Control Web Panel
WebPanel => SSL => Topic started by: cfreire on May 08, 2025, 03:38:04 PM
-
Hi, I have tried to renew my expired certs (webmail, cpanel, etc.). In the web interface the renewal is apparently successful, but when I reload the web page, the notice that it is "expired" is still there. When I check the .cert files in /etc/pki/tls/certs, they are indeed expired. Something is preventing the .cert or bundle files from being rewritten.
How can I resolve this problem, please? Regards.
-
Possibly a bug in CWP.
This happened to me when migrating domains from another server.
Once the domain was renewed manually, the renewal process became automatic again.
Try creating a script, named e.g. 'renew-cert.sh', to renew manually:
#!/bin/bash
DOM=${1}
/root/.acme.sh/acme.sh --home /root/.acme.sh/cwp_certs --renew --ecc -d ${DOM} --force
Change permissions:
# chmod 700 renew-cert.sh
And run the script (replacing "domain.com" with your domain):
# ./renew-cert.sh domain.com
Regards,
Netino
-
I tried the script; it was going well, but in the end I got the following error:
cxxxxxxxxxxx.cxx: Invalid status. Verification error details: 157.90.211.236: Fetching http://cxxnxxxx.com/.well-known/acme-challenge/rxt3tCYUqpgL_DtbRhDA7ik31_RQrp_bt1cvzc1jXyk: Timeout during connect (likely firewall problem)
[Mon May 12 13:12:40 -05 2025] Please check log file for more details: /root/.acme.sh/cwp_certs/acme.sh.log
[root@ ~]#
And indeed, I migrated this domain from another server. Your help, please. Thanks.
-
Is your firewall allowing inbound & outbound port 80? Is iptables configured similarly to this:
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
You could temporarily disable the CSF firewall (csf -x) and test a renewal, either from the CWP web GUI or via Netino's script. This would tell you if it is a firewall problem, which it would appear to be.
-
Ah, but the website is on another server that I don't administer. How can I change the verification mode?
-
Ah, but the website is on another server that I don't administer. How can I change the verification mode?
You simply can't get certificates via Let's Encrypt in Apache mode if you can't save tokens in a specific area of the web server.
But with another app (certbot) in DNS mode, you could.
Do you manage the DNS server of these sites?
-
Hi, of course, I manage the DNS zone of the domain. Then, how do I proceed?
-
Use certbot (an ACME client) and run it with a configuration like this (obtaining an API key from your DNS provider; Cloudflare, in this example):
/etc/letsencrypt/renewal/yourdomain.com.conf
# renew_before_expiry = 30 days
version = 1.8.0
archive_dir = /etc/letsencrypt/archive/yourdomain.com
cert = /etc/letsencrypt/live/yourdomain.com/cert.pem
privkey = /etc/letsencrypt/live/yourdomain.com/privkey.pem
chain = /etc/letsencrypt/live/yourdomain.com/chain.pem
fullchain = /etc/letsencrypt/live/yourdomain.com/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = YOURAPIKEYHERE
authenticator = dns-cloudflare
dns_cloudflare_propagation_seconds = 60
dns_cloudflare_credentials = /some/path/conf/yourdomain.com.key
server = https://acme-v02.api.letsencrypt.org/directory
Then you just call certbot renew from cron and it will renew your SSL cert 30 days before expiry.
-
Hi, thanks for your reply. What if the folder letsencrypt/renewal/ does not exist in /etc?
-
Read and follow certbot's documentation: https://certbot.eff.org/instructions?ws=apache&os=snap
You should run certbot from the CLI manually once to set it up, then edit the config to switch to DNS mode:
sudo certbot --apache
My example was specifically for Cloudflare, so you may have to adapt it to your situation.
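The renewal config above leaves the new files under /etc/letsencrypt/live, while CWP reads certificates from /etc/pki/tls (the paths in the first post). A certbot deploy hook can bridge that; this is an added example, not certbot's or CWP's own code, and the hook path is an assumption:

```shell
#!/bin/sh
# Added example, not certbot's or CWP's own code: a certbot deploy hook that
# copies a renewed lineage into the file names CWP reads (see the first post:
# /etc/pki/tls/certs/DOM.cert, DOM.bundle, /etc/pki/tls/private/DOM.key) and
# restarts the running web server. Suggested path (an assumption):
# /etc/letsencrypt/renewal-hooks/deploy/cwp-install.sh
# certbot exports RENEWED_LINEAGE and RENEWED_DOMAINS to deploy hooks.
CERTS_DIR=${CERTS_DIR:-/etc/pki/tls/certs}
KEYS_DIR=${KEYS_DIR:-/etc/pki/tls/private}

# Copy lineage dir $1 for main domain $2 into CWP's paths. Files are staged
# under .tmp names and then renamed, so a half-copied set never goes live.
install_lineage() {
    lineage=$1; dom=$2
    for f in cert.pem privkey.pem fullchain.pem; do
        [ -r "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
    done
    cp "$lineage/cert.pem"      "$CERTS_DIR/$dom.cert.tmp"   &&
    cp "$lineage/fullchain.pem" "$CERTS_DIR/$dom.bundle.tmp" &&
    cp "$lineage/privkey.pem"   "$KEYS_DIR/$dom.key.tmp"     || return 1
    chmod 0644 "$CERTS_DIR/$dom.cert.tmp" "$CERTS_DIR/$dom.bundle.tmp"
    chmod 0600 "$KEYS_DIR/$dom.key.tmp"        # private key stays root-only
    mv "$CERTS_DIR/$dom.cert.tmp"   "$CERTS_DIR/$dom.cert"   &&
    mv "$CERTS_DIR/$dom.bundle.tmp" "$CERTS_DIR/$dom.bundle" &&
    mv "$KEYS_DIR/$dom.key.tmp"     "$KEYS_DIR/$dom.key"
}

# Main domain = first name in RENEWED_DOMAINS ("example.com mail.example.com ...").
# $1 is unquoted on purpose so the space-separated list is split.
main_domain() { set -- $1; printf '%s' "$1"; }

# Restart only the web servers that are actually running.
reload_webs() {
    command -v systemctl >/dev/null 2>&1 || return 0
    for w in nginx httpd; do
        systemctl -q is-active "$w" 2>/dev/null && systemctl restart "$w"
    done
    return 0
}

if [ -n "${RENEWED_LINEAGE-}" ]; then
    install_lineage "$RENEWED_LINEAGE" "$(main_domain "$RENEWED_DOMAINS")" && reload_webs
fi
```

The hook only runs when certbot actually obtained a new certificate, so a cron job running certbot renew keeps CWP's files current without further copying.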
-
Hi, thanks for your reply. Now, when I run the command you suggested, I get:
sudo certbot --apache
/opt/certbot/lib64/python3.6/site-packages/OpenSSL/_util.py:6: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography. The next release of cryptography will remove support for Python 3.6.
from cryptography.hazmat.bindings.openssl.binding import Binding
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Python 3.6 support will be dropped in the next release of Certbot - please upgrade your Python version.
The apache plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError('Cannot find Apache executable httpd',)
[root@mail ~]#
I have AlmaLinux 8. Please help. Regards.
-
Try to repair and create a new configuration by running the following script (still working with acme.sh):
#!/bin/bash
# usage: ./script.sh your-domain.com
DOM=${1}
WEBS=""
# restart only the web servers that are actually running
systemctl -q is-active nginx && WEBS="${WEBS} nginx"
systemctl -q is-active httpd && WEBS="${WEBS} httpd"
# acme.sh needs every SAN as its own -d argument
/root/.acme.sh/acme.sh --cert-home /root/.acme.sh/cwp_certs --webroot /usr/local/apache/autossl_tmp --issue -d ${DOM} -d mail.${DOM} -d webmail.${DOM} -d ftp.${DOM} -d cpanel.${DOM} --ecc \
--cert-file /etc/pki/tls/certs/${DOM}.cert \
--key-file /etc/pki/tls/private/${DOM}.key \
--fullchain-file /etc/pki/tls/certs/${DOM}.bundle \
--reloadcmd "systemctl restart ${WEBS}"
Run it with:
# chmod 700 script.sh
# ./script.sh your-domain.com
After that, try to renew with CWP (because CWP may still claim the domain does not have a cert).
-
Hi friend, I get the following when I run the script:
ot@mail ~]# ./script.sh xxx.com
[Tue May 20 09:48:46 -05 2025] Unknown parameter: mail
-
What SANs do you need for your domain? Netino's script has the basic four used by CWP: mail, webmail, ftp, cpanel (in addition to the common www CNAME, which is included with the main domain). Do you not use the "mail" SAN? Personally, I use the other three, but not cpanel.
-
Hi, I use all the subdomains: mail, www, cpanel...
-
Hi friend, I get the following when I run the script:
ot@mail ~]# ./script.sh xxx.com
[Tue May 20 09:48:46 -05 2025] Unknown parameter: mail
This is not a message from acme.sh.
So maybe you copied something wrong in your script?
Try to replace the parameters directly in the main command in that script (/root/.acme.sh/acme.sh ... )
Type all these commands, step by step, in bash on your server:
# DOM=xxx.com
# WEBS=""
# systemctl -q is-active nginx && WEBS="${WEBS} nginx"
# systemctl -q is-active httpd && WEBS="${WEBS} httpd"
# /root/.acme.sh/acme.sh --cert-home /root/.acme.sh/cwp_certs --webroot /usr/local/apache/autossl_tmp --issue -d ${DOM} -d mail.${DOM} -d webmail.${DOM} -d ftp.${DOM} -d cpanel.${DOM} --ecc \
--cert-file /etc/pki/tls/certs/${DOM}.cert \
--key-file /etc/pki/tls/private/${DOM}.key \
--fullchain-file /etc/pki/tls/certs/${DOM}.bundle \
--reloadcmd "systemctl restart ${WEBS}"
Alternatively, you can put your parameters between quotation marks, like:
# DOM="xxx.com"
(...)
# /root/.acme.sh/acme.sh --cert-home "/root/.acme.sh/cwp_certs" --webroot "/usr/local/apache/autossl_tmp" --issue -d "${DOM}" -d "mail.${DOM}" -d "webmail.${DOM}" -d "ftp.${DOM}" -d "cpanel.${DOM}" --ecc \
(...)
You can check where the error is, and post it here.
-
I tried to execute the command directly, and I get the same error. I attach the output:
root@mail ~]#
[root@mail ~]#
[root@mail ~]# /root/.acme.sh/acme.sh --cert-home /root/.acme.sh/cwp_certs --webroot /usr/local/apache/autossl_tmp --issue -d xxx.com mail webmail ftp cpanel --ecc --cert-file /etc/pki/tls/certs/cxxxxx.cert --key-file /etc/pki/tls/private/xxxxcom.key --fullchain-file /etc/pki/tls/certs/xxxxcom.bundle
[Tue May 27 11:01:44 -05 2025] Unknown parameter: mail
[root@mail ~]#
[root@mail ~]# /root/.acme.sh/acme.sh --cert-home /root/.acme.sh/cwp_certs --webroot /usr/local/apache/autossl_tmp --issue -d ${DOM} mail webmail ftp cpanel --ecc --cert-file /etc/pki/tls/certs/${DOM}.cert --key-file /etc/pki/tls/private/${DOM}.key --fullchain-file /etc/pki/tls/certs/${DOM}.bundle --reloadcmd "systemctl restart ${WEBS}"
[Tue May 27 11:02:10 -05 2025] Unknown parameter: webmail
-
@Netino
Is there a way to renew all the certificates at once, and not one at a time using your script?
-
Seems like you could iterate it in a loop... and set it up for interactive use to take $1 as an argument, so you can feed in the domain instead of hard-coding it in the script.
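One way to do that, as an added example rather than Netino's script or CWP's own code: keep the domains in a list file and call acme.sh once per domain, passing each SAN as its own -d flag, which is the form acme.sh accepts (the list-file path and acme.sh location are assumptions):

```shell
#!/bin/bash
# Added example, not Netino's script or CWP's own code: issue the CWP
# certificate for every domain in a list file, one acme.sh call per domain.
# acme.sh expects each SAN as its own "-d name"; a bare "mail webmail ftp
# cpanel" after -d is exactly what yields "Unknown parameter: mail".
# Assumptions (mine): acme.sh in /root/.acme.sh, list file = one domain per line.
ACME=/root/.acme.sh/acme.sh
CERT_HOME=/root/.acme.sh/cwp_certs
WEBROOT=/usr/local/apache/autossl_tmp
SANS="mail webmail ftp cpanel"   # the four CWP SANs named in the thread
# Active web servers to restart after install; empty when none (or no systemd).
active_webs() {
    webs=""
    command -v systemctl >/dev/null 2>&1 || return 0
    for w in nginx httpd; do
        systemctl -q is-active "$w" 2>/dev/null && webs="$webs $w"
    done
    printf '%s' "${webs# }"
}
# Print the acme.sh argument list for domain $1 (reload list $2), one per line,
# so it can be inspected or tested without touching Let's Encrypt.
issue_args() {
    dom=$1; webs=$2
    printf '%s\n' "$ACME" --cert-home "$CERT_HOME" --webroot "$WEBROOT" \
                  --issue --ecc -d "$dom"
    for s in $SANS; do printf '%s\n' -d "$s.$dom"; done
    printf '%s\n' --cert-file "/etc/pki/tls/certs/$dom.cert" \
                  --key-file "/etc/pki/tls/private/$dom.key" \
                  --fullchain-file "/etc/pki/tls/certs/$dom.bundle"
    # Omit --reloadcmd when nothing is running instead of "systemctl restart ".
    [ -z "$webs" ] || printf '%s\n' --reloadcmd "systemctl restart $webs"
}
# Rebuild the printed list as real arguments (no eval, no word splitting).
issue_one() {
    dom=$1; set --
    while IFS= read -r a; do set -- "$@" "$a"; done <<EOF
$(issue_args "$dom" "$(active_webs)")
EOF
    "$@"
}
# Issue for every domain in file $1; blank lines and # comments are skipped.
# stdin is redirected so acme.sh cannot swallow the rest of the list.
issue_all() {
    rc=0
    while read -r dom; do
        case $dom in ''|'#'*) continue ;; esac
        issue_one "$dom" </dev/null || { echo "failed: $dom" >&2; rc=1; }
    done < "$1"
    return $rc
}
if [ $# -gt 0 ]; then issue_all "$1"; fi
```

Every name in the list must resolve to this server for the webroot challenge to pass, which is the same constraint the thread hit with the domain hosted elsewhere.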