cPanel supports Let’s Encrypt automated SSL certificate management through the AutoSSL option in WHM.
If you are running cPanel & WHM version 58.0.17 or above (the EDGE or CURRENT tiers right now), you can now install the plugin using the command line by running this command:
/scripts/install_lets_encrypt_autossl_provider
Running that script will add cPanel’s repo file and make sure the plugin is up to date, which will add it as a provider to the AutoSSL feature introduced in 58. If you want to enable it after you add it to the server, you will need to do so from WHM.
Domain and rate limits
The AutoSSL feature includes the following limitations and conditions:
- Each AutoSSL provider may have a specific domain rate limit. For example:
  - Certificates that cPanel, Inc. provides through AutoSSL can secure a maximum of 200 domains per virtual host.
  - Certificates that Let’s Encrypt™ provides can secure a maximum of 100 domains per virtual host.
- AutoSSL will only include domains and subdomains that pass a Domain Control Validation (DCV) test, which proves ownership of the domain.
- AutoSSL will not attempt to replace pre-existing valid certificates that expire in more than three days.
- AutoSSL will replace certificates with overly-weak security settings (for example, RSA modulus of 512-bit or less).
- AutoSSL includes corresponding www. domains for each domain and subdomain in the certificate, and those www. domains count towards any domain or rate limits.
  - For example, if your domain is example.com, AutoSSL will automatically include www.example.com in the certificate.
  - If the corresponding www. domain does not pass a DCV test, AutoSSL will not attempt to secure that www. domain.
  - This affects Let’s Encrypt’s limit of 20 certificates per week that may contain a domain or its subdomains.
- AutoSSL does not secure proxy subdomains or wildcard domains.
- If a virtual host contains more than the provider’s limit of domain names, AutoSSL uses the following conditions to determine the priority of domains to secure:
  - Whether the domains are currently secured.
  - Shortest domain name length.
  - Domain name alphabetical order.
For example, the following table demonstrates these limitations for the cPanel AutoSSL provider:
200 domains | AutoSSL will generate one certificate for the account which secures all 200 domains. | |
202 domains | AutoSSL will generate one certificate for the account which secures the 200 domains with the shortest names. | |
100 domains | 100 domains | AutoSSL will generate a certificate for each virtual host that secures all of its domains. |
100 domains | 102 domains | AutoSSL will generate a certificate for each virtual host that secures all of its domains. |
100 domains | 202 domains | AutoSSL will generate two certificates:
|
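The limits above can be worked through in code. The following Python sketch is an added example, not cPanel's code: it assumes the three priority conditions apply in the listed order as sort keys and that each www. name is ranked as its own candidate. The function name, the SAMPLE_* data and the limit of 4 (shrunk so the cut-off is visible) are constructed for illustration.

```python
# Added illustration, not cPanel's implementation. All names here are hypothetical.

def select_names(domains, passes_dcv, secured, limit):
    """Pick the names one AutoSSL certificate would carry for a virtual host.

    domains    -- domains and subdomains on the virtual host
                  (proxy subdomains are assumed to be filtered out by the caller)
    passes_dcv -- names (www. forms included) that passed the DCV test
    secured    -- names the current certificate already covers
    limit      -- provider maximum per virtual host (200 cPanel, 100 Let's Encrypt)
    Returns (included, left_out).
    """
    candidates = set()
    for name in domains:
        if name.startswith("*."):
            continue  # wildcard domains are not secured by AutoSSL
        # The matching www. name is considered too and counts towards the limit.
        for candidate in (name, "www." + name):
            if candidate in passes_dcv:  # names that fail DCV are skipped
                candidates.add(candidate)
    # Assumed ordering: already secured first, then shortest, then alphabetical.
    ranked = sorted(candidates, key=lambda n: (n not in secured, len(n), n))
    return ranked[:limit], ranked[limit:]


# Constructed sample data (not taken from a real server).
SAMPLE_DOMAINS = ["example.com", "shop.example.com", "blog.example.com",
                  "*.example.com", "a-very-long-name.example.com"]
SAMPLE_DCV_OK = {"example.com", "www.example.com", "shop.example.com",
                 "blog.example.com", "www.blog.example.com",
                 "a-very-long-name.example.com"}
SAMPLE_SECURED = {"a-very-long-name.example.com"}
SAMPLE_LIMIT = 4  # shrunk from the real 100/200 so the cut-off is visible

if __name__ == "__main__":
    included, left_out = select_names(SAMPLE_DOMAINS, SAMPLE_DCV_OK,
                                      SAMPLE_SECURED, SAMPLE_LIMIT)
    print("in certificate:", included)
    print("left unsecured:", left_out)
```

Names in the second list are the ones to check after an AutoSSL run: they serve no AutoSSL certificate until the virtual host is split or names are removed.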
Select an AutoSSL provider
To select an AutoSSL provider, perform the following steps:
- Select the desired AutoSSL provider.
- Select disabled to disable this feature.
- If the AutoSSL provider requires that you accept their Terms of Service or other similar agreement, read the document and select the appropriate checkbox to agree to those terms.
- If you need to reset your registration with the AutoSSL provider due to security issues, select the appropriate checkbox to agree to those terms and click Reset Registration.
- Click Submit.
Note:
If the provider updates their Terms of Service, you may need to return to this interface to agree to them.
Enable AutoSSL
Users must use a package that includes the autossl feature to receive the free certificates. For more information about feature lists, read our Feature Manager documentation.
Feature list override
To override the feature settings and control whether AutoSSL is enabled for a user or users, perform the following steps:
- Click the Manage Users tab to display a table of users on the server.
- You can search and navigate the list of users with the navigation controls.
- To set the feature on all domains, click Enable AutoSSL on all users, Disable AutoSSL on all users, or Use Feature List for all users.
- To set the feature on multiple domains, select the appropriate checkboxes and click Enable AutoSSL on selected users, Disable AutoSSL on selected users, or Reset AutoSSL for selected users.
- To enable or disable AutoSSL on a single domain, select the appropriate option:
  - Enable AutoSSL — Override the user’s Feature List settings to enable AutoSSL.
  - Disable AutoSSL — Override the user’s Feature List settings to disable AutoSSL.
  - Reset to Feature List Setting — Allow the user’s Feature List settings to determine whether AutoSSL is enabled or disabled.
Notes:
- Because the system adds the /etc/cron.d/cpanel_autossl cron daemon task to schedule the automatic provisioning of certificates, you may experience a delay between when you enable the feature and the installation of certificates. The interface displays the next time that the script will run.
- AutoSSL will attempt to renew its provided certificates when they expire within 29 days. However, due to rate limits, AutoSSL prioritizes new certificates over the renewal of existing certificates.
- The system restarts Apache after AutoSSL provisions and installs certificates for all accounts during a nightly run.
Run AutoSSL
Click Run AutoSSL for all users at the top of the interface to run the AutoSSL feature for all users with the feature enabled.
To run the AutoSSL feature for a single user, click the user’s Check button in the Run AutoSSL Check column of the table.
Review log files
To review AutoSSL log files, perform the following steps:
- Click the Logs tab.
- Select the log that you wish to view from the menu, and click View Selected Log.
- Click Refresh Logs List to refresh the list of log files.
The system stores the log files in both text and JSON format in the /var/cpanel/logs/autossl directory.
Frequently Asked Questions
How do I revoke a certificate?
We do not support the revocation of certificates through cPanel & WHM at this time.
Let’s Encrypt won’t issue a certificate for a virtual host list (website).
Let’s Encrypt will only issue a certificate five times per week to a specific set of domains before it blocks any further certificates for that set of domains.
To work around this rate limitation, create an alias to a domain in the virtual host list (website) so that Let’s Encrypt interprets the virtual host as a new set of domains.
Is Manage AutoSSL available for cPanel & WHM version 56?
That version of cPanel & WHM does not support deferred Apache and Dovecot configuration restarts, which results in unacceptable downtime and a poor customer experience. As such, we will not make the plugin available for version 56.