1. Enable SSH and set up access key
Go to your cPanel and enable SSH. Then scroll down until you find the Security section and click on SSH Access. Click on Manage Keys, then generate a key and download it to your local machine (ideally in ~/.ssh).
Take note of the passphrase; we will need it in the next step.
Change the downloaded key’s extension to .txt (optional) and then change its permission:
chmod 600 ~/.ssh/filename.txt
2. Adding your SSH key passphrase to the ssh-agent
This allows us to log in securely and automatically:
ssh-add -K ~/.ssh/id_rsa
3. SSH into cPanel
ssh -i ~/.ssh/filename.txt username@ip
4. Download and install acme.sh
curl https://get.acme.sh | sh
Or:
wget -O - https://get.acme.sh | sh
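Both commands above run whatever the URL returns at that moment. As an added example (not part of the original post or of acme.sh), the wrapper below runs a saved copy of the installer only if it still matches a SHA-256 recorded when you reviewed it. The names sha256_of, run_if_pinned and acme-install.sh are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pin-and-verify wrapper for the step 4 installer.
# sha256_of and run_if_pinned are hypothetical helpers, not part of acme.sh.

# Print the SHA-256 of a file using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# run_if_pinned FILE EXPECTED_SHA256 [INTERPRETER]
# Runs FILE only when its digest equals the one recorded at review time.
# Returns the script's own status after a run, 2 on digest mismatch,
# 3 if FILE is missing or empty (for example after a failed download).
run_if_pinned() {
    file=$1; expected=$2; interp=${3:-sh}
    [ -s "$file" ] || { echo "missing or empty: $file" >&2; return 3; }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 2
    fi
    "$interp" "$file"
}

# Intended use on the host (not executed here; needs network access):
#   curl -fsSL https://get.acme.sh -o acme-install.sh
#   less acme-install.sh          # review what will run
#   sha256_of acme-install.sh     # record this value as the pin
#   run_if_pinned acme-install.sh "<SHA256-RECORDED-AT-REVIEW>"
```

The pin covers only the file you reviewed; anything that script downloads in turn is outside it.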
5. Exit the shell and log in again to make the alias work
exit
6. Issue SSL certificate (web-root method)
acme.sh --force --issue -d example.com -d www.example.com -w /home/username/public_html
7. Deploy the certs to your cPanel host
Let's set some constants first.
You only need to do this once.
export DEPLOY_CPANEL_USER=myusername
export DEPLOY_CPANEL_PASSWORD=PASSWORD
Time to deploy the
acme.sh --deploy -d example.com -d www.example.com --deploy-hook cpanel
8. Deploy SSL to cPanel using UAPI
This hook uses UAPI and works in cPanel & WHM version 56 or newer.
DEPLOY_CPANEL_USER is required only if you run the script as root, and it should contain the cPanel username.
export DEPLOY_CPANEL_USER=username
acme.sh --deploy -d example.com -d www.example.com --deploy-hook cpanel_uapi
Please note that the cpanel_uapi hook will deploy only the first domain when your certificate automatically renews. Therefore you should issue a separate certificate for each domain.
Note: the cron job to auto-renew the SSL certificate is also set up.
9. You are done. Check the cron job with the following:
crontab -l
23 0 * * * "/home/user/.acme.sh"/acme.sh --cron --home "/home/user/.acme.sh" > /dev/null
10. Updating .htaccess file
Hosts don't automatically redirect from the insecure (http) version of the site to the secure (https) version.
Here's how to do just that:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L]
</IfModule>
2 comments on “LetsEncrypt SSL Cert with Auto Renew on Godaddy/Cpanel in 10 Steps”
CR
2022-01-03 at 10:20 PM
How to add LE SSL to subdomain? I tried the same method. While it works for the main domain (say example.com), it isn’t working for subdomain, say blog.example.com.
davidq69
2022-02-04 at 3:45 PM
Sorry, it took so long. For blog.example.com you need to have a DNS record pointing to your blog.domain.com domain. Ping blog.domain.com, if it does not reply, it’s your DNS. Check out this DNS information on my new site https://toolboxaid.com/dns/dns-record-types/ (still a work in progress). Let me know if this helps.
P.S. A minimum of two (2) records are required (CAA & A).