TLDR VERSION
This article is a shortcut for getting SSL certs from Let’s Encrypt (or ZeroSSL) issued and deployed for your cPanel-hosted websites (domain or addon domains), using acme.sh.
The commands to set up and configure acme.sh in cPanel are here. But once acme.sh is running via SSH or within the cPanel terminal, there are just 2 key commands needed to handle the SSL portion:
(optional) Set default CA to Let’s Encrypt (if you don’t want ZeroSSL):
acme.sh --set-default-ca --server letsencrypt
Issue your cert:
acme.sh --issue --webroot ~/public_html -d yourdomain.com -d www.yourdomain.com --force
Deploy your cert:
acme.sh --deploy --deploy-hook cpanel_uapi --domain yourdomain.com --domain www.yourdomain.com
Certs will renew every 60 days automatically, according to the authors.
I was not able to successfully include mail, webmail or a wildcard cert. Maybe I will poke at that when I have more time.
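A check to run after the issue and deploy steps above, added here as an example and not taken from this post or from acme.sh: it reads a certificate file and confirms the issuing CA, the names it covers and the days left before expiry. The function names, the 20-day threshold and the self-signed sample certificate are assumptions made for the example; point check_cert at the certificate file acme.sh wrote for your domain.

```shell
# Added example: audit a certificate file that acme.sh wrote.
# check_cert <cert.pem> <issuer-substring> <min-days-left> <name>...
# Prints one line per check; returns 0 only if every check passes.
check_cert() {
  local cert="$1" want_issuer="$2" min_days="$3" rc=0 issuer sans name
  shift 3

  # 1. Which CA signed it? (the post got ZeroSSL when it wanted Let's Encrypt)
  issuer=$(openssl x509 -in "$cert" -noout -issuer) || return 2
  case "$issuer" in
    *"$want_issuer"*) echo "ok   $issuer" ;;
    *) echo "FAIL expected issuer '$want_issuer', got: $issuer"; rc=1 ;;
  esac

  # 2. Is every requested name in subjectAltName? Exact match only:
  #    a wildcard entry is not expanded here.
  sans=$(openssl x509 -in "$cert" -noout -text | tr ',' '\n' | sed -n 's/^ *DNS://p')
  for name in "$@"; do
    if printf '%s\n' "$sans" | grep -qxF "$name"; then
      echo "ok   covers $name"
    else
      echo "FAIL no SAN for $name"; rc=1
    fi
  done

  # 3. Has renewal stalled? -checkend N fails if the cert expires within N seconds.
  if openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
    echo "ok   more than $min_days days left"
  else
    echo "FAIL expires within $min_days days"; rc=1
  fi
  return $rc
}

# Constructed test input: a self-signed stand-in, not a real CA-issued cert.
# make_sample_cert <out.pem> <days-valid>
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
    -days "$2" -subj "/O=Example Test CA/CN=yourdomain.com" \
    -addext "subjectAltName=DNS:yourdomain.com,DNS:www.yourdomain.com" 2>/dev/null
}

# Demo: the sample cert lacks mail.yourdomain.com and is not from Let's Encrypt,
# so two checks fail and check_cert returns 1.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/cert.pem" 90
check_cert "$demo_dir/cert.pem" "Let's Encrypt" 20 \
  yourdomain.com www.yourdomain.com mail.yourdomain.com || echo "audit failed"
rm -rf "$demo_dir"
```

Run from cron after the acme.sh renewal job, a non-zero return is the signal that the CA changed, a name dropped off the cert, or renewal stopped working.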
MORE FUN READING
I resell Namecheap hosting because I think it offers top-notch service at a fantastic price. However, one of the things that annoys me, when compared to providers like HostGator, is that Namecheap has a wonky version of “free SSL.”
NAMECHEAP SSL
It’s done via this weird plug-in for cPanel and I haven’t had it work correctly without contacting support. Even if it did work correctly, it has other drawbacks:
For example, it only gives you 50 1-year certificates. If you have 25 domain names you want to keep secure, you can provide SSL for 2 years and then you start paying. The cost for SSL will crush the savings you get from hosting, and at that point, you might as well go back to HostGator or BlueHost.
Next, those 1-year certs are only good for your domain.com and www.domain.com. That means, if you use cPanel’s mail.domain.com or webmail.domain.com subdomains, you are COL (Cert Outta Luck).
LET’S ENCRYPT
If you use HostGator, they have some gadgets that use Let’s Encrypt to issue automatically renewing SSL certs FOREVER, and they cover all your subdomains. But . . . what if you are a cheapskate like ME? What if you want the super awesome inexpensive hosting of Namecheap AND you want free Let’s Encrypt certificates? In that case, let the good times roll.
THINGS I TRIED
I found this post: https://dev.to/atomar/let-s-encrypt-ssl-certificate-in-namecheap-autorenewal-verified-working-using-acme-sh-4m7i
But this is the post I used: https://medium.com/@jonathanobise/how-to-setup-free-lets-encrypt-ssl-on-namecheap-using-acme-sh-in-cpanel-5a3d408071ba
I also used some of the docs on the acme.sh project site: https://github.com/acmesh-official/acme.sh
It totally works, but I noticed the certs are from ZeroSSL. Maybe that’s fine, but I want to use Let’s Encrypt. It turns out you can do that by setting the default CA.
Ultimately though, I am still not securing my mail or webmail subdomains, so I just use the wonky central hostname which has a wildcard cert on it, and that keeps those in their TLS happy place.
That’s the end of the fun reading, use the TLDR section at the top of this article to make some SSL magic happen in your life 🙂
RETHINKING FREE
Real work has been done to make this stuff possible. I like to sponsor the free software I use, and in the case of Let’s Encrypt and acme.sh, they are saving me VERY real money, so it is only fair I put them on my “donation” payroll and I encourage everyone to support the products you love, ESPECIALLY when they are truly “free”!
Is it possible, on a shared server, to enable wildcard?
Hello Michelangelo,
I no longer have access to my acme.sh configuration because I’ve changed hosting providers.
It looks like it should be possible:
https://blog.bobhy.com/blog/wildcard-cert-via-acme-sh/
https://kb.virtubox.net/knowledgebase/how-to-issue-wildcard-ssl-certificate-with-acme-sh-nginx/
But, I remember trying * and although the instructions said it should work, it kept having validation errors. I wanted the wildcard because I need mydomain and mail.mydomain and webmail.mydomain to all be SSL, but I couldn’t get that functioning. In the end, I left my hosting provider, and that was one of several reasons.