It's 1.9 cents a day. If they can't afford that, maybe they don't even need SSL, or they can just go for StartSSL :)

photo
1

@LucasRolff

If the company cannot keep up with its workload then they need to expand; it's simple business. I work for a company that essentially runs other people's businesses for them. I can guarantee you that increasing your staff when you cannot keep up with your workload WILL improve your productivity and it will also potentially boost revenue.

Securing the web around the world should be top priority for anyone. Keeping details and user info safe and stopping nosey hackers and nosey governments harvesting data. If that is not a priority then you my friend are in the wrong industry and should find a nice Amish settlement to move into.

I also do not expect this implementation to be done within a month however over 10 months without any progress updates is a little bit on the ridiculous side, this is only excusable for open source projects that are not actually commercial projects.

Also if cPanel are falling behind with their workload it would be a very poor business practice to increase their prices. What a successful business would actually do in this situation would be to cut back on some profit for a short term to increase productivity and keep customers happy, at which point their profits would rise again as happy customers = more money. Unhappy customers = loss of business and less money, which directly leads to your competitors rising above you because they are attracting your unhappy customers by offering what you do not...

Long and short of it is that it is good business to keep your clients updated and not just p*ssing into the wind wondering if anything will ever come of it.

Also I find your response to be rude and sarcastic - there was no call for this.

photo
1

> Securing the web around the world should be top priority for anyone

One of the reasons why cPanel is making multiPHP work awesome so they can allow hosting providers to get rid of older (insecure) versions of PHP faster.

Again doubling your staff doesn't double your productivity, and sure - might double your revenue - but who cares about revenue if you'll end up having a loss.

Having a billion dollar revenue business doesn't matter if you owe 3 billion dollars every year.

Having a 5 million dollar revenue and having 500.000 dollar in revenue is way better.

But again, do you agree with increasing your license prices?

Also it's not 10 months, Let's Encrypt went into Public beta the 3rd of December 2015. That's NOT 10 months.

Priorities is one of the key points here - Let's Encrypt at this moment is not super duper important at this moment, compared to many other things that cPanel are developing.

Again inform your customers that they can get *free* 1 year certificates at StartSSL, or offer a free (7 usd) Comodo Positive SSL for your customers.

Also sure if cPanel implements Let's Encrypt, it sucks that I as a provider cannot issue SSL for all my customers in one go due to rate limiting, so what's the point of this very important thing if I as a provider is limited because of LE?

It's better to fix things that affects more people first than doing that most people doesn't care about anyway. Sure Let's Encrypt is nice - we offer it to all our customers, how many uses it yet? Less than 1% of the customer base. Why? Because they couldn't care less.

My response is not rude (well.. maybe a bit) - and especially not sarcastic - but wah.

photo
1

@LucasRolff

It IS trivial. I started developing a custom LE module but discontinued work when the feature request changed to "Planned" in favor of other projects as I would have to continue supporting the module or find a migration path to the official implementation when released. In any case I found it very easy to get the basic functionality working by using a slightly tweaked LE client environment and a modified cPanel vHosts file for the domain verification together with some basic cPanel API commands. Relying on the official implementation in the backend instead of custom ACME implementations guarantees future-proofed code with clean upgrade paths.

With cPanel's errr.... quality control.... that would be one man day development time tops. Seeing how I had to report glaring bugs in cPanel in the past (like vhosts turning modsecurity off and a few lines later on again) we can disregard software testing anyway.

PS: I don't know where you buy your SSL certificates but you can get Comodo PositiveSSL for about half your indicated price from some major resellers.

photo
1

@Daniel - if it's only 1 day, why not finish your custom LE module and send to cPanel, then they can push it to *all* their customers.

photo
1

@LucasRolff I am not planning on having an argument about this however

"Provide Support for Let's Encrypt Automated Certificate Management/SSL
Rick Sabatino shared this idea 1 year ago"

This request was made 1 year ago according to the top of this thread. Sure, LE only went Beta more recently than that, however cPanel could have got in on it nice and early to start enabling integration but they have not. So yes, 10 months with no update is correct and pretty poor.

