Back in the day I set up a few VPSes with WHM/cPanel on them to host some sites. As back then the certificates for the cPanel services (FTPD, SMTP, WHM, …) were self-signed and Let’s Encrypt was still in its early days, I also ordered a wildcard certificate for *.3rds.be along with that and configured WHM to use that certificate for its services.
With the release of cPanel/WHM 56, cPanel started offering free cPanel-signed hostname certificates, removing the requirement for a user to get and install a custom one. New installs immediately use those cPanel-signed certificates, but setups from before that – like mine – still kept their old configuration. As my wildcard certificate is up for renewal, I decided to switch to the cPanel-signed hostname certificate … but how to do that?
In short
- Adjust one of the services to use a self-signed certificate.
- Run /usr/local/cpanel/bin/checkallsslcerts on the server to have it replace the self-signed certificate with a cPanel-signed one.
- Apply the cPanel-signed certificate to the other services.
The longer version
- Log on to your WHM server and go to the “Manage Service SSL Certificates” section. There you should see all cPanel services with your current certificate activated.
- For one of the services, hit “Reset Certificate”. That will remove your custom certificate and replace it with a self-signed one.
- SSH to your server (as root) and run /usr/local/cpanel/bin/checkallsslcerts. That will replace the self-signed certificate for the one service with a cPanel-signed one:

      root@s01 [~]# /usr/local/cpanel/bin/checkallsslcerts
      The system will check for the certificate for the “cpanel” service.
      The system will attempt to verify that the certificate for the “cpanel” service is still valid using OCSP (Online Certificate Status Protocol).
      The certificate for the “cpanel” service passed all checks.
      The system will check for the certificate for the “dovecot” service.
      The system will attempt to verify that the certificate for the “dovecot” service is still valid using OCSP (Online Certificate Status Protocol).
      The certificate for the “dovecot” service passed all checks.
      The system will check for the certificate for the “exim” service.
      The system will attempt to verify that the certificate for the “exim” service is still valid using OCSP (Online Certificate Status Protocol).
      The certificate for the “exim” service passed all checks.
      The system will check for the certificate for the “ftp” service.
      The system will attempt to replace the self-signed certificate for the “ftp” service with a signed certificate from the cPanel Store.
      The system will attempt to install a certificate for the “ftp” service from the system ssl storage.
      None of the certificates in the system ssl storage were acceptable to use for the “ftp” service.
      The system will attempt to install a certificate for the “ftp” service from the cPanel store.
      Received error “X::NoCertificate” from cPanel Store (No free ssl certificate found for this IP); requesting new certificate …
      Setting up HTTP DCV (/var/www/html/.well-known/pki-validation/54BDF83083ED3F53405BDE8A940D13C0.txt) …
      … complete.
      Setting up DNS DCV (CNAME _54bdf83083ed3f53405bde8a940d13c0.s01.3rds.be) …
      … complete.
      Attempting DNS DCV preflight check …
      … success!
      Attempting to verify your certificate.....
      Querying Apache TLS for installations of the previous certificate …
      root@s01 [~]# exit

  The output for /usr/local/cpanel/bin/checkallsslcerts

- Reload the “Manage Service SSL Certificates” section and verify that the self-signed certificate got replaced.

  The FTP Server Service, now with a cPanel-signed certificate

- Hit “Apply Certificate to Another Service” for the service with the cPanel-signed certificate. The form beneath the grid will be prefilled with the certificate details. Check all boxes of the other services, and hit apply. After that the certificate details will have been copied to those services too.

  All cPanel/WHM Services, now with a cPanel-signed certificate
That’s it! 🎉
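To confirm from the outside what the WHM grid shows, the following added example (not part of the original post, and not a cPanel tool) connects to each service and reports whether the certificate it presents is still self-signed. The function names are hypothetical, the ports are the usual cPanel defaults and are an assumption about your setup, and "self-signed" is detected with the common heuristic that subject and issuer are identical.

```shell
#!/bin/sh
# Added example: report whether each service still presents a self-signed certificate.

# classify_cert: reads `openssl x509 -noout -subject -issuer` output on stdin.
# Prints "self-signed" when subject and issuer are identical, otherwise
# "ca-signed"; prints "no-certificate" and returns 2 when a field is missing.
classify_cert() {
  local line subject="" issuer=""
  while IFS= read -r line; do
    case "$line" in
      subject=*) subject="${line#subject=}" ;;
      issuer=*)  issuer="${line#issuer=}" ;;
    esac
  done
  # Older OpenSSL prints a space after "=", newer releases do not; trim it.
  subject="${subject# }"; issuer="${issuer# }"
  [ -n "$subject" ] && [ -n "$issuer" ] || { echo "no-certificate"; return 2; }
  if [ "$subject" = "$issuer" ]; then echo "self-signed"; else echo "ca-signed"; fi
}

# check_service HOST PORT [STARTTLS_PROTO]: fetch the leaf certificate a
# listener presents, classify it, and print subject, issuer and expiry date.
# Needs network access to HOST.
check_service() {
  local host="$1" port="$2" proto="${3:-}" cert
  cert=$(openssl s_client -connect "$host:$port" -servername "$host" \
           ${proto:+-starttls "$proto"} </dev/null 2>/dev/null |
         openssl x509 -noout -subject -issuer -enddate -nameopt RFC2253 2>/dev/null)
  printf '%s:%s %s\n' "$host" "$port" "$(printf '%s\n' "$cert" | classify_cert)"
  printf '%s\n' "$cert" | sed 's/^/    /'
}

# check_all HOST: assumed default TLS ports of the services in the WHM grid.
check_all() {
  check_service "$1" 2083      # cPanel
  check_service "$1" 2087      # WHM
  check_service "$1" 993       # Dovecot (IMAPS)
  check_service "$1" 465       # Exim (SMTPS)
  check_service "$1" 21 ftp    # FTP server, explicit TLS
}

# Run the checks when a hostname is given as the first argument.
if [ "$#" -ge 1 ]; then check_all "$1"; fi
```

Run it with the server's hostname as the only argument, once after step 3 (only the reset service should have changed) and again after the last step, when every line should read "ca-signed" with the same issuer and expiry date.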