Surprising fact: over 70% of sites with automated certificates avoid expired HTTPS issues entirely, saving hours of emergency fixes each year.
This article gives you clear, practical information to get that same peace of mind on your page. You’ll see how AutoSSL can use Let’s Encrypt to issue trusted DV certificates that auto‑renew every 90 days, so you stop babysitting renewals.
The cert’s common name is mostly cosmetic. What matters are SAN entries: they cover subdomains, addon domains, and aliases. Wildcard support can cut SAN counts and speed up TLS handshakes while helping you stay inside provider limits.
We’ll also outline the WHM path to switch providers, the simple install/uninstall scripts, and a safety note about a short HTTPS gap if you remove an existing certificate to force replacement. Expect issuance to take a few hours on new domains.
Key Takeaways
- You can get truly free, auto‑renewing certificates via AutoSSL and Let’s Encrypt.
- SAN entries—not the CN—define which domains are protected.
- Wildcard certs reduce SAN count and speed up handshakes.
- Switch providers in WHM → SSL/TLS → Manage AutoSSL and accept TOS.
- Installing or removing the provider uses simple root scripts; issuance may take hours.
Why use Let’s Encrypt with cPanel in 2025
Modern hosting workflows favor automated certificate issuance — and let encrypt fits that model neatly. AutoSSL requests and installs domain-validated certificates automatically, so you rarely touch renewals.
What you get: trusted DV certs, browser padlock, and automation
Certificates issued via AutoSSL are valid for 90 days and replace themselves before expiry. Visitors just see the browser padlock and a secure connection. The in‑browser trust is the same as other mainstream CAs.
How AutoSSL reduces support headaches for you and your host
“Automation cut certificate tickets dramatically—hosts spend less time on renewals and more on customer success.”
- You avoid manual CSR steps and repetitive installs.
- AutoSSL scales across accounts, saving you setup time.
- Hosts can switch the AutoSSL provider with no live‑site downtime.
Want a step‑by‑step? See how to configure and manage Let’s Encrypt in for practical instructions.
SSL, TLS, and AutoSSL basics you should know
Start with the fundamentals: a certificate proves your server’s identity and encrypts traffic so logins, forms, and payments stay private.
DV vs OV vs EV: what’s different and what browsers trust
Domain‑validated (DV) is the fastest path: you prove control of the domain and get a certificate quickly.
Organization‑validated (OV) and extended validation (EV) add company checks and take longer. Modern browsers show the same basic trust signals for all three, so DV is fine for most sites.
How AutoSSL works in WHM & on your server
AutoSSL is the feature that automates DCV, requests, installation, and renewal using the provider you configure.
- AutoSSL runs on a schedule and renews before expiry.
- The SAN list—not the CN—defines which names (domains, subdomains, addon domains, aliases) a certificate covers.
- You can trigger AutoSSL manually after adding new domains or migrating hosts.
Understanding these points helps you choose when a DV certificate is enough and when extra vetting makes sense. This information prepares you to install the automated provider in the next step.
Install the Let’s Encrypt AutoSSL provider on your server
You’ll enable the provider from the server shell, then confirm it in the WHM interface.
Run the WHM/cPanel installer script as root
Log in to your server as root via SSH and run the installer:
/scripts/install_lets_encrypt_autossl_provider
The process pulls dependencies and registers the plugin so you can manage the provider from the WHM interface. The install usually completes in a minute or two.
Uninstalling the provider if you need to roll back
If you must remove it, run:
/scripts/uninstall_lets_encrypt_autossl_provider
WHM will drop the plugin cleanly and return AutoSSL to prior options. Use this when testing or when you need to revert quickly.
Verify the Let’s Encrypt™ plugin is available in WHM
Open WHM → SSL/TLS → Manage AutoSSL and check that “Let’s Encrypt™” appears among providers.
“Once the plugin registers, you can choose the provider in the WHM interface and let AutoSSL handle issuance.”
- The let encrypt plugin connects AutoSSL to the CA so issuance and renewals run automatically.
- Remember wildcard support, SAN rules, and rate limits when planning many hostnames.
