What is AutoSSL?

If you host website(s) on a cPanel server environment, then an awesome feature (AutoSSL) is available to secure your cPanel websites and/or services via SSL (HTTPS://).

It is first important to mention that in some cases having a paid SSL certificate might be beneficial. This is especially the recommended route in the event of having an e-commerce based website since you are handling sensitive payment information.

A paid SSL isn’t for everyone,  but it is still recommended to secure your website with an SSL which is why cPanel has come out with the feature AutoSSL so that website owners could add a free SSL certificate to their websites/services. The SSL certificate allows the HTTPS:// version of the website to work, which allows the traffic to and from the website to be encrypted.

AutoSSL has many available providers (certificate authorities). cPanel has teamed up with Sectigo (formerly Comodo) so that they can offer their own white-labeled certificates via a known provider in the SSL industry. Another popular authority of choice is Let’s Encrypt.

Which AutoSSL provider should I use?

There are many available certificate providers that you can install and enable via the cPanel & WHM AutoSSL feature. We are going to focus on the two most widely used providers and give our recommendations on our most preferred provider.

  • cPanel via Sectigo: This provider is installed by default. The certificates provided by Sectigo are using the same encryption as some of their paid certificates. The only difference is the certificate insurance, as free certificates do not have any insurance.
  • Let’s Encrypt: This provider does not come pre-installed but has a quick and easy five-second install process. The certificates provided by Let’s Encrypt are using the same encryption as most of the available paid certificates out there. Just like cPanel via Sectigo, Let’s Encrypt does not offer certificate insurance since it’s a free certificate.

Provider Domain Control Validation (DCV)

In order for AutoSSL to work the domain requesting a certificate has to pass domain validation checks. The two different types of DCV request are:

  • DNS-based: cPanel will add a temporary record to the domains DNS zone. If the domain is pointed at the correct name servers that the local cPanel server uses for DNS control then this validation will succeed. If you host the DNS elsewhere (such as CloudFlare), then this check will fail.
  • HTTP-based: cPanel will add a file to your website accessible via HTTP://domain.com/.well-known/pki-validation/[filename.html]. If your website points to the server and this URL succeeds, then the check will succeed. If the domain is not pointed at the server or redirects to another URL, then the check will fail.

Only one of the above checks have to succeed in order for DCV validation to pass. Let’s Encrypt currently only supports HTTP-based DCV validation. The default cPanel via Sectigo provider supports both DNS-based and HTTP-based DCV validation.

Provider: Let’s Encrypt (LE)

Going with Let’s Encrypt is a great choice, as it is one of the most popular and growing certificate authorities out right now. Still, Let’s Encrypt is not installed on the server by default.  Let’s cover the steps needed to install & enable Let’s Encrypt as your default AutoSSL provider below:

Install & Enable

1. Login to your servers WHM interface.


2. In the top-left search box in WHM, enter ‘Terminal’ and choose the option for  Terminal.

3. You should now be in the servers terminal window via WHM. Enter the following command and press enter to install Let’s Encrypt. You should see the install process performing and providing output all throughout the install. This process normally takes 10-15 seconds.

/usr/local/cpanel/scripts/install_lets_encrypt_autossl_provider

4. Once the Let’s Encrypt plugin install completes type ‘AutoSSL’ in the WHM top-left search box, then click the option for Manage AutoSSL.

5. You should now see the option for Let’s Encrypt under the AutoSSL providers. Select the radio button next to Let’s Encrypt to choose this as the servers default AutoSSL provider.Screen Shot 2019-06-02 at 3.33.26 PM.png832×222 14.9 KB

6. Then click the Save button to save your changes. Note that you might have to check the box to agree to Let’s Encrypt terms of service prior to being able to save the provider.Screen Shot 2019-06-02 at 3.33.46 PM.png986×406 29.7 KB

7. That’s it! Your server should now be using Let’s Encrypt as the AutoSSL provider. You can configure AutoSSL further and/or run checks manually for each user within the AutoSSL interface.

Enable protection of cPanel Services via Let’s Encrypt

Are you wanting to protect services such as WHM, cPanel, & Webmail using Let’s Encrypt? Unlike the cPanel, via Sectigo provider this is not enabled by default and will require some additional steps to configure. Click to expand the steps necessary below:

Note: In order for this to work the hostname of the server must resolve to the servers primary IP Address. In addition there can not be any already installed certificates for the cPanel services that are valid or not expired.

