LetsEncrypt SSL Cert with Auto Renew on Cpanel in 10 Steps


1. Enable SSH and setup access key

Go to your cPanel and enable SSH. Then scroll down to the Security section and click on SSH Access. Click on Manage Keys, then Generate a Key, and download the private key to your local machine (ideally into ~/.ssh). Take note of the passphrase; we will need it in the next step.

Change the downloaded key's extension to .txt (optional) and then restrict its permissions so that only your user can read it (ssh refuses keys that are readable by others):

chmod 600 ~/.ssh/filename.txt

2. Add your SSH key passphrase to the ssh-agent

This allows us to log in securely and automatically without retyping the passphrase. The -K option is the macOS form that stores the passphrase in the Keychain (newer macOS versions spell it --apple-use-keychain); on Linux, omit -K. Use the key you downloaded in step 1:

ssh-add -K ~/.ssh/filename.txt

3. SSH into cPanel

ssh -i ~/.ssh/filename.txt username@ip

4. Download and install acme.sh

curl https://get.acme.sh | sh

Or:

wget -O - https://get.acme.sh | sh

5. Exit the shell and log in again so that the acme.sh alias takes effect

exit

6. Issue SSL certificate (web-root method)

UPDATE: Set the default CA to Let's Encrypt

acme.sh --set-default-ca --server letsencrypt

Then issue the certificate. The web-root path is the directory cPanel serves the site from, so the ACME HTTP-01 challenge files are reachable over plain HTTP. --force reissues even if an existing certificate is not yet due for renewal:

acme.sh --force --issue -d example.com -d www.example.com -w /home/username/public_html

7. Deploy the certs to your cPanel host

Let's set some environment variables first.

You only need to do this once:

export DEPLOY_CPANEL_USER=myusername
export DEPLOY_CPANEL_PASSWORD=PASSWORD

Time to deploy the

acme.sh --deploy -d example.com -d www.example.com --deploy-hook cpanel

8. Deploy SSL to cPanel using UAPI

This hook uses UAPI and works in cPanel & WHM version 56 or newer.

DEPLOY_CPANEL_USER is required only if you run the script as root; it should contain the cPanel username.

export DEPLOY_CPANEL_USER=username

acme.sh --deploy -d example.com -d www.example.com --deploy-hook cpanel_uapi

Please note that the cpanel_uapi hook will deploy only the first domain when your certificate renews automatically. Therefore you should issue a separate certificate for each domain.
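Steps 7 and 8 put the cPanel password on the command line with export, which leaves it in the shell history of the account (and visible to anyone who can read ~/.bash_history). An added example, not from the post or from acme.sh, of loading the same DEPLOY_CPANEL_USER / DEPLOY_CPANEL_PASSWORD variables from a file that only the owner can read, and refusing to continue otherwise. The credentials file path and the return codes are this example's own choices; acme.sh itself only sees the two exported variables.

```shell
#!/bin/sh
# Added example (not part of the post or of acme.sh): load the cPanel deploy
# credentials acme.sh expects from an owner-only file instead of typing
# "export DEPLOY_CPANEL_PASSWORD=..." at the prompt, where it lands in shell
# history. File path and return codes are this example's choice.

# is_owner_only FILE -> 0 only if FILE is a regular file whose group/other
# permission bits are all clear (mode 600 or stricter). Parses ls(1) output
# so it works on both GNU and BSD userlands (stat flags differ between them).
is_owner_only() {
  f=$1
  [ -f "$f" ] || return 1
  bits=$(ls -ld "$f" | cut -c5-10)
  [ "$bits" = "------" ]
}

# load_deploy_creds [FILE] -> exports DEPLOY_CPANEL_USER and
# DEPLOY_CPANEL_PASSWORD from KEY=VALUE lines in FILE.
#   returns 2 if FILE is readable by group/others (or missing),
#   returns 3 if either variable is absent, so a typo in the file cannot
#   silently hand acme.sh an empty password.
load_deploy_creds() {
  f=${1:-$HOME/.acme-cpanel-creds}   # hypothetical default path
  # Reset first so a stale value from an earlier call cannot leak through.
  DEPLOY_CPANEL_USER=
  DEPLOY_CPANEL_PASSWORD=
  is_owner_only "$f" || return 2
  # Parse line by line; the file is deliberately NOT sourced, because a stray
  # line in a sourced file would be executed as shell.
  while IFS= read -r line; do
    key=${line%%=*}
    val=${line#*=}            # keeps any '=' inside the password itself
    case $key in
      DEPLOY_CPANEL_USER)     DEPLOY_CPANEL_USER=$val ;;
      DEPLOY_CPANEL_PASSWORD) DEPLOY_CPANEL_PASSWORD=$val ;;
    esac
  done < "$f"
  [ -n "$DEPLOY_CPANEL_USER" ] && [ -n "$DEPLOY_CPANEL_PASSWORD" ] || return 3
  export DEPLOY_CPANEL_USER DEPLOY_CPANEL_PASSWORD
}

# Stand-alone demo with a constructed credentials file (not real values).
demo() {
  tmp=$(mktemp) || return 1
  chmod 600 "$tmp"
  printf 'DEPLOY_CPANEL_USER=demo_user\nDEPLOY_CPANEL_PASSWORD=p=ss\n' > "$tmp"
  if load_deploy_creds "$tmp"; then
    echo "loaded credentials for $DEPLOY_CPANEL_USER"
    # Here you would run: acme.sh --deploy -d example.com --deploy-hook cpanel_uapi
  fi
  chmod 644 "$tmp"
  load_deploy_creds "$tmp" || echo "refused group/world-readable file (status $?)"
  rm -f "$tmp"
}

demo
```

Create the file once with umask 077 (so it is born mode 600), then the deploy and any later re-deploy can call load_deploy_creds before acme.sh without the password ever appearing in argv or history. Note that acme.sh also stores deploy-hook variables in its own per-domain config under ~/.acme.sh, so that directory must stay private to the account as well.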

Note: the cron job to auto-renew the SSL certificate is also set up by the acme.sh installer.

9. You are done. Check the cron job with the following:

crontab -l
23 0 * * * "/home/user/.acme.sh"/acme.sh --cron --home "/home/user/.acme.sh" > /dev/null
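The cron line above discards all of acme.sh's output, so a renewal that starts failing (expired cPanel password, changed web root, rate limit) is silent until the site shows a certificate warning. An added example, not from the post or acme.sh, of an independent check that reads the certificate file and fails once fewer than a given number of days remain; it suits a second cron entry or a monitoring probe. It needs openssl on the host; the certificate path is the caller's, and the demo constructs its own self-signed certificate.

```shell
#!/bin/sh
# Added example (not part of the post or of acme.sh): warn before an
# unrenewed certificate expires. Requires openssl(1). Paths are the
# caller's choice; acme.sh typically keeps the issued chain under
# ~/.acme.sh/<domain>/fullchain.cer.

# cert_expires_within FILE SECONDS
#   0 if the certificate in FILE expires within SECONDS (or already has),
#   1 if it stays valid longer than that, 2 if FILE is not a parseable cert.
cert_expires_within() {
  file=$1; secs=$2
  openssl x509 -noout -in "$file" >/dev/null 2>&1 || return 2
  if openssl x509 -noout -checkend "$secs" -in "$file" >/dev/null 2>&1; then
    return 1    # -checkend exits 0 when the cert will NOT expire in that window
  fi
  return 0
}

# check_renewal FILE [DAYS]  (DAYS defaults to 14, well before the 30-day
# window in which acme.sh's cron job should already have renewed)
#   0 if more than DAYS days remain, 1 with a warning on stderr if not,
#   2 if the file cannot be read.
check_renewal() {
  file=$1; days=${2:-14}
  secs=$((days * 86400))
  case $(cert_expires_within "$file" "$secs"; echo $?) in
    1) return 0 ;;
    0) echo "WARNING: $file expires within $days days: $(openssl x509 -noout -enddate -in "$file")" >&2
       return 1 ;;
    *) echo "ERROR: cannot read certificate $file" >&2
       return 2 ;;
  esac
}

# Stand-alone demo: a constructed self-signed certificate valid for one day,
# standing in for a renewal that has not happened.
demo() {
  dir=$(mktemp -d) || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.com" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
  check_renewal "$dir/cert.pem" 14 || echo "demo: renewal check failed as expected (status $?)"
  check_renewal "$dir/cert.pem" 0 && echo "demo: certificate is still valid right now"
  rm -rf "$dir"
}

demo
```

A cron entry such as `0 6 * * * sh /home/user/check-cert.sh /home/user/.acme.sh/example.com/fullchain.cer 14` (path constructed for illustration) will then mail cron's owner the WARNING line whenever the installed certificate is close to expiry, which is exactly the case the acme.sh cron job's `> /dev/null` hides.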

10. Updating .htaccess file

Hosts don't automatically redirect from the insecure (http) version of the site to the secure (https) version, so a visitor who types the bare hostname still gets the unencrypted site.

Here's how to do just that, in the .htaccess file of your web root (/home/username/public_html in the example above):

<IfModule mod_rewrite.c>
RewriteEngine On
# Any request that arrived over plain HTTP: send a permanent redirect to the
# same host and path over HTTPS.
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Once on HTTPS, drop a leading "www." so only the bare domain is canonical.
# %1 is the host captured by the condition's parentheses.
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L]
</IfModule>
