Let’s Encrypt is a certificate authority (CA) that provides free X.509 certificates for Transport Layer Security (TLS). Simply said, Let’s Encrypt provides free SSL certificates for your websites. To make the deal sweeter, tools are available to simplify the process of acquiring SSL certificate (i.e. generate private key, get the certificate signing request, download SSL certificate). Let’s Encrypt is seamless for servers with shell access or when the hosting provider offers Let’s Encrypt support. However, the manual process could be daunting if you are on shared cPanel hosting (like me) but I hacked up a way to automate Let’s Encrypt SSL renewal for it.
The issue with manual Certbot method
The Let’s Encrypt free X.509 certificates have 90 days validity and they can be renewed on the 60th day mark.
If you do not have shell access and the hosting provider do not offer support for Let’s Encrypt then you got to use the Let’s Encrypt Certbot in manual mode to get/ renew the SSL certificates. It involves uploading of file to your website to prove your control (over the domain and server) before you can get your Let’s Encrypt SSL certificate.
This manual process is time consuming and needs to be repeated several times a year (every 60 to 90 days) before the SSL certificate expires. I guess I need not explain why shouldn’t you let the SSL certificate expire. Chances ah, SSL certificate renewal will lapse when done manually.
Being a lazy guy, I set out to find ways to automate this process.
What needs to be done to automate Let’s Encrypt?
To successfully automate the Let’s Encrypt renewal process, I will need to (at least):
- Monitor the expiry of Let’s Encrypt SSL certificate;
- Renew the SSL certificate by using Let’s Encrypt protocol;
- Upload the renewed SSL certificate (and probably private key) to cPanel; and
- Apply the renewed SSL certificate to the web server.
Alright, the steps seem straightforward and I hope that there will scripts/ tools to simplify the process.
Understanding (my) shared cPanel Hosting
Before I set off to hack up a way to renew Let’s Encrypt SSL certificate, I did a quick check with my hosting provider to see if they are planning to have Let’s Encrypt support in their cPanel or as part of their offerings. Well, seems like it is not going to happen in the foreseeable future.
The next step in this exploration was to understand what I could or could not do with my limited shared cPanel privileges:
|Upload/ Download file(s)||Yes!|
|Schedule Cron job(s)||Yes!|
|Set SSL certificate for domains/ sub-domains||No! 🙁|
|Get support team's help to set SSL certificate for domain/ sub-domain||Yes!|
At this juncture, it seems pretty clear what I could potentially do to automate the Let’s Encrypt SSL certificate renewal process.
What I did to automate Let’s Encrypt on (my) shared cPanel Hosting
I ended up semi-automating the Let’s Encrypt SSL renewal process by using a combination of Cron, acme shell client and sendmail. I think I am pretty innovation in using sendmail to rope in support team’s help. Why is it semi automated? Read on.
|1||Monitor the expiry of Let's Encrypt SSL certificate||Daily Cron job + acme.sh (Neilpang's acme.sh)|
|2||Renew the SSL certificate by adhering to Let's Encrypt process||Daily Cron job + acme.sh|
|3||Upload the SSL certificate and private key to cPanel||Automated sendmail to Support Team|
|4||Apply the SSL certificate for the web server||Automated sendmail to Support Team|
Yes, the Cron job cat the contents of the SSL certificate, private key and CA certificate into the email body and send it to the support team every two months to rope in their help in setting the SSL certificate for the website. It is pretty cool of them to help via email.
Just in case you are interested, the sendmail command is as follow:
( echo "Subject: Update SSL Certificate for shadowandy.net - $(date)"; echo "From: some@email"; echo; echo "SSL Certificate"; ) | /usr/sbin/sendmail -v support@email
I managed to automate the Let’s Encrypt SSL renewal process on my shared cPanel Hosting. However, there are some gaps in this solution.
Steps 1 and 2 are pretty deterministic. That is, I would know if the renewal process succeeds or fails.
However, step 3 and 4 requires human intervention to determine if they have succeeded or failed. What could be done better? Well, I could probably find a CLI email client to grep success replies from the support team to close off the entire loop. Well, I guess the current solution is good enough for me.
Hope it helps you. Cheers!