If you’re using cPanel DNSOnly, you probably know that the AutoSSL feature isn’t available on it. The reason is that a DNSOnly installation doesn’t run a web server the way the classic version does.
To work around this, you can use certbot’s standalone mode to issue a Let’s Encrypt certificate. The command is:
certbot certonly --standalone -d HOSTNAME -n -m CONTACT@EMAIL.EXAMPLE --agree-tos
If the domain resolves to the correct server, certbot will launch its built-in web server, perform the verification and, if all goes well, issue the certificate. After that it is only a matter of installing it via the “Manage Service SSL Certificates” option in WHM.
To automate the whole process, I’ve stumbled upon a neat Python script on cPanel’s feature request page. For archiving purposes, I’ll attach the whole script below as well:
#!/bin/env python
# Install the Let's Encrypt certificate for a hostname as the cPanel service certificate.
import re
import sys
from subprocess import call

try:
    from urllib import quote  # Python 2
except ImportError:
    from urllib.parse import quote  # Python 3

if len(sys.argv) < 2:
    print("The hostname must be specified.")
    sys.exit(1)

hostname = sys.argv[1]
# The hostname becomes part of a file path, so accept hostname characters only.
hostname_pattern = re.compile(r"^[a-z0-9\.-]+$", re.IGNORECASE)
if not hostname_pattern.match(hostname):
    print("The hostname contains invalid characters.")
    sys.exit(1)

live_dir = "/etc/letsencrypt/live/" + hostname

# Read the certificate, private key and CA chain written by certbot.
with open(live_dir + "/cert.pem") as file_cert:
    cert = file_cert.read()
with open(live_dir + "/privkey.pem") as file_privkey:
    privkey = file_privkey.read()
with open(live_dir + "/chain.pem") as file_chain:
    chain = file_chain.read()

# URL-encode the PEM data before passing it to whmapi1.
cert = quote(cert)
privkey = quote(privkey)
chain = quote(chain)

call(["/usr/sbin/whmapi1", "install_service_ssl_certificate", "service=cpanel",
      "crt=" + cert, "key=" + privkey, "cabundle=" + chain])
# Restart cPanel so the service picks up the new certificate.
call(["systemctl", "restart", "cpanel"])
Add that script somewhere on your server; the commands below assume /usr/local/bin/whmcert.py.
Give it execute permissions:
chmod 0700 /usr/local/bin/whmcert.py
Then install the certificate by running the script with your hostname as its only argument.
The reason you may prefer doing this with a script is that it lets you automate renewal. You can simply add the following entry to your crontab to automate the renewal process:
0 0 * * 1 /usr/bin/certbot renew --quiet --post-hook "/usr/local/bin/whmcert.py HOSTNAME"
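
To confirm after a renewal that the service is really presenting the new certificate, the following check compares certbot's cert.pem with the certificate the server hands out. It is an added Python 3 example, not part of the original post or of the script from cPanel's feature request page; port 2087 (WHM over TLS) and the file name whmcert-verify.py are assumptions.

```python
#!/usr/bin/env python3
"""Added example: check that the cPanel service serves the certificate certbot issued."""
import hashlib
import ssl
import sys

WHM_TLS_PORT = 2087  # assumption: WHM's default TLS port, not stated in the post
PEM_END = "-----END CERTIFICATE-----"

# Constructed stand-ins for offline testing; these bytes are not real certificates.
SAMPLE_A = ssl.DER_cert_to_PEM_cert(b"constructed certificate A")
SAMPLE_B = ssl.DER_cert_to_PEM_cert(b"constructed certificate B")


def fingerprint(pem_text):
    """SHA-256 over the DER bytes of the first certificate in a PEM string."""
    # Keep only the first PEM block so a chain file is compared by its leaf.
    first = pem_text.strip().split(PEM_END)[0] + PEM_END
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(first)).hexdigest()


def same_certificate(disk_pem, served_pem):
    """True when both PEM strings carry the same leaf certificate."""
    return fingerprint(disk_pem) == fingerprint(served_pem)


def check(hostname, port=WHM_TLS_PORT):
    """Compare certbot's cert.pem for hostname with what the service presents."""
    with open("/etc/letsencrypt/live/" + hostname + "/cert.pem") as fh:
        disk_pem = fh.read()
    # No chain validation here: the goal is only to see which certificate is served.
    served_pem = ssl.get_server_certificate((hostname, port))
    return same_certificate(disk_pem, served_pem)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: whmcert-verify.py HOSTNAME")
    if check(sys.argv[1]):
        print("OK: service certificate matches certbot's cert.pem")
    else:
        sys.exit("MISMATCH: the service is serving a different certificate")
```

The script exits non-zero on a mismatch, so it can be run from cron or a monitoring check after the renewal job.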