How to Install an ACME SSL Certificate on cPanel/WHM Using ACME.sh?

1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 5.00 out of 5)
Loading...
Configure Acme.sh for Cpanel

To automatically install/renew an ACME SSL certificate in cPanel/WHM, you must configure an ACME client (such as ACME.sh). It has implications for server operators, web hosting companies, and website owners that rely on commercial certificate authorities for ACME compliance.

Without action, your SSL certificate will expire, visitors will see security warnings in their browsers, and HTTPS protection will be rendered useless.

In addition to supporting standard SSL certificates, AutoSSL also supports not all ACME workflows and external account binding (EAB), and integrates with any certificate authority configuration. ACME.sh fills this gap by offering automated certificate issuance, deployment, and certificate renewal via the cPanel and WHM APIs.

What Is ACME.sh and Why Should You Use It on cPanel/WHM?

ACME.sh is a lightweight ACME client for automatic issuance, deployment, and renewal of SSL certificates on Linux servers.

The main differences with AutoSSL are the support of custom ACME servers, External Account Binding (EAB), wildcard certificates, and commercial certificate authorities. You can continue to use your preferred providers and still get automated certificate management.

Some popular platforms that support ACME.sh are cPanel, WHM, Let’s Encrypt, Sectigo, and ZeroSSL. This can simplify SSL management for administrators with multiple websites and lower the chances of certificates expiring.

What Do You Need Before Installing an ACME SSL Certificate?

To install an ACME SSL certificate, you must have access to the server, as well as credentials provided by your certificate provider.

Make sure you have:

  • Access via SSH to your cPanel account/WHM server.
  • A domain name that is valid and redirects to the server.
  • ACME Directory URL from your certificate authority
  • EAB Key Identifier (EAB KID)
  • EAB HMAC Key
  • You can use the document root of the website.
  • Having root or sudo access for WHM level deployments.

Let’s Encrypt, Sectigo, and ZeroSSL are all of the most popular certificate authorities that support ACME.

These requirements will make sure that the ACME server is able to validate domain ownership and to issue the certificate.

Steps for ACME SSL Installation on cPanel/WHM

Step 1: Open the cPanel Terminal

SSH access means that you can install and manage ACME.sh directly on the server.

For cPanel Users:

  • Log in to cPanel.
  • Navigate to Advanced.
  • Click Terminal.
  • Click on the security prompt.

For WHM Administrators:

  • Connect using SSH.
  • Install PuTTY for Windows.
  • Use Terminal on macOS.
  • Run OpenSSH on Linux.

SSH login is necessary as ACME.sh is command-line-based and seamlessly integrates with server APIs.

Step 2: Install ACME.sh on a cPanel/WHM Server

The installation of ACME.sh takes less than a minute on most servers.

Run:

curl https://get.acme.sh | sh -s [email protected]

Reload your shell:

source ~/.bashrc

For cPanel servers specifically, installing to a dedicated path keeps things clean:

curl https://get.acme.sh | sh -s [email protected] home=/opt/acme.sh

Verify the installation succeeded:

bash/opt/acme.sh/acme.sh –version

The installed version number should be displayed.

This indicates that ACME is available and functioning with certificate authorities that are compatible with it.

Step 3: Register an ACME Account with Your Certificate Authority

To request certificates, you need to have an ACME account.

Run:

acme.sh --register-account \
--server "https://your-acme-server.com/v2/DV" \
--eab-kid "YOUR_EAB_KID" \
--eab-hmac-key "YOUR_EAB_HMAC_KEY"

Replace:

  • YOUR_EAB_KID with your EAB Key Identifier
  • YOUR_EAB_HMAC_KEY with your EAB HMAC Key
  • Your server URL and your certificate authority’s endpoint to access the ACME protocol.

EAB authentication is necessary for certificate authorities like ZeroSSL, Sectigo, and DigiCert. This way, only approved customers can ask for certificates.

Step 4: Issue an ACME SSL Certificate Using Webroot Validation

Webroot validation is a process that validates that you are the owner of the domain in question.

Run:

acme.sh --issue \
--webroot /home/username/public_html \
--domain example.com \
--domain www.example.com \
--server "https://your-acme-server.com/v2/DV" \
--eab-kid "YOUR_EAB_KID" \
--eab-hmac-key "YOUR_EAB_HMAC_KEY"

Replace:

  • example.com with your domain
  • /home/username/public_html with your actual document root

ACME.sh creates temporary validation files inside the webroot directory. The certificate authority then examines those files before issuing the certificate.

This process is used to verify your ownership, without changing the DNS settings.

Step 5: Deploy the SSL Certificate Automatically to cPanel?

ACME.sh includes a built-in deployment hook for cPanel.

Run:

acme.sh --deploy \
--domain example.com \
--deploy-hook cpanel_uapi

The cpanel_uapi deployment hook automatically:

  • Imports the certificate
  • Installs the private key
  • Allows the use of the CA bundle.Uses the CA bundle.
  • Configures and updates the website

This eliminates the manual certificate uploads in SSL/TLS Manager.

When you have several domains to administer, hours of repetitive work are saved with automated deployment.

Step 6 – Confirm Renewal Is Scheduled

ACME.sh automatically installs a cron job during setup.

The renewal process begins approximately 30 days before certificate expiration. To test renewal manually:

acme.sh --cron –force

Successful execution confirms:

  • Renewal works correctly
  • Deployment hooks function properly
  • Future renewals will complete automatically

Automated renewal prevents service interruptions caused by expired certificates.

How to Install Wildcard SSL Certificates using ACME.sh?

Wildcard certificates provide protection for all subdomains of a domain.

Examples include:

  • app.example.com
  • api.example.com
  • mail.example.com
  • dev.example.com

Run:

acme.sh --issue \
-d example.com \
-d ".example.com" \
--dns dns_cf

The dns_cf plugin validates DNS via Cloudflare’s API.

Wildcard certificates need to be validated by DNS since the HTTP validation can’t validate a whole subdomain namespace.

Conclusion

Unlike traditional AutoSSL solutions, installing an ACME SSL certificate on cPanel/WHM with ACME.sh has the advantage of providing more flexibility.

Convenience certificate issuance, deployment and renewal, along with support for certificate authorities, External Account Binding (EAB), wildcard certificates and custom ACME servers, ACME.sh makes certificate issuance easy and saves you from the fear of mishandled SSL expiration.

Once set up, the whole process is quite auto-pilot, making it easier to keep consistent HTTPS protection at all times, with little administrative effort.

Contact us today if you are looking for a reliable SSL certificate provider or want to get help in finding the best SSL solution that supports ACME for your website, server, or hosting. Our SSL specialists are at your service to select, set up, and install the perfect certificate for your websites to help ensure they remain secure and compliant.