How to Install Sectigo ACME SSL Certificates on cPanel/WHM using Certbot?
SSL certificate lifespans are shrinking from 397 days to 47 days, and every sysadmin managing cPanel/WHM servers who still relies on manual installs will face expired certificates, broken sites, and compliance failures.
Sectigo’s ACME Certificate solves this, but it does not integrate natively into cPanel or WHM. Sysadmins who do nothing will spend more time chasing renewals than managing servers. Certbot bridges that gap and automates the entire issuance and renewal cycle.
What Do You Need Before Installing Sectigo SSL on cPanel?
Certbot needs four things in place before it can reach your server, and all four are required.
- Root access via SSH to your cPanel/WHM server.
- DNS A and AAAA records, set up inside cPanel, that point to the server.
- Ports 80 and 443 open on your firewall. Certbot needs both for the ACME challenge and for renewals.
- Your EAB (External Account Binding) credentials: the Key ID and HMAC key from your Sectigo order panel.
Check your ports before going any further. Run nmap from another machine:
nmap -p 80,443 yourdomain.com
The result shows immediately if either port is not open. Repair the firewall before you proceed.
How Do You Install Certbot on a cPanel/WHM Server?
Step 1 – Installing Certbot
Certbot is the ACME client that communicates directly with Sectigo’s certificate infrastructure. cPanel does not ship it by default, so you install it manually.
Option A: Snap
sudo yum install snapd -y
sudo systemctl enable --now snapd.socket
sudo ln -s /var/lib/snapd/snap /snap
sudo snap install core && sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Option B: Yum
sudo yum install epel-release -y
sudo yum install certbot -y
Always use Snap. Yum packages are outdated. An outdated Certbot version breaks compatibility when Sectigo updates its ACME endpoints, and Sectigo does update them.
Step 2(A) – Requesting a Sectigo SSL
Sectigo requires EAB credentials on every certificate request. These are the Key ID and HMAC key from your Sectigo account panel or the enrollment page. They are not optional, and they are not interchangeable with Let’s Encrypt credentials.
Apache:
sudo certbot --apache \
--non-interactive --agree-tos \
--email YOUR_EMAIL \
--server https://acme.sectigo.com/v2/DV \
--eab-kid YOUR_EAB_KID \
--eab-hmac-key YOUR_EAB_HMAC_KEY \
--domain example.com \
--cert-name example-cert
Nginx:
sudo certbot --nginx \
--non-interactive --agree-tos \
--email YOUR_EMAIL \
--server https://acme.sectigo.com/v2/DV \
--eab-kid YOUR_EAB_KID \
--eab-hmac-key YOUR_EAB_HMAC_KEY \
--domain example.com \
--cert-name example-cert
If Certbot returns a urn:ietf:params:acme:error:badEABCredentials error, your Key ID or HMAC key was copied incorrectly. Go back to Sectigo’s panel and copy them character by character.
Install the Sectigo Certificate into cPanel or WHM
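Certbot stores every issued certificate under /etc/letsencrypt/live/, in a directory named after the certificate (the --cert-name value when one was given). The paths below assume that name is example.com: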
- /etc/letsencrypt/live/example.com/fullchain.pem
- /etc/letsencrypt/live/example.com/privkey.pem
cPanel and WHM don’t automatically read this path. You’ll need to add it manually or via the CLI.
Method 1: WHM GUI:
- Log in to WHM as root
- Navigate to SSL/TLS → Install an SSL Certificate on a Domain
- Paste fullchain.pem into the Certificate (CRT) field
- Paste privkey.pem into the Private Key (KEY) field
- Use chain.pem for the CA Bundle
Method 2: CLI (Best for Automation):
/usr/local/cpanel/bin/installssl domain example.com \
cert /etc/letsencrypt/live/example.com/fullchain.pem \
key /etc/letsencrypt/live/example.com/privkey.pem \
cabundle /etc/letsencrypt/live/example.com/chain.pem
Use the CLI method if you’re managing more than one domain. The WHM GUI method does not scale.
Automatic Renewal in cPanel Environment
cPanel’s AutoSSL feature does not renew Sectigo certificates. If you skip this step, your SSL expires silently and your site breaks without warning.
First, Test Renewal Immediately after Setup:
sudo certbot renew --dry-run
If this fails, fix it now. Do not wait until the certificate is days away from expiry.
Then add a Cron Job that runs Twice Daily:
sudo crontab -e
Insert this line:
0 */12 * * * certbot renew --quiet --deploy-hook "/usr/local/cpanel/bin/installssl domain example.com cert /etc/letsencrypt/live/example.com/fullchain.pem key /etc/letsencrypt/live/example.com/privkey.pem cabundle /etc/letsencrypt/live/example.com/chain.pem"
The --deploy-hook flag is what makes this work. It pushes the renewed certificate directly into WHM the moment Certbot finishes renewing it. Without this flag, the cert renews, but cPanel never picks it up.
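A deploy hook can also check the renewed files before handing them to WHM. The script below is an added example, not part of the original page or of cPanel or Certbot: it reads the RENEWED_LINEAGE and RENEWED_DOMAINS variables Certbot exports to deploy hooks (so it follows whatever --cert-name was used), refuses a mismatched or nearly expired certificate, and then runs the installssl command shown above. The INSTALL_CMD override, the exit codes and the handling of wildcard names are assumptions; save it under a path of your choice and pass that path to --deploy-hook.

```sh
#!/bin/sh
# Added example: Certbot deploy hook for cPanel/WHM (not the page's own code).
# Certbot exports RENEWED_LINEAGE (the live/<cert-name> directory) and
# RENEWED_DOMAINS (space-separated names) to every deploy hook.
# Assumption: INSTALL_CMD defaults to the installssl path this page uses.
INSTALL_CMD="${INSTALL_CMD:-/usr/local/cpanel/bin/installssl}"

# Succeed only if the certificate and the private key hold the same public key.
cert_matches_key() (   # $1 = certificate file, $2 = private key file
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || exit 1
  [ -n "$c" ] && [ "$c" = "$k" ]
)

# Validate the renewed files, then install them for each non-wildcard name.
deploy_to_cpanel() (
  dir="${RENEWED_LINEAGE:?not set; run this from a Certbot deploy hook}"
  for f in fullchain.pem privkey.pem chain.pem; do
    [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; exit 2; }
  done
  cert_matches_key "$dir/fullchain.pem" "$dir/privkey.pem" ||
    { echo "certificate and key do not match in $dir" >&2; exit 3; }
  # -checkend fails if the leaf certificate expires within 24 hours.
  openssl x509 -in "$dir/fullchain.pem" -noout -checkend 86400 >/dev/null ||
    { echo "certificate in $dir expires within 24 hours" >&2; exit 4; }
  set -f   # stop the loop from glob-expanding "*.example.com"
  for name in $RENEWED_DOMAINS; do
    # Assumption: a wildcard name is covered by installing its base domain.
    case "$name" in \*.*) continue ;; esac
    "$INSTALL_CMD" domain "$name" cert "$dir/fullchain.pem" \
      key "$dir/privkey.pem" cabundle "$dir/chain.pem" || exit 5
  done
)

# Run only when Certbot invokes the script; a non-zero exit marks the hook failed.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  deploy_to_cpanel || exit $?
fi
```

Certbot logs a failing deploy hook, so a non-zero exit here shows up in its renewal output instead of a broken certificate reaching WHM.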
How Do You Get a Sectigo Wildcard Certificate Using Certbot?
Wildcard certificates (*.example.com) require DNS-01 validation. HTTP-01 validation does not work with wildcards. This is an ACME protocol requirement, not a Sectigo limitation. You have two paths:
Method 1: DNS Plugin (Recommended)
Certbot has native plugins for Cloudflare, AWS Route53, DigitalOcean, Google Cloud DNS, Hetzner, OVH, and Linode. If your DNS provider is on this list, use the plugin.
Cloudflare Example:
sudo snap install certbot-dns-cloudflare
mkdir -p ~/.secrets/certbot
echo "dns_cloudflare_api_token = YOUR_TOKEN" > ~/.secrets/certbot/cloudflare.ini
chmod 600 ~/.secrets/certbot/cloudflare.ini
sudo certbot certonly \
--dns-cloudflare \
--dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini \
--server https://acme.sectigo.com/v2/DV \
--eab-kid YOUR_EAB_KID \
--eab-hmac-key YOUR_EAB_HMAC_KEY \
--email YOUR_EMAIL --agree-tos \
--cert-name example-wildcard \
-d "*.example.com" -d example.com
Method 2: Lexicon (For Unsupported DNS Providers)
Use Lexicon if your DNS provider (e.g., GoDaddy) doesn’t have a DNS plugin for Certbot. Lexicon is a universal DNS management library that covers DNS providers Certbot does not support.
pip install dns-lexicon
Create auth.sh:
#!/bin/bash
lexicon godaddy create "$CERTBOT_DOMAIN" TXT \
--auth-key "YOUR_KEY" --auth-secret "YOUR_SECRET" \
--name "_acme-challenge.$CERTBOT_DOMAIN" \
--content "$CERTBOT_VALIDATION"
Create a cleanup.sh:
#!/bin/bash
lexicon godaddy delete "$CERTBOT_DOMAIN" TXT \
--auth-key "YOUR_KEY" --auth-secret "YOUR_SECRET" \
--name "_acme-challenge.$CERTBOT_DOMAIN" \
--content "$CERTBOT_VALIDATION"
Use --manual-auth-hook and --manual-cleanup-hook to point Certbot at both of them.
Always lock down every credentials file with chmod 600, so that only its owner can read it. A leaked API token lets anyone change your DNS records.
Conclusion
Installing Sectigo ACME SSL certificates on cPanel/WHM with Certbot simplifies certificate management and eliminates the risk of missed renewals. Once configured, Certbot automatically handles issuance and renewal, helping you maintain secure, uninterrupted HTTPS protection for both standard and wildcard domains.