Let’s Encrypt SSL Certificate on GoDaddy Shared cPanel Hosting

Updated March 8, 2018     53 Comments
Originally posted April 13, 2016

Hosting Issues

These are the steps to create and install a Let’s Encrypt SSL certificate on your GoDaddy shared hosting account. While these steps have been tested on Godaddy shared cPanel hosting, they should work for any shared hosting company that has cPanel. This doesn’t work with GoDaddy’s classic web hosting because it doesn’t have cPanel.

This is how to get a Let’s Encrypt SSL certificate in manual mode. Manual mode is the way you have to do it with shared hosting (if your shared host is still not providing an easy or automated way to add Let’s Encrypt certificates to your hosting acccount). Manual mode means that you are creating the certificate on your own local computer, and then uploading the certificate to your hosting account.

These steps show you how to also add the SSL certificate on multiple “Addon Domains.” Let’s Encrypt lets you create a “Multi-domain” certificate, also known as a “UC” or “UCC” certificate. This works on GoDaddy shared cPanel hosting to cover all of your sites and subdomains on that account.

These steps assume that:

  • Your local computer has a UNIX-like operating system (e.g. Mac, Ubuntu etc). If you’re local computer is Windows, these steps will not work.
  • You’re working from a command line terminal.
  • You have SSH access to the hosting account. (You can enable SSH access in your GoDaddy cPanel, under “Security,” click SSH Access.)

Part 1: Get the certbot Client

  1. Install certbot on your local machine: 
    wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

Part 2: Create the Multi-Domain SSL Certificate

  1. Initiate the SSL certificate creation process: 
    ./certbot-auto certonly --manual
  2. Next, it will ask you to type all of your domains which you want covered by the SSL certificate. Separate domains by a comma. Be sure to include both your www domain and your non-www one. For example, type:

    yoursite.com,www.yoursite.com

    or, for more domains:

    yoursite.com,www.yoursite.com,othersite.com,www.othersite.com

    also, add any subdomains:

    subdomain.yoursite.com,blog.yoursite.com

  3. You will get this message: 
    NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o:

    Answer “Yes” to this message by typing Y and pressing Enter. Leave this terminal window open (we’ll call this Terminal 1).

  4. At this point, open a separate terminal window (we’ll call this Terminal 2).
  5. In Terminal 2, make an SSH connection to your hosting account. In the line below, replace YOUR_USERNAME with your cPanel user name. If you don’t know your cPanel user name, look in your cPanel, under the “Files” section. Click “FTP Accounts.” The “Log In” name is the user name. Also, replace “yoursite.com” with your own site: 
    ssh YOUR_USERNAME@yoursite.com
  6. For the next several steps, you’re going to be switching between the 2 terminals.

    The Following Steps in Part 2 (steps 7 — 12) Will Have To Be Repeated For Each Domain and/or Subdomain.

  7. Back in Terminal 1, you should have a message like this: 
    -------------------------------------------------------------------------------
Create a file containing just this data:

ELG_aAEG4FS2ZDJpxaCfXLGjQh4E3U0P-IVO_Qok5e0.zlInmCy7UgqfujZl9OUluaOC86_5PUZRhOstad8xd9o

And make it available on your web server at this URL:

http://yoursite.com/.well-known/acme-challenge/ELG_aAEG4FS2ZDJpxaCfXLGjQh4E3U0P-IVO_Qok5e0

-------------------------------------------------------------------------------
Press Enter to Continue
  8. From your own terminal, copy the part of line 8, beginning with .well-known, to the end of that line (it’s line 8 in the sample above–however copy it from your own terminal 1, not from above). DO NOT COPY with CTRL + C inside the terminal. Highlight, then right-click, then select “Copy.” Be careful not to press ENTER at this point.
  9. Back in terminal 2, navigate to the root directory of the site which the first terminal is referencing. Look back at the message in the first terminal, line 8 where it shows the site in reference (this is necessary if you have multiple “addon” domains.)
  10. In Terminal 2, in your site’s root directory, make the required directories, “.well-known” and “acme-challenge” like this: 
    mkdir -p .well-known/acme-challenge
  11. Still in Terminal 2, create the required file like this. In the terminal, type vi and then paste the line which you copied in step 8. (You should be able to paste with CTRL + Shift + V .) Then press Enter. This will open a new file in your terminal. Go back to Terminal 1, copy the entire line 4. (DO NOT COPY with CTRL + C inside the terminal. Highlight, then right-click, then select “Copy.” Be careful not to press ENTER at this point.) Come back to terminal 2 and paste that data. To save this new file to your server in terminal 2, press the Esc key. Then type, :wq and press Enter.

