Automatic Let's encrypt SSL on GoDaddy


Unread post by Santeri » Wed Jul 05, 2017 5:24 pm

Let’s Encrypt offers free SSL certificates necessary for making secure web servers using the HTTPS protocol. Currently the GoDaddy hosting company is offering commercial SSL certificates and providing only defunct instructions for using Let's Encrypt certificates. As you can see, this website is running on GoDaddy and it is using fully automated SSL certificates. How did I do that?

First I installed acme.sh using Steve Phillips's awesome instructions. I followed them through until "Upload cert and private key via GoDaddy's web interface", where I was supposed to install certificates using cPanel. Let's Encrypt certificates have to be renewed every 2-3 months or they will expire and your website stops working properly, giving security warnings. Renewing certificates manually at least quarterly was not an option for me.

Reading acme.sh source code revealed that while there is functionality for automatic renewal and installing of certificates using cPanel, it has not been implemented yet. The missing script name is cpanel.sh and it is located at ~/.acme.sh/deploy/cpanel.sh

I wrote the missing script and now it works fully automatically. After the certificate is issued, it is deployed using the following command:
acme.sh --deploy -d www.mydomain.com --deploy-hook cpanel
I have submitted my script to acme.sh GitHub, but it might take a while before it will be merged, if ever. Here is my code in case you want to use it. Simply overwrite the original cpanel.sh with it and you are good to go.

(Script updated on 2017-7-10 with the fix hedgehog provided)

Code:

#!/usr/bin/env sh
# Here is the script to deploy the cert to your cpanel using the cpanel API.
# Uses command line uapi.  --user option is needed only if run as root.
# Returns 0 when success.
# Written by Santeri Kannisto <santeri.kannisto@2globalnomads.info>
# Public domain, 2017

#export DEPLOY_CPANEL_USER=myusername

########  Public functions #####################

#domain keyfile certfile cafile fullchain

cpanel_deploy() {
  _cdomain="$1"
  _ckey="$2"
  _ccert="$3"
  _cca="$4"
  _cfullchain="$5"

  _debug _cdomain "$_cdomain"
  _debug _ckey "$_ckey"
  _debug _ccert "$_ccert"
  _debug _cca "$_cca"
  _debug _cfullchain "$_cfullchain"

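  # URL-encode the cert and key. PHP reads each file itself, so the PEM text is
  # not interpolated into PHP source and the key is not on php's command line
  # (it is still passed to uapi as an argument below).
  _cert=$(php -r 'echo urlencode(rtrim(file_get_contents($argv[1]), "\n"));' -- "$_ccert")
  _key=$(php -r 'echo urlencode(rtrim(file_get_contents($argv[1]), "\n"));' -- "$_ckey")

  _debug _cert "$_cert"
  # the private key is deliberately not written to the debug log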

  if [ "$(id -u)" = 0 ]; then
    _response=$(uapi --user="$DEPLOY_CPANEL_USER" SSL install_ssl domain="$_cdomain" cert="$_cert" key="$_key")
  else
    _response=$(uapi SSL install_ssl domain="$_cdomain" cert="$_cert" key="$_key")
  fi

  if [ $? -ne 0 ]; then
    _err "Error in deploying certificate:"
    _err "$_response"
    return 1
  fi

  _debug response "$_response"
  _info "Certificate successfully deployed"
  return 0
}

Happy hacking!
Last edited by Santeri on Mon Jul 10, 2017 12:57 pm, edited 1 time in total.

Re: Automatic Let's encrypt SSL on GoDaddy

Unread post by hedgehog » Mon Jul 10, 2017 6:08 am

Hi Santeri,

Thanks for this post. I was able to use this code to automatically deploy an LE certificate to GoDaddy's cPanel.
I had to make a change though. I am not running as root (shared hosting), so $_opt was empty. However, having "$_opt" in the command messed things up and UAPI was giving me a "syntax page" result. Removing the quotes around this optional parameter made it work OK.

Hope this is integrated soon into the main repository.
Regards.

Re: Automatic Let's encrypt SSL on GoDaddy

Unread post by Santeri » Mon Jul 10, 2017 12:52 pm

hedgehog wrote:
Mon Jul 10, 2017 6:08 am
Thanks for this post. I was able to use this code to automatically deploy an LE certificate to GoDaddy's cPanel.
I had to make a change though. I am not running as root (shared hosting), so $_opt was empty. However, having "$_opt" in the command messed things up and UAPI was giving me a "syntax page" result. Removing the quotes around this optional parameter made it work OK.

Good that you managed to make it work. I don't have an environment for testing the option and it's been 15 years since I last wrote shell scripts for GNU/Linux :)

I updated my pull request in GitHub including this fix: https://github.com/Neilpang/acme.sh/pull/940

Here is the fixed script:

Code:

#!/usr/bin/env sh
# Here is the script to deploy the cert to your cpanel using the cpanel API.
# Uses command line uapi.  --user option is needed only if run as root.
# Returns 0 when success.
# Written by Santeri Kannisto <santeri.kannisto@2globalnomads.info>
# Public domain, 2017

#export DEPLOY_CPANEL_USER=myusername

########  Public functions #####################

#domain keyfile certfile cafile fullchain

cpanel_deploy() {
  _cdomain="$1"
  _ckey="$2"
  _ccert="$3"
  _cca="$4"
  _cfullchain="$5"

  _debug _cdomain "$_cdomain"
  _debug _ckey "$_ckey"
  _debug _ccert "$_ccert"
  _debug _cca "$_cca"
  _debug _cfullchain "$_cfullchain"

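  # URL-encode the cert and key. PHP reads each file itself, so the PEM text is
  # not interpolated into PHP source and the key is not on php's command line
  # (it is still passed to uapi as an argument below).
  _cert=$(php -r 'echo urlencode(rtrim(file_get_contents($argv[1]), "\n"));' -- "$_ccert")
  _key=$(php -r 'echo urlencode(rtrim(file_get_contents($argv[1]), "\n"));' -- "$_ckey")

  _debug _cert "$_cert"
  # the private key is deliberately not written to the debug log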

  if [ "$(id -u)" = 0 ]; then
    _response=$(uapi --user="$DEPLOY_CPANEL_USER" SSL install_ssl domain="$_cdomain" cert="$_cert" key="$_key")
  else
    _response=$(uapi SSL install_ssl domain="$_cdomain" cert="$_cert" key="$_key")
  fi

  if [ $? -ne 0 ]; then
    _err "Error in deploying certificate:"
    _err "$_response"
    return 1
  fi

  _debug response "$_response"
  _info "Certificate successfully deployed"
  return 0
}

Thanks a lot for your help!

Re: Automatic Let's encrypt SSL on GoDaddy

Unread post by ATLWebDesign » Fri Jul 14, 2017 12:38 pm

Thanks for your script, it works great deployed manually.

acme.sh installs a cron job to auto renew the Let's Encrypt certificate.

Do you need a 2nd cron job then to fire your deploy script, or can it be a parameter added to the acme.sh cron job?

What would the syntax of that cron job be?

I'm using it on a GoDaddy server that has multiple websites installed in subfolders.

Re: Automatic Let's encrypt SSL on GoDaddy

Unread post by Santeri » Fri Jul 14, 2017 8:38 pm

ATLWebDesign wrote:
Fri Jul 14, 2017 12:38 pm
Do you need a 2nd cron job then to fire your deploy script, or can it be a parameter added to the acme.sh cron job?

Renewed certificates should deploy fully automatically; at least manually renewed ones (with --force) did deploy when I tested the script. However, we will see that for sure only after my first certificates renew solely from cron within the next 2 months.

Re: Automatic Let's encrypt SSL on GoDaddy

Unread post by null » Thu Aug 03, 2017 4:57 am

I want to thank you for your cpanel script, I've been manually doing it on GoDaddy for a while now. I did everything you said in the post, and my final cron that works full auto is:
cd /home/GODADDYACCTNAME/.acme.sh; acme.sh --force --issue -d DOMAIN.COM -d WWW.DOMAIN.COM -w ~/www > /dev/null 2>&1; acme.sh --deploy -d DOMAIN.COM -d WWW.DOMAIN.COM --deploy-hook cpanel > /dev/null 2>&1
That does the issue and cpanel deploy with no output, and it is confirmed working full auto as a cron on GoDaddy using Santeri's script.

Re: Automatic Let's encrypt SSL on GoDaddy

Unread post by Santeri » Thu Aug 03, 2017 8:14 pm

null wrote:
Thu Aug 03, 2017 4:57 am
I want to thank you for your cpanel script, I've been manually doing it on GoDaddy for a while now.

You are welcome, and great that you got it working.

I am myself considering ditching GoDaddy and moving to Dreamhost. They offer built-in Let's Encrypt and also support DKIM, unlike GoDaddy. Their servers are really slow, like for example this forum, because they use NFS home directories and web roots, which sounds pretty insane to me.

Re: Automatic Let's encrypt SSL on GoDaddy

Unread post by Santeri » Tue Aug 08, 2017 11:31 am

Santeri wrote:
Thu Aug 03, 2017 8:14 pm
I am myself considering ditching GoDaddy and moving to Dreamhost.

I migrated this forum from GoDaddy to Dreamhost today. At least all tools and shell access are lightning fast compared to sluggish GoDaddy, and I also got DKIM working there.

Do you see any difference in the speed of this forum?
Last edited by Santeri on Thu Aug 17, 2017 1:34 am, edited 1 time in total.

Re: Automatic Let's encrypt SSL on GoDaddy

Unread post by rusty » Tue Aug 08, 2017 12:46 pm

Hi, I am trying to follow the guide but get stuck at the remark "After the certificate is issued, it is deployed using the following command:
acme.sh --deploy -d www.mydomain.com --deploy-hook cpanel
".

I am not sure if I should be executing this code?
crontab -l shows the scheduled renewal, so that seems fine (using the last "fixed" code from your comments).

However executing the command acme.sh --deploy -d www.<.....>.com --deploy-hook cpanel
gives:
Domain is not valid:'www........com'

What am I doing wrong here?

Also I am not sure at what point, if at all, I should now continue in the post at https://tryingtobeawesome.com/encryptdaddy/ ?

thanks for the help

Re: Automatic Let's encrypt SSL on GoDaddy

Unread post by Santeri » Tue Aug 08, 2017 1:00 pm

rusty wrote:
Tue Aug 08, 2017 12:46 pm
I am not sure if I should be executing this code?
crontab -l shows the scheduled renewal, so that seems fine (using the last "fixed" code from your comments).

You need to deploy it. Otherwise acme does not know how to re-deploy renewed certificates. If you don't, your crontab will only renew certificates without deploying them which leaves your system semi-automatic.

I am not 100% sure of this as my certificates are too fresh and have not yet renewed, but this is what I understood when I read their code.
Last edited by Santeri on Tue Aug 08, 2017 1:45 pm, edited 1 time in total.
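
One way to detect the "semi-automatic" state described in this thread, as an added example that is not part of the original posts or of acme.sh. It assumes acme.sh records a completed `--deploy` as a `Le_DeployHook='...'` line and the next renewal as `Le_NextRenewTime='<epoch>'` in each `<home>/<domain>/<domain>.conf`; the function names and the sample domains are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of acme.sh). Assumed layout: <home>/<domain>/<domain>.conf
# with KEY='value' lines such as Le_Domain, Le_DeployHook and Le_NextRenewTime.

# conf_value FILE KEY: print the value of KEY without sourcing (executing) the file.
conf_value() {
  sed -n "s/^$2='\{0,1\}\([^']*\)'\{0,1\}\$/\1/p" "$1" | head -n 1
}

# audit_acme_home HOME NOW_EPOCH: print "<domain> <status>" for every certificate.
audit_acme_home() {
  for _conf in "$1"/*/*.conf; do
    [ -f "$_conf" ] || continue
    _domain=$(conf_value "$_conf" Le_Domain)
    [ -n "$_domain" ] || continue          # not a domain conf (e.g. a CSR config)
    _hook=$(conf_value "$_conf" Le_DeployHook)
    _next=$(conf_value "$_conf" Le_NextRenewTime)
    # a missing or non-numeric renewal time is treated as overdue
    case "$_next" in '' | *[!0-9]*) _next=0 ;; esac
    if [ -z "$_hook" ]; then
      echo "$_domain no-deploy-hook"       # cron renews it, nothing installs it
    elif [ "$_next" -lt "$2" ]; then
      echo "$_domain renewal-overdue"      # cron is not renewing it
    else
      echo "$_domain ok"
    fi
  done
}

# Constructed sample home: a = deployed, b = never deployed, c = renewal missed.
make_sample_home() {
  _d=$(mktemp -d) || return 1
  mkdir "$_d/a.example" "$_d/b.example" "$_d/c.example"
  printf "Le_Domain='a.example'\nLe_DeployHook='cpanel,'\nLe_NextRenewTime='1600000000'\n" \
    >"$_d/a.example/a.example.conf"
  printf "Le_Domain='b.example'\nLe_NextRenewTime='1600000000'\n" \
    >"$_d/b.example/b.example.conf"
  printf "Le_Domain='c.example'\nLe_DeployHook='cpanel,'\nLe_NextRenewTime='1400000000'\n" \
    >"$_d/c.example/c.example.conf"
  echo "$_d"
}

_sample=$(make_sample_home)
audit_acme_home "$_sample" 1500000000
rm -rf "$_sample"
```

Against a real installation the call would be `audit_acme_home "$HOME/.acme.sh" "$(date +%s)"`, which is worth running from cron with its output mailed rather than discarded.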