CLI Reference

The plugin provides a CLI interface since version 0.7.0, via the le-cp command (located at /usr/local/bin/le-cp).

It is only for use by the root user.


[root@~]$ le-cp help
   letsencrypt-cpanel - Command-line interface for FleetSSL cPanel

   le-cp [global options] command [command options] [arguments...]
     ssl         Manage SSL certificates for a user
     hostcert    Add/list/remove host service certificates for cPanel
     autossl     Manage the plugin AutoSSL feature
     reporting   Manage the reporting feature
     config      Manage plugin configuration entries
     self-test   Runs a self-test on various facilities to ensure the plugin is functioning
     email-test  Tests email translation files by sending test emails
     help, h     Shows a list of commands or help for one command

   --mode value    What mode to run the CLI under (legacy) (default: "cgi")
   --restart       Whether to restart the daemon after config changes
   --format value  Go-template like template string for output for eligible commands
   --help, -h      show help
   --version, -v   print the version


The SSL sub-command is responsible for querying and manipulating the plugin certificates on a per-account level.

Therefore, all commands must be called with:

le-cp ssl --user=<username>


Lists the plugin-configured certificates for that user.

[root@~]$ le-cp ssl --user=demo list
2016/08/07 21:20:41 2 certificates were returned
2016/08/07 21:20:41 Domain:
2016/08/07 21:20:41     AltNames: []
2016/08/07 21:20:41     Expiry: 2016-11-05 19:48:00 +1100 AEDT
2016/08/07 21:20:41     URL:
2016/08/07 21:20:41     Cert ID: blog_demo_letsencry_pt_de78e_e60db_1478335680_3d0d84b5b845d9412519530a6d48f224
2016/08/07 21:20:41     Key ID: de78e_e60db_15db379279894f899390b5c1599993f1
2016/08/07 21:20:41 Domain:
2016/08/07 21:20:41     AltNames: []
2016/08/07 21:20:41     Expiry: 2016-11-05 19:48:00 +1100 AEDT
2016/08/07 21:20:41     URL:
2016/08/07 21:20:41     Cert ID: demo_letsencry_pt_e2f39_ee56f_1478335680_1a1225430d7778523c6e01acc853f3b1
2016/08/07 21:20:41     Key ID: e2f39_ee56f_225f1efb202d340d831fa9c51dfbd7d4

With commands that return certificates, you can also use Go programming style templates to format the output:

[root@~]$ le-cp --format="{{ (index . 0).Domain }}" ssl --user=demo list


This command will try to issue a certificate for a set of names for an account. Note that the names must exist in the account as a primary, subdomain, non-redirected alias or addon domain, as per the usual operation of the plugin.

The first name passed will be the primary name, the remaining will be alternate names.

[root@~]$ le-cp ssl --user=demo  issue
2016/08/07 21:27:38 1 certificates were returned
2016/08/07 21:27:38 Domain:
2016/08/07 21:27:38     AltNames: []
2016/08/07 21:27:38     Expiry: 2016-11-05 21:28:00 +1100 AEDT
2016/08/07 21:27:38     URL:
2016/08/07 21:27:38     Cert ID: blog_demo_letsencry_pt_99a22_e018d_1478341680_a8db44c4baaf6f3797643f026fcbf9ff
2016/08/07 21:27:38     Key ID: 99a22_e018d_435794cfa065937c069871d26a71685c

You may also add a --verbose flag to the end, which will list the reason that any particular domain is not included on the resulting certificate.


This command will renew (if eligible for renewal) all plugin-configured certificates for the domain. It will return all the certificates that were renewed.

[root@~]$ le-cp ssl --user=demo renew
2016/08/07 21:26:10 No certificates were returned

You can optionally pass a --force flag on the end to always renew all of the account’s certificates and to ignore their respective expiries.

You can optionally pass a --dry-run flag on the end to just perform a test run of renewing the certificates, without installing anything or using up your Let’s Encrypt rate limits. This uses the Let’s Encrypt staging server.

You can optionally pass a --virtualhost flag on the end to perform the renewal or dry-run only for a specific virtual host within the user’s cPanel account. For example:

le-cp ssl --user=demo renew --virtualhost --dry-run


This command will remove and unconfigure the certificates for the names passed. It will return the certificates that were removed.

Note that you must pass the primary certificate names. All alt names on that certificate will be removed too.

[root@~]$ le-cp ssl --user=demo remove
2016/08/07 21:24:11 1 certificates were returned
2016/08/07 21:24:11 Domain:
2016/08/07 21:24:11     AltNames: []
2016/08/07 21:24:11     Expiry: 2016-11-05 19:48:00 +1100 AEDT
2016/08/07 21:24:11     URL:
2016/08/07 21:24:11     Cert ID: blog_demo_letsencry_pt_de78e_e60db_1478335680_3d0d84b5b845d9412519530a6d48f224
2016/08/07 21:24:11     Key ID: de78e_e60db_15db379279894f899390b5c1599993f1


This command will re-install the certificate on a virtual host, using the preferred alternate chain/issuer specified.

[root@~]$ le-cp ssl --user=demo reinstall --preferred-issuer "ISRG Root X1"

Note that omitting or passing an empt ystring for --preferred-chain will use the server’s default value.


This is the CLI analogue to the Configuration section of the WHM interface for the plugin.

List Entries

This command will list the config entries that you are able to manage using this interface.

$ le-cp config list
INFO[0000] Name:        Deferred restarts               
INFO[0000] Description: Whether to defer Apache restarts until the end of a renewal process. This is highly reccommended if you use AutoSSL. 
INFO[0000] Key:         deferred_restarts               
INFO[0000] Value:       true                            
# <output shortened>

Update an Entry

This command allows you to update config entries one at a time.

$ le-cp config set --key deferred_restarts --value true

Host Cert

See Service Certificates.


See AutoSSL.


See Installation.