Let’s Encrypt, acme.sh and cpanel deployment
This site was using a startssl certificate but… the certificate expired (I got an email mere hours before this happened) and when I went to update the certificate, startssl had somehow forgotten all about me. It seems there was an ownership change and I found some things that made me decide a new certificate provider might be a good idea.
So I decided to get a Let’s Encrypt certificate instead. But I can’t run their suggested client (certbot) because I’m on a shared webhost without root access.
But I found acme.sh, which does the same thing certbot does without root or the heavy python dependencies. Apparently it will even handle auto-renewing my certificates for me.
New: This is the TL;DR version that just works.
ssh yasmar.net
curl https://get.acme.sh | sh
exit # probably could have just re-sourced .bashrc...
ssh yasmar.net
acme.sh --issue -d yasmar.net -w ~/public_html
acme.sh --deploy -d yasmar.net --deploy-hook cpanel_uapi
Back to the original story…
However, there was no cpanel_uapi deploy hook originally. So acme.sh could not deploy my new certificates to cpanel. Bummer. Luckily, I found a cpanel API reference to do just that and whipped up a bit of perl code (only slightly changed from the reference) that deploys certificates to cpanel. My change is here.
For the record, here’s how I got everything going.
ssh yasmar.net
curl https://get.acme.sh | sh
exit # probably could have just re-sourced .bashrc...
ssh yasmar.net
acme.sh --issue -d yasmar.net -w ~/public_html
acme.sh --deploy -d yasmar.net --deploy-hook cpanel
Though, the deploy step will do nothing without my modified cpanel.sh script. It has 3 important variables:
export DEPLOY_CPANEL_USER=myusername
export DEPLOY_CPANEL_PASSWORD=PASSWORD
export DEPLOY_CPANEL_HOSTNAME=localhost:2083
In my case, I had to use a real hostname instead of localhost to access cpanel.
My script is quick and dirty and doesn’t do any error checking. But it prints out the response so hopefully if there’s a problem it’ll be clear why.
It looks like the deploy hook is saved so when my certificate auto-renews, it should auto-deploy. I’ll know for sure in 60 days’ time.
Update: It did automatically renew and deploy 🙂
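One way to check that a renewal really reached the web server, as an added example that is not part of the original post or of acme.sh: compare the certificate acme.sh has on disk with the one the server presents, and flag a renewal that was issued but never deployed. The function names, the 20-day threshold and the default ~/.acme.sh/<domain>/<domain>.cer path are assumptions.

```sh
#!/bin/sh
# Added example: is the certificate acme.sh issued the one actually served?

# SHA-256 fingerprint of a PEM certificate file (empty output if unreadable).
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null | cut -d= -f2
}

# Write the leaf certificate served by HOST[:PORT] to stdout as PEM (needs network).
fetch_served_cert() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# check_deploy ISSUED_PEM SERVED_PEM [MIN_DAYS]
# Prints one verdict and returns: ok=0, stale=1, expiring=2, unreadable=3.
check_deploy() {
    cd_issued=$1
    cd_served=$2
    cd_min_days=${3:-20}
    cd_fp_issued=$(cert_fingerprint "$cd_issued")
    cd_fp_served=$(cert_fingerprint "$cd_served")
    if [ -z "$cd_fp_issued" ] || [ -z "$cd_fp_served" ]; then
        echo unreadable; return 3
    fi
    # A renewal that was issued but never deployed shows up as a mismatch.
    if [ "$cd_fp_issued" != "$cd_fp_served" ]; then
        echo stale; return 1
    fi
    # -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -noout -checkend $((cd_min_days * 86400)) -in "$cd_served" >/dev/null 2>&1; then
        echo expiring; return 2
    fi
    echo ok
}

# Live use: sh check_deploy.sh --live yasmar.net
# Assumption: acme.sh's default layout ~/.acme.sh/<domain>/<domain>.cer
# (adjust the path if your install keeps certificates elsewhere).
if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
    tmp_served=$(mktemp)
    fetch_served_cert "$2" > "$tmp_served"
    check_deploy "$HOME/.acme.sh/$2/$2.cer" "$tmp_served"
    rc=$?
    rm -f "$tmp_served"
    exit "$rc"
fi
```

Run from cron shortly after the scheduled renewal, a "stale" verdict means the deploy hook did not install the new certificate.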
Update (June, 2018)
So my hosting company decided to seriously break perl. LWP was removed and there’s no compiler so I can’t install any equivalent CPAN modules. However, PHP is present and works just fine, so I have updated the deployment script. The new code is here.
With PHP, I can use the expected localhost:2083 to access cpanel, which is nice.
However, while looking at pushing this to the upstream project, I noticed that someone else has implemented support for the cpanel uapi command (which my hosting provider has). This has the advantage that you don’t need to put your credentials into a file and since it’s a cpanel thing, it probably won’t break in the future.
acme.sh --deploy -d yasmar.net --deploy-hook cpanel_uapi