Acme.sh renew on Namecheap - how to activate?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
geersen.net

I ran this command:
acme.sh --force --renew -d geersen.net -d www.geersen.net -w /home/sbstynuu/geersen.net

It produced this output:
(certificate)
-----END CERTIFICATE-----
[Mon Mar 11 04:09:02 EDT 2024] Your cert is in: /home/sbstynuu/.acme.sh/geersen.net_ecc/geersen.net.cer
[Mon Mar 11 04:09:02 EDT 2024] Your cert key is in: /home/sbstynuu/.acme.sh/geersen.net_ecc/geersen.net.key
[Mon Mar 11 04:09:02 EDT 2024] The intermediate CA cert is in: /home/sbstynuu/.acme.sh/geersen.net_ecc/ca.cer
[Mon Mar 11 04:09:02 EDT 2024] And the full chain certs is there: /home/sbstynuu/.acme.sh/geersen.net_ecc/fullchain.cer

My web server is (include version):
Namecheap / Cpanel 110.0.12
Apache Version 2.4.58 (according to server information page in Cpanel anyway)

The operating system my web server runs on is (include version):
Linux, doesn't tell me a version sorry

My hosting provider, if applicable, is:
Namecheap

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
N/A

After running the command to renew I thought that would be all I'd have to do. Apparently not.
In Cpanel, when I go to SSL/TLS > Manage SSL sites, it has a couple of options for that domain name. Uninstall, update, Certificate details, Use certificate for new site.
If I click update (after running the acme.sh renew), am I supposed to

  1. click "Autofill by domain"? This doesn't seem to work.
  2. delete and reinstall? I thought acme.sh script was supposed to auto-renew.

If I've renewed via the terminal as pasted above, what is the next step to having Cpanel/Namecheap see the renewed certificate?
One thing I noticed is that if I go to the file manager in Cpanel, then the acme.sh folder, into geersen.net, all the certificate files are updated EXCEPT the .key. Is this a problem or expected behaviour?

acme.sh --list
gives
geersen.net "ec-256" www.geersen.net LetsEncrypt.org 2024-03-11T08:09:02Z 2024-05-09T08:09:02Z

So it's OK according to acme and LetsEncrypt, just not Namecheap, and I can't figure out why.

I have 4 other domains with the same issue. All were installed on the same day some months ago, and I thought I had solved my SSL problems forever with auto-renew. SSL is the worst part of the internet these days, and I'm still dealing with headaches. My certs expired on Feb 14 and I had no idea until today - that's a month they've been giving errors and warnings to people. :frowning:

Is there a walkthrough on ensuring auto-renew using services like Cpanel and Namecheap?
I am considering changing servers because this is so bad, but for now I am here and need to solve this ASAP.

Thanks

Ah I may have found an answer to (most of) my own question, leaving it here in case it helps.

I found this line of code
acme.sh --deploy --deploy-hook cpanel_uapi --domain yourdomain.com

And that seemed to do the trick!

The rest of my question remains though - can anyone help me understand what I need to do / read up on, to get these certs to auto-renew next time?

1 Like

As you are using the acme.sh client, you should review their documentation.
And, as you are using cPanel, you should also review their documentation.

3 Likes

Yeah maybe but I'm not a pro web dev or a coder, and so I thought if someone here has had this problem and knows how to solve it without me having to read through pages of code-related docs that I won't understand half of, then I'd ask.

While you wait for a reply here...
You might also try a support channel closer to the problem.

3 Likes

I'm going through the acme.sh github discussions / issues to try to find a resolution. So far not much luck. I've done a recommended --update so I suppose I can see what happens in 60 days, unless someone replies back here first.

I'm not against getting my hands dirty and I know my way around a terminal, I code as a hobby but I certainly don't mess with Apache/nginx/other stuff like that. Sometimes it's just a matter of not knowing what you need to look for or be aware of, and if someone points you at the thing you should research, it helps.

I get it.
But your problem isn't very simple/easy.

Your topic starts with:

That's already a "trigger word" here.
Not sure where you got that command, nor why you thought it would help.
It doesn't.

Then you mention:

But you aren't using that to obtain/manage your certs.
[no clue why you wouldn't]

You wrote that cPanel asked you to:

That implies it has a cert.

We are not acme.sh experts here.
I'd guess that it's either:

  • reusing the same key [possible, but unusual]
  • the key file was somehow locked down to read-only [or something similar]
    [but this would imply that the key was supposed to change and it didn't]
    [if that was the case, then a reboot would have broken the encryption on that site - as the cert and key no longer match]

What does that mean?
What is NameCheap saying that disagrees with acme.sh and LetsEncrypt?

It sounds like the entire server may need [similar] help.

I have to disagree with you.
If you follow bad instructions, then you will likely get bad results [and headaches].
I'm not sure where you got your instructions, but I'm pretty sure they didn't come from this site.

What does your domain registrar / possible DNS provider have to do with renewing certificates using HTTP authentication?:

^ using -w implies HTTP-01 authentication.

3 Likes
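The two situations discussed above, a certificate that no longer matches its private key and a renewed certificate that the control panel has not picked up, can both be checked with openssl. This is an added example, not part of any post and not acme.sh or cPanel code; the function names are hypothetical, and `make_samples` builds throwaway constructed files for a dry run.

```shell
#!/bin/sh
# Added example: local checks after a renewal. Needs only the openssl CLI.

# Public key (PEM) carried by a certificate, and the one derived from a private key.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
key_pubkey()  { openssl pkey -in "$1" -pubout 2>/dev/null; }

# 0 = certificate was issued for this key, 1 = mismatch, 2 = unreadable input.
cert_matches_key() {
  c=$(cert_pubkey "$1") || return 2
  k=$(key_pubkey "$2") || return 2
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# SHA-256 fingerprint of a certificate file.
cert_fp() { openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null; }

# 0 = both files hold the same certificate (e.g. renewed copy vs. installed copy).
same_cert() {
  a=$(cert_fp "$1") || return 2
  b=$(cert_fp "$2") || return 2
  [ "$a" = "$b" ]
}

# 0 = certificate is still valid $2 days from now.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Constructed sample data in directory $1 (self-signed, CN=example.test):
#   site.key      - the site's private key
#   installed.cer - old certificate, 1 day left (stands in for what is installed)
#   renewed.cer   - new certificate for the SAME key, 90 days
#   other.key     - an unrelated key
make_samples() {
  out=$1
  openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$out/site.key" -out "$out/installed.cer" -days 1 \
    -subj "/CN=example.test" 2>/dev/null
  openssl req -x509 -new -key "$out/site.key" -out "$out/renewed.cer" -days 90 \
    -subj "/CN=example.test" 2>/dev/null
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
    -out "$out/other.key" 2>/dev/null
}
```

With the paths from the first post, the key check would be `cert_matches_key /home/sbstynuu/.acme.sh/geersen.net_ecc/geersen.net.cer /home/sbstynuu/.acme.sh/geersen.net_ecc/geersen.net.key`. For `same_cert`, the second argument is assumed to be a copy of the certificate the control panel reports as installed, saved to a file.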

Force as a trigger word

I did read that in some other posts, but I also read responses saying it didn't make a difference if people used it or not. The instructions on various pages said to do that, I did it, it worked the first time, I had no reason to suspect there was anything wrong with doing that.

using Cpanel 110.0.12 to manage certs?

  • But you aren't using that to obtain/manage your certs.

Obtain no, manage, well we kind of have to with Namecheap. Although with the deploy command I think maybe no longer. I at least have to verify that Namecheap is seeing things as green/OK.

cPanel asked you to:
delete and reinstall?
That implies it has a cert.

I didn't say Cpanel asked me that, I said should I do that, because Cpanel/namecheap wasn't registering that the certs had been updated.

What does that mean?

It meant, that terminal /acme was reporting the cert as OK/new, but Namecheap was saying I still had invalid ones installed. Since solved, when I found the --deploy command, I only had half the puzzle, now I know a little more.

SSL is the worst part of the internet these days, and I'm still dealing with headaches.

I have to disagree with you.

OK but that doesn't invalidate my experience. A lot of hosts don't make it simple to renew/reinstall. Every year it's a PITA, which is the whole reason I'm looking into this autorenewal and LetsEncrypt.

What does your domain registrar / possible DNS provider have to do with renewing certificates using HTTP authentication?:
When did I say "using http authentication"?

using -w implies HTTP-01 authentication.

Oh OK I didn't know that?? Now I do, thanks.
Again, I googled how to set up renewing LetsEncrypt, a bunch of websites all said the same thing, that's where that command came from. Sorry it wasn't letter perfect the first time. Good grief.

Use cPanel AutoSSL to get a cert for that (unless your hosting provider is evil and disabled it).

3 Likes

Yeah they are evil! Namecheap have disabled it.
They're in cahoots with an SSL merchant and push them hard. One of my difficulties. I will move once hosting renewal comes up.

I think I've got it sorted for the next 60 days at least... come auto-renew time I will see what happens. Cron job says it's there... but why it didn't work 3 weeks ago, I don't know.

You may want to use CertSage? It supports calling the cPanel API to install the certificate for you and is made for web hosting environments.

3 Likes

OR
You may want to change hosting providers.
I think by "namecheap" you mean to specifically address their hosting services.

4 Likes

Yes 100% going to change, and I would definitely advise anyone using namecheap to also consider moving away!