- After verification, you usually don’t need to touch the plugin unless changing providers.
Configure AutoSSL to use Let’s Encrypt in WHM
You can switch AutoSSL to the let encrypt™ provider from WHM and control behavior per account. Open WHM, go to SSL/TLS → Manage AutoSSL, then pick Let’s Encrypt™ in the interface dropdown.
Agreeing to terms and handling registration
Accept the provider Terms of Service to enable issuance. If your CA link is broken, check Recreate my current registration to refresh registration and fix DCV problems quickly.
Options: notifications and replacement
Use the Options tab to set email alerts for admins and users. Turn on the option to allow AutoSSL to replace invalid or expiring non‑AutoSSL certificates when you migrate to automation.
Manage Users
Under Manage Users you toggle AutoSSL for individual cpanel accounts. This helps when specific users must keep premium certs or when you want a staged rollout.
| WHM Area | Setting | Effect | Notes |
|---|---|---|---|
| Manage AutoSSL | Select provider | All renewals use new provider | Immediate, no reboot |
| Options | Notifications / Replace certs | Alerts + automated replacements | Good for migrations |
| Manage Users | Enable/Disable per account | Granular control | Adjust via Feature Manager |
“Point‑and‑click changes in WHM take effect immediately and let you manage autossl at scale.”
Wildcard SSL, domain limits, and DNS challenges with Let’s Encrypt
To reduce SAN clutter, AutoSSL may add a *.example.com entry when it detects many sibling subdomains.
Why that helps: a single wildcard certificate covers many first‑level hosts and keeps your certificates lean. Leaner certs speed up TLS handshakes and lower the chance you hit SAN or provider rate limits.
DNS‑based validation for wildcards
For a wildcard, Let Encrypt requires DNS‑01 DCV. HTTP‑01 won’t work for wildcard entries, so AutoSSL must add the correct TXT record during validation.
When DNS location blocks wildcards
If your DNS is hosted off‑server or with a third party that isn’t in your WHM DNS cluster, you cannot obtain a wildcard until DNS moves to the host cluster.
- The default AutoSSL logic tries to right‑size requests so you use fewer, smarter certificates.
- Stagger large domain changes to avoid hitting rate caps.
- Wildcards don’t match deeper names (e.g., test.www.example.com), so AutoSSL still includes specific names when needed.
“Plan DNS early—alignment with your DNS hosting saves time and avoids validation surprises.”
Auto‑renewals, replacing existing certs, and immediate issuance
If you need a certificate now, remove the old one from Manage SSL Hosts and trigger AutoSSL. This forces the system to queue new requests and start validation at once.
90‑day validity and automatic renewals on schedule
Certificates issued by the provider are valid for 90 days. AutoSSL runs on a schedule and renews before expiry so you do not watch the calendar.
Replacing existing certificates and triggering AutoSSL now
To replace a non‑AutoSSL cert immediately, delete the old entry and go to WHM → Manage AutoSSL → Run AutoSSL For All Users. AutoSSL will generate ssl certificate requests, perform domain control checks, and install the new files when issued.
Heads‑up: removing a certificate can create a short window without HTTPS. Plan this for low‑traffic time to avoid disruptions.
“Monitor logs and email alerts to confirm successful issuance; most failures stem from DNS or validation reachability.”
- Give the system extra time for complex sites with many names.
- If a request fails, fix reachability or DNS and re‑run AutoSSL.
- You can switch back to cpanel ssl or another provider; renewals follow the active selection.
| Action | What AutoSSL Does | Expected Result |
|---|---|---|
| Run AutoSSL For All Users | Queue and process CA requests | New certificates installed when issued |
| Remove old cert | Clears host so new request can proceed | Short downtime possible until install completes |
| Monitor logs | Shows validation and install status | Confirm live certificate and troubleshoot failures |
| Switch provider | Next renewal uses selected provider | Seamless if DNS and validation are OK |
ssl free letsencrypt cpanel: common issues and quick fixes
When AutoSSL stalls, a few quick checks usually get the process moving again. Start with the basics: confirm the domain points to your server and that DNS has propagated.
