10.10.2024

How to Manage AutoSSL for Optimal Website Security

AutoSSL is a cPanel feature that automatically provisions and renews SSL/TLS certificates for all domains on a hosting account, using a trusted Certificate Authority such as Let's Encrypt or Sectigo, without requiring manual intervention. When a certificate approaches expiration, AutoSSL silently re-issues it, maintaining uninterrupted HTTPS across every domain and subdomain it manages.

For any server administrator running sites on a VPS with cPanel, AutoSSL eliminates the single most common cause of unexpected HTTPS failures: forgotten manual renewals. This guide covers the full operational lifecycle — enabling, configuring, troubleshooting, and hardening AutoSSL — with the technical depth required to manage it reliably in production.

What AutoSSL Actually Does Under the Hood

AutoSSL is not simply a cron job that calls Certbot. It is a native cPanel subsystem with its own provider plugin architecture. When triggered, it performs the following sequence:

  1. Domain discovery — scans all domains, subdomains, and mail hostnames associated with the cPanel account.
  2. Certificate gap analysis — compares existing certificates against the full domain list and identifies any hostname not covered by a valid, trusted certificate.
  3. DCV (Domain Control Validation) — proves domain ownership using one of two methods: HTTP-based file validation (placing a token at /.well-known/pki-validation/) or DNS-based validation via a TXT record.
  4. Certificate issuance — requests a new certificate from the configured CA (Let's Encrypt by default on most hosts, Sectigo on WHM-licensed servers with a Sectigo agreement).
  5. Installation — installs the certificate into Apache or LiteSpeed's virtual host configuration and updates the cPanel certificate store.
  6. Renewal scheduling — AutoSSL runs on a server-wide cron schedule (typically every 24 hours) and begins renewal attempts when a certificate has fewer than 15 days remaining.

Understanding this pipeline is essential for diagnosing failures, because a problem at any stage produces a different error class.

AutoSSL vs. Manual Certificates vs. Certbot: A Direct Comparison

Feature | AutoSSL (cPanel) | Certbot (standalone) | Paid/Manual Certificate
--- | --- | --- | ---
Cost | Free (Let's Encrypt / Sectigo DV) | Free (Let's Encrypt) | $10–$1,000+/year
Renewal automation | Fully automatic via cPanel cron | Requires systemd timer or cron setup | Manual or via CA portal
Wildcard support | No (DV SAN only) | Yes (with DNS challenge) | Yes (OV/EV/Wildcard)
EV/OV validation | No | No | Yes
cPanel integration | Native | External, requires manual vhost edits | Via cPanel SSL manager
Multi-domain SAN | Yes (per-account domains) | Yes | Yes
DCV method | HTTP file or DNS TXT | HTTP, DNS, TLS-ALPN | Email, HTTP, DNS
Failure visibility | WHM/cPanel logs + email alerts | CLI output + systemd journal | CA dashboard
Suitable for production | Yes (DV use cases) | Yes (any use case) | Yes (high-assurance use cases)

For the vast majority of websites running on a shared or VPS environment, AutoSSL covers every requirement. Certbot is preferable when you need wildcard certificates or operate outside a cPanel environment. Paid certificates remain necessary only for OV/EV validation requirements, such as financial institutions or enterprise compliance mandates.

Prerequisites Before Enabling AutoSSL

Before running AutoSSL, verify the following conditions are met. Skipping this checklist is the primary reason first-time setups fail.

DNS resolution

  • Every domain and subdomain you want covered must resolve to the server's IP address. AutoSSL's HTTP DCV will fail if a domain points elsewhere.
  • Check with: dig +short yourdomain.com A

Web server accessibility

  • Port 80 must be open and serving content. Let's Encrypt's HTTP challenge requires an unauthenticated HTTP response on port 80, even if you later redirect everything to HTTPS.
  • Verify: curl -I http://yourdomain.com/.well-known/pki-validation/

No conflicting third-party certificates

  • If a domain already has a manually installed certificate that is not expired, AutoSSL will not overwrite it unless you explicitly exclude or remove it.

WHM AutoSSL provider configured (server administrators)

  • In WHM, navigate to SSL/TLS > Manage AutoSSL and confirm a provider is selected and active. On AlexHost VPS Hosting with cPanel, Let's Encrypt is typically pre-configured.

How to Enable AutoSSL in cPanel: Step-by-Step

Step 1: Access the SSL/TLS Status Interface

Log in to your cPanel account. Under the Security section, click SSL/TLS Status. This dashboard displays every domain and subdomain on the account, color-coded by certificate state:

  • Green padlock — valid certificate installed
  • Yellow warning — certificate present but expiring soon or using a self-signed/untrusted CA
  • Red X — no valid certificate

Step 2: Select Domains for AutoSSL Coverage

Review the domain list. By default, all domains are eligible. If you want to exclude specific subdomains (staging environments, internal tools, or domains intentionally served over HTTP), check their checkboxes and click Exclude from AutoSSL. Excluded domains will not be touched by the AutoSSL process.

Step 3: Run AutoSSL

Click the Run AutoSSL button. cPanel will immediately begin the DCV and issuance process. For accounts with many domains, this can take several minutes. The interface updates in real time, showing per-domain status.

You can also trigger AutoSSL from the server shell using cPanel's bundled script:

/usr/local/cpanel/bin/autossl_check --user=cpanelusername

Or from WHM for all accounts on the server:

/usr/local/cpanel/bin/autossl_check_all_users

Step 4: Verify Certificate Installation

After AutoSSL completes, return to SSL/TLS Status and confirm all targeted domains show a green padlock. You can also verify from the command line:

echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -dates -issuer

This outputs the certificate's validity window and issuing CA, confirming the correct certificate is active.

Configuring AutoSSL Notifications

AutoSSL failures are silent by default unless you configure alerts. In WHM, navigate to SSL/TLS > Manage AutoSSL > Notification Settings and enable email alerts for:

  • Certificate issuance failures
  • DCV failures
  • Certificates expiring within a configurable threshold (recommended: 20 days)

At the cPanel account level, ensure the contact email address under Preferences > Contact Information is current. AutoSSL events are logged to /var/cpanel/logs/autossl/ on the server, with one log file per run, timestamped for easy correlation.

Troubleshooting AutoSSL: Root Causes and Fixes

Domain Validation (DCV) Failures

DCV failures are the most common AutoSSL error. The log entry typically reads: DCV failed for domain "sub.example.com".

Root causes and resolutions:

  • DNS not propagated — If you recently pointed a domain to this server, DNS propagation may be incomplete. Wait up to 48 hours or verify with dig @8.8.8.8 yourdomain.com A.
  • Domain behind a proxy (Cloudflare, etc.) — If Cloudflare's proxy (orange cloud) is active, AutoSSL's HTTP DCV may fail because the challenge file is served from Cloudflare's edge, not the origin. Either temporarily disable the proxy (grey cloud) during issuance, or switch to DNS-based DCV if your provider supports it.
  • .htaccess blocking /.well-known/ — Some WordPress or security-hardened .htaccess configurations block access to hidden directories. Add the following exception above the rule that does the blocking (the [L] flag stops rewrite processing, so it only helps if it is evaluated first; the dot must be escaped or it matches any character):
RewriteRule ^\.well-known/ - [L]
  • Port 80 firewalled — Confirm port 80 is open in your firewall (iptables -L -n | grep 80 or via CSF/WHM firewall manager).
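The prerequisites checklist and the DCV root causes above can be folded into one pre-flight check per domain. The script below is an added example, not cPanel's tooling or code from this article: it assumes dig and curl are installed, uses the /.well-known/pki-validation/ path named above, and takes the server's public IP as an argument (203.0.113.10 in the comments is a documentation-range stand-in). The classification is kept in a pure function so the verdicts can be checked without network access.

```shell
#!/bin/sh
# Added example (not part of the original article): a pre-flight check that turns the DCV
# prerequisites and the troubleshooting root causes into a single verdict per domain.
# Assumptions: dig and curl are installed; the token path is /.well-known/pki-validation/;
# 203.0.113.10 is a documentation-range stand-in for the server's public IP.

# Membership test: is $1 one of the remaining arguments?
ip_in_list() {
  needle=$1; shift
  for ip in "$@"; do
    [ "$ip" = "$needle" ] && return 0
  done
  return 1
}

# classify_dcv_precheck <server_ip> <http_status> [resolved_ip ...]
# Pure function so it can be exercised offline: prints one verdict, returns 0 only when DCV can proceed.
#   resolved_ip ...  A records public DNS returned for the domain (none = unresolved)
#   http_status      what curl got from http://<domain>/.well-known/pki-validation/ (000 = no connection)
classify_dcv_precheck() {
  server_ip=$1; status=$2; shift 2
  if [ $# -eq 0 ]; then
    echo "dns-unresolved"; return 1               # DNS not propagated or record missing
  fi
  if ! ip_in_list "$server_ip" "$@"; then
    echo "dns-points-elsewhere"; return 1         # another server, or a CDN/Cloudflare proxy address
  fi
  case $status in
    000)     echo "port80-unreachable"; return 1 ;;  # firewall, or nothing listening on :80
    401|403) echo "well-known-blocked"; return 1 ;;  # .htaccess denies dot-directories
    200|404) echo "ok"; return 0 ;;                  # 404 is normal: the token only exists during DCV
    301|302) echo "ok-redirect"; return 0 ;;         # Let's Encrypt follows redirects; keep the target on the same host
    *)       echo "http-unexpected-$status"; return 1 ;;
  esac
}

# Live wrapper: gathers the inputs for one domain and prints the verdict.
precheck_domain() {
  domain=$1; server_ip=$2
  # keep only IPv4 answers (dig +short also prints CNAME targets); intentionally unquoted below for word splitting
  resolved=$(dig +short "$domain" A @8.8.8.8 2>/dev/null | grep -E '^[0-9]+(\.[0-9]+){3}$' | tr '\n' ' ') || true
  status=$(curl -s -o /dev/null --max-time 10 -w '%{http_code}' "http://$domain/.well-known/pki-validation/") || true
  verdict=$(classify_dcv_precheck "$server_ip" "${status:-000}" $resolved) || true
  printf '%-40s %s\n' "$domain" "$verdict"
}

# Usage: sh dcv_precheck.sh --run 203.0.113.10 example.com www.example.com mail.example.com
if [ "${1:-}" = "--run" ]; then
  shift; server_ip=$1; shift
  for d in "$@"; do precheck_domain "$d" "$server_ip"; done
fi
```

Run it before the first AutoSSL attempt and again after any DNS or CDN change; a domain that does not come back "ok" or "ok-redirect" will fail DCV for the reason the verdict names, which maps directly onto the fixes listed above.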

Mixed Content Warnings After HTTPS Activation

After AutoSSL provisions a certificate, browsers may still show a "Not Secure" warning or a padlock with a warning triangle. This is caused by mixed content — resources (images, scripts, stylesheets, iframes) loaded over http:// on an otherwise HTTPS page.

Fix for WordPress:

Install the Really Simple SSL plugin, which rewrites internal URLs and sets the HTTPS server variable. Alternatively, add this to wp-config.php:

define('FORCE_SSL_ADMIN', true);
// Honour the proxy's protocol header so WordPress generates https:// URLs behind a TLS-terminating proxy.
// Only do this when a trusted proxy sets the header: a client connecting directly can send it too.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) {
    $_SERVER['HTTPS'] = 'on';
}

Fix at the server level (Apache/LiteSpeed):

Add a global HTTP-to-HTTPS redirect in your virtual host or .htaccess:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

After applying the redirect, use a tool like Why No Padlock or browser DevTools (Network tab, filter by scheme) to identify any remaining HTTP resources.
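To find the remaining http:// resources without a browser, the scan below can be run over a saved copy of the page. It is an added example, not part of this article or of any plugin mentioned; the sample page it writes is constructed, and the scanner only flags references that actually load a resource (src=, CSS url(), stylesheet <link>s), since <a href> links and protocol-relative //host URLs are not mixed content.

```shell
#!/bin/sh
# Added example (not from the original article): an offline scan for mixed content in a saved
# HTML page, i.e. resources still loaded over http:// after the HTTPS redirect is in place.
# Only loaded resources are reported; plain <a href> links and protocol-relative //host URLs
# are not mixed content and are ignored.

find_mixed_content() {
  f=$1
  {
    # element sources: <img>, <script>, <iframe>, <video>/<audio>/<source>, <object data=>, <video poster=>
    grep -oiE "[[:space:]](src|poster|data)=[\"']http://[^\"' >]+" "$f" || true
    # only stylesheet <link>s load a resource; rel=canonical, alternate, etc. do not
    grep -oiE "<link[^>]*>" "$f" | grep -i "stylesheet" | grep -oiE "href=[\"']http://[^\"' >]+" || true
    # inline CSS url(...) references (background images, fonts)
    grep -oiE "url\([\"']?http://[^\"')]+" "$f" || true
  } | grep -oE "http://[^\"' >)]+" | sort -u
}

# Constructed sample page mixing secure, insecure, navigational and protocol-relative references
write_sample_page() {
  cat > "$1" <<'EOF'
<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="https://www.example.com/app.js"></script>
<style>.hero { background: url(http://cdn.example.com/hero.jpg); }</style>
</head><body>
<a href="http://partner.example.net/">Partner</a>
<img src="http://cdn.example.com/logo.png" alt="logo">
<img src="//cdn.example.com/protocol-relative.png" alt="ok">
<iframe src="https://maps.example.org/embed"></iframe>
</body></html>
EOF
}

# Usage against a live page:  curl -sL https://yourdomain.com/ -o page.html && sh mixed_content.sh page.html
if [ -n "${1:-}" ]; then
  find_mixed_content "$1"
fi
```

On the constructed page this reports the stylesheet, the background image and the logo, and nothing else. Anything it lists is what the browser's padlock warning is about; a script or iframe in that list is the case to fix first, since the browser blocks those outright rather than merely warning.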

Certificate Renewal Failures

If AutoSSL fails to renew a certificate that was previously valid, check the AutoSSL log for the specific failure:

ls -lt /var/cpanel/logs/autossl/ | head -5
cat /var/cpanel/logs/autossl/LATEST_LOG_FILE

Common renewal failure causes:

  • DNS changed — The domain now points to a different server. AutoSSL on the old server can no longer complete HTTP DCV.
  • Let's Encrypt rate limits — Let's Encrypt enforces a limit of 5 duplicate certificates per week per domain. If you have been repeatedly triggering AutoSSL manually during testing, you may hit this limit. Check at crt.sh for recent issuances.
  • Expired WHM license — On servers using Sectigo as the AutoSSL provider, an expired WHM license will block new issuances. Verify license status in WHM under Server Configuration > License Manager.
  • cPanel version incompatibility — Ensure cPanel is updated. Run upcp from the server shell to apply updates.

Self-Signed or Untrusted Certificates Persisting

If a domain shows a self-signed certificate despite AutoSSL running successfully, a manually installed certificate may be taking precedence. In cPanel, navigate to SSL/TLS > Manage SSL Sites and remove any manually installed certificate for the affected domain, then re-run AutoSSL.

Advanced Configuration: AutoSSL with Wildcard Domains

AutoSSL does not natively issue wildcard certificates (*.example.com). If your application requires a wildcard — for example, dynamically generated subdomains for a SaaS platform — you have two options:

Option 1: Use Certbot with DNS challenge

# Wildcard issuance requires the DNS-01 challenge; the Cloudflare plugin creates the _acme-challenge TXT record.
# The credentials file holds an API token and must be readable only by the invoking user (chmod 600).
certbot certonly --dns-cloudflare \
  --dns-cloudflare-credentials ~/.secrets/cloudflare.ini \
  -d "*.example.com" -d "example.com"

Then install the resulting certificate manually via cPanel's Manage SSL Sites interface or via the cPanel API.

Option 2: Purchase a wildcard DV certificate

Wildcard DV certificates from providers like Sectigo or DigiCert are available at reasonable cost and can be installed through SSL Certificates management. This is the simpler path for non-technical users who need wildcard coverage without managing Certbot.

AutoSSL and Email Hosting Considerations

AutoSSL also secures mail-related hostnames: mail.yourdomain.com, smtp.yourdomain.com, imap.yourdomain.com, and webmail.yourdomain.com. These are included automatically in the SAN (Subject Alternative Name) list of the issued certificate.

If you are running Email Hosting on the same server, verify that your mail client's server hostname matches one of the SANs on the certificate. A mismatch between the hostname configured in Outlook or Thunderbird and the certificate's SAN list will produce SSL errors in mail clients, even if the website itself shows a valid padlock.

Check the full SAN list of an installed certificate:

echo | openssl s_client -connect mail.yourdomain.com:993 2>/dev/null | openssl x509 -noout -text | grep -A1 "Subject Alternative Name"

Security Hardening Beyond AutoSSL

AutoSSL handles certificate provisioning, but certificate presence alone does not constitute a hardened TLS configuration. After enabling AutoSSL, apply the following hardening steps.

Enforce TLS 1.2 and 1.3 only

In WHM under Service Configuration > Apache Configuration > Global Configuration, disable TLS 1.0 and 1.1. For LiteSpeed, navigate to WebAdmin Console > Listeners > SSL > Protocol Version.

Enable HSTS (HTTP Strict Transport Security)

Add the following header to your virtual host or .htaccess after confirming HTTPS is stable:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Do not enable preload until you are certain all subdomains are covered by valid certificates and you intend to maintain HTTPS permanently. HSTS preloading is irreversible on short timescales.

Disable weak cipher suites

In WHM's Apache configuration, set the SSLCipherSuite directive to a modern cipher list. A safe baseline:

ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

Test your configuration

Run your domain through SSL Labs Server Test after applying changes. Target an A or A+ rating. AutoSSL alone typically yields a B rating on default cPanel configurations; the cipher and protocol hardening above pushes it to A+.

Best Practices for Production AutoSSL Management

Keep cPanel and WHM updated. AutoSSL's Let's Encrypt integration depends on the ACME client bundled with cPanel. Outdated versions may fail against Let's Encrypt API changes. Run updates via WHM or schedule them with:

/scripts/upcp --force

Maintain accurate DNS records. Any DNS change — nameserver migration, IP change, CDN activation — can break DCV. Before migrating a domain to a new server or CDN, plan the AutoSSL re-issuance as part of the migration checklist.

Do not rely solely on AutoSSL logs. Set up external certificate monitoring using tools like certspotter, Uptime Robot's SSL monitoring, or a custom cron that alerts you if a certificate's expiry drops below 20 days:

#!/bin/bash
DOMAIN="yourdomain.com"
# Read the notAfter date from the certificate the server presents for DOMAIN (SNI set explicitly)
EXPIRY=$(echo | openssl s_client -connect "${DOMAIN}:443" -servername "${DOMAIN}" 2>/dev/null \
  | openssl x509 -noout -enddate | cut -d= -f2)
# If the handshake or parse failed, alert on that rather than computing days from an empty date
if [ -z "$EXPIRY" ]; then
  echo "ERROR: could not retrieve certificate for ${DOMAIN}" | mail -s "SSL Alert" admin@yourdomain.com
  exit 1
fi
EXPIRY_EPOCH=$(date -d "${EXPIRY}" +%s)
NOW_EPOCH=$(date +%s)
DAYS_LEFT=$(( (EXPIRY_EPOCH - NOW_EPOCH) / 86400 ))
if [ "$DAYS_LEFT" -lt 20 ]; then
  echo "WARNING: ${DOMAIN} certificate expires in ${DAYS_LEFT} days" | mail -s "SSL Alert" admin@yourdomain.com
fi
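The SAN check for mail hostnames described earlier and the expiry monitor just shown both end in a judgement a script can make by itself: is the hostname covered, and how close is the certificate to expiry. The script below is an added example (not the article's monitor or any cPanel tool) that makes both checks on a PEM certificate file, so they can be verified offline against a constructed self-signed certificate. It assumes OpenSSL 1.1.1 or later for -addext in the demo-certificate helper, uses openssl's -checkend instead of GNU date arithmetic so it also runs on non-GNU systems, and adds -starttls smtp for port 587, where a plain s_client connection would not complete a handshake.

```shell
#!/bin/sh
# Added example (not from the original article): SAN coverage and expiry checks on a certificate,
# matching the way mail clients and expiry monitors judge it. Assumes OpenSSL >= 1.1.1 (-addext);
# example.com and the 20-day threshold are the article's own placeholders.

# Fetch the leaf certificate a live service presents. $1 host, $2 port; 587 needs STARTTLS.
fetch_cert() {
  host=$1; port=$2; starttls=""
  [ "$port" = "587" ] && starttls="-starttls smtp"
  echo | openssl s_client -connect "$host:$port" -servername "$host" $starttls 2>/dev/null \
    | openssl x509 -outform PEM
}

# Print the DNS SANs of a PEM certificate file, space-separated, in certificate order.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | awk '/Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS://p' \
    | tr '\n' ' ' | sed 's/ $//'
}

# san_covers_host <hostname> <san ...>: exact match, or a wildcard that covers exactly one label.
san_covers_host() {
  host=$1; shift
  for san in "$@"; do
    case $san in
      \*.*)
        suffix=${san#\*.}
        rest=${host%."$suffix"}
        # host must end in ".suffix" and the remaining prefix must be a single non-empty label
        if [ "$rest" != "$host" ] && [ -n "$rest" ] && [ "${rest#*.}" = "$rest" ]; then
          return 0
        fi ;;
      *)
        [ "$san" = "$host" ] && return 0 ;;
    esac
  done
  return 1
}

# Returns 0 when the certificate in $1 expires within $2 days (openssl -checkend exits non-zero in that case).
cert_expires_within_days() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Constructed sample: a 30-day self-signed cert carrying the SANs a typical AutoSSL issuance has.
make_demo_cert() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "${1%.crt}.key" -out "$1" -days 30 -subj "/CN=example.com" \
    -addext "subjectAltName=DNS:example.com,DNS:www.example.com,DNS:mail.example.com" \
    >/dev/null 2>&1
}

# Usage: sh check_cert.sh mail.example.com 993   (non-zero exit on any problem)
if [ -n "${2:-}" ]; then
  crt=$(mktemp); fetch_cert "$1" "$2" > "$crt"
  sans=$(cert_sans "$crt")
  san_covers_host "$1" $sans && echo "SAN covers $1" || { echo "SAN mismatch for $1: $sans"; rc=1; }
  cert_expires_within_days "$crt" 20 && { echo "expires within 20 days"; rc=1; }
  rm -f "$crt"; exit "${rc:-0}"
fi
```

The wildcard branch of san_covers_host applies the one-label rule (`*.example.com` covers mail.example.com but neither example.com nor a.b.example.com), which is exactly the distinction that matters when deciding between AutoSSL's per-hostname SANs and a wildcard certificate. Pointing the script at each mail port in turn (993, 465, 587) catches the case where a different certificate is installed on the mail service than on the web server.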

Use separate certificates for high-value domains. For domains handling payment processing or sensitive user data, consider supplementing AutoSSL's DV certificate with a paid OV or EV certificate installed manually. AutoSSL and manually managed certificates can coexist on the same server — AutoSSL simply skips domains that already have a valid, trusted certificate installed.

Audit excluded domains periodically. Domains excluded from AutoSSL are easy to forget. Schedule a quarterly review of the exclusion list in SSL/TLS Status to ensure staging or development domains have not accidentally gone live without certificate coverage.

Decision Matrix: When AutoSSL Is and Is Not Sufficient

Scenario | AutoSSL Sufficient? | Recommended Alternative
--- | --- | ---
Standard business website | Yes | 
WordPress blog or e-commerce (WooCommerce) | Yes | 
Subdomain-heavy SaaS with dynamic subdomains | No | Certbot wildcard + DNS challenge
Financial institution requiring EV certificate | No | Paid EV certificate
Internal/intranet domain (non-public DNS) | No | Private CA or self-signed with internal trust
Mail server hostname coverage | Yes | 
CDN-proxied domain (Cloudflare full proxy) | Partial | Cloudflare Origin Certificate or Full (Strict) mode
Multi-server load-balanced environment | Partial | Centralized cert management (e.g., cert-manager)

Key Technical Takeaways

  • AutoSSL runs on a server-wide cron schedule and checks all accounts daily; manual triggers are available via WHM or the cPanel API for immediate issuance.
  • HTTP DCV requires port 80 to be open and the /.well-known/pki-validation/ path to be publicly accessible — this is the single most common configuration mistake.
  • Cloudflare's orange-cloud proxy mode blocks HTTP DCV; switch to grey-cloud during initial issuance or use DNS-based DCV.
  • AutoSSL does not issue wildcard certificates; use Certbot with a DNS plugin or a purchased wildcard certificate for that requirement.
  • HSTS should only be enabled after AutoSSL is confirmed stable across all subdomains; premature HSTS deployment with an incomplete certificate can lock users out of subdomains.
  • External certificate monitoring is non-optional in production — AutoSSL's internal alerts are a supplement, not a replacement, for independent expiry monitoring.
  • For servers requiring more granular control over TLS configuration, provisioning a Dedicated Server gives full access to the web server's SSL stack without shared-environment constraints.
  • VPS Control Panels other than cPanel (Plesk, DirectAdmin, CyberPanel) have their own AutoSSL equivalents with different configuration paths but the same underlying ACME protocol mechanics.

Frequently Asked Questions

Does AutoSSL work if my domain is behind Cloudflare?

Only if Cloudflare is in DNS-only mode (grey cloud). When the orange-cloud proxy is active, Cloudflare intercepts HTTP requests, preventing Let's Encrypt from reaching the DCV token file on your origin server. Either temporarily disable the proxy during issuance or configure Cloudflare's SSL mode to "Full (Strict)" and use a Cloudflare Origin Certificate instead.

How often does AutoSSL attempt to renew certificates?

The AutoSSL cron runs every 24 hours server-wide. It begins renewal attempts when a certificate has 15 or fewer days remaining. Let's Encrypt certificates have a 90-day validity period, so renewal typically occurs around day 75.

Can AutoSSL coexist with a manually installed paid SSL certificate?

Yes. AutoSSL skips any domain that already has a valid, trusted certificate installed. If you install a paid certificate manually via cPanel's SSL manager, AutoSSL will not overwrite it. Once the paid certificate expires, AutoSSL will step in and issue a Let's Encrypt certificate at its next scheduled run, provided the domain passes DCV.

Why does my mail client show an SSL error even though the website has a valid AutoSSL certificate?

The mail client is connecting to a hostname (e.g., mail.yourdomain.com) that may not be included in the certificate's SAN list, or a different certificate is installed on the mail ports (993, 587, 465). Run the openssl s_client command against the mail port and verify the SAN list matches the hostname your client is configured to use.

What happens if AutoSSL fails to renew and the certificate expires?

Browsers will display a full-page "Your connection is not private" warning, and most users will not proceed. Search engine crawlers may also flag the site. If you have HSTS enabled, the browser will refuse to connect entirely without a bypass option. Monitor expiry proactively with external tools and configure WHM email alerts to catch renewal failures before they reach expiry.