In the company I work for, if many customers made requests and we ignored it for 10 months we would have no customers left, however if we told them over the 10 month period that we are working on it and are doing our best then most of them would be happy with the update given. We have heard nothing so we are unhappy as we do not know if it will be 6 weeks, 6 months or 6 years.

And the rest of your points do not really hold any water. It is rather simple, look at it this way. If you have a workload that requires say 100 people, but you have 10 people and then add say another 10 or maybe 20 people to your work force. Your productivity will shoot right up (unless you hire complete idiots). this can only mean 1 thing, more work out, more money in. This may be over simplified but it is really that simple. If cPanel were struggling financially they would have already hiked prices but I see no evidence of a financial struggle so therefore it is very reasonable to suggest they take on more developers if they cannot even respond to a thread like this with an update, roadmap, or anything at all. Hell they could even just hire some forum moderators that can talk directly to the dev team for status reports...

You can even take this to a very simple level, a 1 man company. The person running it can only ever manage 50% of their emails, 50% of their invoices and 50% of their duties such as client relations and marketing etc PER DAY. Now this person hires 2 more staff that means, 100% of emails, 100% of invoices and 100% of other duties are now taken care of by these 2 employees which allows the person running the company to oversee all that work AND still have time to find new business opportunities or work on projects.

SIMPLE.

Anyway your logic is terrible and I am not going to sit arguing with you. Myself and other people are just trying to find out why there is no advancement and point out that this is a pretty important issue.

Just because only 1% of your clients are using SSL and the rest 'dont care' doesn't speak for the community, it would more than likely speak about yourself as a hosting provider - clearly you need to stress to your customers the importance of encryption. While you are at it you should probably read up on it yourself. Yes there are more things than just using an SSL but for the average user this is a great starting point as the user would normally make decision on SSL, other security features etc are usually controlled and dictated by the host.

Anyway thank you for making me laugh but I am not going to reply to you after this as it is clearly unproductive, like this feature request.

photo
2

@LucasRolff

Fair point. However considering that one work day is equivalent to a couple hundred dollars in lost income from other projects, it would be much more cost-efficient to just buy the existing third-party solution if I didn't fear the same legacy support problem to arise as noted above. If cPanel was a FOSS project I would be tempted to do just as you suggest, but they are not, so we shall just let them do the job they are getting paid to do while we keep doing the job we are getting paid to do.

@Greg

That's not entirely correct. A smart man (Brooks) once stipulated that "adding manpower to a late software project makes it later" which is about the most important rule in project management.

photo
1

> if many customers made requests and we ignored it for 10 months we would have no customers left

LE is not the only feature customers requested - and again maybe it's important (I don't disagree with you) - but currently there's things in progress which either save time for a lot of SA's (so we can become more productive), or affecting a lot of customers directly.

> but you have 10 people and then add say another 10 or maybe 20 people to your work force

If you have 10, adding 10 doesn't double your productivity - but sure it increases it (maybe)

> more work out, more money in

Sure, but not every feature brings equal amount of money

> suggest they take on more developers

http://job.listings.cpanel.net/ go apply for a job - they're looking for developers

> they could even just hire some forum moderators that can talk directly to the dev team for status reports

If a feature is in the backlog, and the priority isn't high enough, then nothing is discussed during a sprint planning - aka those forum moderators have nothing to tell.

When there's news the PO usually informs on the forums and feature request page.

> Just because only 1% of your clients are using SSL and the rest 'dont care' doesn't speak for the community, it would more than likely speak about yourself as a hosting provider

We inform customers just fine that security is important, and that encryption is important, but if a customer doesn't need a feature they don't use it - it's really that simple.

We also ask customers to take backup of their data - do they do it? Usually not. - Look at your own hosting, assuming you provide shared hosting - how many of your customers have fully up to date systems? Who needs SSL that encrypts your data if the site can get hacked, and expose all the data on the interwebz.

