Let’s encrypt SSL certificates at cPanel automatically and without native support (for example at Namecheap)

If you want to use Let’s Encrypt free certificates with some virtual shared hosting providers such as Namecheap, you may find that there is no official support.

While using the certificates is not a problem, as it is possible from the WebUI, having them renewed and automatically installed can be a different story.

In my case, one of the providers is Namecheap, and they decided not to integrate Let’s Encrypt support into cPanel because (they say) it requires a big amount of changes to their infrastructure.

I am happy enough with their service, given the features I get for the money I pay. So although my first idea was to switch to another hosting provider, I decided to see if I could automate all the needed parts to renew the certificate and upload it to cPanel.

And as a result cp-installssl was born.

The steps to install it and get it working are not really that hard:

1. Get SSH access to your shared hosting.

Usually you just need to contact your tech support and request it. Then at cPanel you need to configure your SSH public key, and then access with your preferred client.

You can get cp-installssl working even without SSH access, but then you will need to preconfigure everything somewhere else, and then upload it using the highly insecure FTP protocol.

2. Get and configure acme.sh

acme.sh is a bash script able to use the ACME protocol to verify domain and subdomain ownership and create Let’s Encrypt certificates.

The main benefit is that it does not need any external dependencies and, at least for me, it works at Namecheap without doing anything special.

I suggest you create a git folder outside your public_html folder, to place the git repositories we are going to create, so…

cd ~
mkdir git
cd git
git clone https://github.com/Neilpang/acme.sh.git
cd acme.sh

Then you need to configure acme.sh (check the acme.sh help and documentation), so it can verify ownership of the domains or subdomains that you will include in your certificate(s).

Keep in mind that the way you create the certificates will be important later (it’s not the same if you want a single certificate for domain1.com and www.domain1.com or if you want separate certificates).

Also keep in mind that if you are following the acme.sh installation instructions, the --install parameter will create a crontab job that you need to remove:

0 0 * * * "/home/user/.acme.sh"/acme.sh --cron --home "/home/user/.acme.sh" > /dev/null

Later we will install a new crontab job to call my script, which will call acme.sh to renew certificates when it's needed.

Regarding the method used for validation, it is up to you. But this is my recommendation:

In the past I used the DNS method, but keep in mind that you won’t be able to use it if any of the subdomains is a CNAME (see RFC 1912 section 2.4 for reference). Besides, a TXT record needs to be renewed, and if you want this automated it requires extra configuration for acme.sh (provided your DNS service is supported!).

Now I am using the WEBROOT method. If you are redirecting all HTTP traffic to HTTPS, you will need to change your .htaccess configuration file so the path /.well-known is NOT redirected to HTTPS.

In my case, this is achieved with the following configuration:

RewriteRule ^(\.well-known)($|/) - [L]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.juliogonzalez.es/$1 [R,L]
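A way to confirm the exemption before issuing, as an added example that is not part of the original post: it drops a probe file under the webroot, requests it over plain HTTP, and reports whether the file is served directly or redirected. The function names and the probe file name are hypothetical, and curl is assumed to be available on the host.

```shell
#!/bin/sh
# Added example; classify_headers and probe are hypothetical names.

# Classify one raw HTTP response header block (as printed by `curl -sI`).
# Prints: direct | redirect-https | redirect-other | error
classify_headers() {
    awk '
        NR == 1                    { code = $2 }
        tolower($1) == "location:" { loc = $2 }
        END {
            sub(/\r$/, "", loc)
            if (code ~ /^2/)                         print "direct"
            else if (code ~ /^3/ && loc ~ /^https:/) print "redirect-https"
            else if (code ~ /^3/)                    print "redirect-other"
            else                                     print "error"
        }'
}

# Create a probe file where the webroot method writes its challenge files,
# request it over plain HTTP without following redirects, then clean up.
probe() {   # usage: probe <webroot> <hostname>
    dir=$1/.well-known/acme-challenge
    token=probe-$$
    mkdir -p "$dir" || return 1
    echo ok > "$dir/$token" || return 1
    curl -sI --max-time 10 "http://$2/.well-known/acme-challenge/$token" |
        classify_headers
    rm -f "$dir/$token"
}

# Run as: sh check.sh <webroot> <hostname>
if [ $# -eq 2 ]; then
    probe "$1" "$2"
fi
```

With the rules above in place the expected answer is `direct`; `redirect-https` means the request was still caught by the HTTPS redirect.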

And I issued the certificates as follows:

acme.sh --issue -w /home/uosieg/www/juliogonzalez.es/ -d juliogonzalez.es -d www.juliogonzalez.es

acme.sh --issue -w /home/uosieg/www/sidrarusa.org/ -d sidrarusa.org -d www.sidrarusa.org

3. Get and configure cp-installssl

Time to clone my scripts:

cd ~
cd git
git clone https://github.com/juliogonzalez/cp-installssl.git
cd cp-installssl

Configure cp-installssl by copying the file .cp-installssl.ini to your home:

cp .cp-installssl.ini ~/

Change the content of the file (it will contain the credentials to connect to cPanel):

edit ~/.cp-installssl.ini

Open the crontab configuration:

crontab -e

And add a new line similar to the next one:

0 0 * * * ${HOME}/git/cp-installssl/wrapper/cp-installssl-wrapper -d '[@.,www.,www2.]domain1.com [@.,www.,www2.]domain2.com' -a ~/.acme.sh/ -c ~/git/cp-installssl/ > /dev/null

Note that you will need to adjust the time, and the content of the -d parameter, according to the domains and subdomains you have. You can also consider redirecting all the standard output to a file.

Have a look at cp-installssl-wrapper help for reference.

git/cp-installssl/wrapper/cp-installssl-wrapper -h

In my case, this is my crontab line:

0 0 * * * ${HOME}/git/cp-installssl/wrapper/cp-installssl-wrapper -d '[@.,www.]juliogonzalez.es [@.,www.]sidrarusa.org' -a ~/.acme.sh/ -c ~/git/cp-installssl/ >> ${HOME}/ssl.log
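The cron changes from steps 2 and 3 as one idempotent script (an added example, not part of cp-installssl or acme.sh): it restricts ~/.cp-installssl.ini, which holds the cPanel credentials, to its owner, removes the job created by acme.sh --install, and appends the wrapper job once. The names secure_ini, migrate_crontab and WRAPPER_JOB are hypothetical, and domain1.com in the job line is a placeholder.

```shell
#!/bin/sh
# Added example; WRAPPER_JOB, secure_ini and migrate_crontab are hypothetical names.

# Job line in the form used above; domain1.com is a placeholder.
WRAPPER_JOB='0 0 * * * ${HOME}/git/cp-installssl/wrapper/cp-installssl-wrapper -d "[@.,www.]domain1.com" -a ~/.acme.sh/ -c ~/git/cp-installssl/ >> ${HOME}/ssl.log'

# The ini file holds cPanel credentials: require a regular file (no symlink)
# and leave it readable and writable by its owner only.
secure_ini() {
    ini=$1
    if [ ! -f "$ini" ] || [ -L "$ini" ]; then
        echo "not a regular file: $ini" >&2
        return 1
    fi
    chmod 600 "$ini" || return 1
    [ "$(ls -l "$ini" | cut -c1-10)" = "-rw-------" ]
}

# Filter a crontab from stdin to stdout:
#   - comments and unrelated jobs pass through unchanged
#   - the job created by "acme.sh --install" (acme.sh --cron) is dropped
#   - the wrapper job is appended unless one is already present
migrate_crontab() {
    JOB=$1 awk '
        /^[ \t]*#/                { print; next }
        /\/acme\.sh[ \t]+--cron/  { next }
        /cp-installssl-wrapper/   { seen = 1 }
                                  { print }
        END                       { if (!seen) print ENVIRON["JOB"] }
    '
}

# Run as "sh script.sh apply" to change the real crontab.
if [ "${1:-}" = "apply" ]; then
    secure_ini "$HOME/.cp-installssl.ini" || exit 1
    tmp=$(mktemp) || exit 1
    crontab -l 2>/dev/null | migrate_crontab "$WRAPPER_JOB" > "$tmp" &&
        crontab "$tmp"
    status=$?
    rm -f "$tmp"
    exit "$status"
fi
```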

As we saw during the previous step, acme.sh is configured to create two certificates:

Finally, run cp-installssl-wrapper as in the crontab job, but adding the -f parameter to force certificate renewal and without any redirection, so we can see the output. This is required to check that cp-installssl-wrapper is able to renew and install certificates.

In my case:

${HOME}/git/cp-installssl/wrapper/cp-installssl-wrapper -d '[@.,www.]juliogonzalez.es [@.,www.]sidrarusa.org' -a ~/.acme.sh/ -c ~/git/cp-installssl/ -f

You will notice how cp-installssl-wrapper will call acme.sh to renew the certificate, and then will install it.

5. Enjoy!

From this point my scripts will take care of trying to renew the SSL certificates on the schedule you configured in cron.

Note that the certificates are only renewed when needed.

6. Extras

For the most tech-savvy, notice that there are two scripts at my git repository

Finally, please note that you don’t really need to manage certificate issues and renewals at the same machine where

 Comments (15) 

  1. Josh says:

    Hi, thanks for your work with this, I’ve got acme.sh running and have successfully issued certs, but I’m having a couple problems so far with integrating it properly. Firstly in your readme file it says that a requirement is “cPanel installations supporting the JSON API v2” and I can’t find any info about what versions of cpanel do support that. (The only info I can find about my cpanel version is “cPanel Pro 1.0 (RC1)”).
    My second problem is in the details needed for setting up cp-installssl.ini – being on shared hosting, I’m unsure what to enter regarding the “host” field. I can access cpanel via mydomain.com/cpanel, is that what it’s looking for? Sorry for dumb questions and thanks for any help!

  2. Tonialde says:

    is there any video abt this cuz i didn’t understand anything 🙁

    • Hi Tonialde.

      I am afraid there are no videos, but let me know what you did not understand exactly and I will try to help.

      If you want to use this stuff you will need at least some basic knowledge about SSL, Let’s Encrypt, bash, cron, git and cPanel.

  3. Dylan says:

    When you’re saying changing the content of cp-installssl.ini, what content are you speaking of? It’s empty and I have absolutely no idea what to add.

    • Hi Dylan,

      I noticed that it’s a typo, and I already corrected it.

      The correct name for the file you need to edit is ~/.cp-installssl.ini with a dot at the beginning of the filename (~/ represents your home directory).

  4. Dylan says:

    Additionally, can the crontab command be added in the cpanel cron jobs section? I’m having some weird difficulty with putty and adding the command. Yeah I’m completely new to this but I like learning

    • Yes, you should be able to use cpanel cron jobs as well.

      I added my jobs using the shell but I can see them at cpanel as well, so I guess it should work fine.

  5. ahecht says:

    What is the ‘g’ for at the end of your example -d parameter?

  6. […] hosting provider does not fully support Let’s Encrypt for free SSL certificates. This site shows how to set it up […]

  7. Markus says:

    Thanks for your script, unfortunately I couldn’t get it to work, cpanel responded with “A critical error occurred while parsing the ASN.1 data: Cpanel::Encoding::BER: corrupt data? data appears truncated” to the “installssl” call.

    I finally figured out that acme.sh actually supports deploying to cpanel. A simple call to

    acme.sh --deploy -d --deploy-hook cpanel_uapi

    does the trick. I used acme.sh --install before the issue and deploy, so the cron job should do the automatic renewal.

    • Hello Markus,

      It is strange, maybe it is something related with the Cpanel version on your server, or the setup itself.

      Anyway it is good to see that finally acme.sh added the support, so it means my script is not really needed anymore.

      I will give it a try at my server, and if it works fine, will create a new post and will mark this one and my git repository as deprecated.

      Thanks for the heads up!

  8. Bonty says:

    Good day. Please, I don’t really understand this. Is this a tutorial for automatic renewal of the certificate or is it a tutorial for getting the certificate itself? Because I’m searching for one to get the certificate and also automate it.

    • Hi Bonty,

      The tutorial covers both, but keep in mind it’s only useful when the certificate is installed at cpanel.

      There are several ways of getting the certificate, but I suggest you use the webroot method and get the initial certificate as explained on step 2.



 © 2018 - Julio González Gil