How to Install Sectigo ACME SSL Certificates on cPanel/WHM using Certbot

Securing websites with SSL/TLS is no longer optional; it is an absolute requirement. But short lifespans and compliance demands have made manual installs unscalable, especially with 397-day certs now heading toward 47-day cycles.

Sectigo offers ACME automation, but it doesn’t integrate natively into cPanel. That means sysadmins have to take the manual route. The good news: with Certbot, you can still automate issuance and renewal of Sectigo SSL certificates.

This guide walks through everything from installation and setup to wildcard support and automation, so you can manage Sectigo SSLs on cPanel/WHM servers without any issues.

The setup is a one-time process. Once configured, Certbot will handle automatic renewals.

Prerequisites

Before you start, check these boxes. Skipping them is the number one cause of failed SSL installations:

  1. Root SSH access to your cPanel or WHM server
  2. Domain setup in cPanel, with correct DNS A and AAAA records pointing to the server
  3. Ports 80 and 443 open in your firewall. This is required for ACME challenges
  4. EAB credentials (Key ID and HMAC key) from your Sectigo order details

If you’re unsure whether your ports are open, use a tool like nmap from another machine:

nmap -p 80,443 yourdomain.com

If they’re closed, Certbot validation will fail immediately.

Step 1 – Installing Certbot

Certbot is the client we’ll use to communicate with Sectigo’s ACME server. While cPanel doesn’t ship it by default, installation is straightforward.

Option A – Install via Snap (recommended)

sudo yum install snapd -y
sudo systemctl enable --now snapd.socket
sudo ln -s /var/lib/snapd/snap /snap
sudo snap install core
sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

Option B – Install via Yum (basic, but may be outdated)

sudo yum install epel-release -y
sudo yum install certbot -y

This is fine for testing, but Yum packages are often old. Outdated Certbot versions can fail when Sectigo updates their ACME endpoints.

Best practice: always use Snap if possible. It guarantees you’re running the latest Certbot, reducing compatibility issues.

Step 2(A) – Requesting a Sectigo SSL (Standard Domain)

Once Certbot is installed, you can request a certificate. Sectigo requires EAB credentials (provided when you purchase Sectigo ACME certs).

  1. Apache Example

    sudo certbot --apache \
    --non-interactive \
    --agree-tos \
    --email admin@example.com \
    --server https://acme.sectigo.com/v2/DV \
    --eab-kid YOUR_EAB_KID \
    --eab-hmac-key YOUR_EAB_HMAC_KEY \
    --domain example.com \
    --cert-name example-cert
  2. Nginx Example

    sudo certbot --nginx \
    --non-interactive \
    --agree-tos \
    --email admin@example.com \
    --server https://acme.sectigo.com/v2/DV \
    --eab-kid YOUR_EAB_KID \
    --eab-hmac-key YOUR_EAB_HMAC_KEY \
    --domain example.com \
    --cert-name example-cert

If you get a urn:ietf:params:acme:error:badEABCredentials error, your EAB Key ID or HMAC Key is wrong. Copy them carefully from Sectigo’s panel.

Integrate Certificate into cPanel/WHM

Certbot places the issued certificate in a directory named after the --cert-name value (example-cert in the commands above):

/etc/letsencrypt/live/example-cert/fullchain.pem
/etc/letsencrypt/live/example-cert/privkey.pem

There are two ways to bring this into cPanel.

Method 1 – WHM GUI

  1. Log in to WHM as root
  2. Navigate to SSL/TLS -> Install an SSL Certificate on a Domain
  3. Paste the values
    • Certificate (CRT) – fullchain.pem
    • Private Key (KEY) – privkey.pem
    • CA Bundle – usually inside fullchain.pem (or use chain.pem)

Method 2 – CLI (for automation)

/usr/local/cpanel/bin/installssl domain example.com \
cert /etc/letsencrypt/live/example-cert/fullchain.pem \
key /etc/letsencrypt/live/example-cert/privkey.pem \
cabundle /etc/letsencrypt/live/example-cert/chain.pem

Automatic Renewal in cPanel Environment

Here’s the part many admins miss: cPanel won’t auto-renew Sectigo certs. If you stop here, your SSL will expire in a few days.

  1. Test Renewal
    sudo certbot renew --dry-run

    If this fails, fix it now and don’t wait until renewal day.

  2. Add cron job
    sudo crontab -e
  3. Then insert
    0 */12 * * * certbot renew --quiet --deploy-hook "/usr/local/cpanel/bin/installssl domain example.com cert /etc/letsencrypt/live/example-cert/fullchain.pem key /etc/letsencrypt/live/example-cert/privkey.pem cabundle /etc/letsencrypt/live/example-cert/chain.pem"

This runs twice daily. If a cert is renewed, the --deploy-hook pushes it straight into WHM.

Step 2(B) – Requesting a Sectigo Wildcard Certificate with Certbot

Wildcard certificates (*.example.com) require DNS-01 validation, since HTTP-01 validation doesn’t work with wildcards. You have two options:

  1. Automatic DNS (preferred) – Use Certbot DNS plugins for supported providers (Cloudflare, Route53, DigitalOcean, etc.).
  2. Manual DNS – Create TXT records manually each time, or use scripts with Lexicon.

Using Certbot DNS Plugins (Example: Cloudflare)

Install the plugin

sudo snap install certbot-dns-cloudflare

Create a credentials file

mkdir -p ~/.secrets/certbot
nano ~/.secrets/certbot/cloudflare.ini

Contents

dns_cloudflare_api_token = YOUR_CLOUDFLARE_API_TOKEN

Secure the file using

chmod 600 ~/.secrets/certbot/cloudflare.ini

Request the wildcard

sudo certbot certonly \
--dns-cloudflare \
--dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini \
--server https://acme.sectigo.com/v2/DV \
--eab-kid YOUR_EAB_KID \
--eab-hmac-key YOUR_EAB_HMAC_KEY \
--email admin@example.com \
--agree-tos \
--cert-name example-wildcard \
-d "*.example.com" -d example.com

Check if Your DNS Provider is Supported

Certbot provides plugins for many DNS providers. A few examples:

DNS Provider          Certbot Plugin
AWS Route53           certbot-dns-route53
Google Cloud DNS      certbot-dns-google
DigitalOcean          certbot-dns-digitalocean
Cloudflare            certbot-dns-cloudflare
GoDaddy (community)   certbot-dns-godaddy
Hetzner               certbot-dns-hetzner
OVH                   certbot-dns-ovh
Linode                certbot-dns-linode

If your provider is on this list, install the relevant plugin.

Example: AWS Route53

Install the plugin

sudo snap install certbot-dns-route53

Request wildcard certificate

sudo certbot certonly \
--dns-route53 \
--server https://acme.sectigo.com/v2/DV \
--eab-kid YOUR_EAB_KID \
--eab-hmac-key YOUR_EAB_HMAC_KEY \
--email admin@example.com \
--agree-tos \
--cert-name example-wildcard \
-d "*.example.com" -d example.com

Example: DigitalOcean

Install the plugin

sudo snap install certbot-dns-digitalocean

Create API token file

mkdir -p ~/.secrets/certbot
nano ~/.secrets/certbot/digitalocean.ini

Contents

dns_digitalocean_token = YOUR_DO_API_TOKEN

Secure it

chmod 600 ~/.secrets/certbot/digitalocean.ini

Request wildcard certificate

sudo certbot certonly \
--dns-digitalocean \
--dns-digitalocean-credentials ~/.secrets/certbot/digitalocean.ini \
--server https://acme.sectigo.com/v2/DV \
--eab-kid YOUR_EAB_KID \
--eab-hmac-key YOUR_EAB_HMAC_KEY \
--email admin@example.com \
--agree-tos \
--cert-name example-wildcard \
-d "*.example.com" -d example.com

If No Official Plugin Exists – Use Lexicon

If your DNS provider does not have an official Certbot plugin, you can use Lexicon, a universal DNS management library.

Install Lexicon

pip install dns-lexicon

Create Hook Scripts

  • auth.sh
    #!/bin/bash
    # Create the _acme-challenge TXT record that Certbot asks for
    lexicon godaddy create "$CERTBOT_DOMAIN" TXT \
    --auth-key "YOUR_GODADDY_KEY" \
    --auth-secret "YOUR_GODADDY_SECRET" \
    --name "_acme-challenge.$CERTBOT_DOMAIN" \
    --content "$CERTBOT_VALIDATION"
  • cleanup.sh
    #!/bin/bash
    # Remove the TXT record once validation has finished
    lexicon godaddy delete "$CERTBOT_DOMAIN" TXT \
    --auth-key "YOUR_GODADDY_KEY" \
    --auth-secret "YOUR_GODADDY_SECRET" \
    --name "_acme-challenge.$CERTBOT_DOMAIN" \
    --content "$CERTBOT_VALIDATION"

Make them executable

chmod +x auth.sh cleanup.sh

Request wildcard with lexicon

sudo certbot certonly \
--manual \
--preferred-challenges dns \
--manual-auth-hook /path/to/auth.sh \
--manual-cleanup-hook /path/to/cleanup.sh \
--server https://acme.sectigo.com/v2/DV \
--eab-kid YOUR_EAB_KID \
--eab-hmac-key YOUR_EAB_HMAC_KEY \
--email admin@example.com \
--agree-tos \
--cert-name example-wildcard \
-d "*.example.com" -d example.com

Configure Certificates in WHM

Once issued, your certificates are stored in the directory named after --cert-name:

/etc/letsencrypt/live/example-wildcard/

Install it in cPanel or WHM

/usr/local/cpanel/bin/installssl domain example.com \
cert /etc/letsencrypt/live/example-wildcard/fullchain.pem \
key /etc/letsencrypt/live/example-wildcard/privkey.pem \
cabundle /etc/letsencrypt/live/example-wildcard/chain.pem

Automate Renewal

Certbot handles renewals automatically. For DNS challenges (like Lexicon), make sure your auth.sh and cleanup.sh scripts remain accessible.

To enforce automation, add a cron job

0 */12 * * * certbot renew --quiet --deploy-hook "/usr/local/cpanel/bin/installssl domain example.com cert /etc/letsencrypt/live/example-wildcard/fullchain.pem key /etc/letsencrypt/live/example-wildcard/privkey.pem cabundle /etc/letsencrypt/live/example-wildcard/chain.pem"
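
Both cron entries in this guide pass a deploy hook with one hard-coded domain and path, yet certbot renew runs the hook for every certificate it renews. The script below is an added example (not part of the original guide, Certbot or cPanel) that reads the renewed certificate's directory and names from the RENEWED_LINEAGE and RENEWED_DOMAINS variables Certbot sets for deploy hooks. The INSTALLER override is an assumption added for dry runs; the installssl path and argument order are copied from the guide.

```bash
#!/bin/bash
# Added example: shared deploy hook, used as
#   certbot renew --quiet --deploy-hook /path/to/this-script
# Installer path and argument order are copied from the guide.
# INSTALLER is an override assumed here so the hook can be dry-run.
INSTALLER="${INSTALLER:-/usr/local/cpanel/bin/installssl}"

# Body runs in a subshell "( )" so set -f and variables stay local.
deploy_renewed() (
    lineage="$1"
    domains="$2"
    rc=0

    # Refuse a half-written lineage: all three files must be non-empty.
    for f in fullchain.pem privkey.pem chain.pem; do
        if [ ! -s "$lineage/$f" ]; then
            echo "deploy-hook: $lineage/$f missing or empty" >&2
            exit 1
        fi
    done

    set -f    # keep "*.example.com" from being expanded as a file glob
    for d in $domains; do
        # A wildcard entry is not a cPanel domain; the base name listed
        # beside it on the same certificate is installed instead.
        case "$d" in
            \*.*) continue ;;
        esac
        "$INSTALLER" domain "$d" \
            cert "$lineage/fullchain.pem" \
            key "$lineage/privkey.pem" \
            cabundle "$lineage/chain.pem" || rc=1
    done
    exit "$rc"
)

# Certbot sets RENEWED_LINEAGE and RENEWED_DOMAINS when it runs a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_renewed "$RENEWED_LINEAGE" "${RENEWED_DOMAINS:-}"
fi
```

Setting INSTALLER=echo prints the install command for each name instead of running it, which is a quick way to check the hook before the first real renewal.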

Best Practices

  1. Check renewal logs every now and then
    Certbot does a great job automating renewals, but things can still break: a DNS change, firewall update or expired API token can stop renewals without warning. Skim through the renewal logs occasionally to make sure certificates are refreshing as expected. It’s a small step that can prevent big pitfalls.
  2. Use different names for staging and production
    When testing new certificates, don’t reuse the same --cert-name. It’s easy to accidentally overwrite your live cert if you’re experimenting. Give staging and production certificates clear, separate names so you know exactly what’s safe to test.
  3. Validate your setup
    Once you’ve installed the certificate, double-check it externally. Many online tools are available that show how the world sees your site, spotting weak ciphers, chain issues or incomplete installations before visitors run into errors.
  4. Lock down API keys and credentials
    If you’re using DNS APIs or Lexicon scripts, treat those tokens like passwords. Store them in restricted files with chmod 600 so nobody else on the server can access them. A leaked API key could let someone else modify your DNS records.
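
Best practice 4 also covers the Lexicon hook scripts: chmod +x alone leaves auth.sh and cleanup.sh, which embed the API key and secret, readable by other users under a typical umask. The following added example (not part of the original guide) lists any path passed to it that carries group or other permission bits; the function name is hypothetical and the paths to check are the ones used in this guide.

```bash
#!/bin/bash
# Added example: flag Certbot secrets that other local users can reach.
# Usage: ./this-script ~/.secrets/certbot/*.ini /path/to/auth.sh /path/to/cleanup.sh
# Prints each offending path; exit status is 1 if any was found.

# Body runs in a subshell "( )" so its variables stay local.
audit_secret_perms() (
    bad=0
    for path in "$@"; do
        # Skip unmatched globs and files that are not present.
        [ -e "$path" ] || continue

        # -prune tests the path itself without descending into directories.
        # Each -perm term matches one group/other bit (r, w or x).
        hit=$(find "$path" -prune \( \
                  -perm -040 -o -perm -020 -o -perm -010 -o \
                  -perm -004 -o -perm -002 -o -perm -001 \))

        if [ -n "$hit" ]; then
            echo "$path"
            bad=1
        fi
    done
    exit "$bad"
)

# Run the audit only when paths were given on the command line.
[ "$#" -eq 0 ] || audit_secret_perms "$@"
```

Credential files pass at mode 600 and hook scripts at mode 700, which keeps them executable for root's cron job while hiding the embedded keys from other accounts.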

Conclusion

Installing Sectigo ACME certificates on cPanel or WHM isn’t as seamless as using AutoSSL, but with Certbot in place, the process becomes largely automated. You’ll gain reliable Sectigo SSL coverage suitable for compliance and enterprise requirements, with automatic renewals that integrate directly into cPanel. Both standard and wildcard domains are supported, so you can cover multiple use cases at once. By setting up the right cron jobs and keeping an eye on logs, you eliminate the risk of certificates expiring unnoticed. Investing the time to configure this upfront means less manual intervention, fewer certificate renewals, and a more secure, hassle-free hosting environment over the long term.


About the Author
Meet Solanki

Meet Solanki, an IT maestro with 8+ years of hands-on expertise in the realms of network and server administration. Armed with a Bachelor's degree in Computer Science, Meet takes pride in being more than a tech enthusiast - he ensures that the systems run seamlessly and maintain the highest standards of security. His technical acumen is a testament to his commitment to optimizing system performance and ensuring robust security protocols.
