AutoSSL and WHM: Use Web Host Manager to Automate Your SSLs


If you are a Reseller, or simply hosting multiple websites on a VPS or Dedicated Server, cPanel’s built-in AutoSSL feature lets you provide HTTPS connections on all of your sites for free. If you have multiple sites, across multiple cPanels, with multiple customers, you don’t need to waste time going into every individual cPanel and manually setting up AutoSSL. Save time and do it all from within Web Host Manager (WHM).

How AutoSSL and WHM Fit Together

cPanel’s AutoSSL allows you to install domain-validated SSL certificates on domains set up in cPanel accounts. It also lets you view the log files and select the users that AutoSSL secures.

The AutoSSL feature has the following limitations:

  • Certificates that cPanel, Inc. provides through AutoSSL can secure a maximum of 1,000 domains per certificate (Apache virtual host).
  • AutoSSL will only include domains and subdomains that pass a Domain Control Validation (DCV) test, which proves ownership of the domain.
  • AutoSSL does not secure wildcard domains.
  • If the corresponding www. domain does not pass a DCV test, AutoSSL will not attempt to secure that www. domain.
  • By default, AutoSSL will not attempt to replace pre-existing certificates that it did not issue.

AutoSSL also behaves as follows:

  • AutoSSL includes corresponding www. domains for each domain and subdomain in the certificate, and those www. domains count towards any domain or rate limits. For example, if your domain is example.com, AutoSSL will automatically include www.example.com in the certificate.
  • Each AutoSSL provider may wait for a specific amount of time to replace an AutoSSL-provided certificate before it expires. For example, AutoSSL will attempt to renew certificates that cPanel, Inc. provides when they expire within 15 days.
  • Due to rate limits, AutoSSL prioritizes new certificates over the renewal of existing certificates.
  • AutoSSL will replace certificates with overly weak security settings (for example, RSA modulus of 512-bit or less).
  • AutoSSL uses a sort algorithm to determine the priority of domains to secure if a virtual host contains more than the provider’s limit of domain names.
  • AutoSSL stays enabled indefinitely: as long as you have a valid domain, AutoSSL will renew the certificate automatically.

The users used by AutoSSL are the cPanel users created within your VPS or Dedicated server account. AutoSSL will check ALL domains within the user account unless you make an exception for them within the Manage Users option of AutoSSL.

How to Add Free AutoSSL Certificates to Accounts

Here’s a quick overview of the process for adding Free AutoSSL certificates to your reseller accounts:

  • Create a Feature list that includes the AutoSSL feature.
  • Create a Package in WHM. The package includes all of the options that are added to an account’s cPanel interface. This will include the updated feature list.
  • Modify the reseller accounts so that they include the updated package.

All of the steps below will require that you are logged in to WHM as the owner of the reseller account.

Creating a Feature List

  1. In the main WHM screen, click on the search window in the top left and type “Feature.” This will bring up the Feature Manager option.
  2. If you’re just starting there will be no feature lists to edit, so you will need to create one. If you have a feature list created and want to edit it, go to the drop-down menu to the right and select the list you wish to edit. Click in the New feature list name box and then click on the Add Feature List button.
  3. The feature list identifies everything that will be shown to the user in cPanel. If you are interested in selecting what belongs to each user, then go through the list and add every feature that you wish for the user to have. Otherwise, you can select the option at the top of the page in order to select all of the features. The main thing that we’re trying to do here is select AutoSSL in the list.
  4. Scroll to the bottom of the page and click SAVE in order to save your Feature list.

Creating an Account Package

Note that cPanel creation is no longer unlimited. For more information, please see cPanel Pricing Changes. You can see the pricing that now applies to cPanel licenses. To learn more about the change, please see our FAQ on cPanel Pricing.

  1. Next, you will need to jump to the Packages section of WHM. Click on the search window at the top left-hand side of the page then type, “Package.” This will bring you to the Packages section of WHM. Note that if you have NOT created a package, then you will need to create a package in this section.
  2. Click on Add a Package, then name the package by typing in the field labeled Package Name.
  3. At a minimum, you will need to set the Disk Quota and Monthly Bandwidth allowed to the reseller account, or the Package will not be created.

    Packages with unlimited Disk quota and bandwidth are not permitted on Shared Reseller accounts, since without root access you have a set amount of resources to offer clients on your account plan.

    On VPS and Dedicated Hosting accounts, it is possible for you to set both Disk Quota and Bandwidth to unlimited. Keep in mind, though, that this does not actually provide unlimited Disk Quota or Bandwidth to the account. It simply means that cPanel will not restrict this account’s use of either resource. “Unlimited” accounts can still use up all available resources on the server, right up until the point that the server itself runs out and starts experiencing technical issues.

    You need to watch out for overselling, or you may end up with multiple customers promised unlimited bandwidth or disk space hitting the limitations of your server. Keeping ahead of overselling, and adjusting your server to compensate before you run into any trouble, is a fundamental systems administrator skill; see the official cPanel documentation of overselling for more information and always work to communicate with your clients.
  4. Once you have selected the resources allowed for the package you will need to configure the Settings. Among these settings is the option for selecting the Feature list (which includes AutoSSL). Scroll down until you see the Settings.
  5. Click on the drop-down menu for Feature list. Select the Feature list that you created earlier.
  6. Click on ADD at the bottom of the page in order to save your settings.

How to Modify the Account Listed in WHM

Now that you have created the feature list and added it to a package that can be assigned to the account, your next step is to add the package to the account where you want a free SSL to be applied (through AutoSSL).

Note that free AutoSSL certificates are added automatically to reseller accounts (the accounts created by the reseller). In order to control the accounts that receive free AutoSSLs, the accounts in WHM would need to have the package updated to include the AutoSSL feature as per the steps above and below.

  1. In WHM, go to the Account section. To search for it in the search option of WHM (in the top left corner), type “list.” This will bring you to the Account Information section. Click on List Accounts.
  2. Find the domain that you wish to work with and click on the “+” sign to the left of the account.
  3. Click on Modify Account.
  4. Scroll down and find the Resource Limits section. You will see the package currently assigned to the account at the top of that section. Click on Change in order to select a different package.
  5. The next screen will be titled Upgrade/Downgrade an Account. In the Available Packages section, click on the package you wish to use. If you hover over it, then you will see a summary of the options that were configured in that package.
  6. If you are satisfied with your selection, then click on the button labeled Upgrade/Downgrade.
  7. You will then see a screen showing the changes that are applied to the account. Click on List Accounts in order to return to the list of accounts.

How to Verify a Free Certificate in cPanel

Once you have applied the package to the domain you will need to wait for the server to automatically apply the free AutoSSL to the account. It may take up to 24 hours but normally will take much less time. You can verify that a certificate has been applied by looking in the cPanel of the affected account.

  1. Log in to cPanel.
  2. Scroll to the Security section and click on the SSL/TLS icon.
  3. Under Certificates (CRT) click on the link labeled Generate, view, upload, or delete SSL certificates.

You will see a table listing the certificates applied to the domains listed in WHM. The Free AutoSSL certificate issuer is cPanel and the domains typically include the www and non-www versions of the domain as well as the mail server URL. AutoSSL certificates will automatically be updated, so the expiration date will be typically set 3 months out.
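
The same details can be checked from a shell instead of the cPanel table. The script below is an added example, not part of the original article or of cPanel's tooling: it tests a PEM certificate for the www. name, the 15-day renewal window and the 512-bit RSA threshold described earlier. The function names are illustrative, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: audit a PEM certificate against the AutoSSL behaviour described above.
# Function names are illustrative; only standard openssl/awk/sed/grep calls are used.

# fetch_cert HOST OUT: save the leaf certificate a live host serves on port 443.
fetch_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$2"
}

# cert_covers PEM NAME: succeed if NAME is a DNS entry in the SAN list.
cert_covers() {
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; print; exit }' |
        tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:$2"
}

# cert_rsa_bits PEM: print the RSA modulus size; print nothing for non-RSA keys.
cert_rsa_bits() {
    openssl x509 -in "$1" -noout -text |
        awk '/Public Key Algorithm: rsaEncryption/ { rsa = 1 }
             rsa && /Public-Key: \(/ { gsub(/[^0-9]/, ""); print; exit }'
}

# cert_in_renewal_window PEM [DAYS]: succeed if the cert expires within DAYS (default 15).
cert_in_renewal_window() {
    ! openssl x509 -in "$1" -noout -checkend $(( ${2:-15} * 86400 )) >/dev/null
}

# audit_cert PEM DOMAIN: print findings, return non-zero if any check fails.
audit_cert() {
    a_pem=$1; a_status=0
    for a_name in "$2" "www.$2"; do
        cert_covers "$a_pem" "$a_name" ||
            { echo "MISSING  $a_name is not in the certificate"; a_status=1; }
    done
    a_bits=$(cert_rsa_bits "$a_pem")
    if [ -n "$a_bits" ] && [ "$a_bits" -le 512 ]; then
        echo "WEAK     RSA modulus is $a_bits bits"; a_status=1
    fi
    if cert_in_renewal_window "$a_pem" 15; then
        echo "EXPIRING notAfter is within 15 days"; a_status=1
    fi
    openssl x509 -in "$a_pem" -noout -issuer -enddate
    return "$a_status"
}
```

For a live site, run fetch_cert with the hostname and an output path first, then pass that file and the bare domain to audit_cert.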

Run AutoSSL for All Users

Before you begin, you will need to be logged into the Web Host Manager as a root user. The button labeled Run AutoSSL for All Users runs the module based on the options selected in the tabs below.

NOTE: If you want the AutoSSL option to replace invalid or expiring non-AutoSSL certificates, then click on the Options tab and click on Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates. Make sure to read the warning. If you don’t know if you should replace your EV/OV or DV certificate, then do not select this option until you have spoken with a knowledgeable Web developer, administrator, or support person.

  1. Make sure you are logged in to WHM as the ‘root’ user and click on Manage AutoSSL in the left side menu.
  2. Select the Certificate Provider (typically, the default certificate provider is Sectigo or Comodo, so you can skip this step).
  3. If necessary, click on the tab labeled Manage Users in order to disable AutoSSL for specific users. Make sure to click on the Save button at the bottom of the screen if you have selected a user.
  4. Once you are sure of the users that you want to use AutoSSL with, click on the blue button labeled Run AutoSSL For All Users.
  5. NGINX users only! If you are using NGINX you will need to rebuild the NGINX configuration after running AutoSSL by running the following commands via SSH as root.
    ngxconf -u $user -rd
    service nginx restart
    service httpd restart

Run AutoSSL for Specific Users

  1. Make sure you are logged in to WHM as the ‘root’ user and click on Manage AutoSSL in the left side menu.
  2. Select the Certificate Provider (typically, the default certificate provider is Comodo, so you can skip this step).
  3. Click on the tab labeled Manage Users in order to select or disable AutoSSL for specific users. Make sure to click on the Save button at the bottom of the screen if you make any changes. You can disable AutoSSL for all the users that you do not wish to use AutoSSL.
  4. Click on the blue button labeled Check “user” in order to apply an SSL from AutoSSL. Note that when you check it, it checks ALL of the domains for that particular user.
  5. NGINX users only! If you are using NGINX you will need to rebuild the NGINX configuration after running AutoSSL by running the following commands via SSH as root.
    ngxconf -u $user -rd
    service nginx restart
    service httpd restart

View and Interpret the AutoSSL Log

If you are troubleshooting AutoSSL, the AutoSSL log is a good place to start. It keeps a record of changes to your SSL certificates and any errors or warnings that occur.

  1. Log into your Web Host Manager as the ‘root’ user.
  2. Type ‘autossl’ in the search field.
  3. Click the Manage AutoSSL link under the SSL/TLS section.
  4. Open the Logs tab.
  5. You will then see a list of logs by date and time. Choose the one you want to view then click the View Log button.
  6. Scroll down to view the contents of the AutoSSL log.

Allow AutoSSL to Replace Invalid/Expiring Certificates

Note: You should not follow this guide if you are using Extended Validation (EV) SSL certificates.

  1. Log into your Web Host Manager as the ‘root’ user.
  2. In the search box type “autossl” without the quotation marks.
  3. Click the Manage AutoSSL link under the SSL/TLS section.
  4. You will then be on the “Manage AutoSSL” page. Click the Options link.
  5. Scroll down and check the box to Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates.
  6. Click the Save button. You are finished when you see a “Success!” message on the top right of the page.

Change WHM AutoSSL Notifications

Did you start getting email notifications after allowing AutoSSL to replace Invalid/Expiring Certificates? These messages give you AutoSSL information such as when an SSL renews, expires, or even fails. You can easily adjust when these are sent and who they are sent to. In this tutorial, we will show you how to change AutoSSL notifications in Web Host Manager (WHM).

  1. Log into your Web Host Manager as the ‘root’ user.
  2. In the search box type “autossl” without the quotation marks.
  3. Click the Manage AutoSSL link under the SSL/TLS section.
  4. You will then be on the “Manage AutoSSL” page. Click on the Options link.
  5. You will see the User Notifications and Administrator Notifications sections. Choose from the available settings.
  6. After selecting your notification settings click the Save button. You are finished when you see a “Success!” message on the top right of the page.

For more details on AutoSSL management within WHM, be sure to check the Complete Guide to cPanel’s Free AutoSSL. If you notice that SSL certificates are not being renewed, check out our guide that includes the Fix for AutoSSL Not Running on a VPS. For tips on WHM in general, please refer to our Web Host Manager education page.

Ronnie H Content Writer I

Ronnie is a technical writer and content specialist at InMotion Hosting.
