Installing Let's Encrypt SSL Certificates On Namecheap Hosting
Acme.sh
This process only needs to be performed once. Running the acme.sh script creates a cron job that will handle certificate renewals.
- How to use acme.sh with cPanel for automatically renewing Let's Encrypt SSL (Gist)
- Let’s Encrypt SSL certificate in Namecheap AutoRenewal – Verified & working – Using ACME.sh (dev.to)
Same basic instructions as above, but with comments and some extra information.
Updating acme.sh
$ acme.sh --upgrade
Specifying default acme.sh CA server
$ acme.sh --set-default-ca --server letsencrypt
See https://github.com/acmesh-official/acme.sh/wiki/Server
Renewals
Renewals are supposed to happen automatically after installing a certificate with acme.sh, but I have been receiving expiration notices for domains up to two days prior to the expiration date. Not sure when exactly a domain would be renewed?
Confirm expiration date of a certificate
Using a browser
- Load the site in a Chrome browser.
- Open Developer Tools.
- Click the Security tab.
- Certificate > View Certificate button.
- Expiration Date is displayed in the dialog.
Using cPanel
- Log into cPanel.
- Security > SSL/TLS
- Generate, view, upload, or delete SSL certificates will show who issued the certificates in use.
- Manage SSL Sites will show which sites have certificates, and when those certificates expire.
Troubleshooting
Certificate not renewing
After installing a certificate with acme.sh it should be renewed automatically. However, it's possible to manually renew certificates.
Certificate failing to verify using .well-known challenge
Use case
- Log into the server using ssh.
- Run the acme.sh script from the command line to renew the certificate.
- There will be errors to the effect of "verify error" and "invalid response from [domain]/.well-known/acme-challenge/...".
Cause
Permissions errors prevent the script from writing the file to .well-known/acme-challenge/ that is used to verify ownership of the domain.
Fix
The last time this happened, I compared the permissions for the web roots and .well-known directories for two sites hosted on the same server where one site's certificate was being renewed and the other was failing. I could not find any differences in the permissions.
What I ended up doing was to move the root directory of the site, create a new directory for the site, put a boilerplate index html page in the directory, and then run the acme script. After this allowed me to renew the certificate, I copied all the content from the original directory back into the new one.
Also! Remember that the root of many of the web apps is in the app/ subdirectory! When issuing the certificate make sure to set the web root option appropriately, e.g. --webroot ~/mydomain.com/app
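A pre-flight check for the failure described above, as an added example that is not part of the original page or of acme.sh: it repeats the filesystem steps that webroot validation depends on, reports the first one that fails, and prints the modes along the challenge path so a working site and a failing site can be compared. The function names and the probe file name are hypothetical.

```shell
#!/bin/sh
# Added example, not part of acme.sh. Function names and the probe file
# name are made up for this check.

# Try the filesystem steps a webroot validation needs and report the first
# one that fails. Returns 0 on success, 1-3 on failure.
check_acme_webroot() {
    cw_root=$1
    cw_chal="$cw_root/.well-known/acme-challenge"
    cw_probe="$cw_chal/preflight-probe.$$"

    if [ ! -d "$cw_root" ]; then
        echo "FAIL: web root '$cw_root' is not a directory (app/ subdirectory?)"
        return 1
    fi
    if ! mkdir -p "$cw_chal" 2>/dev/null; then
        echo "FAIL: cannot create '$cw_chal'"
        return 2
    fi
    if ! ( echo probe > "$cw_probe" ) 2>/dev/null; then
        echo "FAIL: cannot write a file into '$cw_chal'"
        return 3
    fi
    rm -f "$cw_probe"
    echo "OK: '$cw_chal' exists and is writable"
    return 0
}

# Print mode, owner and group for each directory on the challenge path,
# relative to the web root, so two sites' output can be compared with diff.
challenge_path_modes() {
    for cw_dir in "$1" "$1/.well-known" "$1/.well-known/acme-challenge"; do
        cw_rel=${cw_dir#"$1"}
        if [ -e "$cw_dir" ]; then
            ls -ld "$cw_dir" | awk -v p="$cw_rel" '{print $1, $3, $4, p "/"}'
        else
            echo "missing $cw_rel/"
        fi
    done
}

# Usage: sh check_webroot.sh ~/mydomain.com/app
if [ "$#" -gt 0 ]; then
    check_acme_webroot "$1" && challenge_path_modes "$1"
fi
```

Run it as the same user that runs acme.sh, passing the same path given to --webroot.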
Timeout polling order status while issuing certificate
Use case
Manually issue a certificate with the following command:
$ acme.sh --issue --webroot ~/my_webapp_root -d mydomain.com --force
Expected result
acme.sh sends request to the CA server and receives successful response.
Actual result
[Sat Apr 9 17:40:56 EDT 2022] Polling order status: https://acme.zerossl.com/v2/DV90/order/dtElfwFq1sLFiXaP188uDw
[Sat Apr 9 17:40:59 EDT 2022] Order status is processing, lets sleep and retry.
[Sat Apr 9 17:40:59 EDT 2022] Retry after: 15
[Sat Apr 9 17:41:15 EDT 2022] Polling order status: https://acme.zerossl.com/v2/DV90/order/dtElfwFq1sLFiXaP188uDw
[Sat Apr 9 17:41:18 EDT 2022] Order status is processing, lets sleep and retry.
[Sat Apr 9 17:41:18 EDT 2022] Retry after: 15
Over and over again until finally the script times out with an error similar to this:
[Sat Apr 9 17:42:29 EDT 2022] Sign error, wrong status
Solution
This happened using the default acme.sh CA server which is ZeroSSL. Changing the default CA server to Let's Encrypt fixed this.
$ acme.sh --set-default-ca --server letsencrypt
See also
Let's Encrypt SSL Certificates on Namecheap Hosting (Legacy)