Free SSL certificate setup on cPanel: a step-by-step guide
7 min read · 14-Apr-2026
villagehosting.in team
AutoSSL installs SSL automatically on most cPanel hosts
Most cPanel hosts have AutoSSL (powered by Let's Encrypt) enabled by default. When you add a domain, SSL is installed within 24 hours automatically — you don't need to do anything. This guide covers what to do when AutoSSL fails or when you need to install it manually.
Every website needs HTTPS. Google has marked HTTP sites as "Not Secure" since 2018. Without SSL, Chrome shows a warning to your visitors, and your rankings suffer.
The good news: SSL is free. Let's Encrypt has issued over 4 billion certificates since 2015. On cPanel, installing one takes under 2 minutes.
What is SSL and why does it matter?
SSL (Secure Sockets Layer, now technically TLS) encrypts the connection between your visitor's browser and your server. Without it:
- Passwords and form data travel as plain text over the internet
- ISPs and mobile networks can inject ads into your pages
- Google flags your site as "Not Secure" in Chrome
- Your site ranks lower in search results (Google confirmed HTTPS as a ranking signal in 2014)
Step 1: Check if SSL is already installed
Log into cPanel → SSL/TLS Status (under Security). If your domain shows a green padlock and a valid expiry date, you are already covered.
If you see a red icon, continue to Step 2.
Step 2: Install Let's Encrypt via AutoSSL
cPanel's AutoSSL feature installs free Let's Encrypt certificates automatically.
- cPanel → Security → SSL/TLS Status
- Click the Run AutoSSL button at the top
- Wait 60–120 seconds for the check to complete
- Your domain, www subdomain, and mail subdomain should all show green padlocks
AutoSSL runs every night. If your domain fails verification, the most common reasons are:
- Domain not pointing to this server — check your DNS A record in cPanel → Zone Editor
- CAA DNS record blocking Let's Encrypt — add letsencrypt.org to your CAA record
- Domain behind Cloudflare (orange cloud) — temporarily pause Cloudflare while AutoSSL runs, then re-enable
Step 3: Force HTTPS (redirect all HTTP traffic)
Installing SSL does not automatically redirect HTTP visitors to HTTPS. You need to do this separately.
Option A: cPanel (easiest)
cPanel → Domains → select your domain → click the Force HTTPS Redirect toggle → enable it.
Option B: .htaccess (for Apache/LiteSpeed)
Add to the top of your .htaccess file (before any WordPress rules):
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Option C: WordPress (if on WordPress)
Settings → General → change both "WordPress Address" and "Site Address" from http:// to https://. Then install the Really Simple SSL plugin to handle the redirect and fix mixed content automatically.
Step 4: Fix mixed content warnings
After enabling HTTPS, some pages may show a broken padlock — this means the page is loading some resources (images, scripts, stylesheets) over HTTP instead of HTTPS.
Find mixed content using the browser console (F12 → Console) — you will see errors like:
Mixed Content: The page at 'https://...' was loaded over HTTPS, but requested an insecure resource 'http://...'
Fix for WordPress: Install Better Search Replace → do a database search/replace of http://yourdomain.com → https://yourdomain.com. Back up your database first.
Fix for static sites: Find and replace all hardcoded http:// URLs in your HTML/CSS files via the cPanel File Manager.
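A scanner for the static-site case, added here as an example (not villagehosting.in's own code): it reports only the http:// references the browser actually loads or submits to, which is what produces the console error above, and skips ordinary links and rel="canonical". The function names and the sample page are assumptions made for the illustration.

```python
import re
from html.parser import HTMLParser

# Attributes that load or submit; <a href> is omitted: a link is not mixed content.
FETCH_ATTRS = {"script": ["src"], "img": ["src", "srcset"], "iframe": ["src"],
               "source": ["src", "srcset"], "form": ["action"]}
# <link href> is fetched only for rel values like these, not for rel="canonical".
LINK_RELS = {"stylesheet", "icon", "preload", "manifest"}
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.IGNORECASE)

def insecure_urls(name, value):
    # srcset is a comma-separated list of "URL descriptor" pairs; others hold one URL.
    parts = value.split(",") if name == "srcset" else [value]
    urls = [(p.split() or [""])[0] for p in parts]
    return [u for u in urls if u.lower().startswith("http://")]

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self.in_style = [], False  # findings: (line, where, url)

    def handle_starttag(self, tag, attrs):
        attrs = {k: v or "" for k, v in attrs}
        names = list(FETCH_ATTRS.get(tag, []))
        if tag == "link" and LINK_RELS & set(attrs.get("rel", "").lower().split()):
            names.append("href")
        hits = [(tag, u) for n in names for u in insecure_urls(n, attrs.get(n, ""))]
        hits += [(tag + "[style]", u) for u in CSS_URL.findall(attrs.get("style", ""))]
        self.findings += [(self.getpos()[0], where, u) for where, u in hits]
        self.in_style = tag == "style"

    def handle_endtag(self, tag):
        self.in_style = False

    def handle_data(self, data):  # CSS text inside a <style> element
        if self.in_style:
            self.findings += [(self.getpos()[0], "style", u) for u in CSS_URL.findall(data)]

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

SAMPLE = """<link rel="canonical" href="http://example.com/">
<link rel="stylesheet" href="http://example.com/site.css">
<style>body { background: url('http://example.com/bg.png'); }</style>
<a href="http://example.org/partner">Partner</a>
<img src="https://example.com/logo.png" srcset="http://example.com/logo@2x.png 2x">
<script src="http://example.com/app.js"></script>"""  # constructed sample page
```

Call `find_mixed_content()` on the text of each HTML file and fix the reported lines; for the sample it returns the stylesheet, the `<style>` background, the srcset image and the script, but not the canonical link or the anchor.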
Step 5: Verify auto-renewal
Let's Encrypt certificates expire every 90 days. AutoSSL renews them automatically before expiry, but confirm this:
cPanel → SSL/TLS Status → check the expiry date. If it is being renewed correctly, you will see a date approximately 60–90 days in the future.
You can also set up email alerts: cPanel → Contact Information → add your email → check "SSL certificate expiry."
Wildcard SSL (for subdomains)
The free AutoSSL certificate covers your domain and www.yourdomain.com. To cover all subdomains (*.yourdomain.com), you need a Let's Encrypt wildcard certificate.
On our Grove and Orchard plans, wildcard SSL is issued automatically via DNS validation. No extra cost.
Troubleshooting common errors
- "Your connection is not private" (ERR_CERT_AUTHORITY_INVALID): The certificate is self-signed or expired. Run AutoSSL again or contact support.
- "SSL_ERROR_RX_RECORD_TOO_LONG": Usually means you are hitting HTTP port 80 instead of HTTPS port 443. Check your web server configuration.
- "ERR_SSL_VERSION_OR_CIPHER_MISMATCH": An old TLS version (TLS 1.0 or 1.1) is enabled. Disable it in cPanel → SSL/TLS → Manage SSL Hosts and ensure only TLS 1.2 and 1.3 are enabled.
If you are on VillageHosting and AutoSSL fails after following these steps, contact us on WhatsApp. We will fix it at no charge — SSL is included in every plan we sell.