    At this point, if you want to confirm that this step has worked, then open a web browser window. Go to the page on your website that is given by the URL address in terminal 1, line 8.

    On that web page, you should see a long line of letters and numbers. This should be exactly the same as what is shown in terminal 1 on line 4.

    If this is correct, you can proceed.

  12. Go back to the first terminal. It should still say at the bottom, “Press Enter to Continue.” Now you can press Enter.
  13. It will walk you through repeating these steps (7 — 12) for each domain and subdomain that you listed for the certificate.
  14. After repeating the above steps for all of your domains, you should finally get a message like this:

    IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/yoursite.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/yoursite.com/privkey.pem
   Your cert will expire on 2018-**-**. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:
 
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

    Copy the 2 file paths since you will need them below. In this example, the 2 file paths are:

    /etc/letsencrypt/live/yoursite.com/fullchain.pem

    and

    /etc/letsencrypt/live/yoursite.com/privkey.pem

  15. You can now remove the .well-known directory that was created on each site. To do this, go back to Terminal 2, and enter this in the root folder for each site: 
     rm -rf .well-known

    You can now exit Terminal 2.

Part 3: Install The SSL Certificate in Your GoDaddy cPanel Hosting Account

  1. Log in to your GoDaddy cPanel shared hosting account. In the Security section, click SSL/TLS. Under Certificates (CRT), click “Generate, view, upload, or delete SSL certificates.”
  2. Scroll down to where it says, “Upload a New Certificate.”
  3. Back in your Terminal 1, open the fullchain.pem file. You should have noted the path to this file in Step 14 above. Open the file in your local editor, like this (replace “gedit” with your text editor, if needed): 
    gedit /etc/letsencrypt/live/yoursite.com/fullchain.pem
  4. Copy the top half of the file (only the first certificate). Copy from the first “—–BEGIN CERTIFICATE—–” to the end of the first certificate, “—–END CERTIFICATE—–

     

    Once you’ve copied it, close the file.

  5. Take what you copied and paste it under “Upload a New Certificate”, where it says, “Paste the certificate into the following text box:”
  6. Type a description and click “Save Certificate.”
  7. Click “Go Back,” and then click “Return to SSL Manager” at the very bottom of page.
  8. Under “Install and Manage SSL for your site (HTTPS),” click “Manage SSL sites.”
  9. Under “Install an SSL Website,” select your first domain. Click “Autofill by Domain” and the certificate should populate in the first box. (All 3 boxes may be automatically populated.)
  10. If the “Private Key (KEY)” field is not filled in: go back to your terminal, open the file privkey.pem (replace “gedit” with your editor, as needed, and also edit the path to the file to match what you copied in Step 14 above): 
    gedit /etc/letsencrypt/live/yoursite.com/privkey.pem

    Copy ALL of it, then close the file.

    Back in your hosting account, paste it into the Private Key (KEY) text box.

  11. If the “Certificate Authority Bundle” is not filled in: go back to your terminal, open the fullchain.pem file again to copy the BOTTOM half: 
    gedit /etc/letsencrypt/live/yoursite.com/fullchain.pem

    So, copy from the SECOND “—–BEGIN CERTIFICATE—–” to the end of the file: “—–END CERTIFICATE—–“.

    After you copy it, close the file.

    Paste it into the Certificate Authority Bundle: (CABUNDLE) text box.

