How to install and automatically renew free Let's Encrypt / ZeroSSL certificate via cPanel for your domain
Version 0.794

Is your web hosting company not letting you use free Let's Encrypt certificates conveniently via cPanel (e.g. Namecheap)? Are they trying to promote their own SSL certificates instead (e.g. PositiveSSL)?

This guide is for you.

Pros

• Free certificate forever - NO yearly fees!
• Auto Renews (No action required from you to renew)
• View status of certificate in cPanel
• NO root access / server access required
• Plus all the benefits that come with HTTPS - encrypted secured connections, Google PageRank increase, safely access your website admin panel via public WiFi, etc

Cons

• Requires some technical knowledge to setup as you will need to type in commands via SSH. That is what this guide is for. Even screenshots are included

Using this method, you can monitor your certificates within cPanel and they will auto renew by themselves as well.

These issued SSL certificates are free. One time setup, and the cron job will renew it for you. Until you change your hosting company.

Disclaimer

This was tested on Namecheap's Stellar / Stellar Plus shared hosting only. It may not work with your specific provider. If it has cPanel and allows SSH, it should work. But I can't guarantee it as I haven't tested it.

Other web hosting providers that don't support Let's Encrypt natively (1-click) include

• 1and1.com
• 247-host.com
• GoDaddy
• HostMonster.com
• Hostripples.com
• Inmotionhosting.com
• Namecheap.com
• Netsons.com
• Site5.com

(Source)

Proceed at your own risk! The information here is accurate to the best of our knowledge. We will not be held responsible if this document causes your computer to explode or burst into flames. In real serious terms, if any corruption of data, hardware damage or any other kind of damage/losses/etc. arises from the use of this document, We will not be responsible for it. If you don't like this, please don't read any further.

Tip: Try it on a subdomain first before trying it on your main domain. Just login to cPanel and create a subdomain. However note that the last two commands are different for subdomains.

Requirement

You must be using cPanel and have a domain added to cPanel that you want to add a certificate to ('https' it).

Also if your hosting provider already provides free Let's Encrypt certificates, you don't have to use this guide.

NO root access is required

Assuming

• DOMAIN / SUBDOMAIN: mydomain.com / subdomain.mydomain.com
• EMAIL: me@mydomain.com
• DOMAIN PATH: ~/public_html

Why does it need my email?

The certificate authority (e.g. Let's Encrypt / ZeroSSL) requires it in case it needs to contact you

What is my domain path?

Here is how to determine it:

1. Login to your cPanel
2. Click on Domains (located under Domains). Note that if it a subdomain, you should click Subdomains under Domains
3. Locate the domain in the table and look under Document Root. Prefix ~ to it. That is your domain path
   1. You may have trouble copying the value as cPanel disables selecting text for the row. Simply click on Manage and copy the text under "New Document Root". You'll need to prefix "~/" to the value in this case.

Tips

• For primary domains, the domain path is usually "~/public_html"
• For subdomains, the domain path is usually "~/subdomain.mydomain.com"
• For addon domains, the domain path is usually "~/public_html/addondomain.com" OR "~/addondomain.com"

How to access SSH?

Note: Namecheap requires you to activate SSH before you can use it. Simply go to cPanel, "Exclusive for Namecheap Customers", "Manage Shell", and "Enable" to activate it.

Here is how to access the SSH shell

1. Login to your cPanel
2. Go to Advanced
3. Go to Terminal
4. You should see a large black screen within the cPanel page. That is where you will be entering commands.

