Free SSL Certificates

We're very pleased to be able to offer full integration with Let's Encrypt, the new FREE SSL certificate authority.

To get your free certificates installed, find the “Let’s Encrypt SSL” icon in the “Security” category after logging into cPanel:

or by searching for “SSL” in the top search bar:

The very first time you visit this page may take a few seconds, as it will register an anonymous account key with the Let’s Encrypt CA.

The Interface

The interface is split into two sections.

The first section will list all of your domains that have “Let’s Encrypt” certificates issued, their expiry, and options to remove, reinstall and view them:

Additionally, you can see the last time that renewals were processed for your account, which is typically every 12 hours.

The second section will list all of the domains configured in your account (parked domains will show up in the issue section under the main domain) with their webroots, and an option to issue certificates:

Issuing a new certificate

Prerequisites

There are two important prerequisites to be met in order for a certificate to be able to issued:

  • The domain name(s) you want signed must be pointing to this cPanel server already
  • The Let’s Encrypt CA must be able to visit http://your-domain/.well-known/acme-challenge/xxx successfully.

These directories/files will be created automatically, but you should take care that you do not have any .htaccess rules that prevent access.

Most users will fulfil these requirements automatically.

Note regarding SSL-only domains: Currently, the ACME spec permits renewal over SSL/TLS with a valid certificate in place, provided that you have rules in place to perform a 301 redirect for requests to their SSL counterpart. However, the spec is still in flux and this may change in the future.

Issuing Process

The issuing section is composed of the domain the certificate will be issued for, any alias or parked domains pointing to this domain which can be included in this certificate, and an option to install this certificate for SMTPS/POP3S/IMAPS.

The process may take anywhere from 10 to 45 seconds, so do not navigate away from the page.

At completion, the keys and certificates should be installed on the server, with a success message:

Renewing certificates

Certificate renewal is automatic in the background.

Your certificate will be attempted to be renewed every day from the point it is 30 days from expiring.

The prerequisites listed above for issuing must still be met during the renewal attempts, or the attempts will fail.

You will receieve an email for any attempt to renew, be it successful or failed, to the email account attached to your cPanel account.

Reinstalling certificates

The certificate can be reinstalled at any time through the “Reinstall” action. Possible reasons for reinstalling can be enabling SSL for mail servers post-issuing, or if the certificate was removed from the SSL/TLS manager.

The status column will show the current status of the certificate on the system. If for any reason the certificate was removed from the SSL/TLS manager without being removed from the Let’s Encrypt plugin page, this status column will display “Uninstalled”.

Removing certificates

To uninstall a certificate, it is best to press “Remove” on the Let’s Encrypt for cPanel plugin page, rather than doing through the SSL/TLS Manager that comes with cPanel.

This is because our uninstall process also removes the key and certificate from the manager, in one click.

Please note that uninstalling a certificate will not revoke it at the Let’s Encrypt CA.

You may wish to back up the private keys before you perform any uninstallations, as they are irretrevable, and you will require them if you want to use any of your previous certificates again.

  • 21 Users Found This Useful
Was this answer helpful?