Manage AutoSSL in WHM

This article will cover the Manage AutoSSL feature for WHM with the following topics:

Features of AutoSSL

cPanel has recently implemented a new feature in WHM called AutoSSL. This feature will allow domain validated SSL certificates to be automatically installed on cPanel accounts for VPS and Dedicated Server packages. The Manage AutoSSL feature will let select an SSL certificate provider, view logs, and manage which users can be secured with a SSL Certificate. For more information regarding the AutoSSL in WHM, please refer to cPanel's documentation,

Note: To allow AutoSSL to replace invalid or expiring non-AutoSSL certificates, proceed to the Options tab click the option to Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates. If you are unsure that you should replace the certificates, we do recommend consulting with a developer.
  • The AutoSSL does cover the www. subdomain for each domain and subdomain listed in the certificate. These certificates do count towards any daily rate limits. For example, domain example.com and www.example.com will both be included in the certificate.
  • AutoSSL does prioritize new certificates over the renewal of existing certificates due to rate limits.
  • The AutoSSL sorting algorithm determines the priority of the domains to secure if a virtual host contains more than the provider's limit of domain names.
  • Different providers may wait for a certain amount of time to replace an AutoSSL provided certificate before it is due to expire. Such as, certificates provided by cPanel will attempt to renew within 15 days of expiry.
  • Certificates with overly-weak security settings will be replaced by AutoSSL. Example: RSA modulus of 512-bit or less.

AutoSSL will automatically check that all domains within the cPanel user account have a certificate unless you exclude them within the Manage Users option. Please see the Disable for Certain Users section below for instructions on how to complete this.

Limitations of AutoSSL

  • cPanel provided certificates through AutoSSL can secure up to 200 domains per certificate (Apache virtual host).
  • Domains and subdomains must pass a Domain Control Validation (DCV) test to provide ownership of the domain.
    • Corresponding www. Domains will not be included if they also do not pass the DCV test.
    For the AutoSSL DCV to function, the domain must be pointed to HostGator via either by nameservers or an A record to your server's IP address. This change must be completed where the domain is managed at.
  • Pre-existing certificates will not be attempted to be replaced if it was not issued via AutoSSL.
  • Wildcard domains are not secured by AutoSSL.

Enabling AutoSSL

To enable AutoSSL login to root WHM and navigate to SSL/TLS, then Manage AutoSSL. Under Choose an AutoSSL provider, check cPanel (powered by Comodo).

Disable for Certain Users

  1. Click on the Manage Users tab, and then click the checkbox on the left-hand side of each user that you wish to disable.
  2. Once all of the users are selected, click Disable AutoSSL on selected users at the top.
  3. Then click Save at the bottom of the screen.
Note: Disabling the AutoSSL will be for all of the domains under that user.

Enable for Certain Users

  1. Click on the Manage Users tab, and then click the checkbox on the left-hand side of each user that you wish to enable.
  2. Once all of the users are selected, click Enable AutoSSL on selected users at the top.
  3. Then click Save at the bottom of the screen.

Change AutoSSL Provider

Within Manage AutoSSL you can change the SSL provider by selecting which provider that you would like to use. The provider may require that you read and accept their Terms of Service by selecting the checkbox to agree to the terms.

To reset your registration with the provider, select the appropriate checkbox to agree to the terms, then Reset Registration, and then click Submit.

Let's Encrypt™ AutoSSL Plugin

The Let's Encrypt™ plugin will automatically provision cPanel accounts with Let's Encrypt SSL certificates for sites that do not already have valid CA-signed SSL certificates. The plugin only integrates with the AutoSSL feature, which generates SSL certificates for cPanel accounts. It does not generate hostname certificates for your system's services.

  1. Using SSH, login as the root user of the server.
  2. Run the following command:
    /scripts/install_lets_encrypt_autossl_provider

To disable and uninstall the Let's Encrypt plugin, run the following command via SSH:

/usr/local/cpanel/scripts/uninstall_lets_encrypt_autossl_provider

AutoSSL Troubleshooting

The Log tab within the AutoSSL manager will display issue once the first cronjob has run. Viewing the log is done by selecting the date of the file, then clicking View Log.