Here are all the commands needed

First time setup (only do it once per account)

curl https://get.acme.sh | sh
source ~/.bashrc
acme.sh --set-default-ca --server letsencrypt
acme.sh --register-account --accountemail me@mydomain.com

What each line does:

1. Download and executes the ACME shell script
2. Reloads the environment
3. Sets Let's Encrypt as the default
4. Creates / Registers your account

For each domain (DO NOT use for subdomain)

You should not use the following 3 commands for subdomain as www is not required

acme.sh --issue --webroot ~/public_html -d mydomain.com -d www.mydomain.com --staging
acme.sh --issue --webroot ~/public_html -d mydomain.com -d www.mydomain.com --force
acme.sh --deploy --deploy-hook cpanel_uapi --domain mydomain.com --domain www.mydomain.com

What each line does:

1. Does a test to check if your DOMAIN PATH is correct. This is where it checks that the parameters are correct.
2. Obtains a certificate from the Certificate Authority (i.e. Let's Encrypt / ZeroSSL). Won't work if the previous line gave errors.
3. Registers the certificate to your domain and cPanel (https will work now)

For each subdomain (DO NOT use for domain)

Subdomain DOMAIN PATH usually does not reside in "public_html", it should be "subdomain.mydomain.com".

acme.sh --issue --webroot ~/subdomain.mydomain.com -d subdomain.mydomain.com --staging
acme.sh --issue --webroot ~/subdomain.mydomain.com -d subdomain.mydomain.com --force
acme.sh --deploy --deploy-hook cpanel_uapi --domain subdomain.mydomain.com

What each line does:

1. Does a test to check if your SUDOMAIN PATH is correct. This is where it checks that the parameters are correct.
2. Obtains a certificate from the Certificate Authority (i.e. Let's Encrypt / ZeroSSL). Won't work if the previous line gave errors.
3. Registers the certificate to your subdomain and cPanel (https will work now).

Auto Replace Function

This form allows you to replace the example (i.e. mydomain) values to what you need via JavaScript. It does not affect text in images.

DOMAIN:
EMAIL:
DOMAIN PATH:

What happens when each command is executed

The following was done for a domain. The last 2 commands are different for subdomain as stated above.

(First-time setup only) curl https://get.acme.sh | sh

% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
104 937 0 937 0 0 4423 0 --:--:-- --:--:-- --:--:-- 36038
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 203k 100 203k 0 0 456k 0 --:--:-- --:--:-- --:--:-- 771k
[Sat Jul 31 06:43:57 EDT 2021] Installing from online archive.
[Sat Jul 31 06:43:57 EDT 2021] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[Sat Jul 31 06:44:14 EDT 2021] Extracting master.tar.gz
[Sat Jul 31 06:44:14 EDT 2021] It is recommended to install socat first.
[Sat Jul 31 06:44:14 EDT 2021] We use socat for standalone server if you use standalone mode.
[Sat Jul 31 06:44:14 EDT 2021] If you don't use standalone mode, just ignore this warning.
[Sat Jul 31 06:44:14 EDT 2021] Installing to /home/<username>/.acme.sh
[Sat Jul 31 06:44:14 EDT 2021] Installed to /home/<username>/.acme.sh/acme.sh
[Sat Jul 31 06:44:14 EDT 2021] Installing alias to '/home/<username>/.bashrc'
[Sat Jul 31 06:44:14 EDT 2021] OK, Close and reopen your terminal to start using acme.sh
[Sat Jul 31 06:44:14 EDT 2021] Installing cron job
[Sat Jul 31 06:44:14 EDT 2021] Good, bash is found, so change the shebang to use bash as preferred.
[Sat Jul 31 06:44:15 EDT 2021] OK
[Sat Jul 31 06:44:15 EDT 2021] Install success!

(First-time setup only) source ~/.bashrc

(No output)

(First-time setup only) acme.sh --set-default-ca --server letsencrypt

[Sun Jun 18 09:04:48 EDT 2023] Changed default CA to: https://acme-v02.api.letsencrypt.org/directory

(First-time setup only) acme.sh --register-account --accountemail me@mydomain.com

acme.sh --issue --webroot ~/mydomain.com -d mydomain.com -d www.mydomain.com --staging

(Do not use this command for subdomains, refer above for the correct commands and substitute accordingly)

