How to Configure and Manage Let’s Encrypt in cPanel
It’s super easy to install and manage SSL certificates in cPanel & WHM. Certificate requests and installations happen automatically with AutoSSL and an integration such as the cPanel Let’s Encrypt™ plugin. SSL automation saves web hosting providers time and eliminates the deluge of support requests that traditionally accompany SSL certificate issues.
AutoSSL includes a default certificate provider, which we chose for its reliability, usability, and generous domain and rate limits. However, we also made it easy to switch providers. In this article, we will show you how to configure AutoSSL to use Let’s Encrypt™, which provides free SSL certificates that are valid for 90 days.
What is an SSL Certificate?
SSL certificates are files that contain information to verify a server’s identity and encrypt data before it’s sent over the internet. Their most important job is securing HTTPS connections, which enhance the web’s standard HTTP protocol with identity verification and encryption.
When you see a padlock in your browser’s address bar, it means that the domain has an SSL certificate the browser trusts and that communication between it and the server is encrypted.
How does the browser know it can trust the certificate? After all, anyone can create one; you could make your own right now with the OpenSSL software on your server or in cPanel’s SSL management interface.
This is where certificate authorities (CAs) come in. A CA verifies that a person or company has legitimate control over a domain. It then signs the certificate with a digital signature. When a browser sees the signature of a CA it trusts, it knows it can trust the server to which it is connected.
All SSL certificates work in the same way, but there is one important difference that affects how much they cost: the amount of effort the CA puts into investigating and verifying organizations.
- Domain-validation (DV): The applicant has to demonstrate that they control the domain, usually by uploading a file to the server or adding a special DNS record.
- Organization-validation (OV): The applicant must prove they own the domain and are a legally registered business.
- Extended-validation (EV): The applicant owns the domain, is a legally registered business, and the CA spends more time investigating and authenticating the organization.
As you might expect, EV certificates are the most expensive because they take the most time. OV certs are less expensive, and DV certs are often free. Still have questions? See our earlier blog post, “Which SSL is right for me?”, for more information.
cPanel Let’s Encrypt Plugin’s Free SSL Certificates
Let’s Encrypt is a certificate authority specializing in free DV SSL certificates. It was a free SSL pioneer and one of the first to develop infrastructure and software to automate the request and installation process.
In 2020, several CAs offer DV certs for free, including cPanel-partner Sectigo, the default SSL provider in cPanel’s AutoSSL feature. However, if you would like to use Let’s Encrypt instead, it’s straightforward to switch.
To use Let’s Encrypt in AutoSSL, the first step is to install the cPanel Let’s Encrypt plugin. Log in to your server as the root user with SSH and enter the following command:
/scripts/install_lets_encrypt_autossl_provider
The script installs the plugin and a handful of dependencies. If you change your mind, it can be removed by running the uninstall script as root:
/scripts/uninstall_lets_encrypt_autossl_provider
Configuring the Let’s Encrypt Plugin in cPanel
Next, we’ll activate the Let’s Encrypt AutoSSL provider in WHM. Open WHM and navigate to the Manage AutoSSL page, which you’ll find under SSL/TLS in the sidebar menu.
Select Let’s Encrypt under AutoSSL Providers.
Before you can use Let’s Encrypt, you will have to agree to the provider’s terms of service. There is also an option to “Recreate my current registration with Let’s Encrypt.” This is only necessary if your license has expired or been corrupted, so there is no need to select it now.
Click Save and cPanel will switch to Let’s Encrypt. The next time AutoSSL replaces a certificate, it will use Let’s Encrypt instead of the default provider.
If you would like to immediately replace the server’s existing certs with new ones from Let’s Encrypt, manually remove the old ones by navigating to Manage SSL Hosts under SSL/TLS in the sidebar menu. Be aware that when you remove certificates, their associated sites will not be available at a secure HTTPS URL until they are replaced.
Return to Manage AutoSSL and click Run AutoSSL For All Users. cPanel will regenerate the removed certificates with replacements from the Let’s Encrypt provider.
Managing Certificates with the Let’s Encrypt Plugin in cPanel
AutoSSL is a considerable improvement on earlier SSL management systems because it is largely automatic. The complexities of dealing with the CA, deploying validation tokens, and installing certificates are handled without user intervention.
However, there are some cPanel Let’s Encrypt plugin configurations you may want to adjust. You will find them under the Options tab in Manage AutoSSL. Here, you can configure user and administrator notifications for AutoSSL events, including request failures and other issues.
At the bottom of the page is the “Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates” option.
This option gives AutoSSL permission to replace certificates that it did not issue and does not manage. It’s useful for transitioning users who sourced their certs from a different CA. However, it will replace any expiring OV or EV certificates with a DV, which may not be what your users want.
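A pre-check for the caveat above, as an added example that is not part of cPanel or the plugin: it lists certificates that look like OV or EV and are close to expiry, so you can review them before enabling the option. It assumes you supply the PEM file paths yourself, treats an organizationName field in the subject as the OV/EV marker (DV certificates identify only the domain), and uses a review window in days that you choose.

```shell
#!/bin/sh
# Added example (not cPanel code): list OV/EV certificates that are close to
# expiry, i.e. the ones AutoSSL could replace with a DV certificate.

# Print "ov-or-ev" when the subject has an organizationName field, "dv" when
# it does not, "unreadable" (exit 2) when the file is not a parsable cert.
cert_validation_level() {
    subject=$(openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null) || {
        echo "unreadable"
        return 2
    }
    # multiline output puts one field per line; organizationalUnitName
    # does not match because of the trailing space in the pattern.
    if printf '%s\n' "$subject" | grep -q '^ *organizationName '; then
        echo "ov-or-ev"
    else
        echo "dv"
    fi
}

# Succeed when the certificate in $1 expires within $2 days.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Usage: at_risk_certs DAYS FILE...
at_risk_certs() {
    days=$1
    shift
    for pem in "$@"; do
        level=$(cert_validation_level "$pem") || {
            echo "skipping unreadable file: $pem" >&2
            continue
        }
        if [ "$level" = "ov-or-ev" ] && cert_expires_within "$pem" "$days"; then
            echo "$pem"
        fi
    done
}

# Run directly as: sh check_certs.sh 30 /path/to/cert1.pem /path/to/cert2.pem
# (30 is an assumed review window, not a value taken from AutoSSL.)
if [ "$#" -ge 2 ]; then
    at_risk_certs "$@"
fi
```

Any path the script prints belongs to a certificate whose owner should decide whether a DV replacement is acceptable before the option is switched on.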
Finally, under the Manage Users tab, you can configure which cPanel users benefit from AutoSSL.
Here you can enable or disable AutoSSL for individual cPanel users, and reset to the default configured in the Feature List Settings. AutoSSL is turned on for all users by default, but you can change that in the Feature Manager, which you can find under Packages in the WHM sidebar menu.
Premium SSL Certificate Options in cPanel
AutoSSL is an incredibly low-maintenance system for providing domain-validated certificates to your users, but domain validation isn’t suitable for many sites. Owners of business sites, web applications, and ecommerce stores may prefer organization and extended validation certificates.
Sectigo is one of the world’s largest and most well-respected CAs. It offers a wide range of OV and EV SSL certificates, including multi-domain and wildcard SSL certificates, all of which are straightforward to install with cPanel’s SSL/TLS interface.
Before we introduced AutoSSL in cPanel, SSL certificate installation and unexpected certificate expiry were among the most common causes of frustrating issues for web hosts and their clients. Today, every cPanel user benefits from hassle-free DV certificates from Sectigo or Let’s Encrypt.
As always, if you have any feedback or comments, please let us know. We are here to help in the best ways we can. You’ll find us on Discord, the cPanel forums, and Reddit.