Other certs installed: why issuance is skipped
If another certificate (valid, expired, or self‑signed) is present, the provider will skip a new request. Remove the existing cert or enable the option to allow replacement so AutoSSL can proceed.
URL rewrites blocking .well-known: the .htaccess rule you need
Many rewrite stacks stop ACME from reaching /.well-known. Add this to your .htaccess to allow challenge files:
RewriteRule ^.well-known – [L]
This rule tells Apache to bypass rewrites for validation files so the CA can read them.
Delays and timing: what to expect and when to rerun
New domain requests can take time — some hosts note up to four hours. If a request looks stuck, check logs, fix reachability issues, and rerun AutoSSL after DNS stabilizes.
Switching providers without downtime
Switching from the default provider to let encrypt or back to cpanel ssl is supported in WHM and usually seamless if you plan around a renewal. For an immediate change, remove the old cert then trigger issuance, but expect a short HTTPS gap during replacement.
“Plan provider swaps around expiry windows and keep a rollback option if validation fails.”
- User tip: confirm the page shows the new certificate and check for mixed content if the lock icon stays red.
- The plugin controls in WHM let you toggle providers without rebuilding sites.
- Keep premium certs for OV/EV needs and use let encrypt where DV is sufficient.
| Issue | Likely Cause | Quick Fix | When to Rerun |
|---|---|---|---|
| Issuance skipped | Existing certificate installed | Remove old cert or allow replacement | Immediately after removal |
| Validation failed | Rewrite blocks /.well-known | Add RewriteRule ^.well-known – [L] | Rerun after deploy |
| Long pending request | DNS propagation or host queue | Wait up to 4 hours; check logs | Rerun once DNS resolves |
Conclusion
Finish by testing a domain, watching logs, and letting AutoSSL handle renewals. A quick live check confirms a working certificate and shows if any URL or rewrite blocks need fixing.
Install the let encrypt plugin, pick the provider in WHM, and use Manage AutoSSL to enable per‑user options and notifications. That puts ssl management on autopilot while you monitor issuance.
Use SAN‑smart requests or wildcard + DNS‑01 for many hosts, recreate a broken registration if needed, and switch providers if your defaults change. Check logs, rerun AutoSSL when reachability is fixed, and enjoy automated, reliable certificates.
FAQ
What does using Let’s Encrypt with cPanel give you in 2025?
You get automated domain-validated certificates, a visible HTTPS padlock for visitors, and built-in renewal so you don’t babysit expirations. The integration handles issuance and renewal for most sites automatically, reducing manual work and support tickets.
How does AutoSSL reduce support headaches for you and your host?
AutoSSL runs on a schedule and checks domains for expiring certificates, then requests replacements when needed. That means fewer emergency renewals, fewer “certificate expired” incidents, and less back-and-forth with hosting support when standard validation succeeds.
What’s the difference between DV, OV, and EV certificates and which do browsers trust?
DV certs validate domain control and are trusted by browsers for encryption. OV adds organization checks; EV shows verified company details in some interfaces. For most sites, DV offers full browser trust and encryption; choose OV or EV only when you need validated business identity.
How does AutoSSL work in WHM and cPanel by default?
WHM runs AutoSSL tasks periodically, performs domain control validation, requests certificates from the selected provider, and installs issued certificates to accounts. cPanel users inherit those certificates automatically unless the admin disables AutoSSL per account.
How do you install the Let’s Encrypt AutoSSL provider on your server?
Run the official installer on the server as root following the provider’s documented steps. The script registers the provider with WHM so you can select it in the AutoSSL manager. After installation, confirm the provider appears in the AutoSSL options.
Can you uninstall the provider if you need to roll back?
Yes. The provider includes an uninstall method or removal steps documented by the provider. Removing it won’t delete existing certificates; however, future renewals will stop unless you switch to another AutoSSL provider like cPanel (Sectigo).
How do you verify the Let’s Encrypt™ plugin is available in WHM?
