
Let’s Encrypt is a certificate authority, launched on April 12, 2016, that provides free X.509 certificates for Transport Layer Security (TLS) encryption. Its automated process is designed to eliminate the complex manual process of creating, validating, signing, installing, and renewing certificates for secure websites.

Steps To Use Let’s Encrypt On Vesta Login Panel

Step 1 – Log in to VestaCP’s admin panel using the hostname with port 8083 appended, like this

Step 2 –  Navigate to the WEB section of VestaCP and locate your server’s hostname and then click on EDIT as shown in the image below –



Step 3 – Now locate SSL Support and Let’s Encrypt Support and make sure you check both of them. Then click on Save. (DO NOT CLICK ANYWHERE UNTIL THE PROCESS IS DONE, OR LET’S ENCRYPT MIGHT FAIL TO CREATE THE CERTIFICATE.)



STEP 4 – Let’s Encrypt creates and stores its SSL certs in /home/username/conf/web

And lists them as :-

Whereas the VestaCP control panel stores its hostname SSL certs in:

/usr/local/vesta/ssl

and lists them as:

certificate.crt
certificate.key

So we first need to rename the old VestaCP cert files to some dummy name so that VestaCP no longer uses them, and then symlink the new files in their place. The next steps show how to do this.

STEP 5 – SSH into your server and enter these two commands to rename the old files :-

mv /usr/local/vesta/ssl/certificate.crt /usr/local/vesta/ssl/unusablecer.crt
mv /usr/local/vesta/ssl/certificate.key /usr/local/vesta/ssl/unusablecer.key


STEP 6 – Create symlinks to point to the new ones. (Replace admin with your admin username and with your server’s hostname (FQDN).)

ln -s /home/admin/conf/web/ /usr/local/vesta/ssl/certificate.crt
ln -s /home/admin/conf/web/ /usr/local/vesta/ssl/certificate.key


STEP 7 –  Restart VestaCP

service vesta restart


STEP 8 – Clear your browser cache and then try logging in to your control panel on port 8083 and, bingo, port 8083 is now SSL secure!

Broken Permissions Solution 

To fix broken permissions, enter the following commands.

Replace with your admin panel’s URL.

chgrp mail
chmod 660
chgrp mail
chmod 660
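
A post-change check for steps 5 and 6 and the permissions fix, added here as an example (not part of the original post or of VestaCP): it confirms that a panel certificate path is a symlink resolving to a regular file, owned by the expected group, group-readable and closed to other users, in line with the chgrp mail / chmod 660 above. The function names are hypothetical and `stat -c` assumes GNU coreutils.

```bash
#!/bin/sh
# Added example: audit the symlinks in /usr/local/vesta/ssl after the change.
# check_cert_link and audit_panel_certs are hypothetical helper names.

# Usage: check_cert_link LINK EXPECTED_GROUP
# Prints one status word; returns 0 only when the status is "ok".
check_cert_link() {
    link=$1; want_group=$2
    # Step 6 replaces the old files with symlinks, so a plain file is stale.
    [ -L "$link" ] || { echo "not-a-symlink"; return 1; }
    # -e and -f follow the link: catch a missing target or a directory.
    [ -e "$link" ] || { echo "dangling"; return 1; }
    [ -f "$link" ] || { echo "not-a-file"; return 1; }
    # -L makes stat report the target, which is what a daemon must read.
    group=$(stat -L -c %G -- "$link")
    mode=$(stat -L -c %a -- "$link")
    [ "$group" = "$want_group" ] || { echo "wrong-group:$group"; return 1; }
    # Leading 0 makes the shell read the mode as octal.
    [ $(( 0$mode & 040 )) -ne 0 ] || { echo "group-cannot-read:$mode"; return 1; }
    [ $(( 0$mode & 007 )) -eq 0 ] || { echo "world-accessible:$mode"; return 1; }
    echo "ok"
}

# Usage: audit_panel_certs [DIR] [GROUP]
# Checks both file names used in steps 5 and 6; non-zero if either fails.
audit_panel_certs() {
    dir=${1:-/usr/local/vesta/ssl}; grp=${2:-mail}; rc=0
    for f in certificate.crt certificate.key; do
        status=$(check_cert_link "$dir/$f" "$grp") || rc=1
        printf '%s: %s\n' "$dir/$f" "$status"
    done
    return "$rc"
}

# Run the audit only when a directory is given, e.g.:
#   sh audit.sh /usr/local/vesta/ssl mail
if [ "$#" -ge 1 ]; then
    audit_panel_certs "$@"
fi
```

Any status other than `ok` on either file means a service in the `mail` group may be unable to read the certificate through the link.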
  • This broke TLS in exim4 for me. It just didn’t have access to generated certs so it couldn’t follow the symlinks. Changing permissions on the files so that it could read them worked fine.

    • Hi Edward Bowden. Thanks for informing about this. I will update the post warning users about the permissions.

      • Awesome, brilliant post though otherwise. Thanks.

        • Thanks a lot for the feedback 🙂 . One question, as this is a completely new blog so I want to know how did you get to know about this blog. Through any search engine or any forum etc?

          • It was actually from a comment on the VestaCP facebook page which linked here.

    • Carina Vertedor

      Hi Edward. The same happened to me.
      How did you solve the permissions?

      • Please see the comment by Mark O Polo

        • Carina Vertedor

          Sorry, I saw Mark O Polo’s comment after I wrote you. That solution worked perfectly for me! Thank you very much for your answer 🙂

  • Mark O Polo

    To fix the broken permissions.

    chgrp mail
    chmod 660
    chgrp mail
    chmod 660

    If you do make these changes then you are good to go. Note: your email client may recognize the new certificate after the change as well.

    I want to thank Vikhyat for the page and idea. It works!!!

    • Thanks a lot Mark for mentioning this. I have added your solution.

  • somenet77

    Error: DNS problem: NXDOMAIN looking up A for when creating the ssl.

    • Let’s Encrypt really has a lot of problems. I recommend issuing the certificate manually through CLI and fixing the errors. Also, VestaCP’s forum is a good place to get your problem fixed. Post your problem and you will get a lot of people who will try to help you on this.

    • Salim Fourtyniners

      Try deleting the aliases. It will be fine.

  • Junior Farrapo

    Hey man, I think that it is best to change the port of the VestaCP login page to 2083 and use Cloudflare.
    Like this
    Cloudflare http and https open ports
    Try this, I’m using without errors.

  • Fernando Miguel Rojas Mosqueir

    Great! Amazing! Thanks a lot

  • Hello
    I have followed this process and I was able to install the certificates successfully.
    Now the question is how to auto-renew the certificates before they expire?
    Please let me know. Thanks

    • VestaCP should renew the certificates automatically as the certificates were linked and not copied. Make sure that the installation was done properly.

      • Yes, I got to know that after I posted the comment. I see that a cron job is set which checks every day the validity of the certificates and updates them if necessary.

        • Nice! Glad to know that your problem is solved. 🙂

  • Leo Alvarez

    I followed each of the steps till step 8 and it worked.

  • Great tutorial! How about the webmail part?

    • I am extremely sorry for an extremely late reply. For fixing webmail see the last section “Broken Permissions Solution”