Since Let’s Encrypt is free, and we love their certificates, why not use them for the admin panel as well?
Oddly enough, this is not built in, even though CWP supports AutoSSL out of the box: there is no way to create an account using the server hostname, and no way (that I am aware of) to interface with it by CLI.
But fear not, after some disappointing googling and some trial and error, I managed to work out a solution that will replace the current certificates with Let’s Encrypt and keep them auto updated.
Without further ado, here is the short and sweet guide to enabling free SSL for the admin panel in CWP.
Note this does require access to the shell as root.
yum install certbot
We will use certbot to handle automatic certificate generation as it also supports post-hooks.
Add vHost to handle webroot challenge
Now paste in the following snippet
Alias /.well-known/acme-challenge/ "/var/www/html/.well-known/acme-challenge/"
<Directory "/var/www/html/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>
This will allow the webserver to serve the ACME challenge from /var/www/html/
systemctl restart httpd
Generate the certificate
We can run it first with --staging to test without hitting any limits, and then do the real run once we know it works.
# Staging (does not count towards limits)
certbot certonly --staging --webroot -w /var/www/html/ -d cwp.mydomain.tld
# Production
certbot certonly --webroot -w /var/www/html/ -d cwp.mydomain.tld
Note that if you ran it with --staging first, it will ask whether you want to overwrite the certificate, and you say YES.
Link CWP to the certificate
First we rename each of the old certs using these 3 commands
mv /etc/pki/tls/certs/hostname.crt /etc/pki/tls/certs/hostname.crt.bak
mv /etc/pki/tls/certs/hostname.bundle /etc/pki/tls/certs/hostname.bundle.bak
mv /etc/pki/tls/private/hostname.key /etc/pki/tls/private/hostname.key.bak
Now we can symlink to the live Let’s Encrypt certificate
# The live/ directory is named after the domain passed to certbot with -d
ln -s /etc/letsencrypt/live/cwp.mydomain.tld/cert.pem /etc/pki/tls/certs/hostname.crt
ln -s /etc/letsencrypt/live/cwp.mydomain.tld/fullchain.pem /etc/pki/tls/certs/hostname.bundle
ln -s /etc/letsencrypt/live/cwp.mydomain.tld/privkey.pem /etc/pki/tls/private/hostname.key
Then we restart CWP
systemctl restart cwpsrv
Now when you open the admin it should be a nice padlocked HTTPS url.
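To confirm the links from the step above, here is an added check (not part of the original guide) that verifies each CWP certificate path is a symlink to the matching file in certbot's live directory and that the target resolves. The function names and the optional ROOT prefix are assumptions made for this example, and make_scratch_tree builds constructed sample input.

```shell
# check_cwp_links DOMAIN [ROOT]  (added example; ROOT is a hypothetical
# prefix, empty by default, so the check can be tried on a scratch tree)
check_cwp_links() {
    domain=$1
    root=${2:-}
    live="$root/etc/letsencrypt/live/$domain"
    rc=0
    # CWP path : file it should link to in certbot's live directory
    for pair in \
        "etc/pki/tls/certs/hostname.crt:cert.pem" \
        "etc/pki/tls/certs/hostname.bundle:fullchain.pem" \
        "etc/pki/tls/private/hostname.key:privkey.pem"
    do
        link="$root/${pair%%:*}"
        want="$live/${pair##*:}"
        if [ ! -L "$link" ]; then
            echo "FAIL $link is not a symlink, renewals will not reach CWP"
            rc=1
        elif [ "$(readlink "$link")" != "$want" ]; then
            echo "FAIL $link -> $(readlink "$link"), expected $want"
            rc=1
        elif [ ! -e "$link" ]; then
            echo "FAIL $link is dangling: $want does not resolve to a file"
            rc=1
        else
            echo "OK   $link -> $want"
        fi
    done
    return $rc
}

# Constructed sample input: a scratch tree mirroring the guide's layout.
make_scratch_tree() {
    domain=$1
    t=$(mktemp -d)
    live="$t/etc/letsencrypt/live/$domain"
    mkdir -p "$live" "$t/etc/pki/tls/certs" "$t/etc/pki/tls/private"
    for f in cert.pem fullchain.pem privkey.pem; do
        echo "placeholder, not a real certificate or key" > "$live/$f"
    done
    ln -s "$live/cert.pem" "$t/etc/pki/tls/certs/hostname.crt"
    ln -s "$live/fullchain.pem" "$t/etc/pki/tls/certs/hostname.bundle"
    ln -s "$live/privkey.pem" "$t/etc/pki/tls/private/hostname.key"
    echo "$t"
}
```

On the server, run check_cwp_links cwp.mydomain.tld as root; a non-zero exit status means at least one path is a regular file, points elsewhere, or dangles.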
Add auto renew with hook
Finally we need to add a cronjob that will auto-renew the certificate and restart CWP only when the certificate changes.
The certificate is valid for 90 days. We can check it every day, and it will only renew when it gets within 30 days of expiring.
Edit root cronjob
Add the following line
0 5 * * * certbot renew --post-hook "systemctl restart cwpsrv"