Fixing the CyberPanel “SSL Loop”: Moving from ZeroSSL back to Let’s Encrypt


Have you ever logged into your CyberPanel dashboard, hit “Reissue SSL,” and… absolutely nothing happened? Or worse, you find your site stuck with an expired certificate from ZeroSSL when you strictly use Let’s Encrypt? Are you looking for a CyberPanel SSL renewal fix?

You aren’t alone. CyberPanel occasionally gets “stuck” in its internal logic. Even deleting the website and re-adding the domain often fails because the server holds onto cached certificate data like a bad habit.

If your UI buttons are failing you, it’s time to hop into the terminal and clear the path manually. Here is how to break the cycle and get your green padlock back.

Why is this happening?

CyberPanel’s internal SSL script sometimes caches ZeroSSL configurations. Even if you try to force a change via acme.sh, the local domain folders often override the global settings. To fix it, we have to “nuke” the old data and use CyberPanel’s specific Python wrapper to request a fresh start.


Step 1: Wipe the Slate Clean

The most common reason a reissue fails is that the script sees “expired” files and thinks the job is already done. We need to delete these so the system is forced to request a brand-new certificate.

Run these commands as root:

Bash

# 1. Remove the acme.sh directory for your domain
rm -rf /root/.acme.sh/yourdomain.com_ecc
rm -rf /root/.acme.sh/yourdomain.com

# 2. Clear out any leftovers in the standard Let's Encrypt path
rm -f /etc/letsencrypt/live/yourdomain.com/privkey.pem
rm -f /etc/letsencrypt/live/yourdomain.com/fullchain.pem
rm -f /etc/letsencrypt/live/yourdomain.com/cert.pem

Note: Other times I have just done this via FTP

Step 2: Set the Global Default

Now that the old files are gone, we tell the system-wide ACME client exactly who we want to talk to: Let’s Encrypt.

Bash

/root/.acme.sh/acme.sh --set-default-ca --server letsencrypt

Note: I have left it like this and haven’t seen any issues so far

Step 3: Use the CyberPanel “Secret Sauce” Script

Instead of using generic ACME commands, use the specific Python script CyberPanel uses to bridge the gap between the certificate and the LiteSpeed server. This handles the .well-known challenge directory perfectly.

Bash

/usr/local/CyberCP/bin/python /usr/local/CyberCP/plumbum/scripts/issue_ssl.py yourdomain.com

Note: Watch the output. If it fails here, it will usually give you a specific hint—like a DNS record mismatch.

Note: Other times I have just re-issued using the CyberPanel interface, because I got an error from the command not existing

Step 4: Wake up LiteSpeed

Sometimes the certificate updates on the disk, but LiteSpeed is still serving the old “expired” version from its memory. Give it a quick nudge:

Bash

systemctl restart lsws
# Or use the CyberPanel daemon restart
systemctl restart lscpd
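
To confirm the procedure worked, this added example (not from the original post or from CyberPanel) checks that the certificate on disk was issued by Let's Encrypt, is not about to expire, and is the one LiteSpeed actually serves. The function names are hypothetical, the on-disk path is the one used in Step 1, and `openssl` is assumed to be installed.

```bash
#!/usr/bin/env bash
# Added example: function names are hypothetical, not part of CyberPanel or acme.sh.

# Print which CA issued the certificate in PEM file $1.
classify_issuer() {
    local issuer
    issuer=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null) || { echo "unreadable"; return 1; }
    case "$issuer" in
        *"Let's Encrypt"*) echo "letsencrypt" ;;
        *ZeroSSL*)         echo "zerossl" ;;
        *)                 echo "other" ;;
    esac
}

# Succeed only if the certificate in $1 is still valid $2 seconds from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# SHA-256 fingerprint of the first certificate in PEM file $1.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Compare the certificate on disk with the one the web server actually serves.
check_domain() {
    local domain="$1" disk served rc=0
    disk="/etc/letsencrypt/live/$domain/fullchain.pem"   # path used in Step 1
    served=$(mktemp)
    # Needs network access to the server on port 443.
    openssl s_client -connect "$domain:443" -servername "$domain" </dev/null 2>/dev/null \
        | openssl x509 -out "$served" 2>/dev/null
    echo "disk issuer:   $(classify_issuer "$disk")"
    echo "served issuer: $(classify_issuer "$served")"
    [ "$(classify_issuer "$disk")" = "letsencrypt" ] \
        || { echo "FAIL: disk cert is not from Let's Encrypt"; rc=1; }
    cert_valid_for "$disk" 604800 \
        || { echo "FAIL: disk cert expires within 7 days"; rc=1; }
    [ -n "$(cert_fingerprint "$served")" ] \
        && [ "$(cert_fingerprint "$disk")" = "$(cert_fingerprint "$served")" ] \
        || { echo "FAIL: server is not serving the cert on disk (restart lsws?)"; rc=1; }
    rm -f "$served"
    return $rc
}

# Run only when a domain is given: ./check_ssl.sh yourdomain.com
if [ $# -gt 0 ]; then check_domain "$1"; fi
```

While the Cloudflare proxy is enabled, the served certificate is Cloudflare's edge certificate, so the fingerprint comparison is only meaningful in DNS Only mode.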

Still seeing an error? Check your Proxy.

If the steps above don’t work, the culprit is likely Cloudflare.

If you have the “Orange Cloud” (Proxy) active, Let’s Encrypt sometimes fails to verify your server. Switch your domain to DNS Only (Grey Cloud) in Cloudflare, wait 5 minutes, and run the Step 3 script again. Once the SSL is active, you can flip the proxy back on.

Quick Reference: SSL File Paths

Component          Path
ACME Configs       /root/.acme.sh/
Active SSL Files   /etc/letsencrypt/live/yourdomain.com/
Error Logs         /home/cyberpanel/error-logs.txt

Struggling with a different CyberPanel quirk? Drop a comment below or check out our other “Concept Clarity” guides for server management!
