DEV Community

Cover image for Let's Encrypt SSL with auto-renew on GoDaddy in 4 steps
Ezequiel Esnaola
Ezequiel Esnaola

Posted on

Letsencrypt Godaddy Let's Encrypt SSL with auto-renew on GoDaddy in 4 steps

I recently tried to install a Let's Encrypt SSL certificate on GoDaddy and I did'n find enough information to configure auto-renew.

It is simplified in 4 simple steps steps everything you need to install a free certificate and save some πŸ’ΈπŸ’ΈπŸ’Έ
Β 

1. Connecting via SSH to your server

You must enable SSH access from your cPanel and log in with your credentials.

$ ssh [username]@[hostname]
Enter fullscreen mode Exit fullscreen mode

Β 

2. Install acme.sh

Download this repo and install it.

$ curl https://get.acme.sh | sh
Enter fullscreen mode Exit fullscreen mode

Β 

3. Issue the certificate

You only need write access to the web root folder to issue the certificate.

$ acme.sh --force --issue -d example.com -d www.example.com  -w /home/[username]/public_html
Enter fullscreen mode Exit fullscreen mode

Β 

4. Deploy the certificate

There are 2 ways to implement the certificate and both leave the cronjob configured.

a. Deploy SSL to cPanel using UAPI (GoDaddy option)

This hook is using UAPI and works in cPanel & WHM version 56 or newer.

$ acme.sh --deploy -d example.com -d www.example.com --deploy-hook cpanel_uapi
Enter fullscreen mode Exit fullscreen mode

b. Deploy SSL to cPanel (other cPanel version)

DEPLOY_CPANEL_USERΒ andΒ DEPLOY_CPANEL_PASSWORDΒ is required only once.

$ export DEPLOY_CPANEL_USER=myusername
$ export DEPLOY_CPANEL_PASSWORD=PASSWORD
$ acme.sh --deploy -d example.com -d www.example.com --deploy-hook cpanel
Enter fullscreen mode Exit fullscreen mode

For more documentation see theΒ GitHub Wiki

I hope this may help you!

Top comments (11)

Collapse
 
pljones profile image
Peter L Jones

Like @sylver9, this does not work for me:

$ acme.sh --force --issue -d maindomain.eg -d *.maindomain.eg -w /home/<username>/public_html
[Sun Oct  9 05:04:28 MST 2022] Using CA: https://acme.zerossl.com/v2/DV90
[Sun Oct  9 05:04:28 MST 2022] Create account key ok.
[Sun Oct  9 05:04:28 MST 2022] No EAB credentials found for ZeroSSL, let's get one
[Sun Oct  9 05:04:28 MST 2022] acme.sh is using ZeroSSL as default CA now.
[Sun Oct  9 05:04:28 MST 2022] Please update your account with an email address first.
[Sun Oct  9 05:04:28 MST 2022] acme.sh --register-account -m my@example.com
Enter fullscreen mode Exit fullscreen mode

OK, fair enough - it wants an email and tells you how to feed it. However...

$ acme.sh --register-account -m <postbox>@maindomain.eg
[Sun Oct  9 05:04:53 MST 2022] No EAB credentials found for ZeroSSL, let's get one
Usage: _hmac hashalg secret [outputhex]
[Sun Oct  9 05:04:54 MST 2022] Registering account: https://acme.zerossl.com/v2/DV90
[Sun Oct  9 05:04:58 MST 2022] Register account Error: {"type":"urn:ietf:params:acme:error:malformed","status":400,"detail":"[External Account Binding] The JWS Signature MUST be present"}
Enter fullscreen mode Exit fullscreen mode

From which point progress is not possible.

Collapse
 
pljones profile image
Peter L Jones

Aha! That's because acme.sh changed to ZeroSSL in 2021 (after this article was written). To revert to Let's Encrypt, run this before running the --issue request:

acme.sh --set-default-ca --server letsencrypt
Enter fullscreen mode Exit fullscreen mode
Collapse
 
pljones profile image
Peter L Jones

Hm. Next hurdle is the script tries to chown things and gets it wrong: it should just leave well enough alone (i.e. owner read/write access is there, so why change anything). I think I'll have to patch something for this.

(This is because GoDaddy site root directory group ownership is nobody and the user running the site is not in that group.)

Collapse
 
abregnsbo profile image
Axel Bregnsbo

Had the exact same problem, and got side-tracked by a link output by acme.sh redirecting me to ZeroSSL with non-working recommendation. With your acme.sh --set-default-ca ... command above, it works nicely.

Thread Thread
 
sudar profile image
KÒzım ERDOĞAN

--set-default-ca --server letsencrypt

add to try

Collapse
 
sylver9 profile image
sylver9 • Edited

I kept getting this error:
The deploy hook cpanel is not found.

acme.sh --deploy -d example.com -d example.com --deploy-hook cpanel
I even tried channel_uapi and the resulting error noted that cert files were missing. And they were. Because one needs to create an account acme.sh --register-account -m user@example.com
before using acme.sh --force --issue

Collapse
 
abregnsbo profile image
Axel Bregnsbo

@eesnaola please update your nice tutorial with a step 2.5 (from Peter L Jones) that contains acme.sh --set-default-ca --server letsencrypt

Collapse
 
nuukem profile image
Nuukem • Edited

This is great. Thank you so much!

Will this auto deploy the new SSL to cPanel when the certificate renews?

Collapse
 
drix93 profile image
Adrian Dixon

Hi Ezequiel, great simple and useful article. How would I go about doing an SSL for two domains example: my-domain.com and my-domain.ca?

Collapse
 
drix93 profile image
Adrian Dixon • Edited

I think I might have answered my own question:

By just adding "-d my-domain.com" along with it's www. counterpart and any others.

Collapse
 
cuethenoise profile image
cuethenoise • Edited

This is GOLD saved me from having to dish out for a GoDaddy SSL cert! Does the autorenew install the cert into cpanel?