Since Let’s Encrypt is free, and we love their certificates, why not use them for the admin panel as well?
This is oddly enough not built-in considering that it supports AutoSSL out of the box, there is no way to create an account using the server hostname and no way (that I am aware of) to interface with it by CLI.

But fear not, after some disappointing googling and some trial and error, I managed to work out a solution that will replace the current certificates with Let’s Encrypt and keep them auto updated.

Without further ado, here is the short and sweet guide to enabling free SSL for the admin panel in CWP.

Note this does require access to the shell as root.

Install requirements

yum install certbot

We will use certbot to handle automatic certificate generation as it also supports post-hooks.

Add vHost to handle webroot challenge

nano /usr/local/apache/conf.d/lets-encrypt.conf

Now paste in the following snippet

Alias /.well-known/acme-challenge/ "/var/www/html/.well-known/acme-challenge/"
<Directory "/var/www/html/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS

This will allow the webserver to server the acme challenge from /var/www/html/

Restart httpd

systemctl restart httpd

Generate the certificate

We can run it first with –staging to test without hitting any limits, and then the real run when we know it works.

# Staging (does not count towards limits)
certbot certonly --staging --webroot -w /var/www/html/ -d cwp.mydomain.tld

# Production
certbot certonly --webroot -w /var/www/html/ -d cwp.mydomain.tld

Note if you did with –staging first, then it will ask you if you want to overwrite the certificate, and you say YES.

Link CWP to the certificate

First we rename each of the old certs using these 3 commands

mv /etc/pki/tls/certs/hostname.crt /etc/pki/tls/certs/hostname.crt.bak
mv /etc/pki/tls/certs/hostname.bundle /etc/pki/tls/certs/hostname.bundle.bak
mv /etc/pki/tls/private/hostname.key /etc/pki/tls/private/hostname.key.bak

Now we can symlink to the live Let’s Encrypt certificate

ln -s /etc/letsencrypt/live/ /etc/pki/tls/certs/hostname.crt
ln -s /etc/letsencrypt/live/ /etc/pki/tls/certs/hostname.bundle
ln -s /etc/letsencrypt/live/ /etc/pki/tls/private/hostname.key

Then we restart CWP

systemctl restart cwpsrv

Now when you open the admin it should be a nice padlocked HTTPS url.

Add auto renew with hook

Finally we need to add a cronjob that will auto-renew the certificate and restart CWP only when the certificate changes.

The certificate is valid for 90 days, and we can check it every day, and it will only renew when it gets within 30 days of expiring.

Edit root cronjob

crontab -e

Add the following line

0 5 * * * certbot renew --post-hook "systemctl restart cwpsrv"

That’s it!
Happy webhosting!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.