Let’s Encrypt SSL Certificate on GoDaddy Shared cPanel Hosting

These are the steps to create and install a Let’s Encrypt SSL certificate on your GoDaddy shared hosting account. While these steps have been tested on GoDaddy shared cPanel hosting, they should work for any shared hosting company that has cPanel. This doesn’t work with GoDaddy’s classic web hosting because it doesn’t have cPanel.

This is how to get a Let’s Encrypt SSL certificate in manual mode. Manual mode is the way you have to do it with shared hosting (if your shared host is still not providing an easy or automated way to add Let’s Encrypt certificates to your hosting account). Manual mode means that you are creating the certificate on your own local computer, and then uploading the certificate to your hosting account.

These steps show you how to also add the SSL certificate on multiple “Addon Domains.” Let’s Encrypt lets you create a “Multi-domain” certificate, also known as a “UC” or “UCC” certificate. This works on GoDaddy shared cPanel hosting to cover all of your sites and subdomains on that account.

These steps assume that:

  • Your local computer has a UNIX-like operating system (e.g. Mac, Ubuntu etc). If your local computer is Windows, these steps will not work.
  • You’re working from a command line terminal.
  • You have SSH access to the hosting account. (You can enable SSH access in your GoDaddy cPanel, under “Security,” click SSH Access.)

Part 1: Get the certbot Client

  1. Install certbot on your local machine:

    wget https://dl.eff.org/certbot-auto
    chmod a+x certbot-auto
    

Part 2: Create the Multi-Domain SSL Certificate

  1. Initiate the SSL certificate creation process:

    ./certbot-auto certonly --manual

  2. Next, it will ask you to type all of your domains which you want covered by the SSL certificate. Separate domains by a comma. Be sure to include both your www domain and your non-www one. For example, type:

    yoursite.com,www.yoursite.com

    or, for more domains:

    yoursite.com,www.yoursite.com,othersite.com,www.othersite.com

    also, add any subdomains:

    subdomain.yoursite.com,blog.yoursite.com

  3. You will get this message:

    NOTE: The IP of this machine will be publicly logged as having requested this
    certificate. If you're running certbot in manual mode on a machine that is not
    your server, please ensure you're okay with that.
    
    Are you OK with your IP being logged?
    -------------------------------------------------------------------------------
    (Y)es/(N)o:

    Answer “Yes” to this message by typing Y and pressing Enter. Leave this terminal window open (we’ll call this Terminal 1).

  4. At this point, open a separate terminal window (we’ll call this Terminal 2).
  5. In Terminal 2, make an SSH connection to your hosting account. In the line below, replace YOUR_USERNAME with your cPanel user name. If you don’t know your cPanel user name, look in your cPanel, under the “Files” section. Click “FTP Accounts.” The “Log In” name is the user name. Also, replace “yoursite.com” with your own site:

    ssh YOUR_USERNAME@yoursite.com

  6. For the next several steps, you’re going to be switching between the 2 terminals.

    The Following Steps in Part 2 (steps 7 — 12) Will Have To Be Repeated For Each Domain and/or Subdomain.

  7. Back in Terminal 1, you should have a message like this:

    -------------------------------------------------------------------------------
    Create a file containing just this data:
    
    ELG_aAEG4FS2ZDJpxaCfXLGjQh4E3U0P-IVO_Qok5e0.zlInmCy7UgqfujZl9OUluaOC86_5PUZRhOstad8xd9o
    
    And make it available on your web server at this URL:
    
    http://yoursite.com/.well-known/acme-challenge/ELG_aAEG4FS2ZDJpxaCfXLGjQh4E3U0P-IVO_Qok5e0
    
    -------------------------------------------------------------------------------
    Press Enter to Continue
    
  8. In your own Terminal 1, copy the part of line 8 beginning with .well-known, through the end of that line (it is line 8 in the sample above, but copy it from your own Terminal 1, not from the sample). DO NOT COPY with CTRL + C inside the terminal, because CTRL + C there interrupts certbot instead of copying. Highlight, then right-click, then select “Copy.” Be careful not to press ENTER at this point.
  9. Back in terminal 2, navigate to the root directory of the site which the first terminal is referencing. Look back at the message in the first terminal, line 8 where it shows the site in reference (this is necessary if you have multiple “addon” domains.)
  10. In Terminal 2, in your site’s root directory, make the required directories, “.well-known” and “acme-challenge” like this:

    mkdir -p .well-known/acme-challenge

  11. Still in Terminal 2, create the required file like this. In the terminal, type vi and then paste the line which you copied in step 8. (You should be able to paste with CTRL + Shift + V.) Then press Enter. This will open a new file in your terminal. Go back to Terminal 1 and copy the entire line 4. (DO NOT COPY with CTRL + C inside the terminal. Highlight, then right-click, then select “Copy.” Be careful not to press ENTER at this point.) Come back to Terminal 2 and paste that data. To save this new file to your server in Terminal 2, press the Esc key. Then type :wq and press Enter.

    At this point, if you want to confirm that this step has worked, then open a web browser window. Go to the page on your website that is given by the URL address in terminal 1, line 8.

    On that web page, you should see a long line of letters and numbers. This should be exactly the same as what is shown in terminal 1 on line 4.

    If this is correct, you can proceed.

  12. Go back to the first terminal. It should still say at the bottom, “Press Enter to Continue.” Now you can press Enter.
  13. It will walk you through repeating these steps (7 — 12) for each domain and subdomain that you listed for the certificate.

     

    After repeating the above steps for all of your domains, you should finally get a message like this:

    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at
       /etc/letsencrypt/live/yoursite.com/fullchain.pem. Your
       cert will expire on 201*-**-**. To obtain a new or tweaked version
       of this certificate in the future, simply run certbot-auto again.
       To non-interactively renew *all* of your certificates, run
       "certbot-auto renew"
     - If you like Certbot, please consider supporting our work by:
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
    
  14. Check that your 4 certificate files were properly created. In Terminal 1, navigate to your local Let’s Encrypt /live/ directory and make sure there exists a folder for your site:

    cd /etc/letsencrypt/live/
    ls
    

    You should then see a directory named after your site. Navigate into that directory, and then list all the files:

    cd yoursite.com
    ls
    

    You should see 4 files:

    cert.pem  chain.pem  fullchain.pem  privkey.pem
    
  15. You can now remove the .well-known directory that was created on each site. To do this, go back to Terminal 2, and enter this in the root folder for each site:

     rm -rf .well-known 

    You can now exit Terminal 2.
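
Steps 8 to 11 can also be done with one command in Terminal 2 instead of copying into vi. The script below is an added example, not part of the original post; it relies on the file name in the URL being the part of the data line before the first dot, as in the sample message in step 7, and `write_challenge` and `check_served` are names made up here.

```sh
#!/bin/sh
# Added example, not from the original post. Run it in Terminal 2 (the hosting
# account). write_challenge and check_served are hypothetical helper names.

# write_challenge DOCROOT DATA
#   DOCROOT  root directory of the site named in certbot's message
#   DATA     the "Create a file containing just this data" line
write_challenge() {
    docroot=$1
    data=$2

    # The data line is <token>.<thumbprint>; the URL's last segment is <token>.
    case $data in
        *.*) ;;
        *) echo "expected <token>.<thumbprint>" >&2; return 1 ;;
    esac
    token=${data%%.*}
    thumb=${data#*.}

    # Both parts are base64url text. Rejecting anything else stops a mangled
    # paste (spaces, "/", "..") from being used as a file path.
    for part in "$token" "$thumb"; do
        case $part in
            ''|*[!A-Za-z0-9_-]*)
                echo "unexpected characters in challenge data" >&2
                return 1 ;;
        esac
    done

    [ -d "$docroot" ] || { echo "no such directory: $docroot" >&2; return 1; }
    dir=$docroot/.well-known/acme-challenge
    mkdir -p "$dir" || return 1

    # printf writes exactly the data: no extra newline, no editor artifacts.
    printf '%s' "$data" > "$dir/$token" || return 1
    chmod 644 "$dir/$token" || return 1

    # Read the file back and print its path only if the content is intact.
    [ "$(cat "$dir/$token")" = "$data" ] || return 1
    printf '%s\n' "$dir/$token"
}

# check_served DOMAIN DATA
#   Fetches the URL that will be requested and compares it with DATA,
#   the same check step 11 does in a browser.
check_served() {
    got=$(curl -fsS "http://$1/.well-known/acme-challenge/${2%%.*}") || return 1
    [ "$got" = "$2" ]
}

# Usage: sh write_challenge.sh /path/to/site/root 'DATA LINE FROM TERMINAL 1'
if [ "$#" -eq 2 ]; then
    write_challenge "$1" "$2"
fi
```

Quote the data line in single quotes when passing it, and run it once per domain with that domain's root directory.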

Part 3: Install The SSL Certificate in Your GoDaddy cPanel Hosting Account

  1. While still in Terminal 1, still in your /etc/letsencrypt/live/yoursite.com/ directory, open the file fullchain.pem in your local editor, like this (replace “gedit” with your editor, if needed):

    sudo gedit fullchain.pem
    
  2. Copy the top half of the file (only the first certificate). Copy from the first “-----BEGIN CERTIFICATE-----” to the end of the first certificate, “-----END CERTIFICATE-----”.

     

    Once you’ve copied it, close the file.

  3. Log in to your GoDaddy cPanel shared hosting account. In the Security section, click SSL/TLS. Under Certificates (CRT), click “Generate, view, upload, or delete SSL certificates.”
  4. Take what you copied and paste it under “Upload a New Certificate”, where it says, “Paste the certificate into the following text box:”
  5. Type a description and click “Save Certificate.”
  6. Click “Go Back,” and then click “Return to SSL Manager” at the bottom of page.
  7. Under “Install and Manage SSL for your site (HTTPS),” click “Manage SSL sites.”
  8. Under “Install an SSL Website,” select your first domain. Click “Autofill by Domain” and the certificate should populate in the first box. (All 3 boxes may be automatically populated.)
  9. If the “Private Key (KEY)” field is not filled in: go back to your terminal, open the file privkey.pem (replace “gedit” with your editor, as needed):

    sudo gedit privkey.pem 

    Copy ALL of it, then close the file.

    Back in cPanel, paste into the Private Key (KEY) text box.

  10. If the “Certificate Authority Bundle” is not filled in: go back to your terminal, open the fullchain.pem file again to copy the BOTTOM half:

    sudo gedit fullchain.pem
    

    So, copy from the SECOND “-----BEGIN CERTIFICATE-----” to the end of the file: “-----END CERTIFICATE-----”.

    After you copy it, close the file.

    Paste it into the Certificate Authority Bundle: (CABUNDLE) text box.

  11. Click “Install Certificate.”

    If it’s successful, you should get a response message like this:

    SSL Host Successfully Installed
    You have successfully configured SSL.
    The SSL website is now active and accessible via HTTPS on this domain:
    yoursite.com

  12. Click “OK” to close the success message.
  13. If you created this certificate for more than one domain, then under “Install an SSL Website”, select your next domain that the certificate is for. However, if this certificate is only for one domain, then skip down to step 18.
  14. Click “Autofill by Domain.” All three boxes should automatically populate.
  15. If the “Certificate Authority Bundle” is not filled in: go back to your terminal and copy the SECOND part of fullchain.pem, like you did above (in step 10), and paste it into the Certificate Authority Bundle: (CABUNDLE) text box.
  16. Click “Install Certificate.” You should get a success message.
  17. Click “OK” to close the success message. Repeat these last few steps (steps 13 — 16) for any other domains that you added to the certificate.
  18. After a few minutes, you can confirm that the certificate is working by using this SSL Checker.
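
The two halves of fullchain.pem that steps 2 and 10 copy by hand can be written to separate files, and the private key from step 9 checked against the certificate before anything is pasted into cPanel. This script is an added example, not part of the original post; `split_fullchain`, `key_matches` and the output file names are made up here, and `key_matches` assumes the `openssl` command is installed on the local machine.

```sh
#!/bin/sh
# Added example, not from the original post. Run it on the local machine.
# split_fullchain and key_matches are hypothetical helper names.

# split_fullchain FULLCHAIN OUTDIR
#   OUTDIR/certificate.crt  first certificate  (certificate box, steps 2 to 4)
#   OUTDIR/cabundle.crt     all later ones     (CABUNDLE box, step 10)
split_fullchain() {
    chain=$1
    outdir=$2
    [ -r "$chain" ] || { echo "cannot read $chain" >&2; return 1; }
    mkdir -p "$outdir" || return 1
    rm -f "$outdir/certificate.crt" "$outdir/cabundle.crt"

    # Count BEGIN markers: block 1 goes to the leaf file, the rest to the bundle.
    awk -v leaf="$outdir/certificate.crt" -v bundle="$outdir/cabundle.crt" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = (n == 1) ? leaf : bundle; inside = 1 }
        inside                         { print > out }
        /^-----END CERTIFICATE-----/   { inside = 0 }
        END                            { exit (n >= 2 ? 0 : 1) }
    ' "$chain" || { echo "expected at least two certificates in $chain" >&2; return 1; }
}

# key_matches CERT KEY
#   Succeeds only if KEY is the private key for CERT, by comparing the
#   public key inside the certificate with the one derived from the key.
key_matches() {
    from_cert=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    from_key=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Usage: sudo sh split_fullchain.sh /etc/letsencrypt/live/yoursite.com OUTDIR
if [ "$#" -eq 2 ]; then
    split_fullchain "$1/fullchain.pem" "$2" &&
        key_matches "$2/certificate.crt" "$1/privkey.pem" &&
        echo "certificate.crt matches privkey.pem"
fi
```

Only the two certificate files are written to OUTDIR; privkey.pem is read in place and never copied.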

To renew the SSL certificate, see this: Manual Renew Let’s Encrypt SSL Certificate on GoDaddy Shared cPanel Hosting.


We've 43 Responses

  1. April 14th, 2016 at 10:32 am

    This is really great, except that you need to repeat the process every 90 days manually.

    I was able to script the entire certificate generation part, but haven’t been able to figure out how to replace the certificates on the server via ssh. Do you have any insight on how that part works?

    I tried creating the initial certificates using the web interface, and then subsequently replacing the cert files with new ones, but the site still uses the original certs uploaded from the web interface.

  2. April 28th, 2016 at 5:52 am

    I wonder if you can write a guide on how to set up Let’s Encrypt with the free version of Cloudflare.. I know it’s possible but it’s not easy.

  3. June 27th, 2016 at 3:48 am

    Thank you so much for the guide! Much appreciated.
    Even a beginner like me (my first website and my first certificate) could easily follow the steps you mentioned.

  4. August 5th, 2016 at 5:25 am

    Great work Isabel and thanks. Set it up successfully using Ubuntu to generate the cert and uploading this via Windows using cpanel over the web.

  5. December 14th, 2016 at 12:08 pm

    Thanks for the quick reply. I did this last night and it seemed to go well but the site seems to still be using the self signed cert. I guess I’ll contact godaddy.

  6. December 14th, 2016 at 1:24 pm

    Just for follow up, I spoke with GoDaddy and they said that I have to generate the CSR from within cPanel in order to get this to work. I’m not quite sure on the steps needed to do that with Let’s Encrypt.

  7. December 22nd, 2016 at 12:06 am

    GoDaddy does not give sudo permissions … so I’m not sure how it works for you.

    I’m stuck at the 2nd point: 🙁
    ./certbot-auto certonly --manual
    “sudo” is not available, will use “su” for installation steps…
    Sorry, I don’t know how to bootstrap Certbot on your operating system!

    You will need to bootstrap, configure virtualenv, and run pip install manually.
    Please see https://letsencrypt.readthedocs.org/en/latest/contributing.html#prerequisites
    for more info.

    • December 22nd, 2016 at 1:05 pm

      Hi. This step (./certbot-auto certonly --manual) is done on your local machine, not while connected to your GoDaddy hosting account. You should be able to do this right after Part 1. GoDaddy has nothing to do with this step. You don’t connect to GoDaddy until Part 2, Step 7. Hope that helps.

  8. December 30th, 2016 at 5:16 pm

    Hello Everyone,
    I am able to generate the fullchain.pem file successfully but when I try to paste the first off of the content to GoDaddy, GoDaddy complains that it is not a valid cert.

    1. Then, I tried uploading the cert.pem file and it got uploaded successfully.

    2. I installed SSL. I clicked on “Autofill” and the private key which GoDaddy inserted doesn’t match with what I have in privkey.pem but still I went ahead with this autofill (CA bundle is blank)

    3. I get the successful message (Point number 11) . But, guess my domain is still not working with https : https://www.assignmenthelpdesk.com/

    4. Also, when I try to manually copy paste the private key, the GoDaddy complains that “it is not a valid key”

    Any help will be highly grateful. I have been struggling with this since a long time. Please help.

  9. January 11th, 2017 at 3:20 am

    Awesome guide! BTW, if you are using wordpress you can use this plugin to generate the certs https://wordpress.org/plugins/wp-encrypt/

    then you just need to ftp to your file server, download the keys, and paste them into the cpanel ssl section. Super easy.

    What I’m looking for is a way to auto renew / upload them? That plugin has auto renew but not sure if I’ll have to reupload to cpanel. Guess I’ll cross that bridge soon enough.

  10. January 21st, 2017 at 11:21 am

    Hi, great tutorial. I’m at Part 2 #13, where I have to verify that files exist on my local machine in /etc/letsencrypt/live. I’m getting a Permission denied error when I try to navigate to that location using console. So, I used finder to navigate to the folder. The “live” folder has a red minus icon and again I get a message saying I don’t have permissions to open it. Additionally, it has no sub folders and the size of the folder reads “Zero bytes”, as do all of the other sub folders in the “letsencrypt” folder that contain a red minus icon. There are however, a couple of .conf files in the “renewal” folder relating to my domain names. Not sure what the problem is. Any help would be great, thank you.

  11. January 23rd, 2017 at 10:22 pm

    Does anyone know whether using an LE certificate is possible on a GoDaddy Windows Shared Hosting account (“Ultimate Windows Hosting with Plesk”)?

    Naturally one would expect the steps to be different, but you can certainly use LE with IIS if you manage the server yourself.

    • April 5th, 2017 at 3:36 pm

      Update: I got it working with a modified version of [LEScript](https://github.com/analogic/lescript). I had to make a few small changes to get OpenSSL working correctly on GoDaddy’s Windows hosting. Changes included adding “openssl.cnf”. The script generates some PEM files. To install them, you simply go into Plesk, select “Secure Your Sites”, then click “Add SSL Certificate”. The files it wants are “private.pem”, “cert.pem”, and “lets-encrypt-x3-cross-signed.pem”. You then go into “Hosting Settings” and select the certificate.

              public $config = array(
                  "private_key_type" => OPENSSL_KEYTYPE_RSA,
                  "private_key_bits" => 4096,
                  "config" => "G:/PleskVhosts/mydomain.com/openssl.cnf"
              );
              // ... then later:
              $res = openssl_pkey_new($config);
              openssl_pkey_export($res, $privateKey, NULL, $config);
      
  12. February 1st, 2017 at 12:07 pm

    HAVE ERROR Is there any solution! Has anyone found a solution?

    I tried following your steps but I got the below error after Part 2,

    ./certbot-auto certonly --manual
    
    “sudo” is not available, will use “su” for installation steps…
    Sorry, I don’t know how to bootstrap Certbot on your operating system!
    
    You will need to bootstrap, configure virtualenv, and run pip install manually.
    Please see https://letsencrypt.readthedocs.org/en/latest/contributing.html#prerequisites
    for more info.
    
    
  13. February 9th, 2017 at 10:46 pm

    I failed miserably 🙁

    After pasting the code from Step #4, I received this error:
    socket.error: [Errno 13] Permission denied

    To try to resolve this, I thought I’d change the permissions for the /usr folder, but I quickly came to the conclusion that I do not have access to change the permissions to that folder.

    If anyone can point me in the right direction, please let me know, and thank you! Also, thanks @Isabel for this article.

    • February 16th, 2017 at 1:16 pm

      I’m sorry. These steps only work on computers with a UNIX-like operating system (e.g. Mac, Ubuntu etc). Certbot doesn’t work on Windows. Try searching for “Let’s Encrypt manual mode on Windows.”

        • February 16th, 2017 at 3:21 pm

          Okay, yes, but I’m referring to your local computer. Is it Windows? Part 1, and the first few steps of Part 2 are done on your local computer. The Let’s Encrypt ssl certificates will be created on your local computer, and then we upload them to the GoDaddy hosting. (I tested with your same exact hosting plan, and it works well.) But, the first steps with Certbot don’t work on a local Windows computer. I’ve updated the intro above to specify that. Sorry.

  14. March 28th, 2017 at 2:07 pm

    Hello, thanks for the guide.

    I have already added my domain with SSL. Now I have a subdomain, and I am not able to verify the file at step 12.

    Can anyone guide me please?

    • April 1st, 2017 at 12:59 pm

      I added a troubleshooting step in Part 2, step 10, that should help pinpoint the problem. It helps you confirm that the domain is accessible.

  15. April 8th, 2017 at 10:57 am

    Thanks for this information; I easily followed the instructions on my Linux systems to create the cert, and my GoDaddy site is now using https.

  16. July 2nd, 2017 at 2:22 am

    Great Post !!
    Loved it. But I used ftp to login then I opened it in terminal I use Ubuntu 16.04 and then I performed mkdir ….. . Great worked for me too. Thanks Isabel Castillo

  17. September 27th, 2017 at 2:43 pm

    Godaddy is the worst host. Any real host has this all automated, including the renewal, and you don’t have to do anything at all. You just start using https:// and it works. I hate Godaddy hosting.
