Installing and managing SSL certificates in cPanel & WHM is straightforward, largely thanks to AutoSSL and integrated solutions such as the cPanel Let’s Encrypt™ plugin. This automation handles certificate requests and installations, saving web hosting providers time and reducing the support queries associated with SSL certificate management.

AutoSSL ships with a default certificate provider chosen for its performance, ease of use, and generous domain and rate limits, but cPanel also lets you switch providers. This guide walks through configuring AutoSSL to use Let’s Encrypt™, a certificate authority that offers free SSL certificates, each valid for 90 days. Let’s Encrypt provides this security at no additional cost, which makes it a good choice for many websites.

Understanding SSL Certificates and Their Importance

SSL (Secure Sockets Layer) certificates are digital files that contain the information needed to verify a server’s identity and encrypt data before it crosses the internet. Their primary function is to secure HTTPS (Hypertext Transfer Protocol Secure) connections; HTTPS is an encrypted and authenticated extension of the standard HTTP protocol. This keeps data exchanged between a user’s browser and a website’s server confidential and protected from eavesdropping and tampering.

When you observe a padlock icon in your browser’s address bar, it signifies that the domain is protected by an SSL certificate that the browser trusts. Furthermore, it indicates that all communication between your device and the server is securely encrypted. But how does a browser determine the trustworthiness of a certificate?

While anyone can technically generate their own SSL certificate using tools like OpenSSL or cPanel’s SSL management interface, these self-signed certificates are typically not trusted by browsers. This is where Certificate Authorities (CAs) play a critical role. A CA is a trusted entity that verifies a person’s or company’s legitimate control over a specific domain. Once verified, the CA digitally signs the certificate. When a browser encounters a CA-signed certificate, it recognizes the signature and establishes trust with the connected server, confirming its authenticity and security.

Although all SSL certificates serve the same fundamental purpose, they differ significantly in cost and the level of validation required. The amount of effort a CA invests in investigating and verifying an organization directly impacts the certificate’s cost:

  • Domain-Validation (DV): This is the simplest and most common type of validation. The applicant merely needs to demonstrate control over the domain, often by uploading a specific file to the server or adding a unique DNS record. These certificates are typically issued very quickly and are often free.
  • Organization-Validation (OV): For OV certificates, the applicant must not only prove domain ownership but also confirm they are a legally registered business. This involves a more rigorous vetting process by the CA.
  • Extended-Validation (EV): EV certificates represent the highest level of trust and security. Applicants must own the domain, be a legally registered business, and undergo an extensive investigation and authentication process by the CA. This includes verifying the applicant’s physical address and legal standing.

As anticipated, EV certificates are the most expensive due to the extensive time and resources required for their issuance. OV certificates are moderately priced, while DV certificates are frequently offered at no cost. For further insights, we encourage you to review our previous blog post, "Which SSL is right for me?" to help you choose the ideal SSL solution for your needs.

Installing the cPanel Let’s Encrypt Plugin for Free SSL Certificates

Let’s Encrypt stands out as a pioneering certificate authority, specializing in providing free Domain-Validated (DV) SSL certificates. It played a pivotal role in developing the infrastructure and software necessary to automate the complex process of requesting and installing SSL certificates, making secure websites accessible to everyone.

Today, numerous CAs offer free DV certificates, including cPanel partner Sectigo, which serves as the default SSL provider within cPanel’s AutoSSL feature. However, if you prefer to utilize Let’s Encrypt, the transition is quite simple. The first step to integrating Let’s Encrypt with AutoSSL is to install its dedicated cPanel plugin.

To install the plugin, log in to your server as the root user via SSH and execute the following command:

/scripts/install_lets_encrypt_autossl_provider

This script will automatically install the Let’s Encrypt plugin along with any necessary dependencies. Should you decide to revert or remove the plugin, you can do so by running the uninstall script as root:

/scripts/uninstall_lets_encrypt_autossl_provider

Configuring Let’s Encrypt AutoSSL in WHM

Once the plugin is installed, the next step is to activate the Let’s Encrypt AutoSSL provider within WHM (WebHost Manager). Open WHM and navigate to the Manage AutoSSL page, which can be found under the SSL/TLS section in the sidebar menu.

On the Manage AutoSSL page, select Let’s Encrypt from the list of AutoSSL Providers.

Before proceeding, you will be prompted to agree to Let’s Encrypt’s terms of service. You may also notice an option to “Recreate my current registration with Let’s Encrypt.” This option is generally only required if your existing Let’s Encrypt registration has expired or become corrupted, so it is typically not necessary to select it during initial setup.

After agreeing to the terms, click Save. cPanel will then switch its AutoSSL provider to Let’s Encrypt. Moving forward, any certificate renewals or new certificate installations performed by AutoSSL will utilize Let’s Encrypt instead of the previous default provider.

If you wish to immediately replace your server’s existing certificates with new ones from Let’s Encrypt, you can manually remove the old certificates. Navigate to Manage SSL Hosts under SSL/TLS in the sidebar menu and proceed to delete the certificates. Be aware that during the brief period after removal and before replacement, the associated websites will not be accessible via a secure HTTPS URL.

Once the old certificates are removed, return to the Manage AutoSSL page and click Run AutoSSL For All Users. cPanel will then regenerate the removed certificates, sourcing new replacements from the newly configured Let’s Encrypt provider, ensuring your sites are quickly secured again.

Managing Let’s Encrypt Certificates and AutoSSL Settings

AutoSSL represents a significant leap forward in SSL management systems due to its largely automatic operation. The complexities traditionally associated with Certificate Authorities, deploying validation tokens, and installing certificates are now handled seamlessly without the need for manual user intervention. This automation greatly simplifies the process of maintaining secure websites.

However, there are still several cPanel Let’s Encrypt plugin configurations and AutoSSL settings you may wish to adjust. These options are accessible under the Options tab within the Manage AutoSSL interface. Here, you can configure crucial user and administrator notifications for various AutoSSL events, including certificate request failures, renewal issues, and other important alerts, ensuring you stay informed about your server’s SSL status.

Towards the bottom of the Options page, you will find the “Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates” setting.

This option grants AutoSSL permission to replace certificates that were not originally issued or managed by AutoSSL itself. It is particularly useful for transitioning users who may have sourced their certificates from a different CA. However, it’s important to note that if enabled, AutoSSL will replace any expiring Organization-Validation (OV) or Extended-Validation (EV) certificates with a Domain-Validation (DV) certificate. This might not align with the security requirements or preferences of your users, so consider this implication carefully.
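
An added example (not cPanel code) for auditing certificates before enabling this option, and for confirming the issuer after Run AutoSSL For All Users: it classifies a certificate from the text printed by openssl x509 -noout -text, using the CA/Browser Forum reserved policy OIDs, and extracts the issuer organization. The function names, hostnames and sample dumps are constructed for illustration; a certificate that carries no reserved OID is reported as UNKNOWN.

```sh
#!/bin/sh
# Added example, not cPanel code. Each function reads, on stdin, the text
# that `openssl x509 -noout -text` prints for one certificate.

# Validation level from the CA/Browser Forum reserved policy OIDs.
validation_level() {
  cert_text=$(cat)
  if printf '%s\n' "$cert_text" | grep -Eq 'Policy: 2\.23\.140\.1\.1[[:space:]]*$'; then
    echo EV
  elif printf '%s\n' "$cert_text" | grep -Eq 'Policy: 2\.23\.140\.1\.2\.2[[:space:]]*$'; then
    echo OV
  elif printf '%s\n' "$cert_text" | grep -Eq 'Policy: 2\.23\.140\.1\.2\.1[[:space:]]*$'; then
    echo DV
  else
    echo UNKNOWN   # no reserved OID found; inspect this certificate by hand
  fi
}

# Issuer organization (O); accepts both "O = X" and "O=X" output styles.
issuer_org() {
  sed -nE 's/^[[:space:]]*Issuer:[[:space:]]*(.*, )?O ?= ?([^,]+).*/\2/p' | head -n 1
}

# One tab-separated line: label, level, issuer, verdict.
# REVIEW marks an OV/EV certificate that a DV replacement would downgrade.
audit_cert() {
  label=$1
  dump=$(cat)
  level=$(printf '%s\n' "$dump" | validation_level)
  issuer=$(printf '%s\n' "$dump" | issuer_org)
  case $level in
    OV|EV) verdict=REVIEW ;;
    DV)    verdict=OK ;;
    *)     verdict=CHECK ;;
  esac
  printf '%s\t%s\t%s\t%s\n' "$label" "$level" "${issuer:-unknown}" "$verdict"
}

# Constructed, abbreviated sample dumps (not real certificates).
SAMPLE_DV="        Issuer: C = US, O = Let's Encrypt, CN = R3
                Policy: 2.23.140.1.2.1"
SAMPLE_OV="        Issuer: C=GB, O=Example Commercial CA, CN=Example OV CA
        Subject: C=US, O=Example Corp, CN=www.example.com
                Policy: 1.3.6.1.4.1.99999.1.1
                Policy: 2.23.140.1.2.2"

printf '%s\n' "$SAMPLE_DV" | audit_cert shop.example.com
printf '%s\n' "$SAMPLE_OV" | audit_cert www.example.com
```

Against a live site, pipe the served certificate into the same function: openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null | openssl x509 -noout -text | audit_cert HOST, where HOST is a placeholder for the domain being checked.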

Finally, under the Manage Users tab, you have granular control over which cPanel users benefit from AutoSSL.

From this section, you can enable or disable AutoSSL for individual cPanel users or reset their settings to the default configuration defined in the Feature List Settings. By default, AutoSSL is enabled for all users, but this global setting can be modified within the Feature Manager, accessible under Packages in the WHM sidebar menu, allowing you to tailor SSL provision across your server.

Exploring Premium SSL Certificate Options

While AutoSSL provides an incredibly low-maintenance system for supplying domain-validated certificates to your users, DV certificates may not be suitable for all types of websites. Owners of business websites, complex web applications, and e-commerce stores often require or prefer the enhanced trust and verification offered by Organization-Validation (OV) and Extended-Validation (EV) certificates.

Sectigo, one of the world’s largest and most highly respected Certificate Authorities, offers a comprehensive portfolio of OV and EV SSL certificates. This includes advanced options like multi-domain and wildcard SSL certificates, all of which are designed for straightforward installation and management through cPanel’s intuitive SSL/TLS interface. Choosing a premium SSL certificate provides an additional layer of assurance and credibility for your online presence.

Before the introduction of AutoSSL in cPanel, the manual installation of SSL certificates and the unexpected expiry of certificates were among the most frequent and frustrating issues for web hosts and their clients. Today, every cPanel user enjoys the benefits of hassle-free DV certificates, whether provided by Sectigo or Let’s Encrypt. This automation has dramatically improved website security and administrative efficiency.

As always, we value your feedback and comments. Please do not hesitate to reach out if you have any questions or require assistance. You can find us readily available on Discord, the official cPanel forums, and Reddit. We are dedicated to providing support in the most effective ways possible.
