Let's Encrypt SSL on cPanel: setup, auto-renewal, and fixing common errors
8 min read · 15-Nov-2024
villagehosting.in team
Let's Encrypt gives you free SSL — but only if auto-renewal is configured correctly. A missed renewal means 90 days of browser security warnings until you fix it. Here is how to install it correctly the first time and keep it renewing automatically.
What Let's Encrypt is
Let's Encrypt is a free, automated Certificate Authority (CA). It issues SSL certificates valid for 90 days and provides tools to renew them automatically. Modern cPanel versions include AutoSSL — a built-in mechanism that installs and renews Let's Encrypt certificates on your domains automatically.
SSL/TLS handshake (simplified)
① Client Hello: supported cipher suites, TLS version
② Server Hello: chosen cipher + SSL certificate (public key)
③ Certificate Check: verify cert is signed by trusted Certificate Authority
④ Key Exchange: pre-master secret encrypted with server public key
⑤ Encrypted Connection: all traffic now encrypted with session keys
Most Indian shared hosting providers have AutoSSL enabled by default. If your domain has been hosted for more than 24 hours and still shows "Not Secure" in the browser, AutoSSL may not have run yet or there's an issue preventing it.
Never skip SSL renewal
Let's Encrypt certificates expire in 90 days. If auto-renewal fails for any reason, visitors see a "Your connection is not private" error and most browsers block the site. Set a calendar reminder to check SSL status monthly.
How to enable SSL via cPanel AutoSSL
Step 1: Log in to cPanel.
Step 2: Go to Security → SSL/TLS Status.
This page shows every domain and subdomain on your account with their current SSL status. Green padlock = valid. Red X = no certificate or expired.
Step 3: Click Run AutoSSL. cPanel will attempt to issue certificates for all domains listed as uncovered.
Wait 5–10 minutes, then refresh the page. Domains with working DNS will show as covered.
Manual installation if AutoSSL fails
If AutoSSL doesn't work, you can install a certificate manually via Let's Encrypt's ACME protocol.
Install Certbot on a VPS:
sudo apt install certbot -y
# For a domain on cPanel shared hosting, use the standalone method.
# Certbot runs its own temporary web server on port 80 for the check, so the
# port must be free and the domain must resolve to this machine while it runs.
sudo certbot certonly --standalone -d yourdomain.in -d www.yourdomain.in
The certificates are saved to /etc/letsencrypt/live/yourdomain.in/. Copy the contents of fullchain.pem and privkey.pem and install them via cPanel → SSL/TLS → Manage SSL sites.
Checking your SSL expiry date
Via browser: click the padlock → "Certificate is valid" → shows expiry date.
Via command line:
echo | openssl s_client -connect yourdomain.in:443 -servername yourdomain.in 2>/dev/null | openssl x509 -noout -dates
Let's Encrypt certificates expire in 90 days. AutoSSL renews them at 30 days remaining. If you're at 10 days remaining and no renewal has happened, something is wrong.
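The expiry check above, turned into a status classifier that uses the 30-day and 10-day thresholds from this section. This is an added example, not code from the original article; the function names ssl_status and check_host and the status labels are assumptions, and it needs GNU date.

```shell
#!/bin/sh
# Added example (not from the original article). Thresholds follow the text:
# renewal is expected at 30 days remaining; 10 days or fewer means it is failing.
# Assumes GNU date (`date -d`); the live check also needs openssl.

# ssl_status "<notAfter=... line>" [now_epoch] -> prints "<STATUS> <days>"
ssl_status() {
    not_after=${1#notAfter=}
    now=${2:-$(date -u +%s)}
    end=$(date -u -d "$not_after" +%s 2>/dev/null) || { echo "UNPARSEABLE"; return 2; }
    secs=$((end - now))
    days=$((secs / 86400))
    if   [ "$secs" -le 0 ];  then echo "EXPIRED $days"
    elif [ "$days" -le 10 ]; then echo "CRITICAL $days"
    elif [ "$days" -le 30 ]; then echo "RENEWAL_DUE $days"
    else                          echo "OK $days"
    fi
}

# check_host <hostname>: fetch the live certificate with the command shown above.
check_host() {
    line=$(echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null |
           openssl x509 -noout -enddate 2>/dev/null)
    [ -n "$line" ] || { echo "NO_CERT"; return 2; }
    ssl_status "$line"
}

if [ $# -gt 0 ]; then
    for host in "$@"; do printf '%s: %s\n' "$host" "$(check_host "$host")"; done
else
    # Constructed samples, evaluated against a fixed "now" of 2025-01-01 00:00:00 UTC.
    now=1735689600
    for sample in "notAfter=Mar 15 00:00:00 2025 GMT" "notAfter=Jan 21 00:00:00 2025 GMT" \
                  "notAfter=Jan  8 12:00:00 2025 GMT" "notAfter=Dec 30 00:00:00 2024 GMT"; do
        printf '%s -> %s\n' "$sample" "$(ssl_status "$sample" "$now")"
    done
fi
```

Run it with one or more hostnames as arguments to check live certificates, for example from a daily cron job that mails any line not starting with OK.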
Why AutoSSL renewal fails
CAA record conflict — A DNS CAA record restricts which CAs can issue certificates for your domain. If you have 0 issue "digicert.com" but not 0 issue "letsencrypt.org", AutoSSL fails.
Fix: in your DNS, add or modify the CAA record:
yourdomain.in. CAA 0 issue "letsencrypt.org"
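One way to test for this conflict before running AutoSSL, as an added example that is not part of the original article: it reads CAA records in dig +short format and reports whether the named CA may issue. The function name caa_permits, its output labels and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): decide whether a CAA record set
# lets a given CA issue. Input is one record per line in `dig +short CAA` format.
# It evaluates a single record set; a name with no CAA records of its own
# inherits its parent's, so query the parent domain for those.

# caa_permits <ca-domain> [wild] -> UNRESTRICTED | ALLOWED (exit 0), BLOCKED (exit 1)
caa_permits() {
    awk -v ca="$1" -v mode="${2:-}" '
        NF >= 3 {
            tag = tolower($2); val = tolower($3)
            gsub(/"/, "", val); sub(/;.*/, "", val)   # strip quotes and parameters
            seen[tag]++
            if (val == ca) match_for[tag] = 1
        }
        END {
            # Wildcard names use issuewild when present, otherwise issue.
            tag = (mode == "wild" && seen["issuewild"]) ? "issuewild" : "issue"
            if (!seen[tag])     { print "UNRESTRICTED"; exit 0 }
            if (match_for[tag]) { print "ALLOWED"; exit 0 }
            print "BLOCKED"; exit 1
        }'
}

# Constructed records reproducing the conflict described above, then the fix.
before='0 issue "digicert.com"'
after='0 issue "digicert.com"
0 issue "letsencrypt.org"'

echo "before fix: $(printf '%s\n' "$before" | caa_permits letsencrypt.org)"
echo "after fix:  $(printf '%s\n' "$after"  | caa_permits letsencrypt.org)"
# Live check (assumes dig is installed):
#   dig +short CAA yourdomain.in | caa_permits letsencrypt.org
```

Pass wild as the second argument when checking a wildcard name, since an issuewild record overrides issue for those.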
Domain points to a different server — AutoSSL validates by placing a file on your web server at http://yourdomain.in/.well-known/acme-challenge/. If your domain points to a CDN or a different server, the file isn't found and validation fails.
Fix: temporarily disable Cloudflare proxy (use DNS-only mode, grey cloud) while AutoSSL runs.
Rate limit exceeded — Let's Encrypt limits you to 5 duplicate certificates per week per domain. If you've been testing or retrying frequently, you may hit this limit.
Fix: wait until the rate limit resets (7 days from the first failed request). Check your rate limit status at crt.sh.
HTTP to HTTPS redirect before SSL is installed — If your .htaccess forces HTTPS redirect before the certificate exists, the validation request redirects and fails.
Fix: temporarily remove the HTTP→HTTPS redirect from .htaccess, run AutoSSL, then re-add the redirect.
Hostname mismatch — AutoSSL for www.yourdomain.in fails if www doesn't have a DNS record. Ensure both yourdomain.in and www.yourdomain.in have A records pointing to your server.
Multi-domain certificates
cPanel AutoSSL automatically covers:
- Your main domain (yourdomain.in)
- The www version (www.yourdomain.in)
- cPanel subdomain (cpanel.yourdomain.in)
- Webmail subdomain (webmail.yourdomain.in)
- Mail subdomain (mail.yourdomain.in)
- Any addon domains on your account
It issues a Subject Alternative Name (SAN) certificate — one certificate covering all these domains.
Wildcard certificates
Let's Encrypt wildcard certificates (*.yourdomain.in) cover any subdomain. They require DNS-01 validation (you must add a DNS TXT record) rather than HTTP validation, so cPanel AutoSSL doesn't support them directly.
For wildcard certificates on cPanel:
- Use Certbot with DNS-01 validation
- Use a DNS provider plugin that supports automatic TXT record creation (Cloudflare, Route 53)
certbot certonly --manual --preferred-challenges dns -d "*.yourdomain.in" -d yourdomain.in
Certbot prompts you to add a TXT record to your DNS, validates it, and issues the certificate.
After SSL is installed
Force HTTPS — Add to .htaccess:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
For WordPress, also set in wp-config.php:
define('FORCE_SSL_ADMIN', true);
And update WordPress URL settings (Settings → General) to https://.
Check for mixed content — After enabling HTTPS, load your site and check the browser console for mixed content warnings. Any resources (images, scripts, stylesheets) loading via HTTP will trigger warnings.
SSL is table stakes for any website in 2025. Let's Encrypt removes the cost barrier — the only remaining barrier is configuration, and now you have that covered.