Getting Let's Encrypt Wildcard Certificates
#12
(01-08-2019, 09:02 AM)Hidden Refuge Wrote: 1. I don't know how exactly this whole SSL setup in WHM works to be honest. Can you like specify path to custom certificates? Does it maybe even come with its own free SSL module or can you add the Let's Encrypt module? If you can specify path to custom certificate files you could use this guide and simply point WHM to the Let's Encrypt certificate file. That means a WHM reload/restart every 90 days when you renew the Let's Encrypt certificate. A much nicer solution would be an official function in WHM/cPanel or a plugin that does it properly.

- https://blog.cpanel.com/announcing-cpane...sl-plugin/
- https://documentation.cpanel.net/display...ypt+Plugin
- https://www.liquidweb.com/kb/enabling-le...d-servers/
WHM used to have a Let's Encrypt module in the good ol' days and then there were security issues that cropped up and WHM decided to create its own certificates - urging all cPanel Administrators to remove the Encrypt module as it is a security risk. WHM has a link to a paid SSL signed service - which I think is Comodo. You know, last night I just saw one HUGE money-making racket, all in the name of "security". Makes me bristle all over. WHM now has auto self-signed certificates. Like when you create a new add on domain, then one automatically gets a self-signed certificate that expires in a year or more. When I created mine last night for the WHM services - expiry date is 1 July 2020. WHM then came up with an URGENT notice to change the self-signed to signed as soon as possible - with the link to the paid service.

When the self-signed certificate expires it creates headaches for cpanel users who haven't studied the subject carefully.  cPanel sends an e-mail to the host of the domain a month in advance - and then of course at Gigarocket we get plenty of support requests for fixing it.  It's not a perfect set-up at all and I'm not sure how this is contributing to the overall security of the domains.  To me it looks more like a money making racket.

(01-08-2019, 09:02 AM)Hidden Refuge Wrote: 2. To be honest that doesn't sound like something where I could really help. I can only say: I feel you. Taking over servers that might have not been updated for some time is always a huge pain. I had servers where I could resolve it by basically doing the updates package by package to avoid breaking everything at once and in other cases the whole server just collapsed. So the worst that can happen is that something, e.g. cPanel, the web server or, very unfortunately, the whole OS stops working. That is really the worst case scenario. CentOS 6.10 is the current CentOS version. You could try yum update and see how much stuff it has to update before actually saying YES to the update. WHM probably runs OS updates in the background anyway? No idea about WHM and cPanel. Never administrated it.

The cpanel was updated though - like continuously. When I first was given it in January 2015, I put it on automatic updates and I think that was responsible for the server and cpanel's general longevity. But yes, when one goes deeper on server level like with Apache that probably needs to be updated, you're right. I must give kudos to WHM/cpanel though. WOW. It's a great panel. It's a bit complex because there's so much to it, but every entry you make there's a document for it, or a note next to it what the default setting is or what the consequences of the setting are. Some of it is not completely user-friendly, some of it doesn't always make sense, some is not perfect, but if one Googles the issue there is bound to pop up an answer somewhere.

For example, this cpanel doesn't come with Softaculous - but I managed through cpanel to find an app for installing WordPress. It doesn't work as fast and effortlessly as Softaculous, but I managed to create one yesterday. I wonder if it is more secure than Softaculous, as it creates your user name and password for you - the user name is as long and as gibberish as the password. Really amused me yesterday!

(01-08-2019, 09:02 AM)Hidden Refuge Wrote: 3. You should use these two hostnames when generating the certificate as explained in the tutorial: 1. "domain.net" and 2. "*.domain.net". domain.net covers the root domain itself and *.domain.net covers every possible sub domain which also includes host.domain.net automatically and any future additional sub domains.

Thank you for the tip.  What I'm thinking of doing is to first experiment on my hostus VPS and see how far I get with it.  Then if that works out, I can try it on the cpanel, if cpanel is still up and running.  Not sure where we are going with this.  Like the whole thing can come to an end at any minute.

(01-08-2019, 09:02 AM)Hidden Refuge Wrote: 4. Regardless of whether you have a certificate for a single domain, multiple domains or a wildcard domain(s) certificate the expiration period is always 90 days with Let's Encrypt.

Thanks HR. This is much appreciated. When I Googled this deeper by checking up the cost of wild card certificates, and the alternatives, I noticed it is 90 days. But I guess once one has that app enabled and functioning, it's worth it to run it every 90 days. I'd definitely do it to avoid those fees for Wildcard paid certificates. BTW the cheapest I found so far for a year is with Comodo - 70 US$ - if you want to sign up for 4 years it is 54 US$. What a racket!

For now I've decided to focus on the DNS, as I am trying to get a handle on the DNS Zones for the host IP. I'll open a new thread about this elsewhere.
Thank you to Post4VPS and VirMach for my awesome VPS 9!  
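
Added example, not part of the original posts: a small check of which hostnames the two certificate names from point 3 cover, and of when a 90-day certificate (point 4) falls due for renewal. The matching rule (a wildcard stands for exactly one leftmost label), the sample hostnames and dates, and the 30-day renewal window are assumptions of this example.

```python
from datetime import datetime, timedelta

def san_matches(pattern, hostname):
    """Match one certificate name against a hostname.

    Assumed rule (the usual one for TLS clients): '*' is valid only as the
    entire leftmost label and stands for exactly one label.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False
    if p[0] == "*":
        # Refuse '*.net'-style names: need at least two fixed labels.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def uncovered_hosts(sans, hostnames):
    """Return the hostnames that no name in the certificate covers."""
    return [h for h in hostnames
            if not any(san_matches(s, h) for s in sans)]

def renewal_due(not_after, now, window_days=30):
    """True once the certificate is inside the renewal window (assumed 30 days)."""
    return not_after - now <= timedelta(days=window_days)

# Constructed sample data: placeholder domain from the thread, made-up hosts.
HOSTS = ["domain.net", "host.domain.net", "www.domain.net", "mail.host.domain.net"]
BOTH_NAMES = ["domain.net", "*.domain.net"]
WILDCARD_ONLY = ["*.domain.net"]

ISSUED = datetime(2019, 1, 8)             # constructed issue date
NOT_AFTER = ISSUED + timedelta(days=90)   # 90-day lifetime

if __name__ == "__main__":
    print("both names, uncovered:", uncovered_hosts(BOTH_NAMES, HOSTS))
    print("wildcard only, uncovered:", uncovered_hosts(WILDCARD_ONLY, HOSTS))
    for day in (datetime(2019, 2, 1), datetime(2019, 3, 15)):
        print(day.date(), "renewal due:", renewal_due(NOT_AFTER, day))
```

With both names requested, the only gap in the sample list is the two-level name, which would need its own entry such as `*.host.domain.net`; with the wildcard alone, the bare `domain.net` is also left uncovered.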

