Getting correctly signed SSL Certificates for cPanel/WHM Services

Back in the day I set up a few VPSes with WHM/cPanel on to host some sites. As back then the certificates for the cPanel services (FTPD, SMTP, WHM, …) were self-signed and Let’s Encrypt was still in its early days, I also ordered a wildcard certificate for *.3rds.be along with that and configured WHM to use that certificate for its services.

With the release of cPanel/WHM 56, cPanel started offering free cPanel-signed hostname certificates, removing the requirement for a user to get and install a custom one. New installs immediately use those cPanel-signed certificates, but setups from before that – like mine – still kept their old configuration. As my wildcard certificate is up for renewal, I decided to switch to the cPanel-signed hostname certificate … but how to do that?

In short

  1. Adjust one of the services to use a self-signed certificate.
  2. Run /usr/local/cpanel/bin/checkallsslcerts on the server to have it replace the self-signed certificated with a cPanel-signed one.
  3. Apply the cPanel-signed certificate to the other services.

The longer version

  1. Log on to your WHM server and go to the “Manage Service SSL Certificates” section. There you should see all cPanel services with your current certificate activated


    Services with a soon to expire certificate

  2. For one of the services, hit “Reset Certificate”. That will remove your custom certificate and replace it with a self-signed one


    The FTP Server Service, now with a self-signed certificate

  3. SSH to your server (as root) and run /usr/local/cpanel/bin/checkallsslcerts. That will replace the self-signed certificate for the one service with a cPanel-signed one

    [email protected] [~]# /usr/local/cpanel/bin/checkallsslcerts
    The system will check for the certificate for the “cpanel” service.
    The system will attempt to verify that the certificate for the “cpanel” service is still valid using OCSP (Online Certificate Status Protocol).
    The certificate for the “cpanel” service passed all checks.
    The system will check for the certificate for the “dovecot” service.
    The system will attempt to verify that the certificate for the “dovecot” service is still valid using OCSP (Online Certificate Status Protocol).
    The certificate for the “dovecot” service passed all checks.
    The system will check for the certificate for the “exim” service.
    The system will attempt to verify that the certificate for the “exim” service is still valid using OCSP (Online Certificate Status Protocol).
    The certificate for the “exim” service passed all checks.
    The system will check for the certificate for the “ftp” service.
    The system will attempt to replace the self-signed certificate for the “ftp” service with a signed certificate from the cPanel Store.
    The system will attempt to install a certificate for the “ftp” service from the system ssl storage.
    None of the certificates in the system ssl storage were acceptable to use for the “ftp” service.
    The system will attempt to install a certificate for the “ftp” service from the cPanel store.
    Received error “X::NoCertificate” from cPanel Store (No free ssl certificate found for this IP); requesting new certificate …
    Setting up HTTP DCV (/var/www/html/.well-known/pki-validation/54BDF83083ED3F53405BDE8A940D13C0.txt) …
    	… complete.
    Setting up DNS DCV (CNAME _54bdf83083ed3f53405bde8a940d13c0.s01.3rds.be) …
    	… complete.
    Attempting DNS DCV preflight check …
    	… success!
    Attempting to verify your certificate.....
    Querying Apache TLS for installations of the previous certificate …
    [email protected] [~]# exit

    The output for /usr/local/cpanel/bin/checkallsslcerts

  4. Reload the “Manage Service SSL Certificates” section and verify that the self-signed certificate got replaced


    The FTP Server Service, now with a cPanel-signed certificate

  5. Hit “Apply Certificate to Another Service” for the service with the cPanel-signed certificate. The form beneath the grid will be prefilled with the certificated details.

    Check all boxes of the other services, and hit apply. After that the certificate details will have been copied to those services too


    All cPanel/WHM Services, now with a cPanel-signed certificate

That’s it! 🎉

Did this help you out? Like what you see?
Consider donating.

I don’t run ads on my blog nor do I do this for profit. A donation however would always put a smile on my face though. Thanks!

☕️ Buy me a Coffee ($3)

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.