  12. Click “Install Certificate.”

    If it’s successful, you should get a response message like this:

    SSL Host Successfully Installed
    You have successfully configured SSL.
    The SSL website is now active and accessible via HTTPS on this domain:
    yoursite.com

  13. Click “OK” to close the success message.
  14. If you created this certificate for more than one domain, then under “Install an SSL Website”, select your next domain that the certificate is for. However, if this certificate is only for one domain, then skip down to step 19.
  15. Click “Autofill by Domain.” All three boxes should automatically populate.
  16. If the “Certificate Authority Bundle” is not filled in: go back to your terminal and copy the SECOND part of fullchain.pem, just like you did above (in step 11), and paste it into the Certificate Authority Bundle: (CABUNDLE) text box.
  17. Click “Install Certificate.” You should get a success message.
  18. Click “OK” to close the success message. Repeat these last few steps (steps 14 — 18) for any other domains that you added to the certificate.
  19. After a few minutes, you can confirm that the certificate is working by using this SSL Checker.

To renew the SSL certificate, see this: Manual Renew Let’s Encrypt SSL Certificate on GoDaddy Shared cPanel Hosting.

↑ Top

See more: ,

We've 53 Responses

  1. April 14th, 2016 at 10:32 am

    This is really great, except that you need to repeat the process every 90 days manually.

    I was able to script the entire certificate generation part, but haven’t been able to figure out how to replace the certificates on the server via ssh. Do you have any insight on how that part works?

    I tried creating the initial certificates using the web interface, and then subsequently replacing the cert files with new ones, but the site still uses the original certs uploaded from the web interface.

    Reply
    Brent

  2. April 28th, 2016 at 5:52 am

    I wonder if you can write a guide on how to set up Let’s Encrypt with the free version of Cloudflare.. I know it’s possible but it’s not easy.

    Reply
    Fabio

  3. June 27th, 2016 at 3:48 am

    Thank you so much for the guide! Much appreciated.
    Even a beginner like me (my first website and my first certificate) could easily follow the steps you mentioned.

    Reply
    Akshay

  4. August 5th, 2016 at 5:25 am

    Great work Isabel and thanks. Set it up successfully using Ubuntu to generate the cert and uploading this via Windows using cpanel over the web.

    Reply
    Jonas

  7. December 14th, 2016 at 12:08 pm

    Thanks for the quick reply. I did this last night and it seemed to go well but the site seems to still be using the self signed cert. I guess I’ll contact godaddy.

    Reply
    Jason

  8. December 14th, 2016 at 1:24 pm

    Just for follow up, I spoke with GoDaddy and they said that I have to generate the CSR from within cpanel in order to get this to work. I’m not quite sure on the steps needed to do that with Lets Encrypt.

    Reply
    Jason

  9. December 22nd, 2016 at 12:06 am

    Godaddy do not give sudo permissions … so im not sure how it work for you.

    im stuck in 2nd point: 🙁
    ./certbot-auto certonly –manual
    “sudo” is not available, will use “su” for installation steps…
    Sorry, I don’t know how to bootstrap Certbot on your operating system!

    You will need to bootstrap, configure virtualenv, and run pip install manually.
    Please see https://letsencrypt.readthedocs.org/en/latest/contributing.html#prerequisites
    for more info.

    Reply
    gabay

    • December 22nd, 2016 at 1:05 pm

      Hi. This step (./certbot-auto certonly --manual) is done on your local machine, not while connected to your GoDaddy hosting account. You should be able to do this right after Part 1. GoDaddy has nothing to do with this step. You don’t connect to GoDaddy until Part 2, Step 7. Hope that helps.

      Reply
      Isabel

  11. December 30th, 2016 at 5:16 pm

    Hello Everyone,
    I am able to generate the fullchain.pem file successfully but when I try to paste the first off of the content to GoDaddy, GoDaddy complains that it is not a valid cert.

    1. Then, I tried uploading the cert.pem file and it got uploaded successfully.

    2. I installed SSL. I clicked on “Autofill” and the private key which GoDaddy inserted doesn’t match with what I have in privkey.pem but still I went ahead with this autofill (CA bundle is blank)

    3. I get the successful message (Point number 11) . But, guess my domain is still not working with https : https://www.assignmenthelpdesk.com/

    4. Also, when I try to manually copy paste the private key, the GoDaddy complains that “it is not a valid key”

    Any help will be highly grateful. I have been struggling with this since a long time. Please help.

