In this tutorial, we will set up an SSL certificate on kahanelawgroup.com using Let’s Encrypt and acme.sh, covering installation, troubleshooting, CABUNDLE issues, and server configuration for Apache and Nginx.

Step 1: Install acme.sh (if not installed)

If you haven’t already installed acme.sh, do so with the following commands:

bash
curl https://get.acme.sh | sh

Once installed, reload your shell environment to use acme.sh:

bash
source ~/.bashrc

Alternatively, restart your session:

bash
exec $SHELL

Step 2: Issue an SSL Certificate Using acme.sh

To issue an SSL certificate for your domain (e.g., kahanelawgroup.com), run:

bash

acme.sh --issue -d kahanelawgroup.com --standalone --keylength ec-256  

~/.acme.sh/acme.sh --issue -d ratsamyconsulting.com -d www.ratsamyconsulting.com --webroot /home/kahayzin/ratsamyconsulting.com
  • If you are using a web server like Apache or Nginx, use the Webroot method instead:

    bash
    ~/.acme.sh/acme.sh --issue -d kahanelawgroup.com -d www.kahanelawgroup.com --webroot /home/YOUR_CPANEL_USERNAME/public_html

Common Issue: If the domain validation fails, make sure:

  • Your domain is pointing to the correct server.
  • Port 80 (HTTP) is open for standalone mode.

You can check if port 80 is open by running:

bash
sudo netstat -tulnp | grep :80

If another process is using port 80, temporarily stop it, run the SSL command, and restart the service:

bash
sudo systemctl stop apache2
sudo systemctl stop nginx

Then, run the acme.sh --issue command again.


Step 3: Install the SSL Certificate

Once the SSL certificate is issued successfully, install it:

bash
~/.acme.sh/acme.sh --install-cert -d kahanelawgroup.com \
  --key-file /home/YOUR_CPANEL_USERNAME/ssl/kahanelawgroup.com.key \
  --fullchain-file /home/YOUR_CPANEL_USERNAME/ssl/kahanelawgroup.com.crt \
  --reloadcmd "service apache restart"

This command copies the private key and full chain to the given paths and runs the reload command. acme.sh remembers these settings and repeats them on every renewal.


Step 4: Locate Your Certificate Files

After installation, check where the certificates are stored:

bash
ls -l /home/kahayzin/.acme.sh/kahanelawgroup.com_ecc/

You should see:

  • kahanelawgroup.com.cer → Your domain certificate
  • kahanelawgroup.com.key → Private key
  • fullchain.cer → Full chain certificate
  • ca.cer → Certificate Authority Bundle (CABUNDLE)

Step 5: Fix CABUNDLE Issues

The CABUNDLE is often required by servers and applications to complete the SSL chain.

To verify your CABUNDLE file, run:

bash
cat /home/kahayzin/.acme.sh/kahanelawgroup.com_ecc/ca.cer

If it contains multiple BEGIN CERTIFICATE and END CERTIFICATE blocks, it’s correct.
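
The visual check above can be scripted. The following is an added example, not part of acme.sh or of the original tutorial: it counts well-formed certificate blocks and fails if the bundle is truncated or contains a private key. The function name pem_bundle_check and the sample bodies are constructed for illustration.

```shell
# pem_bundle_check FILE  (hypothetical helper name, not an acme.sh command)
# Prints the number of well-formed CERTIFICATE blocks in FILE.
# Exit status: 0 = OK, 1 = malformed or truncated, 2 = private key present.
pem_bundle_check() {
    awk '
    # A CA bundle is public chain material; key material must never be in it.
    /^-----BEGIN [A-Z ]*PRIVATE KEY-----/ { haskey = 1 }
    /^-----BEGIN CERTIFICATE-----[ \t\r]*$/ {
        if (inside) bad = 1            # BEGIN while a block is still open
        inside = 1; body = 0; next
    }
    /^-----END CERTIFICATE-----[ \t\r]*$/ {
        if (!inside || body == 0) bad = 1   # stray END or empty block
        else count++
        inside = 0; next
    }
    inside {
        line = $0; sub(/[ \t\r]+$/, "", line)
        if (line !~ "^[A-Za-z0-9+/=]+$") bad = 1   # not a base64 line
        else body++
    }
    END {
        if (inside) bad = 1            # file ends inside a block
        print count + 0
        if (haskey) exit 2
        if (bad) exit 1
    }' "$1"
}

# Constructed sample: placeholder base64 bodies, not real certificates.
sample=$(mktemp)
printf '%s\n' \
  '-----BEGIN CERTIFICATE-----' 'Q29uc3RydWN0ZWRTYW1wbGVPbmU=' '-----END CERTIFICATE-----' \
  '-----BEGIN CERTIFICATE-----' 'Q29uc3RydWN0ZWRTYW1wbGVUd28=' '-----END CERTIFICATE-----' \
  > "$sample"
echo "certificate blocks: $(pem_bundle_check "$sample")"
```

Run it against ca.cer or fullchain.cer from Step 4; a count of 0 or a non-zero exit status means the file should not be handed to the web server.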


Step 6: Configure SSL on Your Web Server

For Apache

Edit your Apache SSL configuration file (usually located at /etc/apache2/sites-available/default-ssl.conf):

apache
<VirtualHost *:443>
ServerName kahanelawgroup.com
SSLEngine on
SSLCertificateFile /home/kahayzin/.acme.sh/kahanelawgroup.com_ecc/kahanelawgroup.com.cer
SSLCertificateKeyFile /home/kahayzin/.acme.sh/kahanelawgroup.com_ecc/kahanelawgroup.com.key
SSLCertificateChainFile /home/kahayzin/.acme.sh/kahanelawgroup.com_ecc/ca.cer
</VirtualHost>

Then, restart Apache:

bash
sudo systemctl restart apache2

For Nginx

For Nginx, concatenate the full chain and CABUNDLE:

bash
cat /home/kahayzin/.acme.sh/kahanelawgroup.com_ecc/fullchain.cer /home/kahayzin/.acme.sh/kahanelawgroup.com_ecc/ca.cer > /etc/ssl/certs/cabundle.pem

Then, edit your Nginx configuration file (e.g., /etc/nginx/sites-available/default):

nginx
server {
listen 443 ssl;
server_name kahanelawgroup.com;
ssl_certificate /home/kahayzin/.acme.sh/kahanelawgroup.com_ecc/fullchain.cer;
ssl_certificate_key /home/kahayzin/.acme.sh/kahanelawgroup.com_ecc/kahanelawgroup.com.key;
}

Restart Nginx:

bash
sudo systemctl restart nginx

Step 7: Verify Your SSL Installation

Check if your SSL certificate is installed correctly:

bash
openssl s_client -connect kahanelawgroup.com:443 -servername kahanelawgroup.com -showcerts

You can also verify using an online tool:
🔗 SSL Labs SSL Test


Step 8: Enable Auto-Renewal for SSL Certificate

To ensure your SSL certificate renews automatically, set up a cron job:

bash
crontab -e

Add this line at the bottom:

bash
0 3 * * * "/home/kahayzin/.acme.sh/acme.sh" --cron --home "/home/kahayzin/.acme.sh/" > /dev/null

This runs the renewal check daily at 3 AM.


Conclusion

You’ve now successfully installed an SSL certificate using Let’s Encrypt with acme.sh, resolved CABUNDLE issues, and configured it for Apache/Nginx.

Key Fixes Included:

  • Ensuring port 80 is open for domain validation
  • Finding and using the CABUNDLE correctly
  • Restarting web servers after installation
  • Setting up automatic SSL renewal

🚀 Your site should now be secured with HTTPS. 🎉