Here are steps that you can take to renew your Let’s Encrypt SSL Certificate for sites hosted on GoDaddy shared cPanel hosting. While these steps have been tested on GoDaddy shared cPanel hosting, they should work for any shared hosting company that has cPanel. These steps are for multi-domain certificates (also known as “UC” or “UCC” certificates), but you can follow them for a single-site certificate, as well.
These steps assume that:
- Either you’ve already installed the original “Let’s Encrypt” client on your local computer when you created the initial certificate, or you installed certbot.
- You’re working from a command line terminal.
- You have SSH access to the hosting account. (You can enable SSH access in your GoDaddy cPanel, under “Security,” click SSH Access.)
Prerequisite
This prerequisite applies to you if your site is currently redirecting all traffic to https. Before you begin the process to renew your SSL certificate, you have to make sure that a certain directory can be reached on your site with http rather than https. The directory name is .well-known (we will create that directory in the steps, below). Right now, you need to make sure that the .well-known directory is not redirected to https. So, if you have a rewrite rule in your .htaccess file that is redirecting all traffic to https, it will look something like this:
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
You will need to add a condition so that the .well-known directory is not redirected. To do that, temporarily add the following line directly above that RewriteRule line in your .htaccess:
RewriteCond %{REQUEST_URI} !^/(.well-known) [NC]
Part 1: Renew the SSL Certificate
- This step is only required if you’re using the original “Let’s Encrypt” client instead of certbot. Navigate to your local letsencrypt directory:
cd letsencrypt
- Initiate the SSL certificate renewal process. If you’re using the original “Let’s Encrypt” client, do this (change YOU@YOUREMAIL.COM to your own email address):
./letsencrypt-auto certonly --renew-by-default --email YOU@YOUREMAIL.COM -a manual --agree-tos
If you’re using certbot:
./certbot-auto certonly --renew-by-default --manual --agree-tos
- Next, it will ask you to type all of your domains which you want covered by the SSL certificate. These should be the same ones that are part of the original certificate. Separate domains by a comma. For example, type:
yoursite.com,www.yoursite.com
or, for more domains:
yoursite.com,www.yoursite.com,othersite.com,www.othersite.com
also, add any subdomains:
subdomain.yoursite.com,blog.yoursite.com
- Next, you will get a message like this:
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o:
Answer “Yes” to this message by typing Y and pressing Enter. Leave this terminal window open (we’ll call this Terminal 1).
- At this point, open a separate terminal window (we’ll call this Terminal 2).
- In Terminal 2, make an SSH connection to your hosting account. In the line below, replace YOUR_USERNAME with your cPanel user name. If you don’t know your cPanel user name, look in your cPanel, under the “Files” section. Click “FTP Accounts.” The “Log In” name is the user name. Also, replace “yoursite.com” with your own site:
ssh YOUR_USERNAME@yoursite.com
- For the next several steps, you’re going to be switching between the 2 terminals.
- Back in Terminal 1, you should have a message like this:
-------------------------------------------------------------------------------
Create a file containing just this data:

ELG_aAEG4FS2ZDJpxaCfXLGjQh4E3U0P-IVO_Qok5e0.zlInmCy7UgqfujZl9OUluaOC86_5PUZRhOstad8xd9o

And make it available on your web server at this URL:

http://yoursite.com/.well-known/acme-challenge/ELG_aAEG4FS2ZDJpxaCfXLGjQh4E3U0P-IVO_Qok5e0

-------------------------------------------------------------------------------
Press Enter to Continue
- From your own terminal, copy the part of line 8, beginning with .well-known, to the end of that line (it’s line 8 in the sample above; however, copy it from your own Terminal 1, not from above). DO NOT COPY with CTRL+C inside the terminal. Highlight, then right-click, then select “Copy.” Be careful not to press ENTER at this point.
- Back in Terminal 2, navigate to the root directory of the site which the first terminal is referencing. Look back at the message in the first terminal, line 8, where it shows the site in reference (this is necessary if you have multiple “addon” domains).
- In Terminal 2, in your site’s root directory, make the required directories, “.well-known” and “acme-challenge” like this:
mkdir -p .well-known/acme-challenge
- Still in Terminal 2, create the required file like this. In the terminal, type vi and then paste the line which you copied in step 9. (You should be able to paste with CTRL+Shift+V.) Then press Enter. This will open a new file in your terminal. Go back to Terminal 1, copy the entire line 4. (DO NOT COPY with CTRL+C inside the terminal. Highlight, then right-click, then select “Copy.” Be careful not to press ENTER at this point.) Come back to Terminal 2 and paste that data. To save this new file in Terminal 2, press the Esc key. Then type :wq and press Enter.
At this point, if you want to confirm that this step has worked, then open a web browser window. Go to the page on your website that is given by the URL address in Terminal 1, line 8.
On that web page, you should see a long line of letters and numbers. This should be exactly the same as what is shown in terminal 1 on line 4.
If this is correct, you can proceed.
- Go back to the first terminal. It should still say at the bottom, “Press Enter to Continue.” Now you can press ENTER.
- It will walk you through repeating these steps (8 — 13) for each domain and subdomain that you listed for the certificate.
- After repeating the above steps for all of your domains, you should finally get a message like this:
Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/yoursite.com/fullchain.pem. Your cert will expire on 201*-**-**. To obtain a new or tweaked version of this certificate in the future, simply run letsencrypt-auto again. To non-interactively renew *all* of your certificates, run "letsencrypt-auto renew"
or like this, if you used certbot:
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/yoursite.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/yoursite.com/privkey.pem
   Your cert will expire on 2017-01-23. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Copy the 2 file paths since you will need them below. In this example, the 2 file paths are:
/etc/letsencrypt/live/yoursite.com/fullchain.pem
and
/etc/letsencrypt/live/yoursite.com/privkey.pem
- Back in the other terminal (in Terminal 2), you can now remove the .well-known directory that was created on each site. To do this, go back to Terminal 2, and enter this in the root folder for each site:
rm -rf .well-known
If you followed the prerequisite, at the top of this page, and added the extra line into your .htaccess file, you can go ahead and remove it now. Still in Terminal 2, while you’re still connected to your site via SSH, you can open your .htaccess file like this:
vi .htaccess
Then, scroll to the line that you want to remove and type dd to delete it. Save the .htaccess file by pressing the Esc key. Then type :wq and hit Enter.
You can now exit Terminal 2.
The Following Steps in Part 1 (steps 8 — 13) Will Have To Be Repeated For Each Domain and/or Subdomain.
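The check from step 12 (the file must be served over plain http and match line 4 exactly) can be scripted before pressing Enter in Terminal 1. This is an added example, not part of the original tutorial; the function names are made up here and curl is assumed to be installed on your local machine.

```shell
#!/bin/sh
# Pre-flight check for a manual HTTP-01 challenge (added example).
# URL  = line 8 of the certbot message, DATA = line 4.

# token_from_url URL -> prints the challenge file name; fails unless the URL
# is plain http and points into /.well-known/acme-challenge/
token_from_url() {
    case "$1" in
        http://*/.well-known/acme-challenge/*) printf '%s\n' "${1##*/}" ;;
        *) return 1 ;;
    esac
}

# challenge_matches URL DATA -> 0 only if DATA is "<token>.<thumbprint>" and
# <token> is the file name in URL. Catches a line copied from the wrong domain.
challenge_matches() {
    token=$(token_from_url "$1") || return 1
    case "$token" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
    thumb=${2#"$token".}
    [ "$thumb" != "$2" ] || return 1      # DATA did not start with "<token>."
    case "$thumb" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
    return 0
}

# verify_served URL DATA -> fetches the file WITHOUT following redirects, so a
# leftover http->https rule shows up as a 301 instead of being hidden.
verify_served() {
    challenge_matches "$1" "$2" || { echo "token/data mismatch" >&2; return 2; }
    status=$(curl -s -o /dev/null -w '%{http_code}' "$1") || return 3
    [ "$status" = 200 ] || { echo "HTTP $status, expected 200" >&2; return 3; }
    body=$(curl -s "$1") || return 3      # $(...) drops the newline vi appends
    [ "$body" = "$2" ] || { echo "served content differs from line 4" >&2; return 4; }
}
```

Call it as verify_served "URL from line 8" "data from line 4"; a zero exit status means the file is reachable the way the prerequisite requires.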
Part 2: Update/Renew The SSL Certificate in Your GoDaddy cPanel Hosting Account
- Log in to your GoDaddy cPanel shared hosting account. In the Security section, click SSL/TLS. Under Certificates (CRT), click “Generate, view, upload, or delete SSL certificates.”
- Scroll down to where it says, “Upload a New Certificate.”
- Back in your Terminal 1, open the fullchain.pem file. You should have noted the path to this file in Step 15 above. Open the file in your local editor, like this (replace “gedit” with your text editor, if needed):
gedit /etc/letsencrypt/live/yoursite.com/fullchain.pem
- Copy the top half of the file (only the first certificate). Copy from the first “-----BEGIN CERTIFICATE-----” to the end of the first certificate, “-----END CERTIFICATE-----”
Once you’ve copied it, close the file.
- Take what you copied and paste it in your hosting account, under “Upload a New Certificate”, where it says, “Paste the certificate into the following text box:”
- Type a description and click “Save Certificate.” An example of a description is, “Renewed certificate for yoursite.com and anothersite.com.” When presented with the success message, click “Go Back.”
- Click “Return to SSL Manager” at the very bottom of page.
- Under “Install and Manage SSL for your site (HTTPS),” click “Manage SSL sites.”
- On the row for your main domain, click “Update Certificate” all the way at the right (in the Actions column).
- Click “Autofill by Domain” and the certificate should populate in the first box. Also, the Certificate Authority Bundle: (CABUNDLE) text box should populate.
- Back in your terminal, open the privkey.pem file (replace “gedit” with your editor, as needed, and also edit the path to the file to match what you copied in Step 15 above):
gedit /etc/letsencrypt/live/yoursite.com/privkey.pem
- Copy ALL of it, then close the file.
- Back in your hosting account, paste it into the Private Key (KEY) text box.
- Click “Install Certificate.”
If it’s successful, you should get a response message like this:
SSL Certificate Successfully Updated
You have successfully updated the SSL website’s certificate.
…
- Click “OK” to close the success message.
- If you only created this certificate for this one domain name, then you are finished. Congratulations on renewing your SSL certificate. On the other hand, if you made this certificate for multiple domain names, then look for the row with your next domain. On the row for your next domain, click “Update Certificate” all the way at the right (in the Actions column).
- Click “Autofill” and all 3 text boxes should populate.
- Click “Install Certificate.” You should get a success message.
- Click “OK” to close the success message, and repeat these last few steps (steps 16 — 19) for any other domains that you added to the certificate.
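Before pasting into cPanel, the "first certificate only" copy and the certificate/key pairing from Part 2 can be checked from the terminal. This is an added example, not part of the original tutorial; the function names are made up here, and key_matches_cert assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Helpers for Part 2 (added example): split fullchain.pem and confirm that
# privkey.pem belongs to the certificate being uploaded.

# first_cert FILE -> prints only the first certificate block, i.e. the text
# that goes into "Upload a New Certificate"
first_cert() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { on = 1 }
         on { print }
         /^-----END CERTIFICATE-----$/ && on { exit }' "$1"
}

# count_certs FILE -> number of certificate blocks (fullchain.pem holds the
# site certificate followed by the CA chain, so expect more than one)
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1"
}

# has_private_key FILE -> 0 if FILE contains a private key block; anything
# destined for the certificate text box must make this return non-zero
has_private_key() {
    grep -Eq '^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----$' "$1"
}

# key_matches_cert CERTFILE KEYFILE -> 0 if both carry the same public key.
# Compares the PEM public key extracted from each; returns 2 if either file
# cannot be parsed, so two unreadable files never compare as "equal".
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    k=$(openssl pkey -in "$2" -pubout) || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}
```

For example, first_cert /etc/letsencrypt/live/yoursite.com/fullchain.pem > leaf.pem followed by key_matches_cert leaf.pem /etc/letsencrypt/live/yoursite.com/privkey.pem confirms the pair before "Install Certificate" is clicked.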
Peter Berbec
March 5th, 2017 at 8:03 pm
Thank you very much for this. I was bashing my head against getting this done without sudo access.
Chris B
May 11th, 2017 at 2:48 pm
Thanks Isabel, for taking the time to write this up. This, and your article on creating a new LE certificate, are the best and most concise I have found.
Isabel
May 12th, 2017 at 12:11 pm
Thanks. Glad you found it useful.
Max Yudin
May 12th, 2017 at 4:57 am
The
part appeared to be essential for me since I’ve forgotten the traffic was already redirected to the
and authorization process failed.
Thank you for the direction!
Jigar Lodaya
June 18th, 2017 at 1:17 am
Thank you 🙂
Rick Hale
July 3rd, 2017 at 4:35 pm
Another good, helpful tutorial. Thanks so much!
Luis
January 9th, 2018 at 9:35 am
Hello Isabel,
I am trying to renew the certificates, but certbot creates empty files. I don’t know what the problem is.
Isabel
January 3rd, 2020 at 2:27 pm
Certbot is not really creating empty files. It’s probably the permissions that are not letting you see the contents of the file. Try opening the files with sudo and that may let you see the contents of the files.
Udi Burg
January 23rd, 2018 at 3:22 am
Seems like creating and uploading new certificate from here: https://www.sslforfree.com/ will be much faster from this process.
Isn’t it?
Lorian Bartle
May 7th, 2018 at 6:43 pm
It’s so, so frustrating that it must be performed every couple of months. In any case, it’s very nice to know what I’m in for if I decide to go this route. Thank you for writing it up.
om
May 11th, 2018 at 5:03 am
Thanks, worked well 🙂
Bruno
November 1st, 2018 at 9:08 am
Hi Isabel! Thank you very much for this article. It was really helpful.