Since version 0.4.1, the plugin supports automatic issuance and renewal of the WHM service certificates (2083, 2087, webmail, etc.).
Please note that your server hostname must be a valid, internet-addressable FQDN for this to work. Domains such as .internal will not work.
The plugin will not overwrite any service certificates that are valid. That is to say:
- Certificates that pass trust validation
- Certificates that are not expired and have greater than 30 days validity remaining
If either of these conditions is not met and the feature is enabled, the plugin will issue a new certificate and install it to all services.
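To predict whether enabling the feature will trigger issuance, the two conditions above can be checked from another machine. This is an added example, not the plugin's own code; the function names are hypothetical, and it assumes Python's system trust store is a reasonable stand-in for the plugin's trust validation.

```python
import socket
import ssl
import sys
from datetime import datetime, timedelta, timezone

MIN_REMAINING = timedelta(days=30)  # threshold stated on this page


def would_reissue(trusted, not_after, now):
    """Apply the page's two conditions; return (reissue, reason).

    not_after is the 'notAfter' string from ssl's getpeercert(),
    e.g. 'Feb  1 00:00:00 2030 GMT'. It is ignored when trusted is False.
    """
    if not trusted:
        return True, "fails trust validation"
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(not_after), timezone.utc)
    if expires <= now:
        return True, "expired"
    if expires - now <= MIN_REMAINING:
        return True, "30 days or less of validity remaining"
    return False, "trusted with more than 30 days remaining"


def check_service(host, port, timeout=5.0):
    """Handshake with one service port and classify its certificate."""
    ctx = ssl.create_default_context()  # chain and hostname verification
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # Self-signed, wrong-name and already-expired certificates land here.
        return True, "fails trust validation: " + str(exc.verify_message)
    return would_reissue(True, not_after, datetime.now(timezone.utc))


if __name__ == "__main__":
    # Usage: python3 hostcert_check.py server.host.org
    for port in (2083, 2087):  # service ports named on this page
        reissue, reason = check_service(sys.argv[1], port)
        print(port, "reissue" if reissue else "keep", "-", reason)
```

Connection failures other than certificate verification errors are left to raise, since they say nothing about the certificate itself.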
This feature is disabled by default, but can be enabled with the following command:
[root@~]$ le-cp hostcert enable
# to disable,
[root@~]$ le-cp hostcert disable
Once you run this command, if the prereqs are met, the issuance process should begin shortly after in the background.
When moving between insecure and valid TLS, you may need to service letsencrypt-cpanel restart if you find yourself unable to use the
If you want to add some extra names into the service certificate (such as cpanel.server.host.org, where the service certificate might be server.host.org), you can manipulate these:
[root@~]$ le-cp hostcert add cpanel.server.host.org
[root@~]$ le-cp hostcert list
[root@~]$ le-cp hostcert remove cpanel.server.host.org
However, you need to ensure that these resolve and are being served up by WHM, otherwise validation will fail.
You will want to check the log file shortly after enabling the feature to see whether the certificate was issued correctly.
Look in either
journalctl -u letsencrypt-cpanel -f on CentOS 7.
After the certificate is issued, you may also want to restart the letsencrypt-cpanel service once to ensure that the insecure setting is disabled (if coming from a self-signed cert).