Service Certificates
Since version 0.4.1, the plugin supports automatic issuance and renewal of the WHM service certificates (2083, 2087, webmail, etc.).
Please note that your server hostname must be a valid, internet-addressable FQDN for this to work. Domains such as .internal will not work.
Prerequisites
The plugin will not overwrite any service certificates that are valid. That is to say:
- Certificates that pass trust validation
- Certificates that are not expired and have greater than 30 days validity remaining
If either of these conditions is not met and the feature is enabled, the plugin will issue a new certificate and install it to all services.
Enabling
This feature is disabled by default, but can be enabled with the following command:
[root@~]$ le-cp hostcert enable
# to disable,
[root@~]$ le-cp hostcert disable
Once you run this command, if the prerequisites are met, the issuance process should begin in the background shortly afterwards.
Please Note
When moving between insecure and valid TLS, you may need to run service letsencrypt-cpanel restart if you find yourself unable to use the le-cp tool.
Extra Hostnames
If you want to add extra names to the service certificate (such as cpanel.server.host.org, where the service certificate might be for server.host.org), you can manage them with these commands:
[root@~]$ le-cp hostcert add cpanel.server.host.org
[root@~]$ le-cp hostcert list
[root@~]$ le-cp hostcert remove cpanel.server.host.org
However, you need to ensure that these resolve and are being served up by WHM, otherwise validation will fail.
Verifying
You will want to check the log file shortly after enabling the feature to see whether the certificate was issued correctly.
Look in either /var/log/letsencrypt-cpanel.log, or journalctl -u letsencrypt-cpanel -f on CentOS 7.
After the certificate is issued, you may also want to restart the letsencrypt-cpanel service once to ensure that the insecure setting is disabled (if coming from a self-signed cert).
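To see from the outside whether the currently served certificates meet the two conditions under Prerequisites, the following added example (not part of the plugin or its documentation) handshakes with ports 2083 and 2087 and reports whether each certificate would be kept or replaced. It assumes that "trust validation" means the system CA store plus a hostname match; the function names are illustrative.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

RENEW_WINDOW_DAYS = 30        # threshold stated in the Prerequisites section
SERVICE_PORTS = (2083, 2087)  # the two ports this page names explicitly


def days_remaining(not_after, now=None):
    """Days of validity left, given a getpeercert() 'notAfter' string."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - now).total_seconds() / 86400


def would_reissue(trusted, not_after=None, now=None):
    """Apply the page's two conditions. Returns (reissue, reason)."""
    if not trusted:
        return True, "fails trust validation"
    left = days_remaining(not_after, now)
    if left <= RENEW_WINDOW_DAYS:  # "greater than 30 days" is required to keep it
        return True, f"{left:.1f} days of validity left"
    return False, f"trusted, {left:.1f} days of validity left"


def check_service(host, port, timeout=5.0):
    """Handshake with one service port and judge the certificate it serves."""
    # Assumption: "trust validation" is modelled as the system CA store plus a
    # hostname match; the plugin's exact validation logic is not on this page.
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return would_reissue(True, tls.getpeercert()["notAfter"])
    except ssl.SSLCertVerificationError as exc:
        return True, f"fails trust validation: {exc.verify_message}"


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else socket.getfqdn()
    for port in SERVICE_PORTS:
        try:
            reissue, reason = check_service(host, port)
        except OSError as exc:  # refused, timed out, DNS or handshake failure
            print(f"{host}:{port} could not be checked: {exc}")
            continue
        print(f"{host}:{port} {'REPLACE' if reissue else 'KEEP'} ({reason})")
```

Run it with the server hostname as the only argument; a self-signed certificate shows up as REPLACE with the verification error as the reason.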