How to install and automatically renew free Let's Encrypt / ZeroSSL certificate via cPanel for your domain
Version 0.793

Is your web hosting company not letting you use free Let's Encrypt certificates conveniently via cPanel (e.g. Namecheap)? Are they trying to promote their own SSL certificates instead (e.g. PositiveSSL)?

This guide is for you.

Pros

  • Free certificate forever - NO yearly fees!
  • Auto Renews (No action required from you to renew)
  • View status of certificate in cPanel
  • NO root access / server access required
  • Plus all the benefits that come with HTTPS - encrypted secured connections, Google PageRank increase, safely access your website admin panel via public WiFi, etc

Cons

  • Requires some technical knowledge to set up, as you will need to type commands via SSH. That is what this guide is for. Even screenshots are included.

Using this method, you can monitor your certificates within cPanel and they will auto renew by themselves as well.

The issued SSL certificates are free. After a one-time setup, the cron job renews them for you until you change your hosting company.

Disclaimer

This was tested on Namecheap's Stellar / Stellar Plus shared hosting only. It may not work with your specific provider. If it has cPanel and allows SSH, it should work. But I can't guarantee it as I haven't tested it.

Other web hosting providers that don't support Let's Encrypt natively (1-click) include

  • 1and1.com
  • 247-host.com
  • GoDaddy
  • HostMonster.com
  • Hostripples.com
  • Inmotionhosting.com
  • Namecheap.com
  • Netsons.com
  • Site5.com

(Source)

Proceed at your own risk! The information here is accurate to the best of our knowledge. We will not be held responsible if this document causes your computer to explode or burst into flames. In real serious terms, if any corruption of data, hardware damage or any other kind of damage/losses/etc. arises from the use of this document, We will not be responsible for it. If you don't like this, please don't read any further.

Tip: Try it on a subdomain first before trying it on your main domain. Just log in to cPanel and create a subdomain. However, note that the last two commands are different for subdomains.

Requirement

You must be using cPanel and have a domain added to cPanel that you want to add a certificate to ('https' it).

Also if your hosting provider already provides free Let's Encrypt certificates, you don't have to use this guide.

NO root access is required

Assuming

  • DOMAIN / SUBDOMAIN: mydomain.com / subdomain.mydomain.com
  • EMAIL: me@mydomain.com
  • DOMAIN PATH: ~/public_html

Why does it need my email?

The certificate authority (e.g. Let's Encrypt / ZeroSSL) requires it in case it needs to contact you.

What is my domain path?

Here is how to determine it:

  1. Log in to your cPanel
  2. Click on Domains (located under Domains). Note that if it is a subdomain, you should click Subdomains under Domains
  3. Locate the domain in the table and look under Document Root. Prefix ~ to it. That is your domain path
    1. You may have trouble copying the value, as cPanel disables selecting text for the row. Simply click on Manage and copy the text under "New Document Root". You'll need to prefix "~/" to the value in this case.

Tips

  • For primary domains, the domain path is usually "~/public_html"
  • For subdomains, the domain path is usually "~/subdomain.mydomain.com"
  • For addon domains, the domain path is usually "~/public_html/addondomain.com" OR "~/addondomain.com"

How to access SSH?

Note: Namecheap requires you to activate SSH before you can use it. Simply go to cPanel, "Exclusive for Namecheap Customers", "Manage Shell", and "Enable" to activate it.

Here is how to access the SSH shell

  1. Log in to your cPanel
  2. Go to Advanced
  3. Go to Terminal
  4. You should see a large black screen within the cPanel page. That is where you will be entering commands.

Here are all the commands needed

First time setup (only do it once per account)

curl https://get.acme.sh | sh
source ~/.bashrc
acme.sh --set-default-ca --server letsencrypt
acme.sh --register-account --accountemail me@mydomain.com

What each line does:

  1. Downloads and executes the ACME shell script (acme.sh)
  2. Reloads the environment
  3. Sets Let's Encrypt as the default
  4. Creates / Registers your account

For each domain (DO NOT use for subdomain)

Do not use the following 3 commands for a subdomain, as www is not required.

acme.sh --issue --webroot ~/public_html -d mydomain.com -d www.mydomain.com --staging
acme.sh --issue --webroot ~/public_html -d mydomain.com -d www.mydomain.com --force
acme.sh --deploy --deploy-hook cpanel_uapi --domain mydomain.com --domain www.mydomain.com

What each line does:

  1. Does a test run against the CA's staging server (--staging) to check that your DOMAIN PATH and the other parameters are correct.
  2. Obtains a certificate from the Certificate Authority (i.e. Let's Encrypt / ZeroSSL). Won't work if the previous line gave errors.
  3. Registers the certificate to your domain and cPanel (https will work now)

For each subdomain (DO NOT use for domain)

A subdomain's DOMAIN PATH usually does not reside in "public_html"; it should be "subdomain.mydomain.com".

acme.sh --issue --webroot ~/subdomain.mydomain.com -d subdomain.mydomain.com --staging
acme.sh --issue --webroot ~/subdomain.mydomain.com -d subdomain.mydomain.com --force
acme.sh --deploy --deploy-hook cpanel_uapi --domain subdomain.mydomain.com

What each line does:

  1. Does a test run against the CA's staging server (--staging) to check that your SUBDOMAIN PATH and the other parameters are correct.
  2. Obtains a certificate from the Certificate Authority (i.e. Let's Encrypt / ZeroSSL). Won't work if the previous line gave errors.
  3. Registers the certificate to your subdomain and cPanel (https will work now).
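
The --issue commands only succeed if the CA can fetch a file that acme.sh places under DOMAIN PATH/.well-known/acme-challenge/ for that name. The following is an added example, not part of the original guide: it writes a throwaway probe file there and fetches it back, so a wrong DOMAIN PATH shows up before any request reaches the CA. probe_webroot and FETCH are hypothetical names, and curl is assumed to be available on the host.

```shell
#!/bin/sh
# Added example, not part of the original guide. probe_webroot and FETCH are
# names made up for this sketch; curl is assumed to be available on the host.

# Command used to fetch the probe URL. -L follows an http -> https redirect.
FETCH=${FETCH:-curl -fsSL --max-time 15}

# Usage: probe_webroot ~/public_html mydomain.com
# Returns 0 if the domain serves files from the given DOMAIN PATH, 1 if it
# does not (the 404 case), 2 if the path itself is unusable.
probe_webroot() {
    webroot=$1
    domain=$2
    dir="$webroot/.well-known/acme-challenge"
    name="probe-$$-$(date +%s)"
    body="webroot-probe-$name"

    if [ ! -d "$webroot" ]; then
        echo "FAIL: $webroot is not a directory"
        return 2
    fi
    mkdir -p "$dir" || return 2
    printf '%s' "$body" > "$dir/$name" || return 2

    # HTTP-01 validation requests this URL shape; acme.sh writes the real
    # token into the same directory when --webroot is used.
    got=$($FETCH "http://$domain/.well-known/acme-challenge/$name" 2>/dev/null) || got=""
    rm -f "$dir/$name"

    if [ "$got" = "$body" ]; then
        echo "OK: $domain is served from $webroot"
        return 0
    fi
    echo "FAIL: $domain did not return the probe written to $webroot"
    return 1
}
```

Paste the function into the cPanel Terminal and call it with the same DOMAIN PATH and domain you intend to pass to --webroot and -d.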

What happens when each command is executed

The following was done for a domain. The last 2 commands are different for a subdomain, as stated above.

curl https://get.acme.sh | sh

% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
104 937 0 937 0 0 4423 0 --:--:-- --:--:-- --:--:-- 36038
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 203k 100 203k 0 0 456k 0 --:--:-- --:--:-- --:--:-- 771k
[Sat Jul 31 06:43:57 EDT 2021] Installing from online archive.
[Sat Jul 31 06:43:57 EDT 2021] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[Sat Jul 31 06:44:14 EDT 2021] Extracting master.tar.gz
[Sat Jul 31 06:44:14 EDT 2021] It is recommended to install socat first.
[Sat Jul 31 06:44:14 EDT 2021] We use socat for standalone server if you use standalone mode.
[Sat Jul 31 06:44:14 EDT 2021] If you don't use standalone mode, just ignore this warning.
[Sat Jul 31 06:44:14 EDT 2021] Installing to /home/<username>/.acme.sh
[Sat Jul 31 06:44:14 EDT 2021] Installed to /home/<username>/.acme.sh/acme.sh
[Sat Jul 31 06:44:14 EDT 2021] Installing alias to '/home/<username>/.bashrc'
[Sat Jul 31 06:44:14 EDT 2021] OK, Close and reopen your terminal to start using acme.sh
[Sat Jul 31 06:44:14 EDT 2021] Installing cron job
[Sat Jul 31 06:44:14 EDT 2021] Good, bash is found, so change the shebang to use bash as preferred.
[Sat Jul 31 06:44:15 EDT 2021] OK
[Sat Jul 31 06:44:15 EDT 2021] Install success!

source ~/.bashrc

(No output)

acme.sh --set-default-ca --server letsencrypt

[Sun Jun 18 09:04:48 EDT 2023] Changed default CA to: https://acme-v02.api.letsencrypt.org/directory

acme.sh --register-account --accountemail me@mydomain.com

acme.sh --issue --webroot ~/mydomain.com -d mydomain.com -d www.mydomain.com --staging

(Do not use this command for subdomains; refer above for the correct commands and substitute accordingly)

[Sat Jul 31 06:55:00 EDT 2021] Using ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Sat Jul 31 06:55:03 EDT 2021] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
[Sat Jul 31 06:55:04 EDT 2021] Create account key ok.
[Sat Jul 31 06:55:04 EDT 2021] Registering account: https://acme-staging-v02.api.letsencrypt.org/directory
[Sat Jul 31 06:55:04 EDT 2021] Registered
[Sat Jul 31 06:55:04 EDT 2021] ACCOUNT_THUMBPRINT='(hidden)'
[Sat Jul 31 06:55:04 EDT 2021] Creating domain key
[Sat Jul 31 06:55:05 EDT 2021] The domain key is here: /home/<username>/.acme.sh/mydomain.com/mydomain.com.key
[Sat Jul 31 06:55:05 EDT 2021] Multi domain='DNS:mydomain.com,DNS:www.mydomain.com'
[Sat Jul 31 06:55:05 EDT 2021] Getting domain auth token for each domain
[Sat Jul 31 06:55:10 EDT 2021] Getting webroot for domain='mydomain.com'
[Sat Jul 31 06:55:10 EDT 2021] Getting webroot for domain='www.mydomain.com'
[Sat Jul 31 06:55:10 EDT 2021] Verifying: mydomain.com
[Sat Jul 31 06:55:10 EDT 2021] Pending, The CA is processing your order, please just wait. (1/30)
[Sat Jul 31 06:55:13 EDT 2021] Success
[Sat Jul 31 06:55:13 EDT 2021] Verifying: www.mydomain.com
[Sat Jul 31 06:55:13 EDT 2021] Pending, The CA is processing your order, please just wait. (1/30)
[Sat Jul 31 06:55:16 EDT 2021] Success
[Sat Jul 31 06:55:16 EDT 2021] Verify finished, start to sign.
[Sat Jul 31 06:55:16 EDT 2021] Lets finalize the order.
[Sat Jul 31 06:55:16 EDT 2021] Le_OrderFinalize='https://acme-staging-v02.api.letsencrypt.org/acme/finalize/(hidden)'
[Sat Jul 31 06:55:23 EDT 2021] Downloading cert.
[Sat Jul 31 06:55:23 EDT 2021] Le_LinkCert='https://acme-staging-v02.api.letsencrypt.org/acme/cert/(hidden)'
[Sat Jul 31 06:55:25 EDT 2021] Cert success.
-----BEGIN CERTIFICATE-----
MIIFYTCCB...(hidden)
-----END CERTIFICATE-----
[Sat Jul 31 06:55:25 EDT 2021] Your cert is in /home/<username>/.acme.sh/mydomain.com/mydomain.com.cer
[Sat Jul 31 06:55:25 EDT 2021] Your cert key is in /home/<username>/.acme.sh/mydomain.com/mydomain.com.key
[Sat Jul 31 06:55:25 EDT 2021] The intermediate CA cert is in /home/<username>/.acme.sh/mydomain.com/ca.cer
[Sat Jul 31 06:55:25 EDT 2021] And the full chain certs is there: /home/<username>/.acme.sh/mydomain.com/fullchain.cer

acme.sh --issue --webroot ~/mydomain.com -d mydomain.com -d www.mydomain.com --force

(Do not use this command for subdomains; refer above for the correct commands and substitute accordingly)

[<username>@<server> ~]$ acme.sh --issue --webroot ~/mydomain.com -d mydomain.com -d www.mydomain.com --force
[Sat Jul 31 07:11:49 EDT 2021] Using CA: https://acme.zerossl.com/v2/DV90
[Sat Jul 31 07:11:49 EDT 2021] Multi domain='DNS:mydomain.com,DNS:www.mydomain.com'
[Sat Jul 31 07:11:49 EDT 2021] Getting domain auth token for each domain
[Sat Jul 31 07:11:51 EDT 2021] Getting webroot for domain='mydomain.com'
[Sat Jul 31 07:11:51 EDT 2021] Getting webroot for domain='www.mydomain.com'
[Sat Jul 31 07:11:51 EDT 2021] Verifying: mydomain.com
[Sat Jul 31 07:11:52 EDT 2021] Processing, The CA is processing your order, please just wait. (1/30)
[Sat Jul 31 07:11:55 EDT 2021] Success
[Sat Jul 31 07:11:55 EDT 2021] Verifying: www.mydomain.com
[Sat Jul 31 07:11:56 EDT 2021] Processing, The CA is processing your order, please just wait. (1/30)
[Sat Jul 31 07:11:58 EDT 2021] Success
[Sat Jul 31 07:11:58 EDT 2021] Verify finished, start to sign.
[Sat Jul 31 07:11:58 EDT 2021] Lets finalize the order.
[Sat Jul 31 07:11:58 EDT 2021] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/EkC0pOJsq33VoNwUHWvgoQ/finalize'
[Sat Jul 31 07:11:59 EDT 2021] Order status is processing, lets sleep and retry.
[Sat Jul 31 07:11:59 EDT 2021] Retry after: 15
[Sat Jul 31 07:12:15 EDT 2021] Polling order status: https://acme.zerossl.com/v2/DV90/order/EkC0pOJsq33VoNwUHWvgoQ
[Sat Jul 31 07:12:16 EDT 2021] Downloading cert.
[Sat Jul 31 07:12:16 EDT 2021] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/Nk4LRx02vlbpqLb_3Wu1jA'
[Sat Jul 31 07:12:17 EDT 2021] Cert success.
-----BEGIN CERTIFICATE-----
MIIGej......(hidden)
-----END CERTIFICATE-----
[Sat Jul 31 07:12:17 EDT 2021] Your cert is in /home/<username>/.acme.sh/mydomain.com/mydomain.com.cer
[Sat Jul 31 07:12:17 EDT 2021] Your cert key is in /home/<username>/.acme.sh/mydomain.com/mydomain.com.key
[Sat Jul 31 07:12:17 EDT 2021] The intermediate CA cert is in /home/<username>/.acme.sh/mydomain.com/ca.cer
[Sat Jul 31 07:12:17 EDT 2021] And the full chain certs is there: /home/<username>/.acme.sh/mydomain.com/fullchain.cer
[<username>@<server> ~]$

acme.sh --deploy --deploy-hook cpanel_uapi --domain mydomain.com --domain www.mydomain.com

(Do not use this command for subdomains; refer above for the correct commands and substitute accordingly)

[<username>@<server> ~]$ acme.sh --deploy --deploy-hook cpanel_uapi --domain mydomain.com --domain www.mydomain.com
[Sat Jul 31 07:17:24 EDT 2021] Certificate successfully deployed
[Sat Jul 31 07:17:24 EDT 2021] Success

Congratulations, your website is now HTTPS enabled

I hope the guide has been useful to you. If you have some trouble, post it in the Comments below and I will try to help.

How to remove a domain from auto renewing

Execute the command below:

acme.sh --remove --domain mydomain.com

Problems

[Sept 2021]

I have multiple domains renewing using this procedure. However, during the first renewal, one of my domains failed to activate the new certificate.

I fixed it with

[<username>@<server> ~]$ acme.sh --deploy --deploy-hook cpanel_uapi --domain mydomain.com --domain www.mydomain.com
[Mon Sep 20 05:19:09 EDT 2021] Certificate successfully deployed
[Mon Sep 20 05:19:09 EDT 2021] Success

Wait about 5 minutes and it should be resolved.

UPDATE: The domain failed to renew yet again. To fix this, I added a separate cron job to cPanel that runs on Day 1 and 15:

acme.sh --deploy --deploy-hook cpanel_uapi --domain mydomain.com --domain www.mydomain.com >/dev/null 2>&1
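
The cron line above redeploys unconditionally and discards its output, so a failed deploy goes unnoticed. As an added example (not part of the original guide), this script compares the certificate the site actually serves with the one acme.sh last issued, redeploys only on a mismatch, and logs every run. The function names, LOG, ACME and CERT_HOME are assumptions; the certificate path follows the log output shown earlier.

```shell
#!/bin/sh
# Added example, not part of the original guide. The function names, LOG and
# the ACME / CERT_HOME overrides are assumptions made for this sketch.

ACME=${ACME:-$HOME/.acme.sh/acme.sh}      # install location shown in the log above
CERT_HOME=${CERT_HOME:-$HOME/.acme.sh}    # per-domain directories live here
LOG=${LOG:-$HOME/acme-redeploy.log}

# SHA-256 fingerprint of the first PEM certificate read from stdin.
cert_fp() { openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2; }

# Fingerprint of the certificate acme.sh last issued for domain $1.
issued_fp() { cert_fp < "$CERT_HOME/$1/$1.cer"; }

# Fingerprint of the certificate the web server actually presents for $1.
served_fp() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null | cert_fp
}

# Usage: redeploy_if_stale mydomain.com www.mydomain.com
# Returns 0 if the served certificate is current, 10 after a successful
# redeploy, 1 if the issued certificate is unreadable, else acme.sh's status.
redeploy_if_stale() {
    main=$1
    issued=$(issued_fp "$main" 2>/dev/null) || issued=""
    served=$(served_fp "$main") || served=""
    stamp=$(date '+%Y-%m-%d %H:%M:%S')

    if [ -z "$issued" ]; then
        echo "$stamp $main: cannot read issued certificate" >> "$LOG"
        return 1
    fi
    if [ "$issued" = "$served" ]; then
        echo "$stamp $main: served certificate is current" >> "$LOG"
        return 0
    fi
    echo "$stamp $main: served=${served:-none} issued=$issued, redeploying" >> "$LOG"

    # Turn "a b" into "--domain a --domain b" without bash arrays.
    n=$#
    while [ "$n" -gt 0 ]; do
        set -- "$@" --domain "$1"; shift; n=$((n - 1))
    done
    "$ACME" --deploy --deploy-hook cpanel_uapi "$@" >> "$LOG" 2>&1 || return $?
    return 10
}

# When saved as a script and given domains, run the check (e.g. from cron).
if [ "$#" -gt 0 ]; then redeploy_if_stale "$@"; fi
```

Saved as a script, it can replace the cron command above, called with the same domains as arguments.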

Credits

Last Updated 7 Oct 2023

Errors? Omissions? Need Help? Know something? Post your queries in the comments below.

This document is Copyright(©) 2021 by G.Ganesh.

Toxeia (1 posts) Toxeia Guide's great, I was able to do my primary and addon domain very easily, but I'm having trouble figuring out how to do my subdomains. Some of them don't have document roots that I can find, so how would I do a cert for my mail server, mail.domain.com ? Or for any of these that don't have a storage location? autodiscover, cpanel, cpcalendars, cpcontacts, webdisk, webmail, etc?
posted 9 Dec 2023
Admin Administrator Admin Webmail should already be secured with your server's hostname. I have never used cpcalendars and cpcontacts but it should be the same if they are accessible via server hostname ( e.g. https://premiumxxxx.web-hosting.com/cpanel or https://serverxxx.web-hosting.com/cpanel )
posted 9 Dec 2023
Zak (5 posts) Zak This is great! I have used it with great success with multiple domains. I now have a private e-mail that had a free SSL for the first year at Namecheap and it will expire soon. It is in the format of mail1.mydomainame. Can I use this procedure for this as well? If so, are there any tweaks I need to do? Thanks so much!
posted 11 Nov 2023
Admin Administrator Admin I am not familiar with how the private e-mail works. This guide uses cPanel hooks.
posted 11 Nov 2023
Zak (5 posts) Zak Hi! After some research, I tried it as a subdomain and it worked perfectly! One thing that came up for me....I think the last -d on line 1 and 2 for subdomains either needs to be removed or maybe www.subdomain.mydomain.com needs to be added in front of it. Thanks again!
posted 12 Nov 2023
Zak (5 posts) Zak Hi! I am so grateful that you took the time to post this. I have been using the procedure from https://www.youtube.com/watch?v=bVbGW037fYk that allows a free SSL cert, but I have been having to update every 3 months.
I have been trying to use your procedure and when I get to the acme.sh --issue --webroot ~/public_htm -d mydomain.org -d www.mydomain.org --force step, I get an error message. Right after "Pending, The CA is processing your order, please just wait. (1/30)", I get the following message in red:
"Invalid status, anahat.org:Verify error detail:66.29.146.12: Invalid response from https://mydomain.org/.well-known/acme-challenge/pt5-6qH9nn_RTcJH3tVhylEGIJpmQv8S3W--xewbyr0: 404"

Do you have any suggestions?
posted 6 Oct 2023
Admin Administrator Admin If you are doing it for the main domain, the webroot should be ~/public_html . This should be the right command "acme.sh --issue --webroot ~/public_html -d mydomain.org -d www.mydomain.org --force" don't forget to replace mydomain.org
posted 6 Oct 2023
Zak (5 posts) Zak Hi! Thanks for the quick reply. I apologize for the typo. I just tried running it again with the correct spelling and am getting the same message. This is not the main domain on the account on NameCheap. It isn't a subdomain....just not the first domain I set-up.
Could that be affecting things?
posted 6 Oct 2023
Admin Administrator Admin That error means the webroot is likely wrong. You can get the correct value for your domain by going to cPanel > Domains > https://ibb.co/7tv4dgt (black square with red border for the desired domain) then stuff the value including the "/" in the XXXXXX below

"acme.sh --issue --webroot ~XXXXXX -d mydomain.org -d www.mydomain.org --force" don't forget to replace mydomain.org
posted 7 Oct 2023
Zak (5 posts) Zak Yes!! I get it now! Thank you so much for helping educate me on this. This really makes sense!

So grateful to you!
posted 7 Oct 2023
Unregistered Anonymous I love the Auto Replace Function.. That is pure genius!! well played.
posted 19 Dec 2022
Unregistered Anonymous I just wanted to thank you for this post as it has helped me a lot in securing my domains hosted on Namecheap as the expense of SSL renewal makes it a little tempting to move elsewhere. Now I don't need to. Just one note on the subdomains the -d is not meant to be there for the staging and force part of the command. I appreciate the auto-renew command and hope it will run for me too. Best!
posted 11 Nov 2022


All original content (©) Copyright 1997-2021 Bootstrike.Com (ACRA Reg. No 53084890B).