Again - the actual SSL usage for customers is very very little. - You can by the way, install one of the many open source, working le clients that work with cPanel, offer your customers SSL certificates. It's better to do 1 second of work, than not offering a feature.

> While you are at it you should probably read up on it yourself

I'm fully aware on how encryption works.

> other security features etc are usually controlled and dictated by the host

Not really - the host is often required to take actions to secure the customers websites because the customer is too lazy actually caring about their own security.

> Anyway thank you for making me laugh

You're very welcome.

photo
1

@Daniel

I don't see it being a 'one day' job, if it really was that simple, I know cPanel would have done it already - they're not stupid (They're actually really smart people).

If people really really want this feature right now, why not buy those 3rd party solutions, I believe there's even a plugin which is like $150 for unlimited servers - if you run 5+ servers anyway that isn't really gonna ruin your budget (hopefully) - and then until cPanel makes their own implementation you have a working solution you can offer to customers.

A lot of people that use cPanel forget how huge the cPanel codebase is - please those that say it's really really easy - go take a look at the source code - it's a huge project that has legacy parts in it (truth be told), and yes there's a lot of stuff that might need to get rewritten, and we all (that knows software development) knows how hard it is to rewrite code and make sure it works 100% as before but in a better way.

We all decided to go with cPanel for a reason, and not with some of the paid/free alternatives.

There's in other cases where their competitors offer nice features, but same with cPanel they also offer some nice features that competitors doesn't or maybe they offer them in a more stable / clean way.

I don't think hiring more people would 'fix' anything, sure maybe you can push more work, but will the quality be just as good? Maybe not - and maybe the investment you make in those extra employees might not even give you the benefit you was hoping for.

There's plenty of examples of companies that with more employees didn't really develop a lot more features compared to when the company was smaller and more flexible.

Official LE support from cPanel would be awesome - and I guess we can all agree - but at least from my point of view, and for companies point of view that manage thousands of cPanel servers - there's far more important features being requested that make the lives easier for us, or save us money (either actual money or saving man hours). Allowing free automated SSL certificates is a nice feature - I agree. But I just see way more important things that either has to be developed or being developed to a more mature state.

But I guess in the end it comes down to what we as different hosting providers want to offer our customers, and what we focus on.

photo
1

@Daniel Ruppert

I would normally agree in regards to a late software project, however given the fact that this project has clearly not yet been started it's not really applicable. Plus I was not just referring to developers, I mean staff as a whole, or someone who can mediate between the end user customers (us) and the developers so that we can be kept in the loop.

photo
1

Daniel Ruppert,

A bit off topic here, but I saw your post mentioning DNSSEC. For my provider (GoDaddy), I have an option of purchasing something that sets up DNSSEC. Do you know if there's a way to set that up for free? I tried sending a PM but couldn't find a way. Thank you.

photo
1

This is no excuse for cPanel not at least issuing an official status for this "upcoming" implementation!

I agree with Greg: cPanel, please give us some more information about the status of this feature request. What does "planned" stand for ?!?

For the time being, the 3rd party plugin does its job quite well... compared to nothing at all!

photo
1

> What does "planned" stand for ?!?

That it's planned.

photo
1

It IS in beta right now. If you listen to talks that LE staff do, it is quite clear it will be in beta for MANY months yet. They are still working on getting Apache working with it right, and nginx has many months' worth of work to catch up. They also have a LOT of work to do with the browser builders and their current system has a physical limit to the number of certificates it CAN issue and they are pretty much at that already. LE does NOT want any more load, and the work that the cPanel devs would face would be immense, as the goalposts will keep shifting, and not by small amounts. Yes, there are scripts out there that work, but I can quite see why cPanel will not include this any time soon. There are 4 releases scheduled for cPanel this year. You have had 54, leaving 56, 58 and 60. 56 is already well under way, and there is no sign of LE in that. So, that leaves just 58 and 60. For it to get into 58, the decision would have to be made within 2-3 months, and in that time it is highly unlikely that LE will be ready enough. My guess? Wait for cPanel 60. Or do it yourself for now. There may be a demand right now, but there is not the supply of capacity at LE. My guess is that LE would not want cPanel to include a functional feature yet.

photo
8

Short answer: We have built a framework for this, but we're holding off on releasing this until LE stabilizes.

