Release Notes

v0.19.9 - June 22, 2022.

  • This release prepares the plugin for the upcoming removal of the Paper Lantern cPanel theme.
  • MISC: The plugin now stores its files in /opt/fleetssl-cpanel.
    • It previously stored its files in /usr/local/cpanel/base/frontend/paper_lantern/letsencrypt, with an additional symlink at /usr/local/cpanel/base/frontend/jupiter/letsencrypt.
    • Both former locations will now contain symlinks to /opt/fleetssl-cpanel, if the theme exists on the server.
    • For servers with CloudLinux CageFS enabled, /opt is included in the filesystem skeleton by default, so no intervention should be required in that case. However, if you have removed /opt from the skeleton, you may need to re-add /opt/fleetssl-cpanel in order for users to be able to access the plugin user interface in cPanel.
  • MISC: Support for the X3 theme has been fully removed. cPanel removed this theme a long time ago.
  • FIX: Fixed an RPC error related to expired Sectigo service certificates.

v0.19.8 - May 13, 2022.

  • FIX: This release tries to address the broken installer issue from the previous two releases.
    • Due to a mistake in the rpm/deb pre-uninstall script, upgrading the plugin package would result in many necessary files being deleted, which resulted in the user interface disappearing. (No data is affected).

    • Upgrading to v0.19.8 will not immediately fix the issue. It will take a few minutes for your system to reinstall the plugin asynchronously.

    • You may also apply the fix manually by running this combination of commands:

      yum clean all
      yum -y install letsencrypt-cpanel
      yum -y reinstall letsencrypt-cpanel

v0.19.6 - May 12, 2022.

  • FIX: Fixed an issue with the 0.19.5 installer on CloudLinux servers.
    • It may be necessary to run yum -y remove letsencrypt-cpanel; yum -y install letsencrypt-cpanel in order to repair things on CloudLinux servers.

v0.19.5 - May 9, 2022.

  • FIX: When re-issuing a certificate (not renewing), certificate reuses are now applied.
    • Please note that if the replacement certificate no longer overlaps with any of the domains on the destination virtual host, it will be skipped.
  • MISC: Ubuntu 20.04 is now supported.
    • Ubuntu 22.04, recently released, is not supported yet. We will add support whenever cPanel does.

v0.19.4 - March 17, 2022

  • FIX: cPanel 102 broke the cPanel UAPI has_feature, so a workaround has been implemented to bypass the feature check on these broken servers.
  • FIX: For cPanel servers with FTP daemons enabled (disabled by default on new servers), the plugin will now explicitly restart the FTPd after a service certificate is renewed. Previously, a manual restart was required.
  • MISC: The plugin has been updated to use Go 1.18.
    • We previously put off making this upgrade because of some server configurations with low RLimitMEM values in their Apache configurations, causing crashes in the user interface.
    • If you are seeing a No response from subprocess error message instead of the user interface, you are affected. Please see this troubleshooting section.

v0.19.3 - February 20, 2022

  • FIX: autossl_skip_proxy_subdomains and autossl_skip_patterns now work independently of each other.
  • MISC: autossl_skip_proxy_subdomains and autossl_skip_patterns can now be set without restarting the service, via the WHM UI or via le-cp config.

v0.19.2 - November 29, 2021

  • FIX: The certificate expiry replacement cutoff for the AutoSSL feature was not being correctly calculated.
  • FIX: In some environments, the plugin would not always install into every theme.
  • FIX: In some environments, the plugin would not always install into the WHM UI.

v0.19.1 - October 19, 2021

  • FIX: The installer is now compatible with cPanel version >= 100.

v0.19.0 - October 01, 2021

  • FEATURE: Alternate Chain functionality has been added to provide workarounds for the expiry of the “DST CA Root X3” root certificate affecting Let’s Encrypt.
  • FIX: A bug with le-cp ssl renew --force that was causing --force to be ignored.

v0.18.0 - September 09, 2021

  • FIX: The plugin now appears in the cPanel Jupiter theme (cPanel 98+).

v0.17.2 - May 28, 2021

  • FIX: Fixed a compatibility issue with some CloudLinux servers.

v0.17.1 - November 29, 2020

  • FIX: HTML issue with the WHM user interface.
  • REMOVED: RLIMIT_AS telemetry, as promised.

v0.17.0 - September 06, 2020

  • FEATURE: Added the preferred_issuer_cn configuration option.

    • If the Let’s Encrypt CA offers multiple certificate chains for an issued certificate, the plugin will select the chain which has a path to an issuer matching that Common Name. If no chain matches, then the default certificate chain will be used.
    • The default value of this option is DST Root CA X3.
    • This change is made in preparation for Let’s Encrypt’s transition to the non-legacy chain on September 29, 2020. The plugin will continue to use the legacy chain until it is no longer available. This is done to preserve the highest device compatibility for as long as possible.
  • FIX: Fixed a buggy interaction with another 3rd-party plugin and the chkservd file.

  • FIX: Unfortunately, the RLIMIT_AS telemetry introduced in the last release, which we promised to remove in this release, was not implemented properly; we did not receive any data. This is now fixed, and the telemetry will be disabled in the next release (we hope).
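
The chain selection that preferred_issuer_cn describes can be sketched as follows. This is an added example, not the plugin's own code: the function names and the constructed certificate stubs (names only, no keys or signatures, including one deliberately unlinked chain) are assumptions made for illustration.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// stub builds a certificate that carries only a subject and an issuer name.
// Constructed sample data: no keys or signatures are involved.
func stub(subjectCN, issuerCN string) *x509.Certificate {
	return &x509.Certificate{
		Subject: pkix.Name{CommonName: subjectCN},
		Issuer:  pkix.Name{CommonName: issuerCN},
	}
}

// sampleChains returns constructed chains for one leaf, in the order a CA
// might offer them: the default chain first, then the alternates. The third
// chain is deliberately broken (its second certificate did not issue the
// leaf) to exercise the path check.
func sampleChains() [][]*x509.Certificate {
	leaf := stub("www.example.com", "Let's Encrypt Authority X3")
	return [][]*x509.Certificate{
		{leaf, stub("Let's Encrypt Authority X3", "ISRG Root X1")},
		{leaf, stub("Let's Encrypt Authority X3", "DST Root CA X3")},
		{leaf, stub("Some Other CA", "Unlinked Root")},
	}
}

// issuersOnPath walks a chain from the leaf upwards and collects issuer
// Common Names for as long as each certificate names the next one as its
// issuer. Certificates after a broken link are ignored. Real code would also
// verify signatures (x509.Certificate.CheckSignatureFrom).
func issuersOnPath(chain []*x509.Certificate) []string {
	var cns []string
	for i, c := range chain {
		if i > 0 && chain[i-1].Issuer.String() != c.Subject.String() {
			break
		}
		cns = append(cns, c.Issuer.CommonName)
	}
	return cns
}

// selectChain returns the index of the first chain that has a path to an
// issuer whose Common Name equals preferredCN. If no chain matches, or no
// preference is set, it falls back to chain 0 (the default) and reports
// matched=false.
func selectChain(chains [][]*x509.Certificate, preferredCN string) (idx int, matched bool) {
	if preferredCN != "" {
		for i, chain := range chains {
			for _, cn := range issuersOnPath(chain) {
				if cn == preferredCN {
					return i, true
				}
			}
		}
	}
	return 0, false
}

func main() {
	chains := sampleChains()
	for _, want := range []string{"DST Root CA X3", "ISRG Root X1", "Unlinked Root"} {
		idx, matched := selectChain(chains, want)
		fmt.Printf("preferred_issuer_cn=%q -> chain %d (matched=%v)\n", want, idx, matched)
	}
}
```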

v0.16.4 - July 10, 2020

  • This is a bugfix release.
  • FIX: CLI ssl renew --force would refuse to actually perform renewal if renewal was being inhibited due to too many failed attempts. This is now fixed.
  • FIX: When a renewal was inhibited, the last renewal failure reason will now always be logged.
  • FIX: cPanel has added a new Apple CardDAV APNS service. The plugin now properly excludes all APNS services during service certificate renewal.
    • This fixes the “The certificate must be issued by Apple” renewal failure emails you may have received.
  • MISC: Added telemetry to report current/max virtual memory limits (RLIMIT_AS) observed when the plugin is running as an HTTP UI inside cPanel.
    • We need to do this in order to determine whether we can safely upgrade the plugin from Go 1.13 to Go 1.14, before Go 1.13 goes end-of-life. This issue is the reason that upgrade in the 0.16.0 release had to be reverted, due to crashing on some servers.
    • Absolutely no user information is disclosed. All we see is your licensed server hostname and low/high values for process virtual memory limits.
    • We will remove the telemetry in the next release.

v0.16.3 - June 07, 2020

  • FEATURE: Added --verbose flag to the CLI commands ssl issue and autossl run-for-user.
    • This should make it easier to identify why a domain is not being included on a certificate.
  • FIX: There is an issue with the interaction with WHM AutoSSL where plugin certificates are being replaced with certificates that have lower domain coverage.
    • This can result in renewal failure emails with rateLimited errors.
    • As a workaround, the plugin will re-install the last issued certificate, instead of creating a new one. It may be necessary to manually disable WHM AutoSSL for affected users.
    • As always, the FleetSSL plugin will only replace existing certificates if they are expiring, revoked, self-signed or do not fully cover the domains that the user originally requested.
  • MISC: Renewal logging is more verbose.
  • MISC: Fixed licensing telemetry issue.

v0.16.2 - March 29, 2020

  • FIX: Due to a suspected bug introduced in the Go language runtime in 1.14, Go has been downgraded to 1.13.9.
    • The issue causes a panic to occur when trying to use the web-based UI, in certain Linux environments.
    • The issue presents itself as a No response from subprocess error screen in the cPanel or WHM UI.

v0.16.1 - March 19, 2020

  • FIX: Fixed a segmentation fault introduced in 0.16.0.
    • Would only affect servers where service certificates were enabled but the plugin never succeeded in issuing a certificate.

v0.16.0 - March 19, 2020

  • FEATURE: Revocation checking.
    • When processing renewals (for both domain certificates and service certificates), the plugin will now check whether certificates managed by the plugin have been revoked by querying the Let’s Encrypt OCSP service.
    • If any certificate is found to be revoked, a renewal attempt will be made.
    • If the OCSP response cannot be retrieved within 10 seconds, the certificate is assumed to not be revoked.
  • FIX: Fix renewal logic bug relating to wildcards.
    • A wildcard certificate (expiring in the far future) could prevent a (expiring soon) non-wildcard certificate from renewing.
    • This bug should no longer occur; all certificates should renew completely independently of each other.
  • FIX: Fix le-cp hostcert remove <hostname> inadvertently adding the hostname if it wasn’t already in the list.
  • MISC: Add le-cp restart-insecure, in case the WHM service certificate went bad and the plugin cannot talk to the WHM API securely.
  • MISC: Revert the legacy cross-signed issuer logic introduced in 0.15.1, since Let’s Encrypt deferred the change until July 2020.
  • MISC: The installer will now rewrite /etc/yum.repos.d/*.repo to use our CDN endpoint if it is found to be connecting directly to our origin server.
  • MISC: If the plugin licence file (/etc/letsencrypt-cpanel.licence) is found to have unsafe permissions (anything other than 0600 or 0400), the permissions will be set to 0600. This is to protect against inadvertently exposing licence files to theft.
  • MISC: Upgrade to Go 1.14.

v0.15.1 - May 16, 2019

  • This is a bugfix and quality of life release.
  • FEATURE: In preparation for Let’s Encrypt’s transition to its own root certificate, the plugin will now prioritize using the legacy (cross-signed by DST CA X3) Let’s Encrypt Authority X3 intermediate for as long as possible.
    • The decision to override the default intermediate (as of July 8, 2019) is driven by a desire for websites using these certificates to retain maximum device compatibility (for example, with very old Android devices).
    • Once the cross-signed intermediate is expired, the plugin will automatically fall back to using the default (signed by ISRG Root X1) intermediate.
  • FEATURE: The ssl renew CLI has two new flags:
    • --dry-run : Performs a dry-run of renewal. By default, for all domains in the cPanel user’s account.
    • --virtualhost : Limits the renewal or dry-run to a specific virtualhost.
  • FIX: Fix a case where issuing a wildcard certificate would result in two certificates being issued.
    • This would only happen when a cPanel account has a wildcard virtualhost in addition to the base virtualhost, e.g. AND *
    • When encountering this ambiguity, the plugin will now choose the intended virtualhost correctly and only issue one certificate.
  • FIX: Dry-runs now deactivate their ACME authorizations once they have completed.
    • This avoids successful authorizations being re-used during subsequent dry-runs. This previously caused dry-runs to succeed without actually testing anything.
  • FIX: DNS-01 validations now create TXT records with a TTL of 1 second (previously 360 seconds).
    • This fixes a case where if a specific domain name is involved in two certificate issuances less than 60 seconds apart (for example, this can happen with wildcards), the DNS-01 verification process could fail.

v0.15.0 - April 17, 2019

  • This is a feature release.
  • FEATURE: The plugin now features a complete HTTP JSON API.
    • Unlike the CLI, it is accessible for all regular (non-privileged) users with access to the letsencrypt-cpanel feature.
    • All supported operations: listing, issuing, removing, re-installing, and sharing/mapping.
    • See the API documentation, including examples for each API endpoint.
    • API stability is versioned and guaranteed.
    • A PHP API client is available via Composer.
  • FEATURE: Dry runs.
    • Try issuing a certificate using the Let’s Encrypt staging server.
    • Discards the certificate instead of installing it.
    • Useful for avoiding rate limit issues while testing or experimenting.
  • FEATURE: systemctl reload letsencrypt-cpanel is now supported to reload most configuration parameters without restart.
    • On CentOS 6, where systemd was not yet available, you may use kill -HUP <pid> to achieve the same effect.
  • FIX: When talking to the Let’s Encrypt API servers, the plugin will now always use IPv4 (tcp4). This is due to us regularly receiving support requests about cPanel servers with only partially functional IPv6 networking causing the plugin to malfunction.
  • FIX: cPanel API response limit is increased from 20MB to 100MB, to account for servers with many accounts. This largely only affects the WHM interface and should not impact stability.
  • MISC: Self-test will now check whether the kernel setting tcp_tw_recycle is enabled. This parameter is dangerous and will cause random issuance failures.

v0.14.6 - February 13, 2019

  • This is a bugfix release.
  • FIX: Some cPanel accounts in newer versions of cPanel may experience an inability to use the interface or renew due to an unexpected warning emitted by cPanel’s LiveAPI.

v0.14.5 - December 21, 2018

  • This is a bugfix release.
  • FIX: Fresh cPanel installations may find that the Let’s Encrypt SSL interface is missing from the WHM and cPanel user interfaces. This is due to a subtle change in new versions of cPanel, and this release addresses that issue.
  • MISC: Upgrade to Go 1.11.4.

v0.14.4 - December 14, 2018

  • This is a critical fix for a regression in 0.14.3.
  • FIX: Some systems may have failed to restart the letsencrypt-cpanel service due to the environment file change in that release. That change is now reverted.
  • If your service is stopped and won’t start, please run:

      yum clean all && yum -y install letsencrypt-cpanel

v0.14.3 - December 14, 2018

  • This is a security release.
  • FIX: Upgrade to Go 1.11.3 in order to fix potential denial-of-service via CVE-2018-16875
  • FIX: Certificate re-use uninstallation did not work properly via the CLI command
  • MISC: Environment variables for the service are now sourced from /etc/sysconfig/letsencrypt-cpanel, if it exists.

v0.14.2 - December 4, 2018

  • This is primarily a bugfix release.
  • FEATURE: The time from expiry at which AutoSSL replaces an existing valid certificate can now be adjusted via autossl_expiry_replacement_cutoff (in the number of days). Previously, this was hardcoded to 48 hours. Valid range is [1,90].
  • FIX: AutoSSL would sometimes incorrectly replace existing valid certificates when there was no name overlap between the certificate being installed and the existing certificate. Now AutoSSL will avoid installing certificates to any virtual host that has a valid certificate of any kind.
  • FIX: The plugin now uses significantly fewer file descriptors on servers with many accounts. Previously, cpsrvd/whostmgrd’s memory usage could grow due to many keep-alive connections kept open by the plugin. The plugin now closes these much more aggressively, which should ease memory pressure.
  • FIX: In the cPanel Let’s Encrypt UI, the domain table would not render properly when using the certificate sharing feature.
  • FIX: When unsharing a certificate from a virtual host, the certificate is now uninstalled from that virtual host.
  • MISC: Updated ACME client to support latest draft.
  • MISC: Update to Go 1.11.2.

v0.14.0 - July 30, 2018

  • This release also includes the contents of the unreleased 0.13.6 release.
  • FEATURE: Certificates can now be shared between virtual hosts in a way that will persist through renewal.
  • MISC: Whether the www. and mail. subdomains are selected by default in the user interface is now controllable via a configuration setting: ui_autochecked_prefixes
    • Its default value (null) is implicit for ['www.','mail.']
    • Setting it to [] will ensure neither is selected by default.

v0.13.6 - June 07, 2018 [NEVER RELEASED]

  • FIX: Renewal will no longer treat “unknown” domains as a fatal error (resulting in “Failed to group domains” emails)
    • This would happen when a user deleted a subdomain, alias domain etc, but did not re-issue their SSL certificate without these domains
    • Previously, these unknown domains would prevent renewal for any managed certificates on an account from succeeding and would email the user with an error. This was an intentional design, to ensure that the user’s original intent was being fulfilled.
    • Based on user feedback, we are changing this to ignore domains that no longer exist in any virtual host, and proceed with renewal without those domains.
    • For example,
      • If a user issued a certificate for and, which are the Primary Domain and an Alias Domain, respectively.
      • The user deletes the Alias Domain from cPanel.
      • Previously: FleetSSL cPanel would fail to renew the certificate because the wanted domain was missing.
      • Now: FleetSSL cPanel will renew the domain without, now and in future.
    • This does not affect domains that fail validation, only domains that are missing from the cPanel account entirely.
  • FIX: Fix panic that occurs when a user manually modifies their NVData in an unexpected way.
  • MISC: CLI can now bypass x.509 verification errors when invoked as FLEETSSL_INSECURE_RPC=y /usr/local/bin/le-cp ...

v0.13.5 - May 12, 2018

  • FIX: AutoSSL will now try to avoid consuming the full ACME Registrations per IP Address rate limit.
    • This is so end-users are still able to issue certificates when AutoSSL is very busy.
    • This is tuned to 70% of the current rate limit.
    • This can be tuned via autossl_acme_registrations_limit

v0.13.4 - April 4, 2018

  • FEATURE: The plugin now supports wildcard-only virtual hosts.
    • For example, when creating a subdomain in cPanel for *, which causes * to be served from a different virtual host/document root to the base domain.
    • Using cPanel in this way is mostly applicable if you need dynamic subdomain matching.

v0.13.3 - March 26, 2018

  • FIX: A regression was discovered where certificates with wildcard names would try to renew every renewal cycle.
    • This was due to a failure to identify that e.g. * covers when evaluating whether a certificate needed to be renewed or not.
    • Customers with wildcard certificates may have received a renewal failure email with the error: Error finalizing order :: too many certificates already issued for exact set of domains
    • The only remediation required is to update the plugin.

v0.13.2 - March 21, 2018

  • FIX: A bug was found and fixed relating to DNS zone edits for the wildcard functionality.
    • It would manifest itself as a failure on the first attempt, and success on the second attempt.
    • No existing certificates will be adversely affected.
  • IMPROVEMENT: DNS validation will now attempt to verify that the updated DNS records are propagated before attempting to use them.
    • Previously, WHM admins would need to tune the DNS Challenge Delay (see 0.13.0 release notes).
    • That tuning is still possible, but the plugin will also spend up to 3 * challenge_delay waiting for the record to be actively served by the nameserver. By default, this is 3 * 5 seconds = 15 seconds.
    • This is done via a non-caching iterative DNS query descending from the root nameservers.

v0.13.1 - March 20, 2018

  • FIX: Due to an upcoming change in Boulder, the plugin now removes any names from certificate requests that are already covered by a wildcard name.
    • e.g. If ordering [ *], will be automatically stripped.
    • This will not adversely affect any certificates that have already been issued.
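
Both the 0.13.3 regression (deciding whether an existing wildcard certificate already covers a name) and the 0.13.1 fix (dropping names that a wildcard in the same request already covers) depend on the same matching rule: a wildcard covers exactly one left-most label. The following is an added example, not the plugin's own code; the function names are hypothetical and the example.com names are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// norm lower-cases a DNS name and drops surrounding space and a trailing dot.
func norm(name string) string {
	return strings.ToLower(strings.TrimSuffix(strings.TrimSpace(name), "."))
}

// coveredBy reports whether name is matched by the wildcard pattern.
// "*.example.com" covers "www.example.com", but not the base domain
// "example.com", not "a.b.example.com", and not another wildcard.
func coveredBy(name, pattern string) bool {
	name, pattern = norm(name), norm(pattern)
	if !strings.HasPrefix(pattern, "*.") || strings.HasPrefix(name, "*.") {
		return false
	}
	suffix := pattern[1:] // ".example.com"
	if !strings.HasSuffix(name, suffix) {
		return false
	}
	label := strings.TrimSuffix(name, suffix)
	return label != "" && !strings.Contains(label, ".")
}

// stripCovered prepares the name list for a certificate request: duplicates
// are removed, and so is every name already covered by a wildcard in the
// same list. Input order is preserved.
func stripCovered(names []string) []string {
	seen := make(map[string]bool)
	var out []string
	for _, raw := range names {
		n := norm(raw)
		if n == "" || seen[n] {
			continue
		}
		seen[n] = true
		redundant := false
		for _, p := range names {
			if coveredBy(n, p) {
				redundant = true
				break
			}
		}
		if !redundant {
			out = append(out, n)
		}
	}
	return out
}

// certCovers reports whether every wanted name is present on a certificate,
// either literally or through one of its wildcard names. A renewal check
// that omits the wildcard case sees a permanent mismatch and re-issues on
// every cycle, which is how a duplicate-certificate rate limit gets hit.
func certCovers(certNames, wanted []string) bool {
	for _, w := range wanted {
		ok := false
		for _, s := range certNames {
			if norm(w) == norm(s) || coveredBy(w, s) {
				ok = true
				break
			}
		}
		if !ok {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample request.
	req := []string{"example.com", "*.example.com", "www.example.com", "a.b.example.com"}
	fmt.Println(stripCovered(req))
	fmt.Println(certCovers([]string{"example.com", "*.example.com"}, []string{"www.example.com"}))
}
```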

v0.13.0 - March 19, 2018

  • FEATURE: Wildcard certificates can now be issued.
    • See the Wildcard documentation for more details.
    • It is only available when using DNS-based validation (which is a decision left to the end-user)
    • You may need to tune the DNS Challenge Delay if your hosting environment has large DNS clusters or a high zone count.
  • FEATURE: DNS-based validation is now available and is no longer a feature preview.
    • This is an alternative to the default, HTTP-based validation method
    • Both HTTP and DNS methods are available on all new and upgraded installations, but can be controlled by the WHM administrator.
    • The HTTP method remains the default option for new certificate issuances and the recommended option for most users
    • The HTTP method remains the only option for certificates issued via the AutoSSL feature
    • End-users may choose which validation method to use on a per-certificate basis
  • IMPROVEMENT: The AutoSSL feature has been significantly extended:
    • It will now try to include cPanel proxy subdomains e.g. webmail., cpanel., webdisk. This can be disabled by the autossl_skip_proxy_subdomains configuration flag
    • AutoSSL will stop retrying domains that fail continuously for an extended period.
    • AutoSSL will try to issue certificates for virtual hosts without a valid or imminently expiring certificate (48h). Previously, it would refuse to run on any account that had any third-party certificates.
    • AutoSSL remains disabled by default.
  • IMPROVEMENT: Renewals that fail repeatedly are now subject to a number of inhibitions.
    • Only 1 email every 2 days, at most, will be sent per certificate
    • Failing renewals now follow a linear back-off after a threshold.
      • After 10 consecutive renewal failures (~5 days), a delay of max(1 week, (12 hours * max(0, Fail_Count - 10))) is applied at each attempt. This is reset after a successful renewal.
      • This is designed to deprioritize abandoned accounts/domains and save server and CA/rate limit resources.
    • It is always possible to immediately re-issue the certificate from the user interface.
  • MISC: The ACME client implementation has been completely rewritten for ACME v2
    • This should be fully compatible with all existing accounts and certificates and there should be no perceptible difference to end-users.
    • The library is available under an open source licence at
  • FIX: BoltDB (embedded database used for non-critical state) has been upgraded and now automatically deals with corruption.
  • MISC: Self-test now tests that BoltDB is functional.
  • MISC: Added a le-cp fetch-licence <order ID> <auth code> convenience command.
  • MISC: Added a le-cp send-logs convenience command.
  • MISC: Upgraded to Go 1.10.

v0.12.3 - February 20, 2018

  • FIX: The WHM user interface had broken in cPanel 70+ due to cPanel removing some 3rdparty stylesheets and scripts. They are now bundled with the plugin.

v0.12.2 - January 20, 2018

  • FIX: cPanel maximum API response size has been raised from 5MB to 20MB to account for servers with a large number of virtual hosts.
  • FIX: A cleanup process has been added to the plugin. Prior to renew and issuance via UI, the plugin will attempt to safely and gradually (over time) remove expired, unused Let’s Encrypt certificates, in order to limit growth of cPanel user data.

v0.12.1 - December 19, 2017

  • FIX: A regression in 0.12.0 which broke proxy subdomains on the cPanel LTS version (cPanel 62).

Please note that we still intend to discontinue support for the cPanel LTS version, instead requiring STABLE or newer. See the 0.12.0 release notes for more information.

v0.12.0 - November 24, 2017

  • FIX: Previously, the option to include proxy subdomains was only available when an existing certificate already existed. Now it is always available.
    • However, cPanel may not always choose to use every proxy subdomain (such as when they are on a subdomain virtual host).
  • FEATURE PREVIEW: The dns-01 challenge is now available, but disabled by default
    • This means that SSL validation can be performed automatically via TXT DNS records rather than relying on the http-01/webroot challenge
    • This is only available if cPanel is controlling the DNS for the zone. Domains with external DNS cannot take advantage of the dns-01 challenge.
    • Admins may enable either or both of the challenges (http-01, dns-01). If more than one is enabled, then the user is prompted to choose one on a per-certificate basis. Existing certificates will be assumed to use the http-01 challenge.
    • To enable the dns-01 challenge, visit WHM->Let’s Encrypt SSL->Configuration and set “Challenge Methods” to http-01,dns-01 as required.
    • We are introducing this feature at this time in order to prepare for wildcard certificates, which will be coming in January or February 2018.
    • This is a BETA-quality feature and we will appreciate any testing/feedback/bugs.
    • IPv6 in cPanel 68: Due to a regression in cPanel 68, IPv6 is broken for the service certificate and proxy subdomain renewals. Please refer to this published article for a workaround
    • The dns-01 challenge incurs a 5 second sleep after every DNS record change, this is to allow BIND to reload the zone before Let’s Encrypt tries to validate it. This will be fixed before the feature is out of beta.
  • DISCONTINUED LTS SUPPORT: We will be abandoning the cPanel LTS version in the near future. We will be moving to supporting only the STABLE version or newer.
    • The reason for this is that we have found that the churn of features and bugs in cPanel makes it too difficult for us to reasonably produce a single plugin that works well on both LTS and current versions.

v0.11.1 - November 16, 2017

  • Renewals will now occur by default 32 days prior to certificate expiry
    • The reason for this change is to stay ahead of the upcoming expiration notices at 30 days, introduced in cPanel 68
    • The interval duration can be set via the renewal_countdown_days config key (must be above 0 and below 60)
  • Licensing is no longer a fatal error
    • This means that you will no longer receive a “letsencrypt-cpanel is down” email message if the cause is an invalid licence
    • The cPanel user interface is disabled if the plugin is not correctly licensed
    • All renewals disabled if the plugin is not correctly licensed
    • A warning will be displayed in the WHM user interface if the plugin is not correctly licensed

v0.11.0 - November 15, 2017

  • CRITICAL: Fixes bug in underlying library relating to changes to Let’s Encrypt ACME/Boulder directory. This is a mandatory upgrade.

v0.10.5 - November 01, 2017

This is a bugfix release.

  • FIX: Bug with uninstaller and cPanel service monitor
  • FIX: Reload RPC server automatically if cPanel service certificate is replaced.
  • MISC: Add le-cp config rpc-force-reload

v0.10.4 - October 03, 2017

  • FEATURE: Try both /usr/local/apache/htdocs and /var/www/html for hostcert validation, if they exist, in addition to any configured path.
  • FIX: Plugin will restore Let’s Encrypt cabundle which may be deleted incorrectly by cPanel in some environments (cPanel case 8829413).
  • FIX: Fix error spam issue with API tokens on cPanel servers too old to support API-token-based authentication.
  • FIX: Avoids graceful Apache restarts on servers that aren’t using deferred_restarts.
  • FIX: Handle fetch_ssl_vhost API being changed in upcoming cPanel version 68.

These release notes also include the changes that occurred in 0.10.3, which was released a month ago:

  • FIX: Try to use API token before resorting to access hash
  • MISC: ACME poll timeout increased to 90s to give better error information when nameservers not supporting CAA are timing out.

v0.10.2 - July 24, 2017

  • FEATURE: Support for cPanel 66 API Tokens
  • FIX: Fix downloading an invalid licence to replace expired trial versions

v0.10.0 - July 15, 2017

  • FEATURE: Proxy subdomains/cPanel subdomains
    • e.g. cpanel., webmail. etc subdomains for customer domains
    • Forward DNS records are required in place for all proxy subdomains. This will typically only affect domains that have their DNS hosted externally to cPanel’s nameservers.
    • These can be enabled on a per-domain basis when issuing a certificate in the Let’s Encrypt cPanel interface
    • We apologize for the delay in getting this feature out, but there were some technical hurdles to get over first
  • MISC: For servers licensed under Individual licences, the plugin will attempt to download a valid licence automatically
    • This happens when the service starts up and additionally during licence checks
    • The forward DNS record for the server hostname must exist and be correct for this to work
  • MISC: Licence check now runs every 6 hours, down from 24 hours

v0.9.6 - July 10, 2017

  • FIX: Fixed a problem where trial licences were not behaving properly.

Status Update

Improvements always coming! Here’s what we are working on:

  • Soon: Support for proxy subdomains (cpanel., webmail., webdav. etc)
  • Medium term: Option for validation via DNS rather than webroot/http-01 (experimental)
  • Medium term: Support for IETF ACME v2 protocol
  • Jan 2018: Support for free wildcard certificates.

v0.9.5 - April 13, 2017

  • FIX: AutoSSL: Fixed preflight bug which mistakenly identified account as having pre-existing certificates
  • FIX: Service Certificates: Fix bug where service cert was being installed to apple mail push in cPanel 64 and failing

v0.9.4 - April 01, 2017

  • FIX: 0.9.2 introduced a nil panic for deployments where plugin AutoSSL was enabled.
  • FIX: 0.9.3 did not properly address the above bug and has been pulled

v0.9.2 - March 30, 2017

  • FIX: Compatibility fixes for cPanel bugs that currently exist in the CURRENT/Release Candidate tier.
    • Please note, if you are on a buggy 64 release, then the Let’s Encrypt feature will be available for all users regardless of their status in feature manager. This is unavoidable due to the nature of the bug.
  • FIX: Plugin will not try to install certs for Apple APN service in cPanel 64
  • FEATURE: Mail can now be relayed via an external server rather than the system MTA

v0.9.0 - March 01, 2017

  • FEATURE: Reporting
    • Reporting is a feature that enables sending of periodic reports to the administrator that detail renewal failures, successes, or both.
    • Documentation for Reporting is here
  • FEATURE: There is now a ‘Configuration’ section in the WHM Let’s Encrypt SSL.
    • This is only a subset of the total configuration options available, but it should be most of the useful ones
    • CLI: Added config list, config set --key k --value v. Refer to CLI docs
  • FEATURE: Add config option autossl_skip_patterns, which is an array of regex patterns that the plugin should test against when processing AutoSSL.
  • FEATURE: Add config options disable_success_mail and disable_mail, which globally disable renewal success emails and all renewal emails, respectively
    • These are also available in the WHM interface
  • UI: Automatically select already-selected domains when issuing a certificate for a virtual host with an existing plugin certificate (i.e. to prevent RSI when there are many alias or subdomains)
  • FIX: le-cp ssl issue will now always include the main domain of the virtual host, regardless of arguments.
    • This fixes the ‘/.well-known’ nil virtualhost permissions error
  • FIX: le-cp will now print useful info when run rather than assuming it is running as CGI
  • FIX: le-cp self-test should now be more useful for licensing issues
  • FIX: More changes to try to improve installer reliability in some environments
  • UI: WHM interface is now ’tabbed’
  • MISC: Now built with Go 1.8 (previously 1.6.4)

v0.8.1 - February 07, 2017

  • FIX: Renewal error relating to ‘mkdir permissions’ fixed (only affecting certificates from old versions that did not include the main virtualhost domain)
  • FIX: Stop BoltDB writing to disk every 5 seconds
  • FIX: Emails now come from ‘Let’s Encrypt SSL’ again instead of ‘FleetSSL’

v0.8.0 - February 02, 2017

  • FIX: Renewal was significantly reworked to handle cases where the type of a virtualhost (addon, alias, etc) for a domain changed between renewals (thanks Joseph).
  • FEATURE: HTML Email support
    • Please see Translation for more information.
  • FEATURE: Added config flags to set day of week & time of day to begin processing renewals.
    • Please see Configuration for more details.
  • FEATURE: Post renewal hook
    • Run a command/script when certificates are renewed
    • Please see Configuration for more details.
  • FIX: Fixed a race condition in the installer which sometimes caused the background service to not install properly.
  • FIX: Restart Apache every hour during renewals.
  • FIX: AutoSSL now properly uses deferred restarts.
  • UI: Only auto-select www. and mail. subdomains of primary domain, instead of all domains, when issuing a new certificate.
  • UI: Misc UI changes, including links to rate limits on issue page and service status widget on main page.
  • MISC: Rebranding to FleetSSL where applicable.

v0.7.9 - January 09, 2017

  • FIX: Implemented fix for “unknown error” during installation or renewals

v0.7.8 - December 08, 2016

  • FEATURE: Deferred apache restarts for certificate renewals (beta)
    • Currently behind a feature flag
    • See Configuration to enable it.
  • FEATURE: Now compatible with redirected alias domains.
  • FEATURE: le-cp ssl renew now has an optional --force flag
  • FIX: Sometimes installer would fail on cPanel 60+
  • UI: Added descriptions to user settings page
  • MISC: Updating all logging to use consistent structured logging
  • FEATURE: Plugin checks writability and availability of /.well-known/acme-challenge/ prior to issuing attempts
    • Pushed back to 0.8.x.

v0.7.7 - October 29, 2016

This is a minor bugfix release. The next major upcoming release will introduce deferred webserver restarts when doing renewals/AutoSSL to reduce the overall server load on servers with a lot of accounts.

  • FIX: Ensure that AutoSSL always enables SNI (redundant after cPanel v60)
  • UI: Plugin will now show up in cPanel when user searches for ‘SSL’
  • MISC: Add hasSuffix, contains functions to template functions
  • MISC: Add rpc ‘ping’ to self-test

v0.7.6 - October 03, 2016

  • FIX: Compatible with cPanel v59/v60 api changes

v0.7.4 - August 20, 2016

  • FIX: Simplified certificate issuing process for end users
  • FIX: autossl [enable/disable] would only take effect after the second invocation
  • FIX: Remove extended sleeps between accounts during AutoSSL/Renewal
  • FIX: Make it harder to accidentally have two certificates for the same virtualhost
  • FIX: Fixed regression where plugin wasn’t removed properly from chkservd on uninstallation
  • MISC: Add config flag to control renewal/AutoSSL delay between accounts (for managing server load)

v0.7.2 - August 09, 2016

  • FIX: Version 0.7.0 introduced checking for user quotas, which caused a regression where issuing and renewal would fail if the server did not have the quotas package available and quotas were disabled. This addresses that regression.

v0.7.1 - August 09, 2016

This is a bugfix patch to 0.7.0.

  • FIX: New hostcerts were incorrectly using ECDSA
  • FIX: WHMCS Hook didn’t handle the case where domain registration was delayed
  • MISC: Add le-cp hostcert reset CLI command

v0.7.0 - August 07, 2016

  • FEATURE: ‘AutoSSL’ - automatic certificates for all domains
    • See AutoSSL.
  • FEATURE: CLI API interface
    • See CLI Reference.
  • Issue certificates immediately after account provisioning in WHMCS
    • Please see:
  • FEATURE: Ability for admin to configure parameters for private keys:
    • RSA 2048, RSA 4096, ECDSA P-256, ECDSA P-384
    • Uses ECDSA by default for Let’s Encrypt account key (significantly faster)
    • Reduces default RSA private key size for certificates to 2048 from 4096
  • FEATURE: self-test command to make sure environment is OK
  • FIX: Fix $LANG{} cosmetic error that occurs on some minority of servers
  • FIX: httpoxy vulnerability (not viable to exploit in this instance)
  • FIX: Detect when hostname has changed for service certificates
  • FIX: Plugin does not try to alter accounts with no disk quota remaining
  • FIX: Fix annoying cosmetic WHM Service Manager bug
  • MISC: Add some styling to WHM interface

v0.0.5 (December 06, 2015) through v0.6.5 (July 15, 2016)

v0.6.5 - July 15, 2016

v0.6.4 - July 03, 2016

  • FIX: 2FA support was not working when JSON-API was protected in WHM Security Policies

v0.6.3 - June 30, 2016

  • FIX: Accounts with a large number of LE certificates configured were failing to renew properly

v0.6.2 - June 18, 2016

  • FIX: Rewrite x3 installer to future proof for cPanel 56+ and prevent issues with older themes

v0.6.1 - June 18, 2016

  • FIX: Change access method for WHM plugin to use access hash and restrict to root

v0.6.0 - June 16, 2016

  • FEATURE: Provisional support for WHM servers with 2FA enabled (no config required)
  • FEATURE: Theming support for custom (non X3/Paper Lantern) themes
  • FEATURE: Basic read-only WHM interface so you can see what certs have been issued (work-in-progress)
  • FEATURE: ‘Settings’ page for users so they can disable renewal emails via the UI
  • FEATURE: ‘Select All’ button on UI for issuing certs
  • FIX: Renewals for suspended accounts and accounts that no longer have the letsencrypt feature will no longer be processed
  • FIX: Less confusing Feature Manager descriptions
  • MISC: ListenAddr is no longer a config option

v0.5.8 - May 07, 2016

  • FIX: Trap/Abort error on some kernels/architectures
  • FIX: Process/PID handling on reboots on sysv systems

v0.5.7 - April 25, 2016

  • FEATURE: allow extra names on service certificate (see service certificate docs)
  • FIX: X1->X3 intermediate transition could fail in rare circumstances
  • FIX: validation filename may have broken validation in rare circumstances
  • FIX: mail SNI status being lost between renewals

v0.5.0 - April 3, 2016

  • FEATURE: New issuing interface with better support for alias domains
  • FEATURE: Multiple language localisation files
  • FEATURE: Localised renewal emails
  • FEATURE: Global renewal mail disable
  • FEATURE: Service certificate renewal sends email to root@hostname
  • FIX: Improved detection for whether the feature is enabled in WHM
  • FIX: Improved status detection of installed certificates
  • FIX: Improved removal of certificates
  • MISC: Check install mail sni by default

v0.4.7 - March 10, 2016

  • FIX: edge case with new forks not handling Let’s Encrypt response properly

v0.4.5 - March 09, 2016

This is a bugfix build in anticipation of a major release, with better alias/parked domain UX.

  • FEATURE: 32-bit releases now available
  • FEATURE: service certificates out of beta
  • FIX: daemon renewal now forks as user rather than using privileged API
  • FIX: template string unparsed when using x3
  • FIX: more reliable service restarts

v0.4.1 - February 15, 2016

Featuring the most-often requested feature ever: Service Certificates.

  • FEATURE: Added support for Let’s Encrypt certificates for the WHM host domain
    • This is the first release of this feature, consider it in beta.
  • FEATURE: Added cron mode for users who don’t have root but want Let’s Encrypt
    • This is a technical preview
  • FEATURE: Multi-locale translation support
  • FIX: Renewal process now supports document roots containing symlinks (thanks Mike H).
  • FIX: Improved installation scripts and error handling
  • FIX: Status not showing as installed when primary domain isn’t first in certificate
  • MISC: Automatic fetching of trial licence during install, when possible.

v0.3.2-3 - January 31, 2016

!!! Emergency Update !!! For more information, click here.

  • Packaging fix for upgrades

v0.3.2-2 - January 31, 2016

  • Fix for previous FQDN fix

v0.3.2-1 - January 30, 2016

This is a bugfix release in anticipation of a major release in the next two weeks.

  • Installer more reliable now
  • Fix: when WHM hostname is not a FQDN but has a valid certificate

For developers:

  • Makefile now forces a static binary for compilation
  • Added reproducible builds via docker

v0.3.0 - December 23, 2015

(Install only available via yum repository now)

  • Now works on x3 theme. We strongly recommend the switch to Paper Lantern.
  • Customisable template and translation files
  • Parked domains support
  • Improved subdomain support (www. etc)
  • View and reinstall actions for existing certificates
  • Mail SNI!
  • Yum repository (automated installation possible now)

v0.1.2 - December 17, 2015

Permanent link to download

  • Renewal processing is now rate limited in order to prevent cpsrvd from getting overwhelmed.
  • Installer will now proceed if an existing licence is already installed

v0.1.1 - December 15, 2015

Permanent link to download

Fix bug in CGI on user accounts with large numbers of domains.

v0.1.0 - December 07, 2015

Permanent link to download

Now supports issuing certificates with www. prefixes with subjectAltName.

Parked domains are disabled temporarily due to awkward API behavior.

v0.0.5 - December 06, 2015

This is the initial release of the Let’s Encrypt for cPanel plugin.

Permanent link to download

Known issues:

  • Not issuing www. certificate at same time as root prefix.