[Mashiro]

1. I don't know how exactly this whole SSL setup in WHM works to be honest. Can you like specify path to custom certificates? Does it mabye even come with its own free SSL module or can you add the Let's Encrypt module? If you can specify path to custom certificate files you could use this guide and simply point WHM to the Let's Encrypt certificate file. That means a WHM reload/restart every 90 days when you renew the Let's Encrypt certificate. A much nicer solution would be a offical function in WHM/cPanel or a plugin that does it properly.

- https://blog.cpanel.com/announcing-cpane...sl-plugin/
- https://documentation.cpanel.net/display...ypt+Plugin
- https://www.liquidweb.com/kb/enabling-le...d-servers/

2. To be honest that doesn't sound like something where I could really help. I can only say: I feel you. Taking over servers that might have not been updated for some time is always huge pain. I had servers where I could resolve it by basically doing the updates package by package to avoid breaking everything at once and in other cases the whole server just collapsed. So the worst that can happen is that something, e.g. cPanel, the web server or very unfortune the whole OS stops working. That is really the worst case scenario. CentOS 6.10 is the current CentOS version. You could try yum update and see how much stuff it has to update before actually saying YES to the update. WHM probably runs OS updates in the background anyway? No idea about WHM and cPanel. Never administrated it.

3. You should use these two hostnames when generating the certificate as explained in the tutorial: 1. "domain.net" and 2. "*.domain.net". domain.net covers the root domain itself and *.domain.net covers every possible sub domain which also includes host.domain.net automatically and any future additional sub domains.

4. Regardless of whether you have a certificate for a single domain, multiple domains or a wildcard domain(s) certificate the expiration period is always 90 days with Let's Encrypt.

[deanhills]

1. I don't know how exactly this whole SSL setup in WHM works to be honest. Can you like specify path to custom certificates? Does it mabye even come with its own free SSL module or can you add the Let's Encrypt module? If you can specify path to custom certificate files you could use this guide and simply point WHM to the Let's Encrypt certificate file. That means a WHM reload/restart every 90 days when you renew the Let's Encrypt certificate. A much nicer solution would be a offical function in WHM/cPanel or a plugin that does it properly.

- https://blog.cpanel.com/announcing-cpane...sl-plugin/
- https://documentation.cpanel.net/display...ypt+Plugin
- https://www.liquidweb.com/kb/enabling-le...d-servers/

 WHM used to have Let's Encrypt module in the good ol' days and then there were security issues that cropped up and WHM decided to create its own certificates - urging all cPanel Administrators to remove the Encrypt module as it is a security risk. WHM has a link to a paid SSL signed service - which I think is Comodo.  You know, last night I just saw one HUGE money-making racket, all in the name of "security".  Makes me bristle all over.  WHM now has auto self-signed certificates.  Like when you create a new add on domain, then one automatically gets a self-signed certificate that expires in a year or more.  When I created mine last night for the WHM services - expiry date is 1 July 2020. WHM then came up with a URGENT notice to change the self-signed to signed as soon as possible - with the link to the paid service.  

When the self-signed certificate expires it creates headaches for cpanel users who haven't studied the subject carefully.  cPanel sends an e-mail to the host of the domain a month in advance - and then of course at Gigarocket we get plenty of support requests for fixing it.  It's not a perfect set-up at all and I'm not sure how this is contributing to the overall security of the domains.  To me it looks more like a money making racket.

2. To be honest that doesn't sound like something where I could really help. I can only say: I feel you. Taking over servers that might have not been updated for some time is always huge pain. I had servers where I could resolve it by basically doing the updates package by package to avoid breaking everything at once and in other cases the whole server just collapsed. So the worst that can happen is that something, e.g. cPanel, the web server or very unfortune the whole OS stops working. That is really the worst case scenario. CentOS 6.10 is the current CentOS version. You could try yum update and see how much stuff it has to update before actually saying YES to the update. WHM probably runs OS updates in the background anyway? No idea about WHM and cPanel. Never administrated it.

The cpanel was updated though - like continuously.  When I first was given it in January 2015, I put it on automatic updates and I think that was responsible for the server and cpanel's general longevity. But yes, when one goes deeper on server level like with Apache that probably needs to be updated, you're right. I must give kudos to WHM/cpanel though.  WOW.  It's a great panel.  It's a bit complex because there's so much to it, but every entry you make there's a document for it, or a note next to it what the default setting is or what the consequences of the setting is.  Some of it is not completely user-friendly, some of it doesn't always make sense, some is not perfect, but if one Googles the issue there is bound to pop up an answer somewhere.