[Sat Jul 31 06:55:00 EDT 2021] Using ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Sat Jul 31 06:55:03 EDT 2021] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
[Sat Jul 31 06:55:04 EDT 2021] Create account key ok.
[Sat Jul 31 06:55:04 EDT 2021] Registering account: https://acme-staging-v02.api.letsencrypt.org/directory
[Sat Jul 31 06:55:04 EDT 2021] Registered
[Sat Jul 31 06:55:04 EDT 2021] ACCOUNT_THUMBPRINT='(hidden)'
[Sat Jul 31 06:55:04 EDT 2021] Creating domain key
[Sat Jul 31 06:55:05 EDT 2021] The domain key is here: /home/<username>/.acme.sh/mydomain.com/mydomain.com.key
[Sat Jul 31 06:55:05 EDT 2021] Multi domain='DNS:mydomain.com,DNS:www.mydomain.com'
[Sat Jul 31 06:55:05 EDT 2021] Getting domain auth token for each domain
[Sat Jul 31 06:55:10 EDT 2021] Getting webroot for domain='mydomain.com'
[Sat Jul 31 06:55:10 EDT 2021] Getting webroot for domain='www.mydomain.com'
[Sat Jul 31 06:55:10 EDT 2021] Verifying: mydomain.com
[Sat Jul 31 06:55:10 EDT 2021] Pending, The CA is processing your order, please just wait. (1/30)
[Sat Jul 31 06:55:13 EDT 2021] Success
[Sat Jul 31 06:55:13 EDT 2021] Verifying: www.mydomain.com
[Sat Jul 31 06:55:13 EDT 2021] Pending, The CA is processing your order, please just wait. (1/30)
[Sat Jul 31 06:55:16 EDT 2021] Success
[Sat Jul 31 06:55:16 EDT 2021] Verify finished, start to sign.
[Sat Jul 31 06:55:16 EDT 2021] Lets finalize the order.
[Sat Jul 31 06:55:16 EDT 2021] Le_OrderFinalize='https://acme-staging-v02.api.letsencrypt.org/acme/finalize/(hidden)'
[Sat Jul 31 06:55:23 EDT 2021] Downloading cert.
[Sat Jul 31 06:55:23 EDT 2021] Le_LinkCert='https://acme-staging-v02.api.letsencrypt.org/acme/cert/(hidden)'
[Sat Jul 31 06:55:25 EDT 2021] Cert success.
-----BEGIN CERTIFICATE-----
MIIFYTCCB...(hidden)
-----END CERTIFICATE-----
[Sat Jul 31 06:55:25 EDT 2021] Your cert is in /home/<username>/.acme.sh/mydomain.com/mydomain.com.cer
[Sat Jul 31 06:55:25 EDT 2021] Your cert key is in /home/<username>/.acme.sh/mydomain.com/mydomain.com.key
[Sat Jul 31 06:55:25 EDT 2021] The intermediate CA cert is in /home/<username>/.acme.sh/mydomain.com/ca.cer
[Sat Jul 31 06:55:25 EDT 2021] And the full chain certs is there: /home/<username>/.acme.sh/mydomain.com/fullchain.cer


acme.sh --issue --webroot ~/mydomain.com -d mydomain.com -d www.mydomain.com --force

(Do not use this command for subdomains, refer above for the correct commands and substitute accordingly)

