Free SSL's for cPanel DNSOnly
We offer cPanel web hosting to our clients and as a result, run a cluster of 2x cPanel DNSOnly servers to handle the DNS hosting. The current (paid-for) cPanel/WHM SSL certificates on the DNSOnly servers were coming up for renewal, so it got me thinking if free SSL options were available.
cPanel offer and issue free SSL’s for all licensed servers, but given cPanel DNSOnly is an unlicensed product the offer doesn’t apply.
Fortunately you can use Let’s Encrypt to issue and rotate your SSL certificates for you. The setup is pretty easy.
Step 1 - Install Certbot
Follow the setup instructions for your platform here: https://certbot.eff.org
I was running cPanel DNSOnly on CentOS 6, so I chose “None of the above” and “CentOS 6” from the dropdowns. This prompted me to use “certbot-auto” instead of plain ol’ “certbot”. If you’re using “certbot-auto” also, just adjust the commands below to suit.
Step 2 - The SSL Installation Script
Download a copy of the SSL installation script for WHM/cPanel (as root).
curl https://pastebin.com/raw/gtrGEbyM | tr -d '\r' > certbot_whm_install.py
chmod a+x certbot_whm_install.py
Thank you to Mike from the “cPanel Features” website who contributed this script. I simply added a few lines to ensure the SSL’s were installed for Exim and Dovecot also.
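Since this script comes from a paste site and later runs as root from cron, it is worth pinning the exact copy you have read. The following is an added example, not part of the original post or of Mike's script; the function names, file paths and the placeholder hash are assumptions.

```shell
#!/bin/sh
# Added example: review-then-pin workflow for a third-party script run as root.
# PINNED_SHA256 is a placeholder; record the real value after reading the script.
PINNED_SHA256="REPLACE_WITH_SHA256_OF_THE_COPY_YOU_REVIEWED"

# Print the SHA-256 of a file with carriage returns stripped, so the hash
# matches the normalised copy that actually gets installed.
normalized_sha256() {
    tr -d '\r' < "$1" | sha256sum | cut -d' ' -f1
}

# Return 0 only if the file is non-empty, starts with a shebang (a script,
# not an HTML error page) and its normalised hash equals the pinned value.
verify_script() {
    file=$1 expected=$2
    [ -s "$file" ] || { echo "empty download: $file" >&2; return 1; }
    first=$(head -c 2 "$file")
    [ "$first" = "#!" ] || { echo "not a script: $file" >&2; return 1; }
    actual=$(normalized_sha256 "$file")
    [ "$actual" = "$expected" ] || { echo "hash mismatch: $actual" >&2; return 1; }
}

# Install the verified, CR-stripped copy, readable and executable by root only.
# Nothing is written to the destination if verification fails.
install_verified() {
    src=$1 dest=$2 expected=$3
    verify_script "$src" "$expected" || return 1
    tmp="$dest.tmp.$$"
    tr -d '\r' < "$src" > "$tmp" && chmod 700 "$tmp" && mv "$tmp" "$dest"
}

# Usage (not run here):
#   curl -fsS -o /root/download.raw https://pastebin.com/raw/gtrGEbyM
#   less /root/download.raw        # read it before trusting it
#   normalized_sha256 /root/download.raw   # record this as PINNED_SHA256
#   install_verified /root/download.raw /root/certbot_whm_install.py "$PINNED_SHA256"
```

Re-running `install_verified` with the same pin on a later download fails with a hash mismatch if the paste has been edited since you reviewed it.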
Step 3 - Create the SSL’s
You only need to do this manual step the first time. Once the SSL’s have been issued, a CRON job can keep them renewed for months/years to come.
Soon you will run the command (below) and follow the prompts, but first, here are some comments and hints.
The certbot tool can optionally “spin up a temporary webserver (standalone)” to verify your SSL request. Since cPanel DNSOnly doesn’t run its own web server (or use port 80 at all) I’d recommend picking that option. Just make sure ports 80 and 443 are open in your firewall.
You’ll also need to provide the fully-qualified domain name of your DNS server (e.g. ns1.example.com), so make sure you have that handy.
The rest of the questions should be easy to answer.
(or for certbot-auto, use the path to the script, e.g. “/root/certbot-auto”)
Once done, your certificate files will have been saved to:
Now you can run the installation script (manually, just this once) to install the new SSL’s. Just substitute in your server’s hostname - the same one as specified during the certbot setup above.
Done! But what about renewals?
Ok, your brand new SSL for WHM should be installed and working well at this point. Sometimes you’ll need to restart your web browser before the new SSL is picked up.
As with all Let’s Encrypt SSL certificates they only last a few weeks/months, so you’ll need to renew them regularly. Just add a CRON job to do this for you.
15 3 1,10,20 * * certbot renew --quiet --post-hook "/root/certbot_whm_install.py ns1.example.com"
(again, substitute in your hostname and if you’re using certbot-auto, use the full path to the script)