Long answer: In the last 5 years cPanel has put increasing focus on customer experience, and extensibility. With Let's Encrypt still in beta and consistently being improved, it has not yet been possible to build stable functionality that meets our standards. The good news is that we have been working directly on this internally, and all of the ground work for that functionality will be in place for v56. We have also been working with Let's Encrypt on this and the current plan is to release a plugin outside of our typical release cycle, as soon as Let's Encrypt stabilizes, that we expect to work on any cPanel & WHM v56+ servers.

photo
1

Thanks for responding here. To get an idea of the timeline here when is v56 expected to roll out? Any publicly available roadmaps that you can share?

photo
1

Well, technically, cPanel is at version 11!!! So version 56 is a long way to go!!! lol!

photo
3

No problem! 56 is entering its final stages of development now. We will be stopping all active development later this month, running through our final QA checks, and hope to have a version out to Current late this month. We don't have any public roadmaps yet, but it's definitely something I'm working on.

photo
1

Daniel: Hah! We changed our versioning pattern with 54, which was released after 11.52. You can read more about that here: https://blog.cpanel.com/whats-next-for-cpanel-whm/

photo
1

Thank you very much for replying in here. Hopefully it cuts down on the offtopic arguments and such. I wish there was a way to subscribe just to cPanel staff replies. :)

I'm curious on a couple of points:

1. Is the plugin idea anticipated to be the permanent / longterm implementation whenever it happens? i.e. do you anticipate LE functionality being later more integrated directly, or do you anticipate the plugin being the permanent method?

2. Is it a plugin that will appear someplace and basically we'll check a box to turn it on (the way things like Tomcat and such worked previously), or will we have to run a script or copy files somewhere? (Or something else I haven't thought of?)

Again, thanks for the reply. :)

photo
1

edit: sorry for the dupe, it didn't show that my post had posted…

photo
1

That's no problem at all. :) The system sometimes doesn't refresh automatically.

I don't currently have answers to those questions, but I hope to have them soon. I'll update this thread again when I have them.

photo
1

What specifically needs to stabilise? I only see new features being added, and I haven't seen any backwards compatibility broken since public beta.

Btw. it's almost a million issued certificates now, and the curve is still rising:

photo
4

Got some answers for you. I continued your numbering system to keep things easy:

1. We expect it will continue to be a plugin for at least the foreseeable future. This will allow us the flexibility to be able to do releases outside the normal cycle, in order to accommodate the speed with which changes will likely need to be made.

2. We expect it will be enabled with a checkbox inside the plugin UI in WHM (which is similar to how the other plugins we've included have worked).

photo
2

I would very much like to see the proposed plugin for Let's Encrypt offer the ability to mass-provision certificates for the entire server, one for each domain name, and to include support for cPanel DNS-only systems too -- (to install a hostname certificate so that you're not surprised with certificate warnings when clicking "Fetch the remote access key" while adding new servers to your DNS cluster).

photo
5

I agree, we would like to enable certs by default on all domains and all subdomains without the customer needing to do anything, so the ability to 1- mass enable and 2- enable by default on new domains would be great. Of course letsencrypt ratelimits would need to be managed when doing something like this

photo
1

Any updates on this feature? I was going to hire someone to install Let's Encrypt but I would rather save the money where I can.

photo
1

As long as Let's Encrypt is still in beta, cPanel will hold this off.

