How to use AutoSSL in WHM

Note: This feature is only available for Resellers, and root users on VPS or Dedicated servers.

What is AutoSSL?

cPanel has recently added a feature for VPS and Dedicated server users called AutoSSL. This interface allows you to install domain-validated SSL certificates on domains set up in cPanel accounts. It also lets you view the log files and select the users that you can secure with AutoSSL. In this article, we’ll show you how you can use AutoSSL in WHM.

The AutoSSL feature has the following limitations:

  • Certificates that cPanel, Inc. provides through AutoSSL can secure a maximum of 200 domains per certificate (Apache virtual host).
  • AutoSSL will only include domains and subdomains that pass a Domain Control Validation (DCV) test, which proves ownership of the domain.
  • AutoSSL does not secure wildcard domains.
  • If the corresponding www. domain does not pass a DCV test, AutoSSL will not attempt to secure that www. domain.
  • AutoSSL will not attempt to replace pre-existing certificates that it did not issue.

The AutoSSL feature includes:

  • AutoSSL includes corresponding www. domains for each domain and subdomain in the certificate, and those www. domains count towards any domain or rate limits. For example, if your domain is example.com, AutoSSL will automatically include www.example.com in the certificate.
  • Each AutoSSL provider may wait for a specific amount of time to replace an AutoSSL-provided certificate before it expires. For example: AutoSSL will attempt to renew certificates that cPanel, Inc. provides when they expire within 15 days.
  • Due to rate limits, AutoSSL prioritizes new certificates over the renewal of existing certificates.
  • AutoSSL will replace certificates with overly-weak security settings (for example, RSA modulus of 512-bit or less).
  • AutoSSL uses a sort algorithm to determine the priority of domains to secure if a virtual host contains more than the provider’s limit of domain names.

The users used by AutoSSL are the cPanel users created within your VPS or Dedicated server account. AutoSSL will check ALL domains within the user account unless you make an exception for them within the Manage Users option of AutoSSL.
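
A pre-flight check for the DCV-related limitations above, as an added example that is not part of the original article or of cPanel's code: it pairs each name with its www. counterpart, sets wildcards aside, and flags names that have no IPv4 address or that point at another server, the two failures reported in the comments on this page. Assumptions: precheck, resolve_ipv4 and the report keys are hypothetical names, the sample data is constructed, and resolving to this server is only a precondition for DCV, not the provider's actual validation.

```python
import socket

MAX_NAMES_PER_CERT = 200  # per-certificate limit stated in this article

def resolve_ipv4(name):
    """Return the set of IPv4 addresses for name (empty set if it has none)."""
    try:
        infos = socket.getaddrinfo(name, 80, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def precheck(domains, server_ips, resolver=resolve_ipv4):
    """Sort candidate names for one virtual host by their likely DCV outcome."""
    server_ips = set(server_ips)
    report = {"likely_pass": [], "no_ipv4": [], "wrong_server": [], "wildcard": []}
    seen = set()
    for raw in domains:
        domain = raw.strip().lower().rstrip(".")
        if not domain:
            continue
        if domain.startswith("*."):
            report["wildcard"].append(domain)  # AutoSSL does not secure wildcards
            continue
        # The www. counterpart is added and validated independently of its parent.
        names = [domain] if domain.startswith("www.") else [domain, "www." + domain]
        for name in names:
            if name in seen:
                continue
            seen.add(name)
            ips = resolver(name)
            if not ips:
                report["no_ipv4"].append(name)
            elif ips <= server_ips:
                report["likely_pass"].append(name)
            else:
                report["wrong_server"].append(name)  # some address is not ours
    report["over_limit"] = len(report["likely_pass"]) > MAX_NAMES_PER_CERT
    return report

if __name__ == "__main__":
    # Constructed sample: documentation-range IPs and example.com names.
    dns = {"example.com": {"203.0.113.10"}, "www.example.com": {"203.0.113.10"},
           "mail.example.com": {"198.51.100.7"}}
    result = precheck(["example.com", "mail.example.com", "webdisk.example.com"],
                      {"203.0.113.10"}, resolver=lambda n: dns.get(n, set()))
    for bucket, names in result.items():
        print(bucket, names)
```

Names listed under no_ipv4 or wrong_server are the ones to fix in DNS or to exclude before running AutoSSL; likely_pass still depends on the provider's own validation request succeeding.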
 

How to Run AutoSSL for All Users

Before you begin, you will need to be logged into the Web Host Manager as a root user. The button labeled Run AutoSSL for All Users runs the module based on the options selected in the tabs below.
Warning before using AutoSSL to replace all SSL certificates

NOTE: If you want the AutoSSL option to replace invalid or expiring non-AutoSSL certificates, then click on the Options tab and click on Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates. Make sure to read the warning. If you don’t know if you should replace your EV/OV or DV certificate, then do not select this option until you have spoken with a knowledgeable Web developer, administrator, or support person.

  1. Verify the certificate provider: Select the Certificate Provider (typically, the default certificate provider is Comodo, so you can skip this step).
  2. Manage Users for AutoSSL: If necessary, click on the tab labeled Manage Users in order to disable AutoSSL for specific users. Make sure to click on the Save button at the bottom of the screen if you have selected a user.
  3. Run SSL for all users: Once you are sure of the users that you want to use AutoSSL with, click on the blue button labeled Run AutoSSL For All Users.
  4. NGINX users only! If you are using NGINX, you will need to rebuild the NGINX configuration after running AutoSSL by running the following commands via SSH as root.

    # Replace $user with the cPanel username whose configuration is being rebuilt
    ngxconf -u $user -rd
    service nginx restart
    service httpd restart

How to Run AutoSSL for Specific Users

  1. Verify the certificate provider: Select the Certificate Provider (typically, the default certificate provider is Comodo, so you can skip this step).
  2. Manage Users for AutoSSL: Click on the tab labeled Manage Users in order to select or disable AutoSSL for specific users. Make sure to click on the Save button at the bottom of the screen if you make any changes. You can disable AutoSSL for all the users that you do not wish to use AutoSSL.
  3. Select Users: Click on the blue button labeled Check “user” in order to apply an SSL from AutoSSL. Note that when you check it, it checks ALL of the domains for that particular user.
  4. NGINX users only! If you are using NGINX, you will need to rebuild the NGINX configuration after running AutoSSL by running the following commands via SSH as root.

    # Replace $user with the cPanel username whose configuration is being rebuilt
    ngxconf -u $user -rd
    service nginx restart
    service httpd restart


Thoughts on “How to use AutoSSL in WHM”

  • Hello,

    We have one domain that is set to AutoSSL.  Our certificates expired last night.

    Do I simply need to run AutoSSL or should our web consultant do this?  He manages our domain.

    Regards,

    Nancy

     

    • Yes, running the AutoSSL should update your certificate. I’m not familiar with your organization to know if your web consultant would need to do this or if you have the access needed to do this. If you are an InMotion Hosting customer, you can always reach out to our Technical Support for further assistance with your account specifically.

  • I had installed a certificate manually through another provider besides InMotion cPanel, but now it’s expired. How do I switch to AutoSSL? Do I just need to activate it and wait, or should I “remove/delete” the older certificate?

    thanks,

  • Hello,

    I have an issue with the AutoSSL function.  I have cPanel installed on a VPS.  The VPS and cPanel hostname is asd.domanin.com.  The account domain created in cPanel is domain.com and has only the abc.domain.com subdomain active. The domain.com is hosted on another VPS.
    When I run AutoSSL it gives me an error that all of the following subdomains do not resolve to any IPv4 addresses on the internet:
    domain.com
    http://www.domain.com
    cpanel.domain.com
    webmail.domain.com
    mail.domain.com
    webdisk.domain.com

    But nothing about my active subdomain, abc.domain.com.
    How can I install SSL on this subdomain, if cPanel only checks for standard cPanel subdomains?

    Regards,

    Andrei

    • Hello Andrei.
      AutoSSL will check any domains/subdomains to properly pass Domain Control Validation. If you are using third party nameservers you need to make sure that the DNS will properly route the subdomains to the correct websites. If DCV fails then the Certificates will not be issued as cPanel is unable to validate the ownership of the domains/subdomains you are using.

  • I have a question about auto SSL renewal & your advice to proceed further, I have a domain abcd.com

    Currently, the following hosts have SSL & it will expire in 5 days.

     

    abcd.com

    cpanel.abcd.com

    webdisk.abcd.com

    webmail.abcd.com

    http://www.abcd.com

     

    Today I got a notification regarding SSL renewal.

     

    ++++++++++++++++++

    abcd.com: AutoSSL would normally renew this certificate now, but 1 of the website’s secured domains just failed DCV. To provide you with more time to resolve this problem, AutoSSL will defer the renewal until Jul 2, 2018 at 12:00:00 AM UTC. After that time, AutoSSL will request a replacement certificate that excludes any domains that fail DCV. At the time of this notice, the certificate will expire in 5 days, 21 hours, and 17 seconds.

    AutoSSL did not renew the certificate for “abcd.com”. You must take action to keep this site secure.

     

    The “cPanel” AutoSSL provider could not renew the SSL certificate without a reduction of coverage because of the following problem:

     

    webdisk.abcd.com (checked on Jun 29, 2018 at 2:59:38 AM UTC)

     

    “webdisk.abcd.com” does not resolve to any IPv4 addresses on the internet.

     

    For the most current status, navigate to the “SSL/TLS Status” interface. You can also exclude domains from future renewal attempts, which would cease future notifications.

     

    To upgrade to an EV or OV certificate, navigate to the “SSL/TLS Wizard” interface.

    ++++++++++++++++++

     

    The webdisk.abcd.com is not pointing to the server, so my question is, will it affect the remaining domains from auto-renewal

    like

     

    abcd.com

    cpanel.abcd.com

    webmail.abcd.com

    http://www.abcd.com

     

    or will it only affect webdisk.abcd.com? Does a non-resolving subdomain block the auto-renewal process of the remaining domains?

     

    Please let me know regarding auto SSL update process. 

    • “After that time, AutoSSL will request a replacement certificate that excludes any domains that fail DCV.”

      To clarify, this means that the failure of the subdomain would not affect the main domain. Although it is causing a delay, the next time it is checked for renewal it will proceed to renew certificates except for that subdomain (if at that time it still does not pass DCV). I hope this helps!

      Sincerely,
      Carlos D

    • Once AutoSSL is enabled, it will auto-renew the certificate by default. But, it must be enabled via WHM.
      Thank you,
      John-Paul

    • Thanks for your question about the SSL certificates. If you want to specify the free SSL on your VPS, yes you can do that through the Manage SSL interface. There you can enable or disable the free SSL per user. You can also purchase SSL certificates as they are domain specific. Then you can turn off the free SSL option, then the only sites secured with SSLs would be the ones that have purchased them.

    • You must have root access to log into WHM to maintain the AutoSSL feature. If you are not seeing this option, you should speak with your systems administrator to determine why it is not appearing.

      If you are logged into WHM as root, you will see the “Manage AutoSSL” option. That is where the “Run AutoSSL For All Users” button is located, as outlined by our guide.

  • I have a VPS with 2 domains; one has already got an SSL from Comodo. If I select “Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates.” will it replace this certificate? (It still has 2 years before expiry)

    I want to be able to auto renew on the other domain (without an existing SSL cert)

    • It is meant to automatically install and renew, yes, but I advise checking with our Live Support for help setting it up to make sure you don’t have a lapse between the outgoing SSL and the Auto SSL.

  • I have accounts on my WHM that have multiple domains (ex: example.com, example.org, example.net or myexample.com, examplesite.com, someotherdomain.com) in their cPanel.

    The primary domain manages to get the auto SSL cert, however the others do not. How do I get auto SSL for all the domains in their website?

     

  • I have two VPS with WHM for the same domain, one for web and one for mail, and on the second server I can’t use AutoSSL

    ADVERTENCIA The domain “domain.cl” failed domain control validation: The system queried for a temporary file at “http://domain.cl/.well-known/pki-validation/4EA9DE45DB6FC4D860FE68C65598E448.txt”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. The domain “domain.cl” resolved to an IP address “xx.xx.xx.xx” that does not exist on this server.

    • Hello,

      Auto SSL requires the domain to be pointed to the IP of the server. If you wanted to use AutoSSL on the secondary server that is only running the mail you would need to run it on the main server and manually copy over the certificates as needed.

      Best Regards,
      Kyle M

  • Hello, I have a dedicated server where I have more than 600 a/c. Is this SSL free for all 600 a/c, or is there any limitation?

    • Hello Alan,

      The information for the SSL is in the article above. If you require more information, please indicate what you mean by “specification”. It is a domain-validated certificate.

      If you have any further questions or comments, please let us know.

      Regards,
      Arnel C.

  • Once you’ve changed your settings to enable AutoSSL how long does it typically take for the provider to issue the certificate?

    • Hello Travis,

      It should not take longer than 24 hours. If you’re seeing it take longer, then please contact your host technical support.

      If you have any further questions, please let us know.

      Kindest regards,
      Arnel C.
