
Free Let’s Encrypt SSL for cPanel using acme.sh

TLDR VERSION

This article shortcuts how to get SSL certs from Let’s Encrypt (or ZeroSSL) issued and deployed for your cPanel hosted websites (domain or addon domains), using acme.sh.

The commands to set up and configure acme.sh in cPanel are here. But once acme.sh is running via SSH or within the cPanel terminal, there are just 2 key commands needed to handle the SSL portion:

(optional) Set default CA to Let’s Encrypt (if you don’t want ZeroSSL):

acme.sh --set-default-ca --server letsencrypt

Issue your cert:

acme.sh --issue --webroot ~/public_html -d yourdomain.com -d www.yourdomain.com --force

Deploy your cert:

acme.sh --deploy --deploy-hook cpanel_uapi --domain yourdomain.com --domain www.yourdomain.com

Certs will renew every 60 days automatically, according to the authors.

I was not able to successfully include mail, webmail or a wildcard cert. Maybe I will poke at that when I have more time.
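To confirm what the steps above produced, this added example (not from the original post or the acme.sh project) checks the certificate's issuer, that every hostname you need is in its SAN list, and that renewal has not fallen behind. The function names and the 25-day threshold are assumptions, and the sample text is constructed.

```shell
#!/bin/sh
# Added example, not from the original post; function names are made up here.
# Needs OpenSSL 1.1.1+ (for `x509 -ext`).

# Constructed sample of `openssl x509 -noout -issuer -ext subjectAltName` output.
SAMPLE_TEXT="issuer=C = US, O = Let's Encrypt, CN = EXAMPLE
X509v3 Subject Alternative Name:
    DNS:yourdomain.com, DNS:www.yourdomain.com"

# Print each required name (arguments) that no DNS: SAN in the certificate
# text on stdin covers. A wildcard SAN covers exactly one extra label.
missing_sans() {
    sans=$(tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p')
    for want in "$@"; do
        wild="*.${want#*.}"
        printf '%s\n' "$sans" | grep -Fqxi -e "$want" -e "$wild" ||
            printf '%s\n' "$want"
    done
}

# check_cert_text ISSUER NAME...: reads certificate text on stdin and returns 0
# only if the issuer line contains ISSUER and every NAME is covered by a SAN.
check_cert_text() {
    want_issuer=$1; shift
    text=$(cat); rc=0
    issuer_line=$(printf '%s\n' "$text" | grep '^issuer=' || true)
    case "$issuer_line" in
        *"$want_issuer"*) ;;
        *) echo "unexpected issuer: $issuer_line"; rc=1 ;;
    esac
    missing=$(printf '%s\n' "$text" | missing_sans "$@")
    [ -z "$missing" ] || { echo "not covered by SAN: $missing"; rc=1; }
    return $rc
}

# check_live HOST ISSUER NAME...: same checks against the certificate HOST
# serves on 443, plus an expiry check. Assumption: 90-day certificates renewed
# at day 60, so fewer than 25 days left means the renewal job is not running.
# e.g. check_live yourdomain.com "Let's Encrypt" yourdomain.com www.yourdomain.com
check_live() {
    host=$1; ca=$2; shift 2
    pem=$(openssl s_client -connect "$host:443" -servername "$host" \
          </dev/null 2>/dev/null) || return 2
    printf '%s\n' "$pem" | openssl x509 -noout -issuer -ext subjectAltName |
        check_cert_text "$ca" "$@" || return 1
    printf '%s\n' "$pem" | openssl x509 -noout -checkend $((25 * 86400)) ||
        return 1
}
```

Adding mail.yourdomain.com to the name list shows at a glance whether a certificate covers the mail subdomain.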

MORE FUN READING

I resell Namecheap hosting because I think it offers top-notch service at a fantastic price. However, one of the things that annoys me, when compared to providers like HostGator, is that Namecheap has a wonky version of “free SSL.”

NAMECHEAP SSL

It’s done via this weird plug-in for cPanel and I haven’t had it work correctly without contacting support. Even if it did work correctly, it has other drawbacks:

For example, it only gives you 50 1-year certificates. If you have 25 domain names you want to keep secure, you can provide SSL for 2 years and then you start paying. The cost for SSL will crush the savings you get from hosting, and at that point, you might as well go back to HostGator or BlueHost.

Next, those 1-year certs are only good for your domain.com and www.domain.com. That means, if you use cPanel’s mail.domain.com or webmail.domain.com subdomains, you are COL (Cert Outta Luck).

LET’S ENCRYPT

If you use HostGator, they have some gadgets that use Let’s Encrypt to issue automatically renewing SSL certs FOREVER, and they cover all your subdomains. But . . . what if you are a cheapskate like ME? What if you want the super awesome inexpensive hosting of Namecheap AND you want free Let’s Encrypt certificates? In that case, let the good times roll.

THINGS I TRIED

I found this post: https://dev.to/atomar/let-s-encrypt-ssl-certificate-in-namecheap-autorenewal-verified-working-using-acme-sh-4m7i

But this is the post I used: https://medium.com/@jonathanobise/how-to-setup-free-lets-encrypt-ssl-on-namecheap-using-acme-sh-in-cpanel-5a3d408071ba

I also used some of the docs on the acme.sh project site: https://github.com/acmesh-official/acme.sh

It totally works, but I noticed the certs are from ZeroSSL. Maybe that’s fine, but I want to use Let’s Encrypt. Turns out you can do that by setting the default CA.

Ultimately though, I am still not securing my mail or webmail subdomains, so I just use the wonky central hostname which has a wildcard cert on it, and that keeps those in their TLS happy place.

That’s the end of the fun reading, use the TLDR section at the top of this article to make some SSL magic happen in your life 🙂

RETHINKING FREE

Real work has been done to make this stuff possible. I like to sponsor the free software I use, and in the case of Let’s Encrypt and acme.sh, they are saving me VERY real money, so it is only fair I put them on my “donation” payroll and I encourage everyone to support the products you love, ESPECIALLY when they are truly “free”!
