Must I pay money for an SSL certificate in shared hosting?

I host a website on shared hosting at Namecheap. I have Cpanel there.

Namecheap tries to sell an SSL certificate for each web domain I have (whether if that web domain was purchased at Namecheap or at another web hosting company).
The starting price is 30$ for five years, then it renews at about 35$ for five years.

I can SSH into the server environment but not as root user so I can't install Certbot.

As I can't install Certbot allegedly, my question is when it comes to shared hosting companies, must I always pay money to purchase one of their SSL certificate or at least in this case, must I pay money?

I got an error when trying to post several screenshots from Cpanel, so here are the screenshots in separate posts each:

That depends. Do they also offer free certificates or only payed certificates?

If they don't offer free certs themselves, do they offer the ability to install your own certificate (for free)?

You can probably use acme.sh

(Just make sure its directory isn't accessible from outside)

With PHP, you may be able to use certsage.

From my understanding, they don't offer free cerficates.

About installing one myself from the shell command line user interface; it may be possible but because it's a shared hosting without root or sudo, I don't have a clue what to try or how to start.

cPanel can install certificates using their uapi binary to communicate with the cPanel API, e.g.:

uapi SSL install_ssl ...rest of command...

This shouldn't require root/sudo access.

Looking at the cPanel documentation at https://support.cpanel.net/hc/en-us/articles/360053404634-Using-cPanel-s-APIs-From-The-Command-Line, it's possible to check if that API call is available:

The best way to determine if an API call exists is to search through all the APIs at once. There are at least three different ways to do this:

1- Using The apitool Binary:

The apitool binary is a very handy tool that you can use to list all the available API calls at any time, so naturally, it is very useful if you are looking for a specific API function. All you need to do is to execute the binary and then pipe the output through a grep and search for a specific string that you suspect could appear in the function's name: (You need to replace the $STRING with the search term for which you wish to find relevant API calls)

/usr/local/cpanel/bin/apitool | egrep -i $STRING

Thus you could try:

/usr/local/cpanel/bin/apitool | egrep -i install_ssl

If that command gives a result, you should be able to install a certificate issued by e.g. CertSage (or acme.sh or even Certbot with the correct options so it doesn't require root).

If that command doesn't come up with anything, there are more things you could try mentioned in the documentation I linked above.

Are you puzzled about how to install / use an ACME client? Or how to apply the cert to cPanel once you get one?

If the former you could try the certsage link that rg305 provided. It does not require root and optimized for cPanel just like the link says

Also, acme.sh does not require root and many others do not either. acme.sh github (link here) says " * DOES NOT require root/sudoer access."

These are both good candidates but others are

Please note that acme.sh defaults to a commercial CA that also offers free certificates called ZeroSSL. You need to perform some things if you want certs from Let's Encrypt.

Good point. You need to specify --server letsencrypt and can set it as default too

As @rg305, @Osiris, and @MikeMcQ already pointed out, just use CertSage and be done with it. You'll have your certificate acquired and installed in under a minute.

@griffin Can CertSage install certs into cPanels yet?

Yeah, for a long time now.

Nice!

Then my stuff about uapi above is just in case something doesn't work and debugging needs to be done

Your uapi work was the basis of that implementation.

Warm hello @griffin !

From a quick Google search I didn't find even one result about the following issue:

What is the difference between certstage and certbot?

Thanks
Ben

Try it without the extra "T" in certsage.

I get generally the same Google results.

What is the difference between CertSage and Certbot?