Skip to content

Simple guide to add TLS cert to cpanel

Fernando Miguel edited this page Sep 23, 2017 · 22 revisions

How to install a SSL/TLS Let’s Encrypt cert into a cPanel account

Based on https://github.com/Neilpang/acme.sh/blob/master/deploy/README.md

We will use acme.sh app, which is a Let’s Encrypt 3rd party client, with its cPanel API.

Replace EXAMPLE.COM with your domain


First we SSH into your cPanel host.

Then install acme running the following command:

$ curl https://get.acme.sh | sh

Then you either logoff and ssh again or just source bashrc:

$ source ~/.bashrc

Add your email to be notified of issues with the TLS cert:

$ acme.sh --update-account --accountemail USERNAME@EXAMPLE.COM

Now let’s issue a test cert to see if everything is in place for the real cert to be issued and put in place.

We will use the webroot method, which requires the user to enter the location of their public_html folder.

The default one is ~/public_html , but if you are using an addon domain, it will be that folder instead.

$ acme.sh --issue --keylength ec-256 --ecc --webroot ~/public_html/ -d EXAMPLE.COM --staging

If successful, then we issue the real cert:

$ acme.sh --issue --keylength ec-256 --ecc --webroot ~/public_html/ -d EXAMPLE.COM --force

Next we enter the cPanel username (replace with your account name):

$ export DEPLOY_cPanel_USER=_username_

Next we add the cert to the cPanel database:

$ acme.sh --deploy --deploy-hook cPanel_uapi -d EXAMPLE.COM

[Sat Sep 23 06:53:08 EDT 2017] Certificate successfully deployed

[Sat Sep 23 06:53:08 EDT 2017] Success


You can see if a crontab responsible to renew your cert every 60 days has been installed with the following command:

$ crontab -l

56 0 * * * "/home/EXAMPLE.COM/.acme.sh"/acme.sh --cron --home "/home/EXAMPLE.COM/.acme.sh" > /dev/null

In your cPanel account, you should see the new cron and also the new TLS cert applied to your domain.

Final step is create a redirect from http to https

Go to cPanel File Manager, create a .htaccess file in the root of your public_html folder, edit, and add the following:

RewriteCond %{HTTPS} off

# First rewrite to HTTPS:

RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

ADVANCE SETUP

Once your site is running smoothly with TLS, you can have browsers preload HTTPS.

It's called HSTS Preload. Before continuing, read more at https://scotthelme.co.uk/hsts-preloading/

Once informed, edit .htaccess and add the following:

<IfModule mod_headers.c>

Header set Strict-Transport-Security "max-age=60; " env=HTTPS

</IfModule>

This will add HSTS for 60 seconds. If the site is working as expect, increase it to 86400 seconds (one day).

<IfModule mod_headers.c>

Header set Strict-Transport-Security "max-age=86400; " env=HTTPS

</IfModule>

Once that is proven to work, change to 6 months.

<IfModule mod_headers.c>

Header set Strict-Transport-Security "max-age=15768000; " env=HTTPS

</IfModule>

You may consider to add preload flag and submit to https://hstspreload.org/

Clone this wiki locally