Sounds to me like you’re probably using shared hosting through somewhere like GoDaddy. I generally agree with the suggestions that @JuergenAuer has made. However, I’m getting the feeling that you might not consider yourself particularly comfortable with some of the more code/script approaches. From these considerations, I’ll try to offer a few tips to get started.
If you are using GoDaddy or a similar hosting provider, you most likely will find a setting in the server section of their website outside of cPanel to enable SSH access. You need to check that box in order to either use an external SSH login or, perhaps more usefully, the internal terminal in cPanel. Once you enable SSH access, the Terminal should appear in the ADVANCED section of cPanel. See the two screenshots below:
You may need to refresh the page for cPanel a few times after enabling the SSH access (or logout and login again) for the Terminal to appear.
If you don’t intend to use an external SSH connection, you don’t need to mess with the SSH section in cPanel at all. When using the Terminal directly in cPanel you also never need to create separate login credentials. It’s not the most powerful or convenient way, but it will get the job done. When running any scripts or clients through there, you can take advantage of using “> filename” at the end of commands to output to a file that you can then open through the cPanel File Manager. You should be able to create your private keys and certificate signing requests (CSRs) as well as upload certificates in the cPanel SECURITY section under SSL/TLS. There will probably also be an SSL/TLS Status icon you can click as well to check the validity of your certificate installation. If your situation is anything like mine for a new cPanel instance, you probably have a self-signed certificate installed, which you’ll want to replace ASAP.
To get you started, here are a couple of terminal commands to generate a private key and a certificate signing request (CSR) in the Terminal. The second command will prompt you for the information for your domain:
openssl genrsa -out private.key 4096
openssl req -new -key private.key -out your.csr -sha256
The first command will put your new private key in the current (usually root) folder in private.key. The second command will put your new CSR in the current folder in your.csr.
The important steps for getting your certificate are:
- Generate your private key and csr using either a Let’s Encrypt acme script/client, the cPanel SECURITY SSL plugin, or the commands above. Note that many of the acme scripts/clients will take care of the private key and csr generation for you as well as automate your renewals.
- Use an acme client to process your csr and communicate with the Let’s Encrypt servers so that they can issue challenges to prove your ownership of the domain. These typically involve creating DNS TXT records or uploading files to a certain place on your server. I find the DNS method easier personally. There are various acme clients out there that will let you obtain a certificate from your csr without needing heavy permissions or code, one of which can be used directly on my website.
- Once you’ve done what is asked (or had the client do it for you if it has access to do so), the client can then verify your ownership and acquire your new certificate.
- Lastly you need to install your private key and certificate in the appropriate place on your server. The easiest way to accomplish these is if the client does it for you. The next best way is just to copy and paste them into the corresponding SSL pages in cPanel.