    Reply
    Deepak

  13. January 11th, 2017 at 3:20 am

    Awesome guide! BTW, if you are using wordpress you can use this plugin to generate the certs https://wordpress.org/plugins/wp-encrypt/

    then you just need to ftp to your file server, download the keys, and paste them into the cpanel ssl section. Super easy.

    What I’m looking for is a way to auto renew / upload them? That plugin has auto renew but not sure if I’ll have to reupload to cpanel. Guess I’ll cross that bridge soon enough.

    Reply
    Jeff

  15. January 21st, 2017 at 11:21 am

    Hi, great tutorial. I’m at Part 2 #13, where I have to verify that files exist on my local machine in /etc/letsencrypt/live. I’m getting a Permission denied error when I try to navigate to that location using console. So, I used finder to navigate to the folder. The “live” folder has a red minus icon and again I get a message saying I don’t have permissions to open it. Additionally, it has no sub folders and the size of the folder reads “Zero bytes”, as do all of the other sub folders in the “letsencrypt” folder that contain a red minus icon. There are however, a couple of .conf files in the “renewal” folder relating to my domain names. Not sure what the problem is. Any help would be great, thank you.

    Reply
    Uncle Slug

  17. January 23rd, 2017 at 10:22 pm

    Does anyone know whether using an LE certificate is possible on a GoDaddy Windows Shared Hosting account (“Ultimate Windows Hosting with Plesk”)?

    Naturally one would expect the steps to be different, but you can certainly use LE with IIS if you manage the server yourself.

    Reply
    Michael

    • April 5th, 2017 at 3:36 pm

      Update: I got it working with a modified version of [LEScript](https://github.com/analogic/lescript). I had to make a few small changes to get OpenSSL working correctly on GoDaddy’s Windows hosting. Changes included adding “openssl.cnf”. The script generates some PEM files. To install them, you simply go into Plesk, select “Secure Your Sites”, then click “Add SSL Certificate”. The files it wants are “private.pem”, “cert.pem”, and “lets-encrypt-x3-cross-signed.pem”. You then go into “Hosting Settings” and select the certificate.

              public $config = array(
            "private_key_type" => OPENSSL_KEYTYPE_RSA,
            "private_key_bits" => 4096,
            "config" => "G:/PleskVhosts/mydomain.com/openssl.cnf"
        );
        // ... then later:
        $res = openssl_pkey_new($config);
        openssl_pkey_export($res, $privateKey, NULL, $config);
      Reply
      Michael

  18. February 1st, 2017 at 12:07 pm

    HAVE ERROR Is there any solution! Has anyone found a solution?

    I tried following your steps but I got the below error after Part 2, 

    ./certbot-auto certonly –manual

“sudo” is not available, will use “su” for installation steps…
Sorry, I don’t know how to bootstrap Certbot on your operating system!

You will need to bootstrap, configure virtualenv, and run pip install manually.
Please see https://letsencrypt.readthedocs.org/en/latest/contributing.html#prerequisites
for more info.
    Reply
    Martin

  19. February 9th, 2017 at 10:46 pm

    I failed miserably 🙁

    After pasting the code from Step #4, I received this error:
    socket.error: [Errno 13] Permission denied

    To try to resolve this, I thought I’d change the permissions for the /usr folder, but I quickly came to the conclusion that I do not have access to change the permissions to that folder.

    If anyone can point me in the right direction, please let me know, and thank you! Also, thanks @Isabel for this article.

    Reply
    Aaron

  22. March 28th, 2017 at 2:07 pm

    hello thanks for the guide.

    i have already added my domain with ssl. now i have a sub domain. and i am not able to verify the file at step 12.

    can any one guide me please.

    Reply
    Jigar Lodaya

    • April 1st, 2017 at 12:59 pm

      I added a troubleshooting step in Part 2, step 10, that should help pinpoint the problem. It helps you confirm that the domain is accessible.

      Reply
      Isabel

  23. April 8th, 2017 at 10:57 am

    Thanks for this information; I easily followed the instructions using on my linux systems to create the cert, and my godaddy site is now using https.

