Manage AutoSSL
For cPanel & WHM version 70

(WHM >> Home >> SSL/TLS >> Manage AutoSSL)

Overview

This interface allows you to manage the AutoSSL feature, which automatically installs domain-validated SSL certificates for the Apache, Dovecot, and Exim services on users' domains. It also allows you to review the feature's log files and select which users to secure with AutoSSL.

Warning:

Let's Encrypt™ imposes significant rate limits. For more information, read our SSL FAQ and Troubleshooting documentation.

Notes:

  • The AutoSSL feature requires outbound access to the store.cpanel.net server over port 443. For more information, read our How to Configure Your Firewall for cPanel Services documentation.
  • While the AutoSSL feature generally only requires a short amount of time to complete the installation process, certain factors may lead to longer wait times. Under some conditions, certificates may require up to 48 hours to process.

Domain and rate limits

The AutoSSL feature includes the following limitations and conditions:

  • CAA (Certification Authority Authorization) records in the domain's zone file restrict which CAs (Certificate Authorities) may issue certificates for that domain. If no CAA records exist for a domain, all CAs can issue certificates for that domain. If conflicting CAA records already exist, remove the existing CAA records or add one for the desired CA.

    For example, a CAA record for Comodo would resemble the following, where example.com represents the domain name:

    example.com. 86400 IN CAA 0 issue "comodoca.com"

    You can manage CAA records through WHM's Edit DNS Zone interface (WHM >> Home >> DNS Functions >> Edit DNS Zone) or through cPanel's Zone Editor interface (cPanel >> Home >> Domains >> Zone Editor).

    For more information about a CA's requirements, read their documentation.

  • Each AutoSSL provider may use a specific domain rate limit. For example:

    • Certificates that cPanel, Inc. provides through AutoSSL can secure a maximum of 200 domains per certificate (Apache virtual host).

    • Certificates that Let's Encrypt provides can secure a maximum of 100 domains per certificate.

      • Parked domains count three times towards each certificate's domains limit. When you park a domain, the system adds the following aliases to the original virtual host:
        • parkeddomain.com
        • www.parkeddomain.com
        • mail.parkeddomain.com
  • AutoSSL only includes domains and subdomains that pass a domain control validation (DCV) test, which proves ownership of the domain.

  • AutoSSL includes corresponding www. domains for each domain and subdomain in the certificate, and those www. domains count towards any domain or rate limits.
    • This affects Let's Encrypt's limit of 20 certificates per week that may contain a domain or its subdomains.

    • For example, for the example.com domain, AutoSSL automatically includes www.example.com in the certificate.

    • If the corresponding www. domain does not pass a DCV test, AutoSSL will not attempt to secure that www. domain.

  • AutoSSL does not secure wildcard domains.
  • Each AutoSSL provider may wait for a specific amount of time to replace an AutoSSL-provided certificate before it expires. For example:
    • AutoSSL attempts to renew certificates that cPanel, Inc. provides when they expire within 15 days.
    • AutoSSL attempts to renew certificates that Let's Encrypt provides when they expire within 29 days.
    • Due to rate limits, AutoSSL prioritizes new certificates over the renewal of existing certificates.
  • AutoSSL will not attempt to replace preexisting certificates that it did not issue (for more information, read the Options section below).
  • AutoSSL replaces certificates with overly-weak security settings (for example, an RSA modulus of 512-bit or less).
  • If a virtual host contains more than the provider's limit of domain names, AutoSSL uses a sort algorithm to determine the priority of domains to secure. For more information, read our SSL FAQ and Troubleshooting documentation.

For example, the following table demonstrates these limitations for the cPanel AutoSSL provider:

| Virtual Host 1 | Virtual Host 2 | Result |
|---|---|---|
| 200 domains | | AutoSSL generates one certificate for the account, which secures all 200 domains. |
| 202 domains | | AutoSSL generates one certificate for the account, which secures the 200 first domains from the sort algorithm. |
| 100 domains | 100 domains | AutoSSL generates a certificate for each virtual host that secures all of the domains on that virtual host. |
| 100 domains | 102 domains | AutoSSL generates a certificate for each virtual host that secures all of the domains on that virtual host. |
| 100 domains | 202 domains | AutoSSL generates two certificates. Virtual Host 1: secures all of the virtual host's domains. Virtual Host 2: secures the 200 first domains from the sort algorithm. |
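
The CAA rule described in the first item of this section can be checked before you pick a provider. The following is an added example, not cPanel code: it parses zone-file CAA lines and reports whether a given CA may issue for a name. The sample zone is constructed, owner names are assumed to be fully qualified, and letsencrypt.org is used as Let's Encrypt's CAA issuer name.

```python
import re

# Constructed sample zone lines, in the same form as the CAA record shown above.
SAMPLE_ZONE = '''\
example.com.        86400 IN CAA 0 issue "comodoca.com"
example.com.        86400 IN CAA 0 iodef "mailto:hostmaster@example.com"
locked.example.net. 86400 IN CAA 0 issue ";"
example.org.        86400 IN A   192.0.2.10
'''

CAA_LINE = re.compile(
    r'^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?CAA\s+'
    r'(?P<flags>\d+)\s+(?P<tag>[A-Za-z0-9]+)\s+"(?P<value>[^"]*)"',
    re.IGNORECASE)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def parse_caa(zone_text):
    """Map each fully qualified owner name to its (flags, tag, value) CAA records."""
    records = {}
    for line in zone_text.splitlines():
        m = CAA_LINE.match(line)
        if m:
            owner = m["owner"].lower().rstrip(".") + "."
            records.setdefault(owner, []).append(
                (int(m["flags"]), m["tag"].lower(), m["value"]))
    return records


def ca_may_issue(records, fqdn, ca_domain):
    """True if CAA permits ca_domain to issue a non-wildcard certificate for fqdn."""
    labels = fqdn.lower().rstrip(".").split(".")
    # Climb from the name toward the root; the first name with CAA records decides.
    rrset = next((records[n] for n in
                  (".".join(labels[i:]) + "." for i in range(len(labels)))
                  if n in records), [])
    # A critical (flag 128) record with an unknown tag blocks issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    # The issuer name is the part of the value before any ";" parameters.
    # Only "issue" matters here because AutoSSL does not secure wildcard domains.
    issuers = [v.split(";")[0].strip().lower()
               for _, tag, v in rrset if tag == "issue"]
    # No "issue" records means CAA does not restrict this name.
    return not issuers or ca_domain.lower() in issuers
```

With the sample zone, www.example.com inherits the comodoca.com restriction from example.com, and the `issue ";"` record on locked.example.net blocks every CA.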

Select an AutoSSL provider

To select an AutoSSL provider, perform the following steps:

  1. Select the desired AutoSSL provider or select disabled to disable this feature.

  2. If the AutoSSL provider requires that you accept their Terms of Service or other similar agreement, read the document and select the appropriate checkbox to agree to those terms.
  3. Click save.

Note:

If the provider updates their Terms of Service, you may need to return to this interface to agree to them.

Enable AutoSSL

Users must use a package that includes the autossl feature in order to receive the free certificates. For more information about feature lists, read our Feature Manager documentation.

Feature list override

To override your server's feature list settings and control whether AutoSSL is enabled for a user or users, perform the following steps:

  1. Click the Manage Users tab to display a table of users on the server.
    • You can search and navigate the list of users with the navigation controls.
    • To set the feature on all domains, click Enable AutoSSL on all users, Disable AutoSSL on all users, or Use Feature List for all users.
    • To set the feature on multiple domains, select the appropriate checkboxes and click Enable AutoSSL on selected users, Disable AutoSSL on selected users, or Reset AutoSSL for selected users.
  2. To enable or disable AutoSSL on a single domain, select the appropriate option:
    • Enable AutoSSL — Override the user's Feature List settings to enable AutoSSL.
    • Disable AutoSSL — Override the user's Feature List settings to disable AutoSSL.
    • Reset to Feature List Setting — Allow the user's feature list settings to determine whether AutoSSL is enabled or disabled.

Notes:

  • Because the system adds the /etc/cron.d/cpanel_autossl cron job to schedule automatic certificate provisioning, you may experience a delay before the system installs Let's Encrypt certificates. The interface displays the next time that the script will run.
  • The system restarts Apache after AutoSSL provisions and installs certificates for all accounts each night.

Options

By default, AutoSSL does not attempt to replace preexisting certificates that it did not issue. This behavior ensures that AutoSSL does not unexpectedly replace Extended Validation (EV) and Organizational Validation (OV) certificates with AutoSSL-provided certificates. However, if you wish to allow AutoSSL to replace certificates that it did not issue, select the Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates option. AutoSSL will not attempt to replace preexisting valid certificates that expire in more than three days.

To enable AutoSSL notifications, select the following options:

Notes:

  • If you deselect any of the following options, it will also remove the corresponding option in cPanel's Contact Information interface (Home >> cPanel >> Preferences >> Contact Information).
  • The system will not send notifications to cPanel users for options that you disable.
  • These options override the user's current settings.

  • Notify when AutoSSL cannot request a certificate because all domains on the website have failed DCV. — AutoSSL cannot request a new certificate if all of the domains on a website fail DCV.
  • Notify when AutoSSL defers certificate renewal because a domain on the current certificate has failed DCV. — AutoSSL will not attempt to renew a certificate if a currently-secured domain fails DCV. All currently secured domains must pass DCV for AutoSSL to attempt to renew a certificate during normal circumstances. However, if the certificate will expire in three days or fewer, AutoSSL will drop coverage for the domains that fail and force a renewal.
  • Notify when AutoSSL will not secure new domains because a domain on the current certificate has failed DCV. — AutoSSL will not attempt to secure new domains if a currently-secured domain fails DCV. All of the currently secured domains and at least one of the unsecured domains must pass DCV for AutoSSL to attempt to issue a new certificate. However, if the certificate will expire in three days or fewer, AutoSSL will drop coverage for the domains that fail and force a reissue.
  • Notify when AutoSSL has renewed a certificate successfully. — When AutoSSL renews a certificate, the system will send a notification.
  • Notify when AutoSSL has renewed a certificate and the new certificate lacks one or more of the website’s domains. — AutoSSL renews a certificate even if the new certificate does not contain any of the domains from the previous certificate.
  • Notify when AutoSSL has renewed a certificate and the new certificate lacks at least one domain that the previous certificate secured. — AutoSSL renews certificates even if the new certificate does not contain any domains from the previous certificate.

Run AutoSSL

Click Run AutoSSL for All Users at the top of the interface to run the AutoSSL feature for all users for whom you enabled the feature.

To run the AutoSSL feature for a single user, select the checkbox next to that user, then click Enable AutoSSL on the selected 1 user.

The system automatically polls the certificate provider to determine each pending certificate's status.

| Age of certificate request | Polling frequency |
|---|---|
| Less than one day. | Once per five minutes. |
| Between one and two days. | Once per hour. |
| More than two days. | Once per day. |

Notes:

  • The system runs the AutoSSL feature for all users when it performs nightly system updates via the /usr/local/cpanel/scripts/upcp script. When this script runs, the system will issue pending SSL certificates for any newly-created domains.
  • To run the AutoSSL feature for all users via the command line, run the /usr/local/cpanel/bin/autossl_check --all command.
  • The cPanel (powered by Comodo®) provider does not accept additional AutoSSL requests for a virtual host if an AutoSSL request already exists for that virtual host.

Review log files

To review AutoSSL log files, perform the following steps:

  1. Click the Logs tab.
  2. Select the log that you wish to view from the menu, and click View Selected Log.
  3. Click Refresh Logs List to refresh the list of log files. 

The system stores the log files in both text and JSON format in the /var/cpanel/logs/autossl directory.

Pending Queue

The Pending Queue section of the interface lists the details and the status of the pending AutoSSL jobs on your server.

Use the navigation controls at the top of the table to sort and search through the list.