photo
1

I definitely would love to see this added. Security is a big issue. With all the Ad-Hoc networks that we are connecting to using our mobile devices, link encryption is mandatory. No one in their right mind would intentionally run unencrypted connections, yet I am forced to do just that because of cost constraints. My ISP does not support Let's Encrypt and the cost for certificates and their required support services, when you look to cover 1/2 dozen domains, are simply unbelievable.

photo
1

If you consider 50$ for a personal or 100$ flat per year for a company account "unbelievable", then yes. Otherwise just go like about everyone else who needs a lot of domains signed from a reputable source with long certificate lifetime and use StartSSL =)

While I would like to see LetsEncrypt added asap too for my customers, it ONLY adds real value for the masses not actually caring about encryption. If you as the hoster do care about security, you should have added SSL certificates ages ago and not only when Google threatens to rank-down your website...

photo
1

In the interest of keeping the comments on this request focused, please take general conversation about the hosting industry to a forum thread or email conversation.

photo
2

We are still working internally on getting this out for you, and we're just as excited about it as you are! Currently we're hoping to see this hit with v58, which should be ready for production around 12-16 weeks from now. Thank you all for your continued interest, and hopefully we'll have something that meets our standards for you soon!

photo
1

Will you implement it before Chrome starts marking HTTP as insecure?

photo
1

We'll certainly try!

photo
4

We are still working internally on getting this out for you, and we're just as excited about it as you are! Currently we're hoping to see this hit with v58, which should be ready for production around 12-16 weeks from now.

I don't have any further updates at this time, and I think we've gotten just about all of the clarification on this request that we could ask for, so I'm going to go ahead and lock comments. If anyone new would like to express a desire for this feature, voting is still allowed. I've created a forum thread for any further conversation that folks would like to have, which can be found here:

https://forums.cpanel.net/threads/lets-encrypt-support.538621/

I'll post another update as soon as I have more information, but if you would like to reach out to me directly feel free to email me: benny@cpanel.net

photo
8

Hey everyone! We're doing much better than anticipated, and have been beta-testing our plugin for just over a week. We're looking for more people to provide feedback at this point. If you're interested, and will be able to provide feedback quickly, then we're interested in talking to you! The first step is to fill out this form. I'll reach out to you later today and get the process started.

http://bit.ly/1TZy6Qh

photo
8

Hey everyone! The BETA of the cPanel-provided Let's Encrypt plugin that we're building has been going very well, and we've gotten some incredible feedback from our testers. The public release of the plugin is still on target to be released during the v58 cycle and we will be sharing an updated BETA version with our testers soon. As soon as I have more information I'll let everyone know!

photo
3

EDIT: There's also a blog post about this request: https://blog.cpanel.com/announcing-cpanel-whms-official-lets-encrypt-with-autossl-plugin/

I am so happy to tell you all that the Let's Encrypt plugin has left beta and is now in a public release! If you are running cPanel & WHM version 58.0.17 or above (the EDGE or CURRENT tiers right now), you can now install the plugin using the command line by running this command:

    /scripts/install_lets_encrypt_autossl_provider

Running that script will add cPanel's repo file and make sure the plugin is up to date, which will add it as a provider to the AutoSSL feature introduced in 58. If you want to enable it after you add it to the server, you will need to do so from WHM.

Please note, there are some domain and subdomain limits that are enforced by Let's Encrypt that we attempt to outline here:

https://documentation.cpanel.net/display/ALD/Manage+AutoSSL

If it becomes necessary, we may add this plugin to the list of plugins provided in the WHM interface in a later version of cPanel & WHM.

I want to mention, the most commonly requested feature in relation to this, SNI support for cpsrvd (which includes webmail, cPanel, WHM, etc) is being tracked in this feature request, and *may* make it in to cPanel & WHM version 60, but may be delayed to version 62:

https://features.cpanel.net/topic/ssl-certificate-per-domain-on-all-services

If you have any questions, or encounter any problems, feel free to comment on the forum thread, send me an email (my username is my email address :D ), or open up a support ticket, as is appropriate.