  1. Login to your servers WHM interface.
  2. In the top-left search box in WHM, enter ‘Terminal’ and choose the option for Terminal.
  3. You should now be in the servers terminal window via WHM. Enter the following command and press enter to download the Let’s Encrypt package repository.

    wget https://cpanel.fleetssl.com/static/letsencrypt.repo -O /etc/yum.repos.d/letsencrypt.repo
  4. Next, install the Let’s Encrypt plugin via yum with the below command:

    yum -y install letsencrypt-cpanel

    Note: The repository will install the plugin to the system - this might take a minute.
  5. Once the installation completes enter the below command to enable the server’s hostname to be secured via Let’s Encrypt.

    le-cp hostcert enable
  6. Once you run the command above, then Let’s Encrypt should have received the request for the SSL certificate to cover the hostname of the server. If you have the hostname configured properly (pointing to the servers primary IP), then the SSL should succeed and automatically be installed for the servers cPanel services (cPanel, WHM, etc.).

    We recommend that you run the command below to view the last few entries of the Let’s Encrypt log file. If the request for the certificate failed, then the reason why should be here.

    tail -f /var/log/letsencrypt-cpanel.log
  7. The cPanel services should now be secured when using the hostname of the server to access them. If the hostname of the server is not secure after following the steps outlined above, then please feel free to submit a ticket to our team for assistance.

Provider: cPanel (via Sectigo)

The default cPanel via Sectigo provider is another great choice. This is a great option as it’s already installed by default when cPanel is setup and configured.

Install & Enable

This provider already comes pre-installed. We default new servers with having this feature enabled already, but just in case follow the steps below to ensure that the provider is enabled:

  1. Login to your servers WHM interface.
  2. In the top-left search box in WHM, enter ‘AutoSSL’ and choose the option for Manage AutoSSL.
  3. You should now see the option for cPanel (powered by Sectigo) under the AutoSSL providers. Select the radio button next to cPanel (powered by Sectigo) to choose this as the servers default AutoSSL provider.
  4. Then click the Save button to save your changes.

Enable protection of cPanel Services via cPanel

Are you wanting to protect services such as WHM, cPanel, & Webmail using Let’s Encrypt? If using the default AutoSSL provider (cPanel via Sectigo), then this feature is already enabled by default.

If the hostname of your server is not allowing secure access to services such as WHM, cPanel, or WebMail then you likely have one of the two below issues:

  1. The hostname of the server might not resolve to the servers primary IP Address. This is needed in order for AutoSSL to succeed in validation checks and apply a valid certificate.or
  2. You might already have a valid certificate installed for the cPanel services. Navigate to 'WHM > Manage Service SSL Certificates’ and check if a valid certificate is already applied.

Once the server hostname is pointed at the servers primary IP Address and no valid certificates are installed on the cPanel services, then go back to ‘WHM > Manage AutoSSL’ and click the button labeled Run AutoSSL For All Users. The AutoSSL certificate check will run for all cPanel users and the cPanel services on the server.

Enabling SSL for a domain (manual check)

If you have an AutoSSL provider already enabled, then the chance of your domain already having an SSL is very likely. However, if you find yourself needing to run a manual check for a website follows the steps below:

1. Login to your servers WHM interface.

2. In the top-left search box in WHM, enter ‘AutoSSL’ and choose the option for Manage AutoSSL.

3. Next, click on the tab labeled Manage Users.

4. Use the search field to find the cPanel account you want to enable the SSL check for.

Note: You can find the username of a cPanel domain via WHM > List Accounts if needed.

5. Once you find the cPanel account you’d like to run the check against, click the button labeled Check next to the user.

6. The AutoSSL provider that you have enabled will now be performing a check on the cPanel account in question. We recommend that you click the Logs tab to view the logs and get a status update on the request.

Be sure to click the Refresh button so that the new log file is shown. It might take AutoSSL a minute to complete the check fully, so you might have to press this again until it completes.

7. When the new log appears you can select it and then click the button labeled View Log. This will give you insight into any errors that AutoSSL is running into so that you can fix these errors and get SSL working for the website.

Example of a successful check with the certificate being added to the website properly:

Example of a failed check due to DCV validation failures. No SSL would be applied in this case.

Did this answer your question?