    Reply
    Rick Hale

  27. July 2nd, 2017 at 2:22 am

    Great Post !!
    Loved it. But I used ftp to login then I opened it in terminal I use Ubuntu 16.04 and then I performed mdkir ….. . Great worked for me too. Thanks Isabel Castillo

    Reply
    Kuldeep Pisda

  29. August 17th, 2017 at 9:03 am

    Hi Isabel,

    Thank you for a very clear guide. However, I would like to suggest some amendments for Mac users.

    First, you start by assuming that the OS can use wget. This is not installed by default on Mac OS. To install it is a bit complex but I managed it only to get a message saying it had been deprecated! It referred me to the certbot site which explained that it now needs to be installed with Homebrew using the command ” brew install certbot”.

    When it was installed, I could only open some of the folders as they were protected so had to use info and unlock the data to add myself as a read only user and replicate it throughout the directory tree (I could have done this through the terminal but chose not to at the time).

    The next problem is that gedit also doesn’t exist on the Mac! I tried vi but it would not let me copy and paste correctly. So I used the installed text editor but of course it cannot navigate to /etc/.

    So I had to copy the entire folder to a readable area (I chose my downloads file) and then, at last, I could open the certificates.

    All is now installed and working, thanks.

    You might want to update the tutorial (as I am sure it will become increasingly popular) to reflect these Mac anomalies.

    I will run through your renewal tutorial in 89 days (well, 74 probably) and see if it also needs any Mac based changes.

    Finally, have you done a tutorial for adding domains to the existing certificate for idiots like me that forgot to add the www. alternatives when initially generating the certificate?

    Geoff

    Reply
    Geoff Jankowski

    • August 17th, 2017 at 9:13 am

      BTW I forgot to mention that the command I had to use was;

      sudo certbot certonly –manual

      Might also be worth highlighting that the certificate details are NOT THE SAME as the file name that has to be used. Only the first part of the certificate ID needs to be used for the filename.

      Geoff

      Geoff

      Reply
      Geoff Jankowski

  30. August 22nd, 2017 at 10:42 pm

    What happened to the printf from the older versions of certbot? That made creating the file super easy and quick. When one has 20+ subdomains to secure, this new process will take forever.

    Reply
    Kratos

  31. September 27th, 2017 at 2:43 pm

    Godaddy is the worst host. Any real host has this all automated, including the renewal, and you don’t have to do anything at all. You just start using https:// and it works. I hate Godaddy hosting.

    Reply
    Chun Borque

  33. November 2nd, 2017 at 11:39 am

    Good news everyone!

    We are on shared hosting through godaddy. For us, updating the SSL certificate manually was not an option.

    I was able to make our godaddy shared hosting server generate the SSL cert. This means the server should be able to automatically renew the SSL certs using a Cron Job. This was just successfully configured 10/31/2017, so I haven’t had 3 months to verify the Cron Job works properly. If it does not work, I promise I will update. I don’t like to give bad information.

    In the mean time, I hope this helps everyone!

    https://www.hostinger.com/tutorials/ssl/how-to-install-free-ssl-from-lets-encypt-on-shared-hosting

    https://supertechx-ray.com/QuoteRequest/quoteform.php
    You can verify the SSL cert works here. I made sure that page had the green padlock first because of user input. I am currently going through our site to get rid of all references to http to make sure the entire site has the green padlock.

    https://www.whynopadlock.com/
    I found that a valuable resource when trying to find where I may have overlooked something

    Again guys, I hope this helps everyone.

    Have a great day all!

    Reply
    matt

  36. November 13th, 2018 at 12:08 pm

    This doesn’t work for mac.

    WARNING: certbot-auto support for this macOS is DEPRECATED!
    Please visit certbot.eff.org to learn how to download a version of
    Certbot that is packaged for your system. While an existing version
    of certbot-auto may work currently, we have stopped supporting updating
    system packages for your system. Please switch to a packaged version
    as soon as possible.

    Reply
    Simar

Questions and Comments are Welcome

Your email address will not be published. All comments will be moderated.

Please wrap code in "code" bracket tags like this:

[code]

YOUR CODE HERE 

[/code]