[<username>@<server> ~]$ acme.sh --issue --webroot ~/mydomain.com -d mydomain.com -d www.mydomain.com --force
[Sat Jul 31 07:11:49 EDT 2021] Using CA: https://acme.zerossl.com/v2/DV90
[Sat Jul 31 07:11:49 EDT 2021] Multi domain='DNS:mydomain.com,DNS:www.mydomain.com'
[Sat Jul 31 07:11:49 EDT 2021] Getting domain auth token for each domain
[Sat Jul 31 07:11:51 EDT 2021] Getting webroot for domain='mydomain.com'
[Sat Jul 31 07:11:51 EDT 2021] Getting webroot for domain='www.mydomain.com'
[Sat Jul 31 07:11:51 EDT 2021] Verifying: mydomain.com
[Sat Jul 31 07:11:52 EDT 2021] Processing, The CA is processing your order, please just wait. (1/30)
[Sat Jul 31 07:11:55 EDT 2021] Success
[Sat Jul 31 07:11:55 EDT 2021] Verifying: www.mydomain.com
[Sat Jul 31 07:11:56 EDT 2021] Processing, The CA is processing your order, please just wait. (1/30)
[Sat Jul 31 07:11:58 EDT 2021] Success
[Sat Jul 31 07:11:58 EDT 2021] Verify finished, start to sign.
[Sat Jul 31 07:11:58 EDT 2021] Lets finalize the order.
[Sat Jul 31 07:11:58 EDT 2021] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/EkC0pOJsq33VoNwUHWvgoQ/finalize'
[Sat Jul 31 07:11:59 EDT 2021] Order status is processing, lets sleep and retry.
[Sat Jul 31 07:11:59 EDT 2021] Retry after: 15
[Sat Jul 31 07:12:15 EDT 2021] Polling order status: https://acme.zerossl.com/v2/DV90/order/EkC0pOJsq33VoNwUHWvgoQ
[Sat Jul 31 07:12:16 EDT 2021] Downloading cert.
[Sat Jul 31 07:12:16 EDT 2021] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/Nk4LRx02vlbpqLb_3Wu1jA'
[Sat Jul 31 07:12:17 EDT 2021] Cert success.
-----BEGIN CERTIFICATE-----
MIIGej......(hidden)
-----END CERTIFICATE-----
[Sat Jul 31 07:12:17 EDT 2021] Your cert is in /home/<username>/.acme.sh/mydomain.com/mydomain.com.cer
[Sat Jul 31 07:12:17 EDT 2021] Your cert key is in /home/<username>/.acme.sh/mydomain.com/mydomain.com.key
[Sat Jul 31 07:12:17 EDT 2021] The intermediate CA cert is in /home/<username>/.acme.sh/mydomain.com/ca.cer
[Sat Jul 31 07:12:17 EDT 2021] And the full chain certs is there: /home/<username>/.acme.sh/mydomain.com/fullchain.cer
[<username>@<server> ~]$

acme.sh --deploy --deploy-hook cpanel_uapi --domain mydomain.com --domain www.mydomain.com

(Do not use this command for subdomains, refer above for the correct commands and substitute accordingly)

[<username>@<server> ~]$ acme.sh --deploy --deploy-hook cpanel_uapi --domain mydomain.com --domain www.mydomain.com
[Sat Jul 31 07:17:24 EDT 2021] Certificate successfully deployed
[Sat Jul 31 07:17:24 EDT 2021] Success


Congratulations, your website is now HTTPS enabled

I hope the guide has been useful to you. If you have some trouble, post it in the Comments below and I will try to help.

How to remove a domain from auto renewing

Execute the below command

acme.sh --remove --domain mydomain.com

Problems You May Encounter

[Sept 2021]

I have multiple domains renewing using this procedure. However, during the first renewal, one of my domains failed to activate the new certificate.

I fixed it with

[<username>@<server> ~]$ acme.sh --deploy --deploy-hook cpanel_uapi --domain mydomain.com --domain www.mydomain.com
[Mon Sep 20 05:19:09 EDT 2021] Certificate successfully deployed
[Mon Sep 20 05:19:09 EDT 2021] Success


Wait about 5 minutes and it should be resolved.

UPDATE: The domain failed to renew yet again. To fix this, I added a separate cron job to cPanel that runs on Day 1 and 15

acme.sh --deploy --deploy-hook cpanel_uapi --domain mydomain.com --domain www.mydomain.com >/dev/null 2>&1

Credits

• Credit 1
• Credit 2

Last Updated 7 Oct 2023

Errors? Omissions? Need Help? Know something? Post your queries in the comments below.

This document is Copyright(©) 2021 by G.Ganesh.