Service Certificates

Since version 0.4.1, the plugin supports automatic issuance and renewal of the WHM service certificates (2083, 2087, webmail, etc).

Please note that your server hostname must be a valid, internet addressable FQDN for this to work. No .internal, etc domains.

Prerequisites

The plugin will not overwrite any service certificates that are valid. That is to say:

  • Certificates that pass trust validation
  • Certificates that are not expired and have greater than 30 days validity remaining

If either of these conditions are not met, and the feature is enabled, then the plugin will issue a new certificate, and install it to all services.

Enabling

This feature is disabled by default, but can be enabled with the following command:

[root@~]$ le-cp hostcert enable
# to disable,
[root@~]$ le-cp hostcert disable

Once you run this command, if the prereqs are met, the issuance process should begin shortly after in the background.

Please Note

When moving between insecure and valid TLS, you may need to service letsencrypt-cpanel restart if you find yourself unable to use the le-cp tool.

Extra Hostnames

If you want to add some extra names into the service certificate (such as cpanel.server.host.org, where the service certificate might be server.host.org), you can manipulate these:

[root@~]$ le-cp hostcert add cpanel.server.host.org
[root@~]$ le-cp hostcert list
[root@~]$ le-cp hostcert remove cpanel.server.host.org

However, you need to ensure that these resolve and are being served up by WHM, otherwise validation will fail.

Verifying

You will want to check the log file shortly after after enabling the feature to see whether the certificate was issued correctly.

Look in either /var/log/letsencrypt-cpanel.log, or journalctl -u letsencrypt-cpanel -f on CentOS 7.

After the certificate is issued, you may also want to restart the letsencrypt-cpanel service once to ensure that the insecure setting is disabled (if coming from a self-signed cert).