/ Articles ^

Let's Encrypt SSL certificates on Namecheap shared hosting

Last updated 14 Aug 2023

Namecheap do not support automatic provisioning of free SSL/TLS certificates from services like Let's Encrypt because of a long-standing deal with a CA that sells certificates. They offer a free certificate for the first year of a domain but then they need to be paid for annually thereafter. Although you can't automate Let's Encrypt certificates on Namecheap, you can generate and install them manually (but this needs to be done every 90 days).

This guide assumes you have access to a computer running a Linux operating system such as Debian or Ubuntu. You don't need to set up any filesharing, you just need to be able to SSH into it in order to copy/paste the verification challenges, certificates and keys. If you're using Windows you can use a tool like PuTTY to connect to it.

Get started by installing certbot using the following command (if you're not using a Debian-based Linux distribution then you'll need to check the relevant commands and package names). Linux commands prefixed with # need to be run as root or using sudo whereas lines beginning with $ can be run as a normal user.

# apt update && apt install certbot

Once it's installed, you can run the following command - you'll need to go through some intial setup questions about your IP address and email address etc. By default, the verification challenge is set to HTTP - this means you need to create .well-known/acme-challenge folder structure in the root of your public_html folder of your Namecheap hosting. You then need to create a file with the name and contents given by certbot. Alternatively, we will use --preferred-challenges dns which will instead require us to add a TXT record to the domain in DNS.

# certbot certonly --manual --preferred-challenges dns

When it prompts you for the domain, you should also add a wildcard subdomain so that other URLs (eg for mail addresses) will also have a valid certificate. This needs to be specified before your main domain - for example (obviously replacing roddie.digital with your domain):

*.roddie.digital roddie.digital

Log in to the Namecheap website and select the Manage option for the domain you're dealing with and switch to Advanced DNS tab. Under the Host Records section select Add New Record, selecting TXT record from the dropdown and adding _acme-challenge as the Host and the string provided by certbot as the Value then save your changes. If you're on Windows, you can use the following Powershell command to check the record exists:

ipconfig /flushdns; resolve-dnsname _acme-challenge.roddie.digital -type TXT

Or from your Linux machine, you can use this command:

$ dig _acme-challenge.roddie.digital -t TXT +short

Once you've confirmed it exists, complete the prompt in certbot and it should write the certificate/chain and private key to a directory in /etc/letsencrypt. In Namecheap, go back to the dashboard and select Go to cPanel from the dropdown of the server icon next to your domain. Scroll down to the Security section and select SSL/TLS then Manage SSL sites from the bottom-right of the next screen. Select Update Certificate under Actions for your domain and then go back to your Linux machine running certbot and print the contents of the certifcate using the following command:

# cat /etc/letsencrypt/live/roddie.digital/fullchain.pem

This contains the full chain which is the server certificate, intermediate CA and root CA. The cPanel SSL/TLS application won't accept the full chain, so you need to make sure you only copy the first third of this file (upto and including the first line with END CERTIFICATE) to copy into the Certificate (CRT) textbox. For the Private Key (KEY) textbox run the following command on the Linux machine:

# cat /etc/letsencrypt/live/roddie.digital/privkey.pem

You can leave the CABUNDLE textbox blank and then hit the Install Certificate button to complete the process.

If you need to answer a DNS challange to generate a certificate for an additional domain on your hosting, go to the cPanel for your primary domain, go to the Domains section and select Zone Editor. Click the Manage button for your additional domain and select Add "TXT" Record from the Add Record dropdown on the right. Enter _acme-challenge into the first field (and it should automatically append your domain because Namecheap classes it as a subdomain of your primary domain for shared hosting) and the string from certbot into the Record field. Again, you can use the dig or resolve-dnsname commands against this domain to check when the record has been created so you can then complete the process.

Also, if you are using EasyWP hosting for WordPress, you need to specify the CA Bundle by pasting in the middle certificate from the fullchain.pem file. Most functionality will work without it but URL previews when sharing links (eg OpenGraph) will not. If you have previews configured you can test them at opengraph.xyz where you will see an SSL/TLS error if you do not have the CA Bundle configured.

Return to roddie.digital / top