Let’s Encrypt SSL certificates on cPanel, automatically and without native support (for example at Namecheap)

Maybe you are already aware that StartSSL free certificates are no longer an option after Google and Mozilla decided to distrust StartCom. Only certificates issued before October 21st will be valid, while any issued after that date will trigger warnings in Google Chrome, Mozilla Firefox, and potentially any other software.

Fortunately, we have Let’s Encrypt free certificates, if you are able to automate renewals (as the certificates expire after just three months).

Usually, this is not a problem if you control your systems. There are a lot of different solutions to automate renewals and installation, written in Python, Bash and many other languages, with good integration with several different services such as Apache HTTP or nginx.

However, playing with shared hosting, as I do for some of my webpages, is a different matter.

If they support Let’s Encrypt out of the box, then it will be a piece of cake. But if they do not (and my provider does not), it may not be easy to configure everything.

In my case, one of the providers is Namecheap, and they decided not to integrate Let’s Encrypt support into cPanel because (they say) it requires a large number of changes to their infrastructure.

I am happy enough with their service, given the features I get for the money I pay. So although my first idea was to switch to another hosting provider, I decided to see if I could automate all the parts needed to renew the certificate and upload it to cPanel.

After some time I was able to generate a set of scripts to use acme.sh to renew the certificates and install them when needed, so here is my small guide on how to configure everything end to end.

1. Get SSH access to your shared hosting.

Usually you just need to contact your tech support and request it. Then at cPanel you need to configure your SSH public key, and then access with your preferred client.

2. Get and configure acme.sh

acme.sh is a bash script able to use the ACME protocol to verify domain and subdomain ownership and create Let’s Encrypt certificates.

The main benefit is that it does not need any external dependencies and, at least for me, it works at Namecheap without doing anything special.

I suggest you create a git folder outside your public_html to place the git repositories we are going to create, so…

cd ~
mkdir git
cd git
git clone https://github.com/Neilpang/acme.sh.git
cd acme.sh

Then you need to configure acme, so it can verify ownership for the domains or subdomains that you will include at your certificate(s).

For my scripts to work, you should generate one certificate for each set of domain and subdomains. For example one for domain1.com, www.domain1.com, www2.domain1.com and another certificate for domain2.com, www.domain2.com, www2.domain2.com.

Make sure that the domain itself is the first -d parameter when you call acme.sh.

The method you decide to use for validation is up to you.

Personally I use the DNS method, but keep in mind that you won’t be able to use it if any of the subdomains is a CNAME (see RFC 1912 section 2.4 for reference). If you have this problem, try to use the webroot method.

At this point, you should check the acme.sh help and documentation to make sure you know how to configure it.

3. Get and configure cp-installssl

Now it is time to clone my scripts to automate everything.

cd ~
cd git
git clone https://github.com/juliogonzalez/cp-installssl.git
cd cp-installssl

Configure cp-installssl by copying the file .cp-installssl.ini to your home directory and changing its content:

cp .cp-installssl.ini ~/
edit ~/.cp-installssl.ini

Finally open the CRON configuration:

crontab -e

And add a new line:

0 0 * * * ${HOME}/git/cp-installssl/wrapper/cp-installssl-wrapper -d '[@.,www.,www2.]domain1.com [@.,www.,www2.]domain2.com' -a ~/git/acme.sh/ -c ~/git/cp-installssl/ > /dev/null

Note that you will need to adjust the time, and the content of -d parameter, according to the domains and subdomains you have.

To see the format of -d parameter, have a look at cp-installssl-wrapper help:

~/git/cp-installssl/wrapper/cp-installssl-wrapper -h

Now, for the most tech-savvy, notice that there are two scripts in my git repository:

  • cp-installssl is a PHP script which takes care of installing SSL certificates to cPanel using its JSON API. It’s based on code by Rob Parham.
  • cp-installssl-wrapper is a Bash script that takes care of calling acme.sh to renew the certificates when needed and, if a renewal happened, installs them using cp-installssl.

4. Test

Just run the command you added at CRON, without the schedule and without '> /dev/null' so you can see the output.

5. Enjoy!

From this point my scripts will take care of trying to renew the SSL certificates with the schedule you configured at CRON.

Note that the certificates are only renewed when needed.
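
Because the cron line above discards standard output, a failed renewal or a failed upload to cPanel is easy to miss. The following watchdog is an added example, not part of cp-installssl or acme.sh: it checks the certificate each host actually serves and warns when it is close to expiry. The function names, the 20-day threshold and the host names are assumptions.

```sh
#!/bin/sh
# Added example: expiry watchdog for the hosts the cron job should keep renewed.
# Function names and the 20-day threshold are assumptions, not cp-installssl code.

# Status 0: expires within DAYS (or has expired); 1: valid for longer; 2: unreadable.
cert_expires_within() {
    pem=$1; days=$2
    openssl x509 -in "$pem" -noout >/dev/null 2>&1 || return 2
    if openssl x509 -in "$pem" -noout -checkend "$((days * 86400))" >/dev/null 2>&1
    then return 1
    else return 0
    fi
}

# Print the leaf certificate that HOST serves on port 443 (needs network access).
served_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 2>/dev/null
}

# check_hosts DAYS HOST...: warn on stderr, which cron still mails when only
# stdout goes to /dev/null. Returns the number of hosts needing attention.
check_hosts() {
    threshold=$1; shift
    failures=0
    tmp=$(mktemp) || return 1
    for host in "$@"; do
        served_cert "$host" >"$tmp"
        cert_expires_within "$tmp" "$threshold"
        case $? in
            0) echo "WARNING: $host expires within $threshold days" >&2
               failures=$((failures + 1)) ;;
            2) echo "WARNING: $host: no certificate retrieved" >&2
               failures=$((failures + 1)) ;;
        esac
    done
    rm -f "$tmp"
    return "$failures"
}

# Constructed sample input for offline testing: self-signed certificate valid
# for DAYS days, written to OUT (the private key is discarded).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" -subj "/CN=domain1.com" \
        -keyout "$2.key" -out "$2" >/dev/null 2>&1 && rm -f "$2.key"
}

# Usage: sh cert-watchdog.sh domain1.com www.domain1.com
if [ "$#" -gt 0 ]; then check_hosts 20 "$@"; fi
```

Scheduled from a second cron entry, it reports only when a host needs attention, so it stays silent while renewals and installs succeed.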


10 Comments - Leave a comment
  1. Josh says:

    Hi, thanks for your work with this, I’ve got acme.sh running and have successfully issued certs, but I’m having a couple problems so far with integrating it properly. Firstly in your readme file it says that a requirement is “cPanel installations supporting the JSON API v2” and I can’t find any info about what versions of cpanel do support that. (The only info I can find about my cpanel version is “cPanel Pro 1.0 (RC1)”).
    My second problem is in the details needed for setting up cp-installssl.ini – being on shared hosting, I’m unsure what to enter regarding the “host” field. I can access cpanel via mydomain.com/cpanel is that what it’s looking for? Sorry for dumb questions and thanks for any help!

  2. Tonialde says:

    is there any video abt this cuz i didn’t understand anything 🙁

    • Hi Tonialde.

      I am afraid there are no videos, but let me know what you did not understand exactly and I will try to help.

      If you want to use this stuff you will need at least some basic knowledge about SSL, Let’s Encrypt, bash, cron, git and cPanel.

  3. Dylan says:

    When you’re saying changing the content of cp-installssl.ini, what content are you speaking of? It’s empty and I have absolutely no idea what to add.

    • Hi Dylan,

      I noticed that it’s a typo, and I already corrected it.

      The correct name for the file you need to edit is ~/.cp-installssl.ini with a dot at the beginning of the filename (~/ represents your home directory).

  4. Dylan says:

    Additionally, can the crontab command be added in the cpanel cron jobs section? I’m having some weird difficulty with putty and adding the command. Yeah I’m completely new to this but I like learning

    • Yes, you should be able to use cpanel cron jobs as well.

      I added my jobs using the shell but I can see them at cpanel as well, so I guess it should work fine.

  5. ahecht says:

    What is the ‘g’ for at the end of your example -d parameter?