Log into WHM and navigate to SSL/TLS → Manage AutoSSL. If the provider is listed in the “Providers” dropdown, it’s installed. You can also check logs and the installer output on the server for confirmation.
How do you configure WHM to use Let’s Encrypt as the AutoSSL provider?
In WHM go to SSL/TLS → Manage AutoSSL, pick the provider from the list, accept the provider terms, and save. Configure options like email notifications and whether to replace non‑AutoSSL certificates via the Options tab.
What does “Recreate my current registration” mean and when should you agree?
That option re‑registers your server account with the provider, useful when you switch providers or change contact info. Use it if you have registration errors or if your previous registration is invalid and you want a clean start.
What settings are available in the Options tab for AutoSSL?
You can enable notifications, choose whether to replace existing certificates not issued by AutoSSL, and set email addresses for reporting. These controls determine how aggressive AutoSSL is when replacing third‑party certificates.
How do you enable or disable AutoSSL per cPanel user?
In WHM use Manage AutoSSL → Manage Users to toggle AutoSSL for specific accounts. Turning it off leaves the account as-is, so you may need to manage certificate renewals manually for that user.
When does AutoSSL include wildcard domains like *.example.com?
Wildcard issuance requires DNS‑based validation and explicit provider support. If you configure DNS challenges and the provider supports wildcards, AutoSSL can request a single certificate covering the base domain and all subdomains.
What DCV method is required for wildcard certificates?
Wildcard certificates require DNS‑based domain control validation (adding a TXT record). HTTP validation via .well-known won’t work for wildcards, so you need DNS access or an API integration with your DNS provider.
What provider rate limits and DNS caveats should you know?
Providers impose rate limits on certificate issuance and duplicate names per week. Third‑party DNS providers might delay TXT propagation, causing validation failures. Plan requests and use DNS APIs when possible to avoid hitting limits or timeouts.
How long do these certificates last and how are renewals handled?
Certificates generally last 90 days. AutoSSL runs on a schedule and renews certificates before expiry, so you typically won’t need to act. You can also trigger AutoSSL manually from WHM if you need an immediate issuance.
Can AutoSSL replace existing third‑party certificates automatically?
Yes, if you enable the “replace non‑AutoSSL certificates” option. When enabled, AutoSSL will install its certificates over third‑party ones on the next run. You can disable that behavior to retain existing certs.
Why does issuance get skipped when other certificates are installed?
WHM may detect a valid third‑party certificate and skip AutoSSL to avoid overwriting it. Check the AutoSSL options if you want replacement behavior, and inspect logs to see which cert prevented issuance.
How do URL rewrites block .well-known validation and what’s the .htaccess fix?
Rewrite rules can redirect or deny access to the .well-known/acme-challenge path, breaking HTTP validation. Add a rule to exclude that path from rewrites (allowing direct access), so the provider can fetch the challenge file.
What should you expect for issuance timing and when to rerun AutoSSL?
Issuance can take seconds to minutes if validation succeeds. If validation fails due to DNS propagation or blocked .well-known requests, wait for changes to take effect then rerun AutoSSL. Check logs for the exact failure reason.
How do you switch providers (for example, back to cPanel’s default provider) without downtime?
Install and configure the new provider in WHM, then run an initial AutoSSL pass. Since certificates overlap in function, you can switch providers and allow the new one to request replacements during its next run or trigger manual issuance to avoid gaps.
What quick fixes help when AutoSSL keeps failing?
Check DNS records and propagation, ensure .well-known is reachable (no blocking rewrites or firewalls), verify the provider is selected in WHM, and inspect AutoSSL logs for error details. Fix the root cause and rerun AutoSSL.
Are there limits to how many domains you can protect per certificate?
Providers set maximum names per certificate and rate limits on issuance. If you have many domains, you may need to split them across multiple certificates or schedule requests to avoid hitting provider limits.
How do you handle third‑party DNS providers that don’t offer an API for DNS validation?
Use manual DNS validation by creating the required TXT records yourself, or switch to a DNS provider that supports API updates to automate DNS challenges and make wildcard issuance reliable.
