This guide will demonstrate how to use acme.sh with a cPanel account to setup automatically renewing Let's Encrypt certificates.

Prerequisites: SSH access to your cPanel account is required. Contact your host to find out whether this is available. Sometimes they will enable it on request.

In the example commands below, make the following substitutions:

Login to your cPanel account via SSH:

ssh -l _CPANEL_USERNAME_ -p _SSH_PORT_  _SSH_ADDRESS_

Install acme.sh with the following command:

curl https://get.acme.sh | sh

Log-off and login to SSH again, or run the following command:

source ~/.bashrc

Tell acme.sh to set Let's Encrypt as the default CA server (required since Aug 2021):

acme.sh --set-default-ca  --server  letsencrypt

Register a Let's Encrypt account with your email, so you can be notified of any renewal issues:

acme.sh --register-account --accountemail [email protected]

And confirm that acme.sh has setup a cron job for automatic renewals:

crontab -l | grep acme.sh

# The above command should output something like the below:
10 0 * * * "/home/_CPANEL_USERNAME_/.acme.sh"/acme.sh --cron --home "/home/_CPANEL_USERNAME_/.acme.sh" > /dev/null

We will use the webroot method, which requires you to enter the document root of your domain. The webroot for your main domain is ~/public_html, but addon domains and subdomains will be located in other directories.

uapi DomainInfo single_domain_data domain=_EXAMPLE.COM_ | grep documentroot

Try issue a test certificate now:

acme.sh --issue --webroot ~/public_html -d _EXAMPLE.COM_ --staging

If this domain has alias/parked domains, include those with additional -d parameters, such as:

acme.sh --issue --webroot ~/public_html -d example.com -d www.example.com --staging

Note that the above test certificate would Issue ECC certificates which may get stored in your directory /home/CPANEL_USERNAME/.acme.sh/domain.com_ecc, and may cause your SSL issued but not working Instead, use this method to test certificates for (RSA2048),(RSA3072) or (RSA4096)

acme.sh --issue --webroot ~/public_html -d example.com -d www.example.com --keylength 2048 --staging

Ensure that this step is successful. If you encountered an error, ensure that the webroot is correct, or try to run acme.sh with --debug 2 for further information.

Use the same parameters as for your test certificate, except replace --staging with --force:

acme.sh --issue --webroot ~/public_html -d _EXAMPLE.COM_ --force

Note that the above test certificate would Issue ECC certificates which may get stored in your directory /home/CPANEL_USERNAME/.acme.sh/domain.com_ecc, and may cause your SSL issued but not working Instead, use this method to test certificates for (RSA2048),(RSA3072) or (RSA4096)

acme.sh --issue --webroot ~/public_html -d example.com -d www.example.com --keylength 2048 --force

This re-issues the certificate as a real, trusted SSL certificate, rather than a test one from the staging environment.

After issuing the real certificate, we need to tell acme.sh how to install it to our domain, so it can automatically perform that task at every renewal.

acme.sh --deploy --deploy-hook cpanel_uapi --domain _EXAMPLE.COM_

This should result in a success message:

[Tue Aug  6 03:56:25 EDT 2019] Certificate successfully deployed
[Tue Aug  6 03:56:25 EDT 2019] Success

You should now be able to visit your domain in your browser and see that it is protected by a Let's Encrypt certificate.

Please note, this will only deploy to a single virtualhost in your cPanel account. For other addon and subdomains, you should create separate certificates..

To automatically redirect insecure HTTP traffic to HTTPS, please enable Force HTTPS Redirection in cPanel: https://blog.cpanel.com/force-https-redirection/