One of the more popular topics talked about amongst the cPanel Community is AutoSSL, a tool that automatically installs domain-validated SSL certificates for cPanel services and users’ websites. Since we haven’t touched on AutoSSL on our blog for a bit, some of the recent changes added to cPanel & WHM have created an opportune time to revisit one of cPanel’s most popular features.
What is AutoSSL?
AutoSSL is the solution for one of the most prominent SSL pain points for cPanel & WHM users: SSL installations and renewals. The AutoSSL feature will automatically install a free domain-validated SSL certificate for the Apache®, Dovecot, Exim, Web Disk, and cPanel Server services for users’ domains. It also allows you to review the feature’s log files and select which users receive AutoSSL certificates. Better yet, your SSL coverage will never lapse. At the time of expiration a new, free SSL is requested and automatically installed. The AutoSSL system also inspects all of the installed certificates and replaces those that do not meet security needs.
By default, AutoSSL performs certificate checks on a scheduled basis, with once-per-day being the greatest length of time, and the polling frequency is determined by the age of the certificate. If you prefer though, you have the option to run the checks manually using the “Run AutoSSL For All Users” button.
Manage AutoSSL in WHM
How do you enable AutoSSL?
Enabling is a piece of cake! In WHM navigate to the AutoSSL interface, and adjust the selected toggle to cPanel. Then click save.
Selecting a Provider
In cPanel & WHM version 76, we added usability scores in the Providers tab of WHM’s Manage AutoSSL interface, This score displays the service capabilities of each AutoSSL provider and allows a user to select a provider based on their AutoSSL needs.
A usability score ranks each provider based on the following capabilities:
- The Domain Control Validation (DCV) methods the provider offers
- Whether the provider supports ancestor DCV
- The number of unique domains per certificate
- The average delivery time a provider requires to issue a certificate
- The maximum number of HTTP-based DCV domain redirects the provider supports
- The number of certificates registered per domain per week
- The interface also displays information for each provider’s AutoSSL delivery method and the validity period of a certificate before it expires
You can monitor the actions taken by the AutoSSL system by visiting the Logs tab. You can load the log by selecting the log file you’d like to view and clicking “View Log.” There is not a whole lot of activity in the example below, but in very active servers you may see a range of warnings, informational events, and errors, indicated by text coloration and corresponding icons.
In the “Manage Users” tab you can enable, disable AutoSSL on any of your accounts, or reset the account to the setting in its Feature Manager List. The Feature Manager functionality allows you to manage all of the features available to your user’s accounts in one place. Using the green and red buttons at the top in conjunction with the checkboxes along the left side you can manage AutoSSL for your accounts in bulk.
If you have a pending certificate in your queue for any reason (for example, when a rate limit is reached), you’ll see them appear in this interface with some additional details. For FAQs about rate limits, please visit our SSL FAQ and Troubleshooting documentation.
Updates in Version 74
Starting in cPanel & WHM Version 74, we streamlined the number of configuration options, which makes it efficient for users and administrators to configure AutoSSL notifications.
For WHM users, we updated the Options tab in WHM’s Manage AutoSSL interface. Administrators can now configure user notifications independent of their settings in WHM, such as all events or failures only, or disable all AutoSSL notifications.
For cPanel users, we updated cPanel’s Contact Information interface to reduce the AutoSSL Notifications user notification preferences to four options.
- Notify the user for all AutoSSL events and normal successes.
- Notify the user for AutoSSL certificate request failures, warnings, and deferrals.
- Notify the user for AutoSSL certificate request failures only.
- Disable AutoSSL user notifications.
This setting defaults to Notify the user for AutoSSL certificate request failures, warnings, and deferrals.
Some settings only appear based on the notification level that your WHM administrator sets in the Manage AutoSSL interface.
Additionally, we added DNS-based Domain Control Validation (DCV), which the server automatically runs if HTTP-based DCV fails. DNS-based DCV provides an additional method for cPanel & WHM servers to prove domain control to certificate authorities. This new method will significantly improve SSL issuance rates and reduce AutoSSL notifications.
AutoSSL in My cPanel? It’s More Likely Than You Think
WHM isn’t the only portion of the product that received AutoSSL improvements in the last few released versions. In the cPanel user interface (cPanel >> SSL/TLS Status), as well as via API, the ability to exclude individual domains from AutoSSL was introduced in version 66. Additionally, messaging providing each domain’s AutoSSL status (if the information exists) was added to the cPanel UI in version 68. These messages include information about pending orders, validation problems, or changes to the domains on a certificate for renewal.
Updates in Version 76
We added a preflight check to AutoSSL. This check adds a Certificate Authority Authentication (CAA) record in the domain’s zone file before AutoSSL orders a new certificate for that domain as well as adding the Usability Scores which we mentioned above when discussing “Selecting a Provider.”
Updates in Version 78
We have reduced the polling intervals for system checks on cPanel (powered by Sectigo) certificates to the following:
If you want to discuss AutoSSL further, or have ideas on how to make AutoSSL work better for you, please reach out to us via our cPanel Forums, Discord or Slack, or on our Reddit community at /r/cPanel!