First, go to cPanel's SSL/TLS, Private Keys, View. Note the ID of your TLS key; copy it to your clipboard or something. (Be careful not to grab any extraneous spaces or anything; triple-clicking to select the whole line did work for me, but just be sure you're paying attention.)

Then, go to cPanel's Terminal and execute the following commands:

  • mkdir -p ~/virtualenv
  • /opt/alt/python37/bin/python3 -m venv ~/virtualenv/simp_le
  • bash
    • . ~/virtualenv/simp_le/bin/activate
    • pip install simp-le-client
    • mkdir -v ~/ssl/simp_le
    • pushd ~/ssl/simp_le
      • read -r -p "Paste the TLS key ID you copied earlier: " tls_key_id
      • ln -vsf "../keys/${tls_key_id}.key" key.pem
      • printf '\n' > newline.txt
      • exit
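
The warning above about stray spaces in the pasted key ID can be enforced by the shell instead of by eye. The function below is an added example, not part of the original post: a hypothetical `link_tls_key` that could stand in for the `read`/`ln` steps. It assumes key IDs consist only of letters, digits and underscores, and that keys live under `~/ssl/keys` as in the commands above.

```shell
#!/bin/sh
# Added example: validate a pasted cPanel key ID before linking it as key.pem.
# Assumption: key IDs contain only letters, digits and underscores.

# link_tls_key RAW_ID [SSL_DIR]
# Returns 0 on success, 1 for a malformed ID, 2 if the key file is missing,
# 3 if the key file is accessible to group or others.
link_tls_key() {
	raw_id=$1
	ssl_dir=${2:-$HOME/ssl}
	# Trim leading/trailing whitespace that a triple-click selection picks up.
	key_id=$(printf '%s' "$raw_id" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
	# Reject empty IDs and anything that could alter the path (/, ., spaces).
	case $key_id in
		''|*[!A-Za-z0-9_]*)
			echo "refusing key ID with unexpected characters" >&2
			return 1 ;;
	esac
	key="$ssl_dir/keys/$key_id.key"
	# Require a regular file that is not itself a symlink.
	if [ ! -f "$key" ] || [ -L "$key" ]; then
		echo "no regular key file at $key" >&2
		return 2
	fi
	# Characters 5-10 of the ls mode string are the group and other bits.
	mode=$(ls -ld "$key" | cut -c5-10)
	if [ "$mode" != "------" ]; then
		echo "$key is accessible to group/others ($mode)" >&2
		return 3
	fi
	mkdir -p "$ssl_dir/simp_le" || return 2
	# Relative target, matching the original ln command.
	ln -sf "../keys/$key_id.key" "$ssl_dir/simp_le/key.pem"
}
```

Call it as `link_tls_key "$tls_key_id"` after the `read`; a non-zero return means `key.pem` was not touched.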

Then, create a new file, ~/ssl/renew.sh, with the following contents (you can either use nano or vi directly from the Terminal, or go out to the file manager to do this):

#!/bin/sh
#	~/ssl/renew.sh
# https://www.ishygddt.xyz/~blog/2021/01/namecheap-lets-encrypt
. ~/virtualenv/simp_le/bin/activate
cd "${workdir=$HOME/ssl/simp_le}"
logfile="$(date -u +'%Y%m%d%H%M%S').log"
# https://github.com/zenhack/simp_le
simp_le ${acme_endpoint+--server "${acme_endpoint}"}\
	--email "${email-${USER}@${HOSTNAME}}"\
	--default_root "${default_root=$HOME/public_html}"\
	-f account_key.json\
	-f account_reg.json\
	-f key.pem --reuse_key\
	-f cert.pem\
	-f chain.pem\
	"${@}" 2>> "$logfile"
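# simp_le exits 0 when a certificate was created or renewed, 1 when no renewal was needed, 2 on error
s=$? #TODO refactor with https://unix.stackexchange.com/a/178541/26420
if [ "$s" -eq 1 ] ; then exit 0 ; fi # Renewal not needed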

cat "$logfile" 1>&2
cat chain.pem newline.txt
exit $s

Add something like the following crontab entry (note that specifying the e-mail is optional; if you leave it unset, it'll use your Namecheap cPanel user system account's, which is deliverable):

0 0 1 * * email='ssladmin@example.com' sh $HOME/ssl/renew.sh -d example.com -d www.example.com -d static.example.com:$HOME/static --valid_min 3000000

However, that said, I'll be leaving them at some point due to this lack of proper support for third-party SSL providers.

They told one user (who was unsubscribing over this very issue) that they “truly believe purchased SSL is a better choice in most cases”, and deleted a comment from another user on their support page pointing out that it would cost the whole organization just $150 for the official cPanel plugin to add support for arbitrary SSL certificates for their many, many users (or could be done with an unofficial plugin for $30).
