Let’s Encrypt, acme.sh and cpanel deployment

09 June 2017 by Lincoln Ramsay

This site was using a startssl certificate but… the certificate expired (I got an email mere hours before this happened) and when I went to update the certificate, startssl had somehow forgotten all about me. It seems there was an ownership change and I found some things that made me decide a new certificate provider might be a good idea.

So I decided to get a Let’s Encrypt certificate instead. But I can’t run their suggested client (certbot) because I’m on a shared webhost without root access.

But I found acme.sh, which does the same thing certbot does without root or the heavy python dependencies. Apparently it will even handle auto-renewing my certificates for me.

But what it wouldn’t do out of the box is deploy my new certificates to cpanel. Bummer. Luckily, I found a cpanel API reference to do just that and whipped up a bit of perl code (only slightly changed from the reference) that deploys certificates to cpanel. My change is here.

For the record, here’s how I got everything going.

ssh yasmar.net
curl https://get.acme.sh | sh
exit # probably could have just re-sourced .bashrc...
ssh yasmar.net
acme.sh --issue -d yasmar.net -w ~/public_html
acme.sh --deploy -d yasmar.net --deploy-hook cpanel

Though, the deploy step will do nothing without my modified cpanel.sh script. It has 3 important variables:

export DEPLOY_CPANEL_USER=myusername
export DEPLOY_CPANEL_HOSTNAME=localhost:2083

In my case, I had to use a real hostname instead of localhost to access cpanel.

My script is quick and dirty and doesn’t do any error checking. But it prints out the response so hopefully if there’s a problem it’ll be clear why.

It looks like the deploy hook is saved so when my certificate auto-renews, it should auto-deploy. I’ll know for sure in 60 days’ time.

Update: It did automatically renew and deploy 🙂
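Rather than waiting 60 days to find out whether renewal and deployment happened, the check below connects to the host, confirms that the certificate it actually serves is the one acme.sh issued (by SHA-256 fingerprint of the local .cer file) and reports how long it has left. This is an added example, not the author’s deploy script or anything from acme.sh; the function names, the 30-day warning threshold and the `~/.acme.sh/<domain>/<domain>.cer` path are assumptions, and yasmar.net is only the hostname from the post.

```python
"""Verify that a host serves the certificate acme.sh just issued and that
it is not close to expiry.  Added example; names and paths are assumptions."""
import hashlib
import os
import socket
import ssl
import sys
import time

RENEW_WARN_DAYS = 30  # assumption: acme.sh renews at 60 days, so <30 left means something is stuck


def pem_fingerprint(pem_text):
    """SHA-256 fingerprint (hex) of a PEM certificate, computed over its DER form."""
    der = ssl.PEM_cert_to_DER_cert(pem_text)
    return hashlib.sha256(der).hexdigest()


def days_remaining(not_after, now=None):
    """Days until the 'notAfter' string from getpeercert() expires (may be negative)."""
    expiry = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return (expiry - now) / 86400.0


def evaluate(served_fp, not_after, expected_pem=None, warn_days=RENEW_WARN_DAYS, now=None):
    """Decision logic kept separate from the network so it can be tested offline."""
    remaining = days_remaining(not_after, now)
    problems = []
    if expected_pem is not None and pem_fingerprint(expected_pem) != served_fp:
        problems.append("served certificate is not the one acme.sh issued (deploy hook did not run?)")
    if remaining < 0:
        problems.append("certificate has expired")
    elif remaining < warn_days:
        problems.append("certificate expires in %.1f days; renewal or deploy is not happening" % remaining)
    return {"fingerprint": served_fp, "days_remaining": remaining, "problems": problems}


def check_served_cert(host, port=443, expected_pem=None, warn_days=RENEW_WARN_DAYS, timeout=10):
    """Connect with full chain and hostname verification and evaluate what is served."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)  # exact leaf certificate bytes
            info = tls.getpeercert()                 # parsed fields, including notAfter
    served_fp = hashlib.sha256(der).hexdigest()
    return evaluate(served_fp, info["notAfter"], expected_pem, warn_days)


# Constructed sample data for offline use: the body is just valid base64, not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nY29uc3RydWN0ZWQ=\n-----END CERTIFICATE-----\n"
SAMPLE_NOT_AFTER = "Jun  9 00:00:00 2017 GMT"
SAMPLE_NOW = ssl.cert_time_to_seconds(SAMPLE_NOT_AFTER) - 60 * 86400  # 60 days before expiry


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "yasmar.net"
    # assumption: acme.sh's default location for the issued certificate
    cer_path = os.path.join(os.path.expanduser("~"), ".acme.sh", host, host + ".cer")
    expected = open(cer_path).read() if os.path.exists(cer_path) else None
    report = check_served_cert(host, expected_pem=expected)
    print(report)
    sys.exit(1 if report["problems"] else 0)
```

Because `create_default_context()` verifies the chain and the hostname, an already-expired or wrongly deployed certificate makes the connection itself fail with `ssl.SSLCertVerificationError` before any report is produced; that is a loud failure rather than a silent one, which is what you want from a renewal monitor run from cron.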

Update (June, 2018)

So my hosting company decided to seriously break perl. LWP was removed and there’s no compiler so I can’t install any equivalent CPAN modules. However, PHP is present and works just fine, so I have updated the deployment script. The new code is here.

With PHP, I can use the expected localhost:2083 to access cpanel, which is nice.

Update (again)

However, while looking at pushing this to the upstream project, I noticed that someone else has implemented support for the cpanel uapi command (which my hosting provider has). This has the advantage that you don’t need to put your credentials into a file, and since it’s a cpanel thing, it probably won’t break in the future.

acme.sh --deploy -d yasmar.net --deploy-hook cpanel_uapi