I’ve finally found an easy way to enable AutoSSL using LetsEncrypt without messing with installing certbot.

Step 1 – Login via SSH as root

ssh root@<your-server-hostname>

Step 2 – Add LetsEncrypt via WHM API

whmapi1 set_autossl_provider provider='LetsEncrypt' x_terms_of_service_accepted='https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf'
---
metadata:
  command: set_autossl_provider
  reason: OK
  result: 1
  version: 1

You should see the success message shown above. If the agreement URL is not the current one, the call fails with a response like this instead:

---
metadata:
  command: set_autossl_provider
  reason: "API failure: (XID fhddyx) You must accept the current terms of service (https://letsencrypt.org/documents/LE-SA-New_TOS_Document.pdf) to proceed."
  result: 0
  version: 1

If you get an error, it's most likely due to an incorrect agreement URL. Use the URL referenced in the error instead.

whmapi1 set_autossl_provider provider='LetsEncrypt' x_terms_of_service_accepted='https://letsencrypt.org/documents/LE-SA-New_TOS_Document.pdf'
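
An added example, not from the original post, that scripts Step 2: it calls the API and, on a terms-of-service error, retries once with the agreement URL named in the error, accepting that URL only when it is an https link on letsencrypt.org. The function names and the --apply flag are hypothetical; nothing is changed unless the script is run with --apply on a host that has whmapi1.

```bash
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Response copied from the failure output shown in this post.
SAMPLE_FAILURE='---
metadata:
  command: set_autossl_provider
  reason: "API failure: (XID fhddyx) You must accept the current terms of service (https://letsencrypt.org/documents/LE-SA-New_TOS_Document.pdf) to proceed."
  result: 0
  version: 1'

# Print the agreement URL named in a terms-of-service error. Only an https
# URL on letsencrypt.org is accepted; anything else prints nothing.
extract_tos_url() {
    printf '%s\n' "$1" |
        sed -n 's|.*terms of service (\(https://letsencrypt\.org/[^) ]*\)).*|\1|p' |
        head -n 1
}

# Succeed only when the response metadata reports "result: 1".
api_succeeded() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*result:[[:space:]]*1[[:space:]]*$'
}

# Call the API once with the given agreement URL and print the raw response.
set_provider() {
    whmapi1 set_autossl_provider provider='LetsEncrypt' \
        x_terms_of_service_accepted="$1" 2>&1
}

# Try the URL given; on a terms-of-service error, retry once with the URL
# the server names in the error.
enable_letsencrypt() {
    resp=$(set_provider "$1")
    if api_succeeded "$resp"; then return 0; fi
    new_url=$(extract_tos_url "$resp")
    if [ -z "$new_url" ]; then printf '%s\n' "$resp" >&2; return 1; fi
    echo "Retrying with agreement URL from the error: $new_url" >&2
    resp=$(set_provider "$new_url")
    api_succeeded "$resp" || { printf '%s\n' "$resp" >&2; return 1; }
}

# Changes are made only with --apply on a host that has whmapi1.
if [ "${1:-}" = "--apply" ] && command -v whmapi1 >/dev/null 2>&1; then
    enable_letsencrypt "https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf"
fi
```

Read the agreement the error points to before rerunning with --apply, since passing the URL back is what records your acceptance of it.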

Step 3 – Activate the cPanel LetsEncrypt module

/usr/local/cpanel/3rdparty/bin/perl -MCpanel::Install::LetsEncrypt -e 'Cpanel::Install::LetsEncrypt::activate();'

Step 4 – Run AutoSSL for the first time manually

/usr/local/cpanel/bin/checkallsslcerts
The system will check for the certificate for the “cpanel” service.
The system will attempt to replace the self-signed certificate for the “cpanel” service with a signed certificate from the “Let’s Encrypt™” provider.
The system will attempt to install a certificate for the “cpanel” service from the system SSL storage.
None of the certificates in the system SSL storage were acceptable to use for the “cpanel” service.
...

...
Attempting to verify your certificate.....
Querying Apache TLS for installations of the previous certificate …
warn [checkallsslcerts] Cannot connect to database: /var/cpanel/ssl/apache_tls/.index.sqlite: unable to open database file (Cpanel::Exception::Database::ConnectError/(XID 2s3trv) The system failed to connect to the “SQLite” database “/var/cpanel/ssl/apache_tls/.index.sqlite” because of an error:

...
...
warn [checkallsslcerts] The system has recreated the Apache TLS index database. Rebuilding entries …

warn [checkallsslcerts] Apache TLS entries rebuilt.

As there is no Apache TLS database yet, you will see errors the first time; the script should recreate the database.

You should now be done. Go to your WHM login for the DNSOnly host, and there should no longer be any certificate errors.