Applying Let’s Encrypt SSL certificate in Namecheap in 2020 with AutoRenewal – Verified & working – Using ACME.sh

NameCheap doesn’t support Let’s Encrypt natively, so I was looking for a way to implement SSL for my blog. I did it with getSSL earlier, but in that case I had to apply the certificate manually through cPanel. acme.sh has a cPanel hook that lets you install the certificate from the command line itself, along with auto-renewal.

Follow the steps below to enable SSL:

Ignore Step 1 & 2 if you want to use NameCheap’s Terminal instead of yours – cPanel -> Advanced -> Terminal (Still you will need to Enable SSH Access)

1 – Login to NameCheap portal & enable SSH access first :

Select manageShell & enable checkbox for Enable SSH Access

Note down the IP, username & port. Use the same password that you use to log in to cPanel. In case you don’t have it, have the password reset by the support team.

2 – If you don’t have RSA keys yet, generate a new key pair; if you already have one, use it to log in to the server

  • View the private key & copy it to the .ssh folder of any SSH client with the name id_rsa and permission 600
vi ~/.ssh/id_rsa
# paste the private key data here
chmod 600 ~/.ssh/id_rsa

Try connecting now with the details obtained from step 1:
ssh -p <port> <cpanel_user>@IP

3 – Once logged in, use the commands below to generate the certs. For more details you can visit the official wiki: https://github.com/acmesh-official/acme.sh/wiki/Simple-guide-to-add-TLS-cert-to-cpanel

#Get acme.sh utility
curl https://get.acme.sh | sh

#Source the Environment variables
source ~/.bashrc

#Register your email with Let's Encrypt to be notified of any renewal issues
acme.sh --register-account --accountemail email@example.com

# At this point a cron entry has already been set up for auto-renewal, which will renew the cert after 60 days. You can change /dev/null in it to a log file, as below, if you need the log
crontab -l | grep acme.sh
10 0 * * * "/home/_CPANEL_USERNAME_/.acme.sh"/acme.sh --cron --home "/home/_CPANEL_USERNAME_/.acme.sh" >> /home/_CPANEL_USERNAME_/.acme_cron_log

4 – Issue a test cert to check that everything is working

#webroot is the directory your domain is served from; give the path accordingly.
acme.sh --issue --webroot ~/public_html -d yourdomain.com --staging

5 – Issue an actual certificate

acme.sh --issue --webroot ~/public_html -d yourdomain.com --force

#In the output you will see success if all goes fine, & the key/certs/chain certs/CSR will be stored under the location below; you can refer to those if you intend to apply them manually using the cPanel GUI

~/.acme.sh/yourdomain.com/

6 – Apply the cert to cPanel from the command line

acme.sh --deploy --deploy-hook cpanel_uapi --domain yourdomain.com

7 – You should be able to see your domain with SSL in cPanel under SSL/TLS -> Manage all certs

8 – Force HTTP-to-HTTPS redirection

If you see the option to enable it, you can enforce HTTPS from cPanel itself:

cPanel->Domains

In case it is greyed out, which can happen when you have multiple domains like www.yourdomain.com for which you don’t have the cert, enable the redirection from “redirects” or simply add the lines below to the .htaccess file

#always take a backup first, as a rule of thumb
vi ~/public_html/.htaccess 

Or

vi ./yourdomain.com/.htaccess 

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

9 – Test your website in a new window with the URL https://yourdomain.com or http://yourdomain.com (over http it should redirect automatically to https)

You should no longer see any warning that the site is not secure. The padlock should be visible, the connection should be secure, and the certificate should show as valid.

If you click on Certificate, it will show Issuer as Let’s Encrypt:

In Firefox/Chrome you should see the connection as secure.

If you see an error that some part of the website is not secure, you can check which part of your website is still insecure using the link below

https://www.whynopadlock.com/

10 – Default expiry is 90 days, so the cert will expire after 90 days. The cron job will renew the cert after 60 days, so make sure to check back after 60-65 days that it has been taken care of.
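A check to run around the 60-65 day mark, added here as an example (not part of the original post or of acme.sh): it reads the certificate the site actually serves, so it also catches a renewal that succeeded but was never deployed to cPanel. The 30-day margin is derived from the 90-day expiry and 60-day renewal stated above; the function names are illustrative, and reading a certificate assumes openssl and GNU date are installed.

```shell
#!/bin/sh
# Added example: detect a Let's Encrypt cert that the acme.sh cron job did not renew.
# Assumption: 90-day lifetime, renewal at day 60, so a healthy cert always has
# at least 30 days left. Fewer than that means renewal or deployment failed.
RENEW_MARGIN_DAYS=30

# renewal_state NOT_AFTER_EPOCH NOW_EPOCH -> prints ok | overdue | expired
renewal_state() {
    left=$(( $1 - $2 ))
    if [ "$left" -le 0 ]; then
        echo expired
    elif [ "$left" -lt $(( RENEW_MARGIN_DAYS * 86400 )) ]; then
        echo overdue
    else
        echo ok
    fi
}

# days_left NOT_AFTER_EPOCH NOW_EPOCH -> whole days remaining
days_left() { echo $(( ($1 - $2) / 86400 )); }

# cert_not_after_epoch: reads a PEM certificate on stdin, prints its expiry as Unix time
cert_not_after_epoch() {
    end=$(openssl x509 -noout -enddate) || return 1   # notAfter=Jun  1 12:00:00 2025 GMT
    date -u -d "${end#notAfter=}" +%s
}

# report LABEL NOT_AFTER_EPOCH -> prints one status line, succeeds only when state is ok
report() {
    now=$(date -u +%s)
    state=$(renewal_state "$2" "$now")
    echo "$state: $1 has $(days_left "$2" "$now") days left"
    [ "$state" = ok ]
}

# check_served HOST -> checks the certificate the web server presents on port 443
check_served() {
    na=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
         | cert_not_after_epoch) || { echo "unreadable: $1"; return 2; }
    report "$1" "$na"
}

# Usage (yourdomain.com is the placeholder used throughout the steps above):
#   check_served yourdomain.com || echo "renewal needs attention"
```
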

Let me know if it works for you or you get any errors with any step.
