How to Install Free Let’s Encrypt SSL on a cPanel Shared Account (Without Root Access)
If your hosting provider does not offer AutoSSL or Let’s Encrypt inside cPanel, but you do have shell access, you can install and manage your own SSL certificate using acme.sh.
This method works perfectly on shared hosting with user-level SSH.
Requirements
Before starting, make sure:
- ✅ You have cPanel hosting
- ✅ SSH (shell) access is enabled for your cPanel user
- ✅ Your domain DNS is pointing to the server IP
Step 1 – Install acme.sh
Login via SSH and run:
curl https://get.acme.sh | sh
After installation, upgrade it and set Let’s Encrypt as the default CA:
~/.acme.sh/acme.sh --upgrade --auto-upgrade
~/.acme.sh/acme.sh --set-default-ca --server letsencrypt
This ensures:
- Auto-upgrade is enabled
- Let’s Encrypt is used instead of ZeroSSL (default)
Step 2 – Issue the SSL Certificate
Use webroot validation (recommended for shared hosting):
~/.acme.sh/acme.sh --issue \
-d example.com \
-d www.example.com \
-w /home/username/public_html \
--server letsencrypt
Replace:
- example.com → your domain. You can add additional domains with the -d option, for example by adding -d mail.domain.com to the issue command.
- username → your cPanel username
If successful, the certificate will be issued and stored inside:
~/.acme.sh/example.com_ecc/
By default, acme.sh generates an ECC (ec-256) certificate, which is modern and efficient.
Step 3 – Deploy SSL to cPanel Automatically
Now deploy the certificate using the built-in cPanel hook:
~/.acme.sh/acme.sh --deploy \
-d example.com \
--deploy-hook cpanel_uapi
This installs the certificate directly into cPanel using UAPI.
If successful, the SSL will immediately appear under:
cPanel → SSL/TLS Status
Step 4 – Confirm Auto Renewal (Cron Job)
acme.sh automatically creates a cron job during installation.
Check it:
crontab -l
You should see something similar to:
0 0 * * * "/home/username/.acme.sh"/acme.sh --cron --home "/home/username/.acme.sh" > /dev/null
If present → auto-renewal is enabled.
acme.sh runs daily but only renews when the certificate is within 30 days of expiry.
Step 5 – Confirm cPanel Deploy Hook Is Stored
You must confirm the deploy hook is saved, so renewal automatically reinstalls SSL.
Option A – Using --info
~/.acme.sh/acme.sh --info -d example.com
Look for:
Le_DeployHook='cpanel_uapi,'
Option B – Check Config File Directly
cat ~/.acme.sh/example.com_ecc/example.com.conf
Confirm these lines exist:
Le_Webroot='/home/username/public_html'
Le_DeployHook='cpanel_uapi,'
If the deploy hook is missing, run:
~/.acme.sh/acme.sh --deploy -d example.com --deploy-hook cpanel_uapi
Optional – Test Renewal
You can safely test renewal:
~/.acme.sh/acme.sh --renew -d example.com
If it skips due to renewal time, that means it’s working correctly.
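The checks from Steps 4 and 5 can be scripted so they are easy to re-run after any change to the account. This is an added example, not part of acme.sh or of the original article; the function names conf_value, check_domain_conf and check_cron are assumptions, and it relies on the Key='value' line format shown in the config file above.

```shell
#!/bin/sh
# Added example: audit that an acme.sh renewal will redeploy to cPanel.
# Function names are hypothetical; paths follow the article's placeholders.

# Print the value of KEY from an acme.sh domain .conf file (lines: Key='value').
conf_value() {   # usage: conf_value KEY FILE
    sed -n "s/^$1='\(.*\)'\$/\1/p" "$2" | tail -n 1
}

# Return 0 only if a webroot is stored and cpanel_uapi is among the deploy hooks.
check_domain_conf() {   # usage: check_domain_conf FILE
    conf=$1 rc=0
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 2; }
    webroot=$(conf_value Le_Webroot "$conf")
    hooks=$(conf_value Le_DeployHook "$conf")
    if [ -z "$webroot" ]; then
        echo "FAIL: Le_Webroot is not set"
        rc=1
    else
        echo "OK: webroot is $webroot"
    fi
    # Le_DeployHook is a comma-separated list, e.g. 'cpanel_uapi,'
    case ",$hooks," in
        *,cpanel_uapi,*) echo "OK: deploy hook cpanel_uapi is stored" ;;
        *) echo "FAIL: cpanel_uapi missing from Le_DeployHook ('$hooks')"; rc=1 ;;
    esac
    return $rc
}

# Return 0 if the crontab text on stdin has an active (uncommented)
# acme.sh --cron entry.
check_cron() {
    grep -v '^[[:space:]]*#' | grep -q 'acme\.sh.*--cron'
}

# Usage on the real account:
#   check_domain_conf ~/.acme.sh/example.com_ecc/example.com.conf
#   crontab -l | check_cron && echo "OK: cron entry present"
```

A non-zero exit from either function means the next renewal would not run or would not reinstall the certificate in cPanel.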
How It Works After Setup
Once configured:
- Cron runs daily
- acme.sh checks expiry
- If within 30 days → it renews
- Automatically runs the cpanel_uapi deploy hook
- SSL gets reinstalled in cPanel
No manual action required.
Final Result
- ✅ Free Let’s Encrypt SSL
- ✅ Automatic renewal
- ✅ Automatic deployment to cPanel
- ✅ No root access required
- ✅ No hosting provider tools needed
If your hosting supports SSH, you can fully manage your own SSL independently — even on shared hosting.

