Managing and installing SSL certificates within cPanel & WHM has become exceptionally straightforward. Thanks to AutoSSL and integrations like the cPanel Let’s Encrypt™ plugin, certificate requests and installations are fully automated. This automation significantly reduces the time web hosting providers spend on SSL management and dramatically cuts down on support requests typically associated with certificate issues. While AutoSSL comes with a robust default certificate provider chosen for its reliability, usability, and ample domain and rate limits, cPanel also offers the flexibility to switch providers. In this comprehensive guide, we will walk you through the process of configuring AutoSSL to utilize Let’s Encrypt™, a renowned certificate authority that provides free SSL certificates valid for ninety days.

Understanding SSL Certificates

An SSL (Secure Sockets Layer) certificate is a digital file that plays a crucial role in verifying a server's identity and encrypting data transmitted over the internet. Its primary function is to secure HTTPS connections, upgrading the standard HTTP protocol with essential identity verification and robust encryption. When a padlock icon appears in your browser's address bar, it signifies that the website's domain is protected by an SSL certificate trusted by your browser, and that all communication between your browser and the server is encrypted, safeguarding sensitive information.

You might wonder how a browser determines the trustworthiness of a certificate, especially since anyone can technically generate their own using tools like OpenSSL or cPanel’s SSL management interface. This is precisely where Certificate Authorities (CAs) become indispensable. A CA is a trusted third party responsible for verifying that an individual or organization legitimately controls a specific domain. Once verified, the CA digitally signs the certificate. When a browser encounters a certificate bearing a recognized CA's signature, it establishes trust with the connected server.

While all SSL certificates function on the same fundamental principles, a key differentiating factor, often influencing their cost, is the level of scrutiny and verification a CA applies during the issuance process for various organizations.

Types of SSL Certificates: Domain, Organization, and Extended Validation

  • Domain-validation (DV): These certificates require the applicant to demonstrate control over the domain, typically by methods such as uploading a specific file to the server or adding a unique DNS record. DV certificates are the most common and are often offered for free, providing essential encryption and trust for personal blogs or informational sites.
  • Organization-validation (OV): To obtain an OV certificate, applicants must prove both domain ownership and that they are a legally registered business entity. This additional layer of verification makes OV certificates suitable for businesses that need to assure their visitors of their legitimate operational status.
  • Extended-validation (EV): EV certificates involve the most rigorous verification process. The applicant must prove domain ownership, confirm their status as a legally registered business, and undergo an extensive investigation and authentication by the CA. EV certificates are the most expensive due to this thorough vetting, providing the highest level of trust and security assurance, often displayed prominently in browsers.

As anticipated, Extended Validation (EV) certificates incur the highest cost due to the extensive time and effort required for their issuance. Organization Validation (OV) certificates are moderately priced, while Domain Validation (DV) certificates are frequently available at no cost. For further insights and to help you determine the best SSL option for your specific needs, we recommend exploring our detailed blog post: Which SSL is right for me?

Integrating Let's Encrypt with cPanel's AutoSSL

Let’s Encrypt stands out as a leading Certificate Authority, specifically known for providing free Domain Validated (DV) SSL certificates. This organization was a pioneer in the realm of free SSL, developing groundbreaking infrastructure and software that fully automates the SSL certificate request and installation process, making website security accessible to everyone. Today, many CAs, including cPanel's trusted partner Sectigo (the default SSL provider in cPanel’s AutoSSL feature), offer free DV certificates. However, if you prefer to utilize Let’s Encrypt, the process of switching providers is remarkably simple.

Installing the cPanel Let’s Encrypt Plugin

To leverage Let’s Encrypt within AutoSSL, the initial step involves installing the dedicated cPanel Let’s Encrypt plugin. Begin by logging into your server as the root user via SSH and execute the following command:

/scripts/install_lets_encrypt_autossl_provider

This script will seamlessly install the plugin along with any necessary dependencies. Should you decide to revert or no longer require the plugin, it can be easily uninstalled by running the following command as root:

/scripts/uninstall_lets_encrypt_autossl_provider

Configuring Let's Encrypt as Your AutoSSL Provider in WHM

Once the plugin is installed, the next step is to activate Let’s Encrypt as your preferred AutoSSL provider within WHM. Follow these detailed instructions:

  1. Navigate to the Manage AutoSSL page within WHM. You can locate this option under the SSL/TLS section in the sidebar menu.
  2. On the Manage AutoSSL page, select Let’s Encrypt from the list of available AutoSSL Providers.
  3. Before proceeding, you will be prompted to agree to Let’s Encrypt’s terms of service. You may also notice an option to “Recreate my current registration with Let’s Encrypt.” This option is typically only necessary if your existing Let's Encrypt license has expired or become corrupted, so it is generally not required for a new setup.
  4. Click Save to confirm your selection. cPanel will now be configured to use Let’s Encrypt. Moving forward, AutoSSL will automatically use Let’s Encrypt to issue certificates whenever a replacement is needed.
  5. (Optional) Immediately replace existing certificates: If you wish to replace your server’s current SSL certificates with new ones from Let’s Encrypt without waiting for their natural expiry, you can manually remove the old certificates. Go to Manage SSL Hosts, found under SSL/TLS in the sidebar menu, and delete the relevant certificates. Please be aware that removing certificates will temporarily render their associated websites insecure (not accessible via HTTPS) until new certificates are installed.
  6. After removing old certificates (if applicable), return to the Manage AutoSSL interface and click Run AutoSSL For All Users. cPanel will then proceed to regenerate all removed certificates, obtaining replacements from the newly configured Let’s Encrypt provider.

Advanced Management of Let's Encrypt Certificates in cPanel

AutoSSL represents a significant leap forward in SSL certificate management, largely due to its automated nature. The intricate processes of interacting with Certificate Authorities, deploying validation tokens, and installing certificates are all handled seamlessly without requiring direct user intervention. However, the cPanel Let’s Encrypt plugin does offer several customizable configurations that administrators may wish to adjust to suit specific operational needs.

Customizing AutoSSL Options and Notifications

These advanced options can be accessed under the Options tab within the Manage AutoSSL interface. Here, you have the flexibility to configure various notification settings for both users and administrators. This includes alerts for critical AutoSSL events such as certificate request failures, renewal issues, or any other pertinent problems, ensuring you stay informed about the status of your SSL certificates.

Further down the page, you will find the “Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates” setting.

Activating this option grants AutoSSL permission to replace certificates that were not originally issued or managed by AutoSSL. This feature can be particularly useful for transitioning users who have previously obtained their certificates from a different Certificate Authority. However, it's crucial to be aware that enabling this will replace any expiring Organization Validation (OV) or Extended Validation (EV) certificates with a Domain Validation (DV) certificate from Let's Encrypt. This might not align with the security requirements or preferences of users who specifically chose OV or EV certificates for higher levels of validation.
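
Before enabling this option, an administrator can check which installed certificates are OV or EV and would therefore be downgraded. The script below is an added example, not cPanel's own code: it classifies a certificate from its openssl text dump using the CA/Browser Forum policy OIDs. The function names, the constructed sample dumps and the PEM paths given on the command line are assumptions.

```shell
#!/bin/sh
# Added example, not cPanel code. CA/Browser Forum policy OIDs:
#   2.23.140.1.1 = EV, 2.23.140.1.2.2 = OV, 2.23.140.1.2.1 = DV
# validation_level reads one certificate's text dump
# (openssl x509 -noout -text) on stdin and prints its validation level.
validation_level() {
    dump=$(cat)
    oids=$(printf '%s\n' "$dump" |
        sed -n 's/^[[:space:]]*Policy:[[:space:]]*\([0-9.]*\).*/\1/p')
    # Strictest level first: a certificate may list several policies.
    for want in 2.23.140.1.1:EV 2.23.140.1.2.2:OV 2.23.140.1.2.1:DV; do
        if printf '%s\n' "$oids" | grep -qxF "${want%%:*}"; then
            echo "${want##*:}"; return 0
        fi
    done
    # No recognised policy OID: an organisation (O=) in the Subject still
    # means the CA verified more than control of the domain.
    if printf '%s\n' "$dump" |
        grep -Eq '^[[:space:]]*Subject:.*(:|,)[[:space:]]*O ?='; then
        echo "OV-or-EV"
    else
        echo "unknown"
    fi
}
# Exit status 0 when replacing this certificate with an AutoSSL (DV)
# certificate would lower its validation level.
would_downgrade() {
    case "$(validation_level)" in
        EV|OV|OV-or-EV) return 0 ;;
        *) return 1 ;;
    esac
}
# Constructed sample dumps, trimmed to the lines the functions read.
sample_ev() { cat <<'EOF'
        Subject: C = US, O = Example Corp, CN = shop.example.com
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.99999.1
                Policy: 2.23.140.1.1
EOF
}
sample_dv() { cat <<'EOF'
        Subject: CN = blog.example.com
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
EOF
}
# Usage: sh this_script.sh cert1.pem cert2.pem ...  (paths are the admin's)
for pem in "$@"; do
    if openssl x509 -in "$pem" -noout -text | would_downgrade; then
        echo "REVIEW: $pem is OV/EV; an AutoSSL replacement would be DV"
    fi
done
```

Certificates flagged by the script are the ones to renew with their original CA before they reach expiry if this option is switched on.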

Managing AutoSSL for Individual Users

Under the Manage Users tab, you can finely control which cPanel users on your system benefit from the AutoSSL feature.

This interface allows you to individually enable or disable AutoSSL for specific cPanel accounts, or to reset their settings to the default configuration defined in the Feature List Settings. By default, AutoSSL is enabled for all users; however, this system-wide default can be modified within the Feature Manager, which is accessible under the Packages section in the WHM sidebar menu.

Exploring Premium SSL Certificate Options in cPanel

While AutoSSL offers an incredibly efficient and low-maintenance solution for providing free Domain Validated (DV) certificates, it's important to recognize that DV validation may not be sufficient for all types of websites. Business websites, complex web applications, and e-commerce stores often require a higher level of trust and verification. For these critical online presences, Organization Validation (OV) and Extended Validation (EV) certificates are frequently preferred due to their enhanced verification processes and the greater assurance they provide to visitors.

For those seeking premium SSL solutions, Sectigo, one of the world's largest and most reputable Certificate Authorities, offers an extensive portfolio. Their offerings include a wide array of OV and EV SSL certificates, alongside specialized options like multi-domain and wildcard SSL certificates. All these advanced certificates can be seamlessly installed and managed using cPanel’s intuitive SSL/TLS interface, ensuring a smooth deployment process for even the most demanding security needs.

The introduction of AutoSSL in cPanel has profoundly transformed the landscape of SSL certificate management. Prior to its implementation, issues related to SSL certificate installation and unexpected certificate expirations were frequent sources of frustration for both web hosts and their clients. Now, every cPanel user enjoys the significant advantage of hassle-free DV certificates, whether provided by Sectigo as the default or by Let’s Encrypt, significantly streamlining web security for millions of websites worldwide.

Conclusion

The integration of Let’s Encrypt within cPanel’s AutoSSL feature provides a powerful and convenient way to secure your websites with free, automated SSL certificates. By following the steps outlined in this guide, you can confidently install the Let’s Encrypt plugin, configure it as your AutoSSL provider, and manage your certificates with ease. This automation not only enhances website security but also streamlines administrative tasks, allowing you to focus on other important aspects of your online presence. Whether you opt for the automated efficiency of Let’s Encrypt or require the enhanced validation of premium OV/EV certificates, cPanel provides all the tools necessary for comprehensive SSL management.

We are always eager to hear your thoughts and feedback. Should you have any comments or require further assistance, please do not hesitate to reach out. You can connect with us on Discord, the cPanel forums, and Reddit.
