Newer version available (1.4.0):
CertSage was designed for people of all ages and experience levels who want an incredibly quick and easy way to acquire Let's Encrypt TLS/SSL certificates. CertSage is especially helpful if you are using a shared hosting plan that does not allow root access, such as GoDaddy shared hosting. It's free, of course!
- added installation of certificates into cPanel with the push of a button - no more manual copying and pasting of certificates and keys!
- added password protection for solid security - just open password.txt then change the contents to whatever you want!
- removed the update staging contact button to prevent receiving unwanted emails
- refactored sections of code for better performance and maintainability
Assuming that your domain name is
- Download certsage.txt (30.8 KB).
certsage.txt into the webroot directory of your website (often something like public_html) that contains the content that you access when you visit
Assuming that your domain name is
- Most people will want to enter www.example.com as their domain names when acquiring a certificate.
- To ensure that your CertSage installation is working, you can acquire a staging (fake) certificate.
- Once you are confident that your CertSage installation is working, you can acquire a production (real) certificate.
- Once you have successfully acquired a production certificate, you can have CertSage install it into cPanel by pushing a single button.
- To renew your certificate, simply revisit http://example.com/certsage.php every 60 days to acquire and install a new production certificate.
- You can subscribe to receive certificate expiration notifications from Let's Encrypt to serve as backup reminders to renew your certificate. Once you have subscribed, you will continue to receive certificate expiration notifications for all future certificates you acquire with CertSage. Should you wish to use different email address(es) after subscribing, simply enter all the email addresses you wish to use in the email address box then click Update Contact Information. Should you wish to stop receiving certificate expiration notifications, simply leave the email address box blank then click Update Contact Information.
WordPress Site Address Update
My trip in cpanel: SSL/TLS ---> Manage SSL Sites.
I get a form like the one below.
certsage.php I get
The content of certificate.crt consists of three different sections, each one begins with "-----BEGIN CERTIFICATE-----" and ends with "-----END CERTIFICATE-----". If I copy and paste the whole content of certificate.key I get a message telling the certificate is invalid. I experimented anyway; everything apparently goes on correctly if I copy and paste just the first of the three sections. Am I supposed to stop at this result? The CA bundle input can be safely left empty?
Besides I just cannot get how the Install Certificate into cPanel could work. What is the connection between that form and the cpanel session like the one I mentioned?
Anyway many many thanks for your work!
P.S. I've just realized about three months ago I had the same problem and Griffin kindly answered. Sorry, Griffin! Instead of removing completely this recent post, I decide to leave it as it is, so that somebody could possibly confirm I acted correctly and because of the second question about the automated cpanel configuration.
- The first certificate in certificate.crt is your leaf certificate that should go in the certificate box in your screenshot.
- The second certificate in certificate.crt is Let's Encrypt's R3 intermediate certificate that could go in the certificate authority bundle box in your screenshot, but this is unnecessary since cPanel will retrieve a copy of R3 for you if you leave that box blank.
- The third certificate in certificate.crt is Let's Encrypt's ISRG Root X1 intermediate certificate. This certificate is not required for cPanel installation of your leaf certificate.
When you push the Install Certificate into cPanel button...
- CertSage verifies that the password entered into the password box matches the contents of password.txt in your CertSage folder. If password.txt does not exist when you open CertSage (e.g. when you open CertSage for the first time or have manually removed password.txt), CertSage will create a new password.txt for you and fill it with a random, secure password. If you wish to set your own password, you can simply replace the contents of password.txt with whatever you like then enter that password.
- CertSage reads your leaf certificate from certificate.crt and its private key from certificate.key. Both files should be in your CertSage folder. They are automatically saved there when you acquire a production certificate.
- CertSage verifies the structure of both your leaf certificate and its private key.
- CertSage verifies that your leaf certificate and its private key match each other.
- CertSage reads the common name (CN) field in your leaf certificate. This common name (CN) field will match the first domain name that you entered into the domain name box in CertSage when you acquired your production certificate, which should be your primary domain name (e.g. example.com), not a subdomain name (e.g.
- CertSage calls an underlying cPanel API function to install your leaf certificate and its private key for the common name (CN) read from your leaf certificate.
- CertSage calls an underlying cPanel API function to enable Force HTTPS Redirect for the common name (CN) read from your leaf certificate.
Essentially, CertSage does the same thing that you would do manually, just much faster.
If you have a more complex setup (e.g. multiple domain names hosted under one cPanel account), a few minor adjustments are needed for CertSage to function properly. Much of what is needed has been thoroughly discussed in the comments of the pages of previous versions of CertSage. If those should prove to be insufficient to help, please feel free to ask your questions here.
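The checks listed in the reply above (password, structure, key match, common name), sketched in PHP as an added example; it is not part of the original post and not CertSage's own code. The function names `splitPemBundle` and `prepareInstall` are hypothetical, the sample certificate is constructed inside the script, and the cPanel API call itself is left out.

```php
<?php
// Added illustration, not CertSage's code; function names are hypothetical.

// Split a PEM bundle (leaf first, then chain) into individual certificates.
function splitPemBundle(string $bundle): array
{
    $re = '/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s';
    preg_match_all($re, $bundle, $matches);
    return $matches[0];
}

// Run the checks listed in the post; return what the install step would need.
function prepareInstall(string $bundle, string $keyPem, string $entered, string $stored): array
{
    // Constant-time comparison: no timing hint about how much of the password matched.
    if (!hash_equals($stored, $entered)) {
        throw new RuntimeException('password mismatch');
    }
    $certs = splitPemBundle($bundle);
    if ($certs === []) {
        throw new RuntimeException('no certificate found');
    }
    $leaf = array_shift($certs);          // first block is the leaf
    $info = openssl_x509_parse($leaf);    // false when the structure is invalid
    if ($info === false || openssl_pkey_get_private($keyPem) === false) {
        throw new RuntimeException('malformed certificate or key');
    }
    if (!openssl_x509_check_private_key($leaf, $keyPem)) {
        throw new RuntimeException('key does not match leaf certificate');
    }
    return ['cn' => $info['subject']['CN'] ?? null, 'leaf' => $leaf, 'chain' => $certs];
}

// Constructed sample input: a throwaway self-signed certificate for example.com,
// repeated to stand in for the chain entries that follow the leaf.
$opts = ['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA];
$key = openssl_pkey_new($opts);
$csr = openssl_csr_new(['commonName' => 'example.com'], $key);
openssl_x509_export(openssl_csr_sign($csr, null, $key, 1), $certPem);
openssl_pkey_export($key, $keyPem);
openssl_pkey_export(openssl_pkey_new($opts), $otherKeyPem);

$ok = prepareInstall($certPem . $certPem . $certPem, $keyPem, 'constructed-pw', 'constructed-pw');
echo 'CN: ', $ok['cn'], ', chain entries: ', count($ok['chain']), "\n";
try {
    prepareInstall($certPem, $otherKeyPem, 'constructed-pw', 'constructed-pw');
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```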
Hi @griffin – first of all thank you for making an awesome tool. I'm not a developer or web designer, just a fella helping out a friend with her website – so CertSage has been a godsend.
I've just updated to CertSage 1.3.0 but it only presents a blank screen when I access the URL – https://www.joannemccrumdesign.co.uk/certsage.php. Reverting back to CertSage 1.2.0 works just fine, but 1.3.0 just isn't playing ball for some reason. Appreciate you can't know everyone's set up, but do you have any insight into why 1.3.0 might be failing on my set up? Is there some additional requirement for 1.3.0 that my friend's website might be objecting to? (She's hosted by Tsohost).
Sorry you're running into trouble. We'll try to get to the bottom of this. Do you see a php error log file sitting in the directory where certsage.php is located? If you do, please email it to me (
As a side note, I've noticed that the last couple of certificates have not included
When using CertSage, you will want to type these domain names in this exact order, one per line:
That will make sure that the certificate installation function, as it is currently implemented (with an update coming soon), will have the best chance of successfully installing the certificate.
The error is because the random_bytes function is not in your PHP version, which should be at least 7. What version are you using? You can find this in cPanel (and upgrade it there too).
@griffin Is the PHP version checkable from within CertSage?
(So that an informational warning could be shown to the user)
It's possible, but that would expose security vulnerabilities. I should probably put a check with a generic error though.
Thanks @griffin – the PHP version is 7.4.
Thanks also for the advice on the domains. I got the certification expiration reminder recently so I've gone back to 1.2.0 to ensure that I can update the certificates.
I'm not sure why your PHP version doesn't have the random_bytes function. It's part of the standard PHP library.
I can still update the certificate using 1.2.0 so all is not lost.
Thanks again for your prompt attention on this.