For example, this cpanel doesn't come with Softaculous - but I managed through cpanel to find an app for installing WordPress.  It doesn't work as fast and effortless as Softaculous, but I managed to create one yesterday.  I wonder if it is more secure than Softaculous, as it creates your user name and password for you - the user name is as long and as gibberish as the password.  Really amused me yesterday!  

3. You should use these two hostnames when generating the certificate as explained in the tutorial: 1. "domain.net" and 2. "*.domain.net". domain.net covers the root domain itself and *.domain.net covers every possible sub domain which also includes host.domain.net automatically and any future additional sub domains.

Thank you for the tip.  What I'm thinking of doing is to first experiment on my hostus VPS and see how far I get with it.  Then if that works out, I can try it on the cpanel, if cpanel is still up and running.  Not sure where we are going with this.  Like the whole thing can come to an end at any minute.

4. Regardless of whether you have a certificate for a single domain, multiple domains or a wildcard domain(s) certificate the expiration period is always 90 days with Let's Encrypt.

Thanks HR.  This is much appreciated.  When I Googled this deeper by checking up the cost of wild card certificates, and the alternatives, I noticed it is 90 days.  But I guess once one has that app enabled and functioning, it's worth it to run it every 90 days.  I'd definitely do it to avoid those fees for Wildcard paid certificates.  BTW the cheapest I found so far for a year is with Comodo - 70 US$ - if you want to sign up for 4 years it is 54 US$.  What a racket!  

For now I've decided to focus on the DNS, as am trying to get a handle on the DNS Zones for the host IP.  I'll open a new thread about this elsewhere.

[Rehan]

I am getting error

" -bash: ./certbot-auto: Permission denied "

I had grabbed one in previous host but now in the new host i am getting this permission error.I searched google about it but unable to find any permission information.

[perry]

I am getting error

" -bash: ./certbot-auto: Permission denied "

I had grabbed one in previous host but now in the new host i am getting this permission error.I searched google about it but unable to find any permission information.

are you running in root?

You will want to run sudo certbot ... rather than just certbot .... This will solve your problem and is the solution most often used.

[Rehan]

are you running in root?

You will want to run sudo certbot ... rather than just certbot .... This will solve your problem and is the solution most often used.

I already have tried that decrypt command with sudo.But that shows me unknown command.I think the problem is in chown.In previous i just used the ./certbot-auto and during the installations it automatically grabbed a ssl certificate.Now during the installation it is showing the error of TXT Records.

[Mashiro]

Code: (Select All)

chown youruser:yourgroup certbot-auto
chmod +x certbot-auto

Root permission is certainly required when running certbot as it has to access directories and tools that only root can access/run. So running it as root or with sudo is necessary.


The error about TXT records is about right. You run certbot from a different host it will require different new TXT records. Even if you were about to request the certificate (mind that I'm not saying renew) again from the old host you would have to update the TXT records, too. Normal behavior.

I recommend running certbot in screen or tmux when requesting a certificate for the first time as sometimes you have to wait very long until the TXT records are fully available via DNS requests. And if you in that case don't wait long enough and certbot fails to verify the DNS record... guess what. You request it again and you get different TXT records again.

[Rehan]

Thanks @Hidden Refuge, That problem has been fixed.Now i am facing another error.I have successfully grabbed a ssl certificate but still browser is showing " Not secure ".I have changed the wordpress url to https and then it is showing " Page isn't working (redirected you too many times.).Then i re-installed the certificate and made website to redirect all request to https and also changed the url to https.Now site is showing the same page isn't working error.

[Mashiro]

@Rehan

Your site or webserver is still somewhere redirecting back to HTTP which together with your HTTPS redirection causes a redirection loop. Browsers can catch that and will show the error you get.

Nothing I can help with. I don't know your exact setup, your site software and etc. The issue is unrelated to LE or any other SSL CA. Just a redirect or software misconfiguration that has been introduced while enabling SSL due to the previous site running on HTTP only.

[Rehan]

@Rehan

Your site or webserver is still somewhere redirecting back to HTTP which together with your HTTPS redirection causes a redirection loop. Browsers can catch that and will show the error you get.

Nothing I can help with. I don't know your exact setup, your site software and etc. The issue is unrelated to LE or any other SSL CA. Just a redirect or software misconfiguration that has been introduced while enabling SSL due to the previous site running on HTTP only.

Ok.Thanks for the information.I am trying to use it for a Wordpress website.So i was using it on my wordpress site which was transferred from another server and i think the problem is due to mistake's during transfer.Now i think i should backup my contents manually and post it again.

Thanks for your help.

[Mashiro]

As far as I know Wordpress also stores URLs of the site in database tables and some configuration files. So both places have to be identified and updated.

I had the same trouble before with WP.