Managing and installing SSL certificates in cPanel & WHM is designed to be exceptionally straightforward. With features like AutoSSL and seamless integrations, such as the cPanel Let’s Encrypt™ plugin, certificate requests and installations occur automatically. This automation significantly reduces the time web hosting providers spend on SSL management and largely eliminates the common support requests associated with certificate issues.
While AutoSSL includes a robust default certificate provider chosen for its reliability, ease of use, and generous domain and rate limits, cPanel also offers the flexibility to switch providers. In this comprehensive article, we will guide you through configuring AutoSSL to utilize Let’s Encrypt™, a leading certificate authority that provides free SSL certificates valid for 90 days.
Understanding SSL Certificates
SSL (Secure Sockets Layer) certificates are essential digital files that contain critical information to verify a server’s identity and encrypt data before it is transmitted across the internet. Their primary function is to secure HTTPS connections, which significantly enhance the web’s standard HTTP protocol by adding layers of identity verification and robust encryption. When a user visits a website secured with an SSL certificate, all data exchanged between their browser and the server remains private and protected from eavesdropping.
When you observe a padlock icon in your browser’s address bar, it signifies that the domain possesses an SSL certificate that your browser trusts. This also confirms that all communication between your browser and the server is encrypted, providing a secure browsing experience. But how does your browser ascertain the trustworthiness of a certificate? After all, anyone can technically create a self-signed certificate using tools like OpenSSL on their server or through cPanel’s SSL management interface.
This is precisely where Certificate Authorities (CAs) play a crucial role. A CA is a trusted entity that verifies an individual or organization's legitimate control over a specific domain. Once verified, the CA digitally signs the certificate. When a browser encounters a certificate with a valid CA signature, it recognizes this as a mark of authenticity and trustworthiness, thereby establishing a secure connection with the server.
While all SSL certificates function similarly, they differ significantly in cost based on the varying levels of effort a CA invests in investigating and verifying organizations. These levels include:
- Domain-Validated (DV): The applicant simply needs to demonstrate control over the domain. This is typically achieved by uploading a specific file to the server or adding a unique DNS record. These certificates offer basic encryption and are often free.
- Organization-Validated (OV): To obtain an OV certificate, the applicant must not only prove domain ownership but also confirm they represent a legally registered business. This involves a more thorough vetting process by the CA.
- Extended-Validation (EV): EV certificates demand the most rigorous verification. The applicant must own the domain, be a legally registered business, and the CA conducts an extensive investigation and authentication of the organization. These certificates provide the highest level of trust and are often indicated by a green address bar in some browsers.
As anticipated, EV certificates are the most expensive due to the extensive time and resources required for their issuance. OV certificates are less costly, while DV certificates are frequently available at no charge, exemplified by providers like Let's Encrypt. For further insights and assistance in choosing the right SSL certificate for your needs, we encourage you to review our previous blog post: "Which SSL is right for me?"
Utilizing cPanel's Let’s Encrypt Plugin for Free SSL Certificates
Let’s Encrypt stands out as a prominent Certificate Authority specifically focused on providing free Domain-Validated (DV) SSL certificates. It pioneered the concept of free SSL and was among the first to develop robust infrastructure and software to fully automate the entire request and installation process. This innovation democratized website security, making SSL encryption accessible to a wider audience.
Today, numerous CAs offer free DV certificates, including cPanel’s partner Sectigo, which serves as the default SSL provider within cPanel’s AutoSSL feature. However, if you prefer to use Let’s Encrypt, switching providers is a straightforward process.
To enable Let’s Encrypt within AutoSSL, your initial step is to install the cPanel Let’s Encrypt plugin. To do this, log in to your server as the root user via SSH and execute the following command:
/scripts/install_lets_encrypt_autossl_provider
This script efficiently installs the plugin along with any necessary dependencies. Should you decide to revert, the plugin can be easily removed by running the uninstall script as root:
/scripts/uninstall_lets_encrypt_autossl_provider
Configuring the Let’s Encrypt Plugin in cPanel
Once the plugin is installed, the next step involves activating the Let’s Encrypt AutoSSL provider within WHM. Open your WHM interface and navigate to the Manage AutoSSL page, which can be found under the SSL/TLS section in the sidebar menu. This central location allows you to oversee and configure your server's SSL settings.
On the Manage AutoSSL page, select Let’s Encrypt from the list of available AutoSSL Providers. This action designates Let's Encrypt as your preferred CA for automatic SSL certificate issuance.
Before proceeding with Let’s Encrypt, you will be prompted to agree to the provider’s terms of service. You will also notice an option to “Recreate my current registration with Let’s Encrypt.” This option is typically only required if your existing Let's Encrypt registration has expired or become corrupted; therefore, there is no need to select it during an initial setup.
After reviewing and accepting the terms, click Save. cPanel will then switch to using Let’s Encrypt as its AutoSSL provider. Consequently, the next time AutoSSL automatically replaces an expiring certificate, it will procure a new one from Let’s Encrypt instead of the previous default provider.
Should you wish to immediately replace your server’s existing certificates with new ones from Let’s Encrypt, you can manually remove the old certificates. Navigate to Manage SSL Hosts, also found under SSL/TLS in the sidebar menu. It is crucial to be aware that temporarily removing certificates will render their associated websites unavailable via a secure HTTPS URL until new certificates are successfully installed and active.
Once the old certificates are removed, return to the Manage AutoSSL interface and click Run AutoSSL For All Users. cPanel will then proceed to regenerate the removed certificates, this time acquiring replacements from the newly configured Let’s Encrypt provider, quickly restoring HTTPS functionality to your sites.
Managing Certificates with the Let’s Encrypt Plugin
AutoSSL represents a significant advancement over previous SSL management systems, primarily because of its largely automatic operation. The inherent complexities involved in interacting with Certificate Authorities, deploying validation tokens, and installing certificates are now seamlessly handled without requiring direct user intervention. This automation streamlines the entire process, making SSL management remarkably efficient for web hosts and their clients alike.
However, there are still several cPanel Let’s Encrypt plugin configurations that you might want to review and adjust to suit your specific needs. These settings are conveniently located under the Options tab within the Manage AutoSSL interface. Here, you can customize user and administrator notifications for various AutoSSL events, including critical alerts for request failures and other potential issues, ensuring you stay informed about your certificate status.
Towards the bottom of the Options page, you will find the "Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates" option. This setting is particularly noteworthy.
Enabling this option grants AutoSSL permission to replace certificates that it did not originally issue or manage. This is useful for users transitioning from certificates sourced from a different Certificate Authority. However, enabling it will cause AutoSSL to replace any expiring Organization-Validated (OV) or Extended-Validation (EV) certificates with a basic Domain-Validated (DV) certificate, which might not align with the security and trust requirements of users who specifically chose higher-validation certificates.
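Before enabling that option, it helps to know which installed certificates are OV or EV and close to expiry, and after a provider switch the same report shows which CA issued each one. The script below is an added example, not cPanel's own tooling. It assumes you pass the PEM certificate paths as arguments, that a 30-day window counts as "expiring", and that validation level can be read from the CA/Browser Forum reserved policy OIDs; the function names are illustrative.

```shell
#!/bin/sh
# Added example, not cPanel code. Usage: sh audit_certs.sh cert1.pem cert2.pem ...

# Read `openssl x509 -text` output on stdin and print EV, OV, DV or UNKNOWN,
# using the CA/Browser Forum reserved certificatePolicies OIDs.
classify_policies() {
    level=UNKNOWN
    for oid in $(sed -n 's/^[[:space:]]*Policy: \([0-9.]*\).*/\1/p'); do
        case $oid in
            2.23.140.1.1)   level=EV ;;
            2.23.140.1.2.2) if [ "$level" != EV ]; then level=OV; fi ;;
            2.23.140.1.2.1) if [ "$level" = UNKNOWN ]; then level=DV; fi ;;
        esac
    done
    echo "$level"
}

# What an AutoSSL replacement would mean for a certificate of this level.
replacement_risk() {
    case $1 in
        EV|OV) echo "downgrade-to-DV" ;;
        DV)    echo "same-level" ;;
        *)     echo "review-manually" ;;   # no reserved OID found: inspect by hand
    esac
}

# Print path, level, risk, expiry window and issuer for one PEM file.
# openssl reads only the first certificate in the file, which must be the leaf.
audit_cert() {
    pem=$1
    text=$(openssl x509 -in "$pem" -noout -text 2>/dev/null) || {
        printf '%s\tunreadable\n' "$pem"; return 2; }
    lvl=$(printf '%s\n' "$text" | classify_policies)
    issuer=$(openssl x509 -in "$pem" -noout -issuer)
    # -checkend N exits 0 when the certificate is still valid N seconds from now.
    if openssl x509 -in "$pem" -noout -checkend $((30 * 86400)) >/dev/null; then
        window="valid>30d"
    else
        window="expires<=30d"   # assumed 30-day threshold for "expiring"
    fi
    printf '%s\t%s\t%s\t%s\t%s\n' "$pem" "$lvl" "$(replacement_risk "$lvl")" "$window" "$issuer"
}

for pem in "$@"; do
    audit_cert "$pem" || true
done
```

Rows marked `downgrade-to-DV` with `expires<=30d` are the ones AutoSSL would replace first; `review-manually` means no reserved policy OID was present, so the level has to be confirmed with the issuing CA.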
Finally, under the Manage Users tab, you have the flexibility to precisely configure which cPanel users will benefit from AutoSSL’s automated certificate management. This granular control allows you to tailor SSL provision to individual accounts.
Here, you can easily enable or disable AutoSSL for specific cPanel users, or reset their settings to the default configuration defined in the Feature List Settings. By default, AutoSSL is active for all users. This default behavior can be modified globally within the Feature Manager, which you can locate under the Packages section in the WHM sidebar menu, allowing for broader policy adjustments.
Exploring Premium SSL Certificate Options in cPanel
While AutoSSL provides an exceptionally low-maintenance system for delivering domain-validated certificates to your users, it is important to recognize that domain validation may not be suitable for all types of websites. Owners of business websites, complex web applications, and e-commerce stores often require higher levels of assurance and prefer Organization-Validated (OV) or Extended-Validation (EV) certificates to enhance trust and compliance.
Sectigo, one of the world’s largest and most highly respected Certificate Authorities, offers a comprehensive portfolio of OV and EV SSL certificates. This includes advanced options such as multi-domain and wildcard SSL certificates, which are all designed for straightforward installation and management directly through cPanel’s intuitive SSL/TLS interface.
Before the introduction of AutoSSL in cPanel, the complexities of SSL certificate installation and the often unexpected expiry of certificates were among the most frequent and frustrating challenges for both web hosts and their clients. Today, every cPanel user benefits from the ease and reliability of automated DV certificates, whether provided by Sectigo or Let's Encrypt, significantly simplifying website security.
As always, we value your feedback and comments. Please do not hesitate to reach out to us with any questions or suggestions; we are here to provide the best possible support. You can connect with our community and support team on Discord, the cPanel forums, and Reddit.