First, go to cPanel's SSL/TLS, Private Keys, View. Note the ID of your TLS key; copy it to your clipboard or something. (Be careful not to grab any extraneous spaces or anything; triple-clicking to select the whole line did work for me, but just be sure you're paying attention.)

Then, go to cPanel's Terminal and execute the following commands:

  • mkdir -p ~/virtualenv
  • /opt/alt/python37/bin/python3 -m venv ~/virtualenv/simp_le
  • bash
    • . ~/virtualenv/simp_le/bin/activate
    • pip install simp-le-client
    • mkdir -v ~/ssl/simp_le
    • pushd ~/ssl/simp_le
      • read -p "Paste the TLS key ID you copied earlier: " tls_key_id
      • ln -vsf ../keys/${tls_key_id}.key key.pem
      • printf '\n' > newline.txt
      • exit

Then, edit a new file (you can either use nano or vi directly from the Terminal, or go out to the file manager to do this):

#!/bin/sh
#	~/ssl/renew.sh
# http://www.ishygddt.xyz/~blog/2021/01/namecheap-lets-encrypt
. ~/virtualenv/simp_le/bin/activate
cd "${workdir=$HOME/ssl/simp_le}"
logfile="$(date -u +'%Y%m%d%H%M%S').log"
# https://github.com/zenhack/simp_le
simp_le ${acme_endpoint+--server "${acme_endpoint}"}\
	--email "${email-${USER}@${HOSTNAME}}"\
	--default_root "${default_root=$HOME/public_html}"\
	-f account_key.json\
	-f account_reg.json\
	-f key.pem --reuse_key\
	-f cert.pem\
	-f chain.pem\
	"${@}" 2>> "$logfile"
s=$? #TODO refactor with https://unix.stackexchange.com/a/178541/26420
if [ $s -eq 1 ] ; then exit 0 ; fi # Renewal not needed

cat "$logfile" 1>&2
cat chain.pem newline.txt
exit $s

Add something like the following crontab entry (note that specifying the e-mail is optional; if you leave it unset, it'll use your Namecheap cPanel user system account's, which is deliverable):

0 	0 	0 	* 	* 	email='ssladmin@example.com' sh $HOME/ssl/renew.sh -d example.com -d www.example.com -d static.example.com:$HOME/static --valid_min 3000000

However, that said, I'll be leaving them at some point due to this lack of proper support for third-party SSL providers.

They told one user (who was unsubscribing over this very issue) that they “truly believe purchased SSL is a better choice in most cases”, and deleted a comment from another user on their support page pointing out that it would cost the whole organization just $150 for the official cPanel plugin to add support for arbitrary SSL certificates for their many, many users (or could be done with an unofficial plugin for $30).

Leave a Reply

Your email address will not be published.

Warning: This site uses Akismet to filter spam. Until or unless I can find a suitable replacement anti-spam solution, this means that (per their indemnification document) all commenters' IP addresses will be sent to Automattic, Inc., who may choose to share such with 3rd parties.
If this is unacceptable to you, I highly recommend using an anonymous proxy or public Wi-Fi connection when commenting.