
(Home >> SSL/TLS >> Manage AutoSSL)


Overview

This interface allows you to manage the AutoSSL feature, which automatically installs domain-validated SSL certificates on users' domains for the Apache and Dovecot services. It also allows you to review the feature's log files and select which users to secure with AutoSSL. 

Notes:
  • cPanel & WHM ships with the cPanel (powered by Comodo) provider. To install the Let's Encrypt™ AutoSSL provider plugin, read our The Let's Encrypt Plugin documentation.

    Warnings:
    • Certificates that Let's Encrypt provides through AutoSSL can secure a maximum of 100 domains per website (Apache virtual host).
    • Let's Encrypt will issue a maximum of 20 certificates per week that contain a domain or its subdomains. If you include subdomains of a domain on more than 20 certificates, Let's Encrypt will issue those during the next window, up to the limit for that week.
    • Let's Encrypt uses the domain's alias (parked domain), not the main domain, as the common name for AutoSSL. To use the main domain as the common name for AutoSSL, you must use cPanel or another AutoSSL provider. For more information, consult the Let's Encrypt Community Support page.
  • The AutoSSL feature requires outbound access to the store.cpanel.net server over port 443. For more information, read our How to Configure Your Firewall for cPanel Services documentation.
  • While the AutoSSL feature generally only requires a short amount of time to complete the installation process, certain factors may lead to longer wait times. Under some conditions, certificates may require up to 48 hours to process.

Domain and rate limits

The AutoSSL feature includes the following limitations and conditions:

  • Each AutoSSL provider may have a specific domain rate limit. For example:

    • Certificates that cPanel, Inc. provides through AutoSSL can secure a maximum of 200 domains per certificate (Apache virtual host).

    • Certificates that Let's Encrypt provides can secure a maximum of 100 domains per certificate.

      • Parked domains count three times towards each certificate's domains limit. When you park a domain, the system adds the following aliases to the original virtual host:
        • parkeddomain.com
        • www.parkeddomain.com
        • mail.parkeddomain.com
  • AutoSSL will only include domains and subdomains that pass a Domain Control Validation (DCV) test, which proves ownership of the domain.

  • AutoSSL includes corresponding www. domains for each domain and subdomain in the certificate, and those www. domains count towards any domain or rate limits.
    • For example, if your domain is example.com, AutoSSL will automatically include www.example.com in the certificate.

    • If the corresponding www. domain does not pass a DCV test, AutoSSL will not attempt to secure that www. domain.
    • This affects Let's Encrypt's limit of 20 certificates per week that may contain a domain or its subdomains.

  • AutoSSL does not secure wildcard domains.
  • Each AutoSSL provider may wait for a specific amount of time to replace an AutoSSL-provided certificate before it expires. For example:
    • AutoSSL will attempt to renew certificates that cPanel, Inc. provides when they expire within 15 days.
    • AutoSSL will attempt to renew certificates that Let's Encrypt provides when they expire within 29 days.
    • Due to rate limits, AutoSSL prioritizes new certificates over the renewal of existing certificates.
  • AutoSSL will not attempt to replace pre-existing certificates that it did not issue (for more information, read the Options section below).
  • AutoSSL will replace certificates with overly-weak security settings (for example, RSA modulus of 512-bit or less).
  • If a virtual host contains more than the provider's limit of domain names, AutoSSL uses a sort algorithm to determine the priority of domains to secure (for more information, read the Which domains does AutoSSL add to the certificate first section below).

 

For example, the following table demonstrates these limitations for the cPanel AutoSSL provider: 

| Virtual Host 1 | Virtual Host 2 | Result |
|---|---|---|
| 200 domains | | AutoSSL will generate one certificate for the account which secures all 200 domains. |
| 202 domains | | AutoSSL will generate one certificate for the account which secures the 200 domains with the shortest names. |
| 100 domains | 100 domains | AutoSSL will generate a certificate for each virtual host that secures all of its domains. |
| 100 domains | 102 domains | AutoSSL will generate a certificate for each virtual host that secures all of its domains. |
| 100 domains | 202 domains | AutoSSL will generate two certificates. Virtual Host 1: secures all of its domains. Virtual Host 2: secures its 200 domains with the shortest names. |

Select an AutoSSL provider

To select an AutoSSL provider, perform the following steps:

  1. Select the desired AutoSSL provider.

    • Select disabled to disable this feature.

  2. If the AutoSSL provider requires that you accept their Terms of Service or other similar agreement, read the document and select the appropriate checkbox to agree to those terms.
  3. If you need to reset your registration with the AutoSSL provider due to security issues, select the appropriate checkbox to agree to those terms and click Reset Registration.
  4. Click Submit.

Note:

If the provider updates their Terms of Service, you may need to return to this interface to agree to them.

Enable AutoSSL

Users must use a package that includes the autossl feature to receive the free certificates. For more information about feature lists, read our Feature Manager documentation.

Feature list override

To override the feature settings and control whether AutoSSL is enabled for a user or users, perform the following steps:

  1. Click the Manage Users tab to display a table of users on the server.
    • You can search and navigate the list of users with the navigation controls.
    • To set the feature on all domains, click Enable AutoSSL on all users, Disable AutoSSL on all users, or Use Feature List for all users.
    • To set the feature on multiple domains, select the appropriate checkboxes and click Enable AutoSSL on selected users, Disable AutoSSL on selected users, or Reset AutoSSL for selected users.
  2. To enable or disable AutoSSL on a single domain, select the appropriate option:
    • Enable AutoSSL — Override the user's Feature List settings to enable AutoSSL.
    • Disable AutoSSL — Override the user's Feature List settings to disable AutoSSL.
    • Reset to Feature List Setting — Allow the user's Feature List settings to determine whether AutoSSL is enabled or disabled.

Notes:
  • Because the system adds the /etc/cron.d/cpanel_autossl cron daemon task to schedule the automatic provisioning of certificates, you may experience a delay between when you enable the feature and the installation of Let's Encrypt certificates. The interface displays the next time that the script will run.
  • The system restarts Apache after AutoSSL provisions and installs certificates for all accounts during a nightly run.

Options

By default, AutoSSL will not attempt to replace pre-existing certificates that it did not issue. This behavior prevents the unexpected replacement of Extended Validation (EV) and Organizational Validation (OV) certificates from a certificate authority (CA) by AutoSSL-provided certificates.

However, if you wish to allow AutoSSL to replace certificates that it did not issue, select the Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates. option. AutoSSL will not attempt to replace pre-existing valid certificates that expire in more than three days.

Run AutoSSL

Click Run AutoSSL for all users at the top of the interface to run the AutoSSL feature for all users with the feature enabled.

To run the AutoSSL feature for a single user, click the user's Check button in the Run AutoSSL Check column of the table.

The system will automatically poll the certificate provider to determine whether each pending certificate is ready.

| Age of certificate request | Polling frequency |
|---|---|
| Less than one day. | Once per five minutes. |
| Between one and two days. | Once per hour. |
| More than two days. | Once per day. |

Note:

The cPanel (powered by Comodo) provider will not accept additional AutoSSL requests for a vhost if an AutoSSL request already exists for that vhost.

Review log files

To review AutoSSL log files, perform the following steps:

  1. Click the Logs tab.
  2. Select the log that you wish to view from the menu, and click View Selected Log.
  3. Click Refresh Logs List to refresh the list of log files. 

The system stores the log files in both text and JSON format in the /var/cpanel/logs/autossl directory.

Pending Queue

The Pending Queue section of the interface lists details and the status of the pending AutoSSL jobs on your server.

Use the navigation controls at the top of the table to sort and search through the list.

Frequently Asked Questions

How do I revoke a certificate?

We do not support the revocation of certificates through cPanel & WHM at this time.

Why won't Let's Encrypt issue a certificate for a virtual host list (website)?

Let's Encrypt will only issue a certificate five times per week to a specific set of domains before it blocks any further certificates for that set of domains.

To work around this rate limitation, create an alias to a domain in the virtual host list (website) so that Let's Encrypt interprets the virtual host as a new set of domains.

Which domains does AutoSSL add to the certificate first?

AutoSSL uses a sort algorithm to establish which domains to add to the certificate first. This sort order ensures that the system adds the domains that customers will most likely visit to the certificate first. For example, customers most likely intend to navigate to example.com rather than www.subdomain.example.com.

For more information, see the following example:

SORT_VHOST_FQDNS( USERNAME, FQDN1, FQDN2, .. )
    Returns the given FQDNs, sorted.
    NOTE: This function assumes that all of the FQDNs resolve to the same
    virtual host. This sort order ensures that the system adds the domains that
    users will most likely visit to the certificate first.

    The default sort algorithm prioritizes domains in the following order:

    1) Any FQDNs that the virtual host’s current SSL certificate secures
    2) The primary domain on the cPanel account and then its “www.” and
       “mail.” subdomains.
    3) Each addon domain followed by its “www.” and “mail.” subdomains. For
       example:
       A cPanel user called "example" (whose primary domain is "example.com"),
       creates an addon domain called "foo.com". This addon domain, like all
       cPanel addon domains, exists on a separate virtual host with a subdomain
       “foo.example.com”. In this case, the system prioritizes "foo.com" over
       "foo.example.com".
    4) Domains with fewer dots. (e.g., prioritize "foo.com" ahead of
       "www.foo.com")
    5) Subdomains: www, mail, whm (if reseller), webmail, cpanel,
       autodiscover, webdisk
    6) Shorter domains
    7) Apply lexicographical sort
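
The documented sort order, written out in Python as an added example (not cPanel's code and not from the original page), to predict which names fall off a certificate when a virtual host exceeds the provider's limit. The function and parameter names are assumptions, rule 5 is read here as a ranking of the first label, and the limit of 5 is a constructed value chosen to keep the sample small.

```python
# Added illustration of the documented AutoSSL sort order; not cPanel's code.
SERVICE_LABELS = ["www", "mail", "webmail", "cpanel", "autodiscover", "webdisk"]
_LAST = 10**6  # rank used when a rule does not apply to the FQDN

def _sort_key(fqdn, current_cert, primary, addons, is_reseller):
    labels = list(SERVICE_LABELS)
    if is_reseller:
        labels.insert(2, "whm")  # rule 5 lists "whm" after "mail" for resellers
    # Rule 2: the primary domain, then its www. and mail. subdomains.
    primary_family = [primary, "www." + primary, "mail." + primary]
    primary_rank = primary_family.index(fqdn) if fqdn in primary_family else _LAST
    # Rule 3: each addon domain, followed by its www. and mail. subdomains.
    addon_rank = _LAST
    for i, addon in enumerate(addons):
        family = [addon, "www." + addon, "mail." + addon]
        if fqdn in family:
            addon_rank = i * 3 + family.index(fqdn)
            break
    first = fqdn.split(".", 1)[0]
    return (
        0 if fqdn in current_cert else 1,  # Rule 1: already on the current certificate
        primary_rank,
        addon_rank,
        fqdn.count("."),                   # Rule 4: fewer dots first
        labels.index(first) if first in labels else len(labels),  # Rule 5 (assumed reading)
        len(fqdn),                         # Rule 6: shorter names first
        fqdn,                              # Rule 7: lexicographical tie-break
    )

def sort_vhost_fqdns(fqdns, current_cert=(), primary="", addons=(), is_reseller=False):
    cert = {d.lower() for d in current_cert}
    return sorted({d.lower() for d in fqdns},
                  key=lambda d: _sort_key(d, cert, primary, list(addons), is_reseller))

def split_at_limit(sorted_fqdns, limit):
    """Return (secured, left_out) for a provider limit on names per certificate."""
    return sorted_fqdns[:limit], sorted_fqdns[limit:]

# Constructed sample: the virtual host of addon domain foo.com (primary domain example.com).
SAMPLE = ["www.foo.example.com", "foo.example.com", "mail.foo.com", "www.foo.com",
          "foo.com", "webmail.foo.com", "cpanel.foo.com"]

if __name__ == "__main__":
    order = sort_vhost_fqdns(SAMPLE, primary="example.com", addons=["foo.com"])
    print(split_at_limit(order, 5))
```

Names in the second list are the ones that would be served without a matching certificate, so they are the ones to check after a run on an oversized virtual host.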

Does AutoSSL cover proxy subdomains?

In cPanel & WHM version 64 and later, AutoSSL will add proxy subdomains to the SSL certificate in accordance with the sort algorithm.
