Install Let’s Encrypt SSL for WHM Services & Server Hostname

This guide explains how to secure WHM services and the server hostname using Let’s Encrypt via cPanel AutoSSL. It covers prerequisites, correct issuance steps, validation checks, and common failure scenarios without relying on unsafe manual actions.

Prerequisites (must be verified first)

Before issuing any certificates, confirm the following conditions. Most AutoSSL failures trace back to one of these items.

1. Fully qualified hostname with working DNS

Your server hostname must be a Fully Qualified Domain Name (FQDN), for example:

server.example.com

Verify the hostname configuration:

hostname
hostname -f

The output must match the intended FQDN.

Confirm public DNS resolution from the server:

dig +short $(hostname -f)

This must return the server’s primary public IPv4 address.

2. Reverse DNS (PTR record)

The server IP should have a PTR record that matches the hostname.

A PTR mismatch does not always block certificate issuance, but it frequently causes:

  • Mail trust warnings
  • Service reputation issues
  • TLS validation complaints from remote systems

PTR records are set by your hosting provider or upstream network.
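A preflight check for prerequisites 1 and 2, added here as an example; it is not part of the original guide or of cPanel's tooling. The names check_prereqs and live_check, the sample PTR name and the documentation address 203.0.113.10 are assumptions, and the primary IP is supplied by the operator.

```sh
#!/bin/sh
# Added example: evaluate prerequisites 1 and 2 from collected lookups.
# check_prereqs FQDN PRIMARY_IP A_RECORDS PTR_RECORDS
#   A_RECORDS and PTR_RECORDS are newline-separated `dig +short` output.
# Prints one finding per line; returns 1 if a blocking check failed.
check_prereqs() {
    fqdn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    ip=$2 a_recs=$3 ptr_recs=$4 rc=0

    # 1a. The hostname must be fully qualified (label.label, no empty labels).
    case $fqdn in
        .*|*.|*..*) echo "FAIL hostname: '$fqdn' has an empty label"; rc=1 ;;
        *.*)        echo "OK   hostname: $fqdn" ;;
        *)          echo "FAIL hostname: '$fqdn' is not fully qualified"; rc=1 ;;
    esac

    # 1b. Forward DNS must return the primary public IPv4 address.
    #     -F -x compares whole lines literally: 203.0.113.1 != 203.0.113.10
    if [ -n "$ip" ] && printf '%s\n' "$a_recs" | grep -Fxq -- "$ip"; then
        echo "OK   forward: $fqdn -> $ip"
    else
        echo "FAIL forward: A records for $fqdn do not include $ip"; rc=1
    fi

    # 2. PTR should match the hostname. dig prints a trailing dot and DNS
    #    names are case-insensitive. A mismatch is a warning, not a blocker.
    if printf '%s\n' "$ptr_recs" | tr 'A-Z' 'a-z' | sed 's/\.$//' |
            grep -Fxq -- "$fqdn"; then
        echo "OK   ptr: $ip -> $fqdn"
    else
        echo "WARN ptr: $ip does not reverse to $fqdn"
    fi
    return "$rc"
}

# Live wrapper (not called here: needs dig and network access).
# Usage: live_check 203.0.113.10
live_check() {
    h=$(hostname -f)
    check_prereqs "$h" "$1" "$(dig +short A "$h")" "$(dig +short -x "$1")"
}

# Constructed sample: forward DNS is correct, PTR is a provider default name.
check_prereqs server.example.com 203.0.113.10 \
    "203.0.113.10" "203-0-113-10.static.provider.example."
```
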

3. Firewall and outbound access

Let’s Encrypt validation requires outbound HTTP and HTTPS access.

Ensure:

  • Outbound TCP 80 and 443 are allowed
  • No egress filtering blocks ACME requests

Inbound port 80 is not required for service certificates, but outbound access is mandatory.

4. cPanel version check

From the command line:

/usr/local/cpanel/cpanel --version

  • cPanel v110 and newer include Let’s Encrypt by default
  • Older versions require provider installation (see below)

Step 1: Install the Let’s Encrypt provider (cPanel versions below v110 only)

Skip this section entirely if you are running cPanel v110 or newer. Installing packages manually on modern systems is unnecessary and discouraged.

For supported systems, install the provider using the official script:

/usr/local/cpanel/scripts/install_lets_encrypt_autossl_provider

If reinstalling due to corruption:

/usr/local/cpanel/scripts/uninstall_lets_encrypt_autossl_provider
/usr/local/cpanel/scripts/install_lets_encrypt_autossl_provider

On Ubuntu, AutoSSL functions correctly only if the system is officially supported by cPanel.

Step 2: Enable Let’s Encrypt as the AutoSSL provider

  1. Log in to WHM as the root user
  2. Navigate to Home » SSL/TLS » Manage AutoSSL
  3. Select Let’s Encrypt™ as the provider
  4. Review and accept the Terms of Service
  5. Leave “Recreate my current registration” unchecked unless explicitly instructed
  6. Click Save

AutoSSL is now active and will manage issuance and renewal.

Step 3: Trigger certificate issuance for the hostname and services

To explicitly request certificates for WHM and system services, run:

/usr/local/cpanel/bin/autossl_check --user=root

This command:

  • Requests a Let’s Encrypt certificate for the server hostname
  • Assigns it to WHM, cPanel, Webmail, Exim, Dovecot, and FTP
  • Updates service certificate links automatically

After completion, verify service assignments:

/usr/local/cpanel/bin/checkallsslcerts --verbose

Step 4: Verify certificate installation

Option A: Command-line verification

/usr/local/cpanel/bin/checkallsslcerts --verbose

Look for messages confirming:

  • Valid certificate
  • Issuer: Let’s Encrypt
  • Expiry approximately 90 days in the future

Option B: WHM interface check

Navigate to Home » SSL/TLS » Manage Service SSL Certificates.

Each service should display:

  • Issuer: Let’s Encrypt
  • Hostname: server FQDN
  • Expiry: around 90 days (not one year)

Option C: Browser check

Open:

https://your-hostname:2087

Inspect the certificate details in your browser.

Step 5: Confirm automatic renewal is active

AutoSSL cron job

cat /etc/cron.d/autossl

Expected entry:

0 2 * * * root /usr/local/cpanel/bin/autossl_check --all

This job is managed by cPanel and must not be edited manually.

Ensure AutoSSL is not disabled

Check for disable flags:

ls -la /var/cpanel/ssl/disable_auto_hostname_certificate
ls -la /var/cpanel/ssl/disable_service_certificate_management

If these files exist, remove them:

rm -f /var/cpanel/ssl/disable_auto_hostname_certificate
rm -f /var/cpanel/ssl/disable_service_certificate_management

Troubleshooting common issues

Certificate does not issue or renew

Checks to perform:

hostname -f
dig +short $(hostname -f)

Force an AutoSSL run for root services:

/usr/local/cpanel/bin/autossl_check --user=root --force

Review logs:

ls -lt /var/cpanel/logs/autossl/ | head
tail -f /var/cpanel/logs/autossl/*.log

Let’s Encrypt rate-limit errors appear in these logs.

Services still present an old certificate

Restarting services will briefly interrupt active connections. Perform this during a maintenance window on production servers.

Restart affected services:

/scripts/restartsrv_cpsrvd
/scripts/restartsrv_exim
/scripts/restartsrv_dovecot
/scripts/restartsrv_ftpserver

Clear service SSL cache and reassign:

rm -f /var/cpanel/ssl/service_tokens/*
/usr/local/cpanel/bin/checkallsslcerts

Hostname changed and SSL warnings appear

  1. Update the hostname in WHM » Networking Setup » Change Hostname
  2. Update DNS and PTR records to match
  3. In Manage Service SSL Certificates, reset each service to “Use the hostname’s SSL certificate”
  4. Force AutoSSL:

/usr/local/cpanel/bin/autossl_check --user=root --force

AutoSSL runs but certificates are not renewed

AutoSSL renews certificates as expiry approaches, typically within the final 30 days.

Check expiry:

openssl x509 -in /var/cpanel/ssl/cpanel/cpanel.crt -noout -dates

Confirm the provider is still active in Manage AutoSSL and re-save settings if needed.
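The issuer and expiry checks from Step 4 and the 30-day renewal window above can be combined into one classifier over openssl's text output. This is an added example, not part of the original guide or of cPanel's tooling; the function names, status words and sample certificate fields are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: classify the text printed by
#   openssl x509 -noout -issuer -dates
# Uses POSIX shell arithmetic only, so it does not depend on GNU `date -d`.

# "Jan 10 00:00:00 2025 GMT" -> days since 1970-01-01 (Gregorian calendar).
ossl_days() {
    set -- $1                                   # Mon DD HH:MM:SS YYYY TZ
    case $1 in
        Jan) m=1;; Feb) m=2;; Mar) m=3;; Apr) m=4;; May) m=5;; Jun) m=6;;
        Jul) m=7;; Aug) m=8;; Sep) m=9;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) return 1;;
    esac
    d=${2#0} y=$4
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi    # count the year from 1 March
    doy=$(( (153 * ((m + 9) % 12) + 2) / 5 + d - 1 ))
    echo $(( y * 365 + y / 4 - y / 100 + y / 400 + doy - 719468 ))
}

# classify_cert TODAY_DAYS   (openssl output on stdin)
# Prints "STATUS LIFETIME_DAYS REMAINING_DAYS".
classify_cert() {
    today=$1 issuer='' nb='' na=''
    while IFS= read -r line; do
        case $line in
            issuer=*)    issuer=${line#issuer=} ;;
            notBefore=*) nb=${line#notBefore=} ;;
            notAfter=*)  na=${line#notAfter=} ;;
        esac
    done
    start=$(ossl_days "$nb") && end=$(ossl_days "$na") ||
        { echo "unparsable 0 0"; return 0; }
    life=$((end - start)) left=$((end - today))
    case $issuer in
        *"Let's Encrypt"*)
            if   [ "$left" -lt 0 ];  then status=expired
            elif [ "$left" -le 30 ]; then status=renewal-due   # AutoSSL window
            else status=ok
            fi ;;
        *) status=not-letsencrypt ;;    # self-signed or commercial
    esac
    echo "$status $life $left"
}

# Constructed sample (not output from a real server); 20128 is 2025-02-09.
printf '%s\n' "issuer=C = US, O = Let's Encrypt, CN = R11" \
    "notBefore=Jan 10 00:00:00 2025 GMT" \
    "notAfter=Apr 10 00:00:00 2025 GMT" | classify_cert 20128
```

On the server, pipe in openssl x509 -in /var/cpanel/ssl/cpanel/cpanel.crt -noout -issuer -dates and pass $(( $(date +%s) / 86400 )) as today's day number.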

Let’s Encrypt provider missing

Check cPanel version:

/usr/local/cpanel/cpanel --version

For older versions, reinstall the provider:

/usr/local/cpanel/scripts/uninstall_lets_encrypt_autossl_provider
/usr/local/cpanel/scripts/install_lets_encrypt_autossl_provider

Firewall blocking validation

Check firewall rules:

iptables -L -n | grep -E ":(80|443)"
firewall-cmd --list-ports | grep -E "(80|443)"

Outbound HTTP and HTTPS must be permitted.

Quick reference commands

# Check all service certificates
/usr/local/cpanel/bin/checkallsslcerts --verbose

# Force AutoSSL for all users
/usr/local/cpanel/bin/autossl_check --all --force

# Force AutoSSL for root services only
/usr/local/cpanel/bin/autossl_check --user=root --force

# View recent AutoSSL logs
ls -lt /var/cpanel/logs/autossl/ | head

# Check expiry dates of installed certificates
find /var/cpanel/ssl -maxdepth 3 -name "*.crt" -type f -exec openssl x509 -in {} -noout -dates \;

Further notes

  • Let’s Encrypt certificates are valid for 90 days. A one-year expiry indicates a self-signed or commercial certificate.
  • Service certificates follow the server hostname. Changing the hostname always requires re-issuance.
  • Manual certificate selection should not be used when AutoSSL is active.
  • Once correctly configured, renewal requires no ongoing administration.

For unresolved issues, provide cPanel support with logs from /var/cpanel/logs/autossl/ and /usr/local/cpanel/logs/error_log.