I have access to webhosting through the generosity of a friend and his hosting provider used CPanel and offers paid SSL certificates but does allow for SSH access. So, the best and free way to get SSL certificates is getting certificates from Let’s Encrypt using acme.sh.

While I’ve had this setup for years and it works great, it’s a real issue if it breaks because I do the sad thing of hitting up in the terminal history #somuchshame. So I’m documenting it for myself and anyone else that might find this useful.

  1. Clone acme.sh from Github and cd into folder.

  2. Issue the certificate with:

    ./acme.sh --issue --webroot /home/USERNAME/public_html/ --domain example.org --deploy-hook cpanel_uapi

  3. Deploy the certificate if the deploy hook doesn’t do its job properly

    ./acme.sh --deploy --domain example.org --deploy-hook cpanel_uapi

  4. Setup the cron job so it will renew automatically

    ./acme.sh --cron

Another win for FOSS and SSH access on a Linux box.

In dire situations, you can actually go to CPanel and manually enter the certificate information that acme.sh generates. The acme.sh folder will contain a sub-directory named example.org (whatever your domain name is), inside that you’ll need to map the contents of the following files to the following fields:

File Name CPanel Field
example.org.cer Certificate: (CRT)
example.org.key Private Key (KEY)
ca.cer Certificate Authority Bundle: (CABUNDLE)

NOTE: If you’re having issues with the ZeroSSL.com CA that acme.sh now defaults to, you can edit example.org.conf and specify the api using:


Editorial note: The API isn’t French, it’s Le for Let’s Encrypt… capitalizing acronyms in variable names is always contentious, snake case should makes it easier. But mixing usage seems like the worst of all choices. Le but not Api? Why not LE_API or le_api.

Update: @benoitj makes another great point, LE is not providing any additonal context, acme or api (regardless of capitalization) would make the variable name better.