Issue
WebShield SSL-cache is not configured on the server with Imunify360 Stand-alone installed.
Environment
- Imunify360 stand-alone
- WebShield
- Any supported OS
Solution
To configure SSL-cache correctly on Imunify360 stand-alone, it is necessary to add the certificate information for each domain to the WebShield SSL cache. This can be done manually, as described in the documentation: https://docs.imunify360.com/control_panel_integration/#manage-webshield-ssl-cache-manually
Alternatively, it can be done with a specially prepared script (pinned to this article in the attachments), which only needs the domain name and the paths to the key, certificate and chain files as parameters. Here is an example of the script execution:
chmod +x jsupply.py
./jsupply.py -k /path/to/key.pem -c /path/to/cert.pem -C /path/to/chain.pem -d my.domain.com | im360-ssl-cache --add -
The following commands will list the domains added to the SSL cache.
# /usr/sbin/im360-ssl-cache
# cat /var/cache/imunify360-webshield/ssl.cache
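To show what the attached jsupply.py has to produce for the pipe into im360-ssl-cache --add -, here is an added example (not the attached script and not Imunify360's own code). It validates the domain and the PEM files, refuses a missing file or an encrypted key, and emits the JSON document; the field names domain/key/certificate/chain are assumed from the jsupply options and should be confirmed against the linked documentation.

```python
#!/usr/bin/env python3
"""Emit the JSON that `im360-ssl-cache --add -` reads for one domain (added example)."""
import json
import re
import sys
from pathlib import Path

# One PEM block: "-----BEGIN X-----", body, "-----END X-----" (same X on both lines)
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.+?\r?\n-----END \1-----", re.S)
# FQDN, optionally with a leading "*." for wildcard certificates
HOSTNAME = re.compile(r"^(\*\.)?((?!-)[A-Za-z0-9-]{1,63}(?<!-)\.)+(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def pem_blocks(path):
    """Return the PEM block types found in a file, e.g. ['CERTIFICATE', 'CERTIFICATE']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(Path(path).read_text())]


def build_cache_entry(domain, key_path, cert_path, chain_path=None):
    """Validate the inputs and return the JSON text for one SSL-cache entry.
    Field names are an assumption taken from the jsupply options; confirm them
    against the Imunify360 documentation. Raises ValueError on any problem."""
    if not HOSTNAME.match(domain):
        raise ValueError(f"not a valid hostname: {domain!r}")
    files = {"key": key_path, "certificate": cert_path}
    if chain_path:
        files["chain"] = chain_path
    entry = {"domain": domain}
    for field, path in files.items():
        p = Path(path)
        if not p.is_file():
            raise ValueError(f"{field} file missing: {path}")
        types = pem_blocks(p)
        if field == "key":
            if "ENCRYPTED PRIVATE KEY" in types:
                raise ValueError(f"encrypted key cannot be served from the cache: {path}")
            if not any(t.endswith("PRIVATE KEY") for t in types):
                raise ValueError(f"no PRIVATE KEY block in {path}")
        elif "CERTIFICATE" not in types:
            raise ValueError(f"no CERTIFICATE block in {path}")
        entry[field] = p.read_text()
    return json.dumps([entry])


if __name__ == "__main__":
    # usage: build_cache_entry.py DOMAIN KEY CERT [CHAIN] | im360-ssl-cache --add -
    try:
        print(build_cache_entry(*sys.argv[1:5]))
    except (TypeError, ValueError) as exc:
        sys.exit(f"error: {exc}")
```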
For a one-time scenario (e.g. yearly renewal), and provided that the certificate files are named after their domains, it is easier to enumerate them with a script and add them to the cache, for example:
#!/bin/bash
# Directory holding the <domain>.key / <domain>.pem pairs
cd /etc/cloudflare/ || exit 1
# Path to the attached jsupply.py (adjust to where it was saved)
JSUPPLY="/root/jsupply.py"
# Do not run the loop body with a literal "*.key" when no key files exist
shopt -s nullglob
for key_file in *.key; do
    domain=${key_file%.*}
    pem_file="${domain}.pem"
    if [[ -e $pem_file ]]; then
        # The .pem file here carries both the leaf certificate and the chain
        "$JSUPPLY" -k "$key_file" -c "$pem_file" -C "$pem_file" -d "$domain" | im360-ssl-cache --add -
    else
        echo "Warning: No matching PEM file found for ${key_file}"
    fi
done
Or, for a 3-month renewal cycle, a script that automates adding a few domains can look like this:
#!/bin/bash
# Specify more domains here
DOMAINS=("domain1.org" "domain2.org" "domain3.org")
BASE_PATH="/etc/letsencrypt/live"
SCRIPT_PATH="/root/jsupply_new_ssl.py"
LOG_PATH="/var/log/jsupply_new_ssl.log"
# Provided that the certificates for each domain can be found under a similar path, we can enumerate them
for domain in "${DOMAINS[@]}"
do
    KEY_PATH="$BASE_PATH/$domain/privkey.pem"
    CERT_PATH="$BASE_PATH/$domain/cert.pem"
    CHAIN_PATH="$BASE_PATH/$domain/fullchain.pem"
    # Skip the domain (and keep its existing cache entry) if the certificate files are not present
    if [[ ! -f $KEY_PATH || ! -f $CERT_PATH || ! -f $CHAIN_PATH ]]; then
        echo "$(date) skipping $domain: certificate files missing under $BASE_PATH/$domain" >> "$LOG_PATH"
        continue
    fi
    # Remove the old cache entry for the domain
    "$SCRIPT_PATH" -d "$domain" -r >> "$LOG_PATH" 2>&1
    # Add the new certificate to the cache
    "$SCRIPT_PATH" -d "$domain" -k "$KEY_PATH" -c "$CERT_PATH" -C "$CHAIN_PATH" -a >> "$LOG_PATH" 2>&1
done
This script assumes that the certificates have already been renewed. For each domain you add to the array, the script will attempt to process its certificate as long as the corresponding certificate files exist under the directory specified by BASE_PATH, which can be adjusted.
Assuming the script is saved as /root/certificates_to_cache.sh, make it executable:
chmod +x /root/certificates_to_cache.sh
With this in place, a daily cron task such as the following should work as expected:
0 2 * * * /root/certificates_to_cache.sh
UPD: We've added a new version of this script, attached to this article (jsupply_new_ssl.py), with the following additional options:
args.add_argument('-a', '--add', help="add the specified certificate data to ssl-cache", action="store_true")
args.add_argument('-r', '--remove', help="remove data for the given domain from ssl-cache", action="store_true")
args.add_argument('-p', '--purge', help="remove all domains from ssl-cache", action="store_true")
# ./jsupply_new_ssl.py -h
usage: jsupply_new_ssl.py [-h] [-d DOMAIN] [-k KEY] [-c CERTIFICATE] [-C CHAIN] [-B BUNDLE] [-a] [-r] [-p]

optional arguments:
  -h, --help            show this help message and exit
  -d DOMAIN, --domain DOMAIN
                        domain
  -k KEY, --key KEY     Key path
  -c CERTIFICATE, --certificate CERTIFICATE
                        Certificate path
  -C CHAIN, --chain CHAIN
                        Chain path
  -B BUNDLE, --bundle BUNDLE
                        Path to bundle file (key, cert and chain in one file)
  -a, --add             add the specified certificate data to ssl-cache
  -r, --remove          remove data for the given domain from ssl-cache
  -p, --purge           remove all domains from ssl-cache
Cause
The imunify360-webshield-ssl-cache service is designed to work only with supported control panels. On servers with an Imunify360 stand-alone installation, the SSL cache must be configured manually.