Automatic SSL Certificate Replacement
Last modified: 2025 August 1
Overview
An SSL certificate is a digital certificate that provides encryption and authentication for websites, ensuring secure communication between a website and a user’s browser. Some browsers block users from accessing websites without SSL certificates.
Servers with valid cPanel & WHM licenses can receive a free SSL certificate for their hostname and any services on it.
If a cPanel Partner disables the free hostname certificate service for their customers in Manage2’s Update Company Information interface (Manage2 » Dashboard » Company » Update Company Information), the server will not use free hostname certificates.
Automatic SSL replacement conditions
Free SSL certificates will automatically replace any hostname or service certificates that meet any of the following conditions:
- Uses a weak signature algorithm.
- Revoked.
- Self-signed. Self-signed certificates are not as secure as certificates that Certificate Authorities (CAs) provide. Because there is no third-party verification, any server can present a self-signed certificate and claim to be your server.
- Invalid (for example, because the server’s hostname does not resolve in DNS to the server’s main IP address).
- Will expire soon, based on the following criteria:
  - Let’s Encrypt™ certificates that expire in less than 25 days.
  - Certificates issued by any other provider that expire in less than 3 days.
Automatic replacement process
When an SSL certificate meets the replacement conditions, the server orders a replacement when the /usr/local/cpanel/scripts/upcp script runs. Then, when Let’s Encrypt sends the replacement certificate, the system downloads and installs it.
If a certificate expires before Let’s Encrypt sends a replacement, the system installs a self-signed certificate as a placeholder. When the new Let’s Encrypt certificate arrives, the system replaces the self-signed placeholder with it.
The automatic certificate replacement process only happens if your hosting provider allows it and you have not disabled it.
Replacement examples
The following examples show how the automatic certificate replacement process works:
- If the Dovecot service’s Let’s Encrypt certificate expires in less than 25 days, the system will order a new Let’s Encrypt certificate to replace the old one. When the new Let’s Encrypt certificate arrives, the system will replace the expiring certificate.
- If the FTP service’s certificate is provided by a CA other than Let’s Encrypt and it expires in less than 3 days, the system will order a Let’s Encrypt certificate to replace it. If Let’s Encrypt cannot send a certificate in time and the CA-provided certificate expires, the system will install a self-signed certificate until Let’s Encrypt sends the new certificate. Then, the system will replace the self-signed certificate.
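The replacement conditions and the two scenarios above, as an added example that is not part of the cPanel documentation: a small Python model of the page’s rules. The weak-algorithm set, the certificate fields and the reference date are constructed assumptions, and the DNS-validity condition is not modeled.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed set of weak algorithms; the page does not say which ones cPanel rejects.
WEAK_SIGNATURE_ALGORITHMS = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}
LETS_ENCRYPT_THRESHOLD_DAYS = 25   # Let's Encrypt certificates
OTHER_CA_THRESHOLD_DAYS = 3        # certificates from any other provider

@dataclass
class CertInfo:
    subject: str               # as printed by `openssl x509 -noout -subject`
    issuer: str                # as printed by `openssl x509 -noout -issuer`
    not_after: datetime
    signature_algorithm: str
    revoked: bool = False      # result of an OCSP/CRL check done elsewhere (assumed)

def parse_openssl_not_after(line):
    """Parse the 'notAfter=Aug 20 12:00:00 2025 GMT' line from `openssl x509 -noout -enddate`."""
    return datetime.strptime(line.split("=", 1)[1].strip(), "%b %d %H:%M:%S %Y %Z")

def replacement_reasons(cert, now):
    """Return the replacement conditions the certificate meets (empty list: keep it)."""
    reasons = []
    if cert.signature_algorithm in WEAK_SIGNATURE_ALGORITHMS:
        reasons.append("weak signature algorithm")
    if cert.revoked:
        reasons.append("revoked")
    if cert.subject == cert.issuer:
        reasons.append("self-signed")
    # The expiry threshold depends on who issued the certificate.
    threshold = LETS_ENCRYPT_THRESHOLD_DAYS if "Let's Encrypt" in cert.issuer else OTHER_CA_THRESHOLD_DAYS
    if cert.not_after - now < timedelta(days=threshold):
        reasons.append(f"expires in less than {threshold} days")
    return reasons

def planned_action(cert, now):
    """What the server does when upcp runs: keep, order a replacement, or bridge an expired cert."""
    if not replacement_reasons(cert, now):
        return "keep"
    if cert.not_after <= now and cert.subject != cert.issuer:
        return "install self-signed placeholder, then swap in the Let's Encrypt certificate"
    return "order Let's Encrypt replacement"

# Constructed sample: the Dovecot scenario from the page, evaluated on 2025-08-01.
NOW = datetime(2025, 8, 1)
DOVECOT = CertInfo("CN = host.example.com", "C = US, O = Let's Encrypt, CN = R3",
                   parse_openssl_not_after("notAfter=Aug 20 12:00:00 2025 GMT"), "sha256WithRSAEncryption")
```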
Disable automatic certificate replacement
You can disable different parts of the automatic certificate replacement process by creating the following touch files:
File | Effect |
---|---|
/var/cpanel/ssl/disable_auto_hostname_certificate | The system will not automatically replace hostname certificates. |
/var/cpanel/ssl/disable_service_certificate_management | The system will not replace service certificates. The system will also disable notifications about service certificate expiration. |
Manage your certificates
You can replace your free Let’s Encrypt certificate with a certificate from another CA in WHM’s Purchase and Install an SSL Certificate interface (WHM » Home » SSL/TLS » Purchase and Install an SSL Certificate). You may want to replace your free Let’s Encrypt certificate with a certificate from another CA to avoid rate and domain limits.
You can see and manage your services’ certificates in WHM’s Manage Service SSL Certificates interface.
Troubleshooting
Some configuration issues can prevent your server from automatically replacing certificates.
CAA records exclude Let’s Encrypt certificates
To receive an automatic replacement certificate, you must allow Let’s Encrypt to issue certificates for your domain. Certification Authority Authorization (CAA) records are DNS records that authorize CAs to issue certificates for your domain. If your domain’s CAA records do not include Let’s Encrypt, it cannot issue an automatic replacement certificate for your domain.
To fix this, perform one of the following actions:
- Remove your domain’s CAA records. If there are no CAA records for a domain, all CAs are allowed to issue certificates for it.
- Add a CAA record for Let’s Encrypt.
A CAA record for Let’s Encrypt would resemble the following example, where example.com represents the domain name:
example.com. 86400 IN CAA 0 issue "letsencrypt.org"
You can manage CAA records through WHM’s DNS Zone Manager interface (WHM » Home » DNS Functions » DNS Zone Manager) or through cPanel’s Zone Editor interface (cPanel » Home » Domains » Zone Editor).
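To check the CAA condition described above before relying on automatic replacement, here is an added example (not from the cPanel documentation) that evaluates a domain’s CAA set the way RFC 8659 prescribes, including the climb to parent names that this page does not describe. The zone data is a constructed dictionary standing in for a real DNS lookup, and the CA domain defaults to letsencrypt.org as in the page’s record.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CAARecord:
    flags: int          # bit 7 (value 128) marks the property as critical
    tag: str            # "issue", "issuewild" or "iodef"
    value: str          # e.g. 'letsencrypt.org', or ';' to forbid every CA

def parse_caa(rdata):
    """Parse zone-file presentation form, e.g. '0 issue "letsencrypt.org"'."""
    flags, tag, value = rdata.split(None, 2)
    return CAARecord(int(flags), tag.lower(), value.strip().strip('"'))

def relevant_caa_set(zone, name):
    """RFC 8659 lookup: the first CAA set found at the name or, failing that, at its ancestors."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]) + ".")
        if records:
            return records
    return []

def ca_authorized(zone, name, ca_domain="letsencrypt.org", wildcard=False):
    """True if the CA may issue for `name` (a wildcard request if `wildcard` is set)."""
    records = relevant_caa_set(zone, name)
    if not records:
        return True     # no CAA records up the tree: any CA may issue
    # A critical property the CA does not understand forbids issuance outright.
    if any(r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef") for r in records):
        return False
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in records):
        tag = "issuewild"   # issuewild overrides issue for wildcard requests
    # Parameters after ';' (e.g. validationmethods=dns-01) are not matched here.
    allowed = {r.value.split(";")[0].strip().lower() for r in records if r.tag == tag}
    return ca_domain in allowed

# Constructed sample zone data (not a real DNS lookup).
SAMPLE_ZONE = {
    "example.com.": [parse_caa('0 issue "letsencrypt.org"')],
    "locked.example.org.": [parse_caa('0 issue "other-ca.example"')],
    "closed.example.net.": [parse_caa('0 issue ";"')],
}
```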
Did not install cPanel & WHM with an FQDN
When you install cPanel & WHM, it attempts to secure your server with an SSL certificate immediately. First, it installs a self-signed hostname certificate. Then, it replaces the self-signed certificate with a free Let’s Encrypt certificate.
However, if you did not set a resolvable Fully Qualified Domain Name (FQDN) as your domain name or get an automatically-issued hostname, Let’s Encrypt will not be able to send you a free certificate. This means that your server will only have a self-signed certificate.
Self-signed certificates are not as secure as other certificates, because self-signed certificates do not use a third-party verification system. This means that any server could claim to be your server.
Because your server only has a self-signed certificate, users may see a security warning when they log in to the cPanel, WHM, or Webmail interfaces.
To secure your server and prevent these warnings, we strongly recommend that you use WHM’s Change Hostname interface (WHM » Home » Networking Setup » Change Hostname) to change the hostname to an FQDN. Then, Let’s Encrypt can issue a free hostname certificate when the /usr/local/cpanel/scripts/upcp maintenance script runs.
If you instead want to use a certificate from another CA, you can update the self-signed certificate with a certificate that you purchase from WHM’s Purchase and Install an SSL Certificate interface (WHM » Home » SSL/TLS » Purchase and Install an SSL Certificate).