1. Home
  2. SSL/TLS
  3. How does AutoSSL work?
Searching...

How does AutoSSL work?

If you’ve received an email from cPanel mentioning Potential reduced AutoSSL coverage, please refer to the section below.

The feature AutoSSL that is available on our servers ensure that SSL/TLS certificates are issued and set up automatically for all domains and subdomains on our web hosting accounts. Each time a new domain or subdomain is added to an account, AutoSSL issues a certificate from Let’s Encrypt, enabling https from the very beginning.

It usually takes a little while (often around 3-5 minutes) for AutoSSL to issue a certificate.

AutoSSL will only be able to issue certificates for domains/subdomains that are pointing at the server where the domain is added. Otherwise, the validation cannot be done.

If the domain uses our DNS servers, this will be done automatically. Otherwise, you need to point the domain/subdomain towards the IP address for the correct server.

If you have set up a wildcard subdomain, for example *.yourdomain.se, the domain must use our DNS servers for certificates to be issued. If you use DNS servers belonging to another provider, the certificate issuance will fail with an error message that mentions the following:

DNS DCV: No local authority

For domains already added to web hosting accounts, AutoSSL makes sure to renew certificates automatically well before they expire. This should ensure that https will work without interruptions, and without any manual handling.

Using AutoSSL

In most cases, you do not have to do anything for AutoSSL to work. However, there are cases when you would like to modify the settings. For these cases, follow the instructions below.

To access AutoSSL, begin by logging on to cPanel. Then click the SSL/TLS Status icon under Security.

A bit down on the page, you’ll find a table showing all domains/subdomains on your web hosting account. If the domain currently is using a certificate issued by AutoSSL, you’ll see the following:

If you have domains/subdomains that use our DNS servers, but are pointed towards servers run by another provider, and are planned to continue to do so, it can be a good idea to exclude the domains from AutoSSL. This is also applicable to domains that you’re planning to point to another provider soon. To exclude domains, click Exclude from AutoSSL. The server will no longer try to issue certificates for that specific domain/subdomain.

The opposite is also true: if you already have a domain set up on a web hosting account but it currently points towards a server from another provider and is excluded from AutoSSL, you can activate SSL for it by clicking Include during AutoSSL. As soon as the domain is pointed towards our server, a certificate will be issued.

If you choose to include a domain previously excluded from AutoSSL, a certificate will be issued the next time AutoSSL is run on the server. You may also force an AutoSSL run by clicking the Run AutoSSL button above the list of domains.

You may also choose to include/exclude multiple domains at once. To do this, click the checkbox to the left of each domain and click one of the buttons labelled Include Domains during AutoSSL or Exclude Domains from AutoSSL. Hence, you do not have to click individual include- or exclude buttons for each domain separately.

Failed renewals

If AutoSSL would fail to issue or renew a certificate due to any reason, an email will be sent to the registrered email address within cPanel. If you wish to disable these messages, they can be turned off via cPanel.

In these messages, the reason as to why the certificate couldn’t be issued or renewed will be stated. Some common reasons include:

  • The domain is not registered or has expired.
  • The domain is not pointing towards our server.
  • The domain is pointing nowhere.
  • The domain is not valid.
  • It is a wildcard subdomain and the domain uses different DNS servers than ours.

Below, an example of such a notification is shown:

Potential reduced AutoSSL coverage exempel.se: AutoSSL would normally renew this certificate now, but 2 of the website's secured domains just failed DCV. To provide you with more time to resolve these problems, AutoSSL will defer the renewal until 10 nov. 2020 at 00:00:00 UTC. After that time, AutoSSL will request a replacement certificate that excludes any domains that fail DCV. At the time of this notice, the certificate will expire in 7 days, 2 hours, and 35 minutes. AutoSSL did not renew the certificate for "exempel.se". You must take action to keep this site secure. The "cPanel" AutoSSL provider could not renew the SSL certificate without a reduction of coverage because of the following problems:

Based on the reason as to why the renewal failed, you can take different actions:

  • Exclude the domain from AutoSSL (according to the instructions above).
  • Remove the domain from the web hosting accounts if the domain is neither pointing at our server or uses our DNS servers.
  • Register the domain if you want to use it, if it is available at the moment.
Was this article helpful?
Yes No

Related Articles