Leaderboard

Sub accounts cannot log into cpanel. They're for FTP accounts only, and should access the server using plain unencrypted ftp on port 21. Unblocked.

Correct. We do not use or support HSTS. If the website needs to force SSL, you must add an exception for the .well-known folder in the .htaccess file. This folder must be accessible over unsecured http or the certs will not issue. WHM is for root admins only. That will never work for you and would only serve to get your IP address blocked for failed logins. Also, be aware that certificates take up to 24 hours to issue after a domain is added and configured correctly.

Um, you are able to proceed as HSTS is not enabled. Also you don't need WHM. It is only for the admins. The problem with cpanel DCVs are that they must check with non secure HTTP, any forcing of SSL will stop the certificate getting issued. You can use wildcard domains on let's encrypt too.