Fix cPanel AutoSSL Failure for Site on Cloudflare

cPanel provides a free SSL certificate service powered by Sectigo. The server uses this certificate by default assuming you haven’t installed one that you’ve purchased elsewhere or from another free service like Let’s Encrypt.

By default, AutoSSL renews the certificate for all the domains and sub-domains in your account every 90 days. This happens automatically, and typically you’ll get no notification when the certificates renew successfully.

However, if AutoSSL encounters an error that prevents the certificate from renewing, a notification will be sent to your email alerting you of the failure. This failure commonly shows up after you’ve recently deployed your domain onto Cloudflare. The error you’ll get from AutoSSL will be along the lines of:

AutoSSL did not renew the certificate for “example.com”. You must take action to keep this site secure.
The “cPanel” AutoSSL provider could not renew the SSL certificate without a reduction of coverage because of the following problems:
⛔ example.com (checked on Jun 15, 2021 at 6:45:15 AM UTC)
DNS DCV: No local authority: “example.com”; HTTP DCV: “cPanel (powered by Sectigo)” forbids DCV HTTP redirections

This error will be similar across all the other sub-domains under the main domain.

How to Fix the Error and Renew the SSL Certificates

From the message we can tell clearly that the error is related to the Domain Control Validation (DCV). The DCV is responsible for validating the ownership of the domain and in this instance it fails to do so on account of encountering a redirect.

Screenshot showing cPanel AutoSSL certificate expiry error

This redirect is NOT caused by a conflict with Cloudflare’s Universal SSL certificate as you may suspect. The redirect is instead caused by the Always Use HTTPS setting, which in turn causes AutoSSL to fail.

Therefore, to resolve the error you only need to temporarily turn off the Always Use HTTPS setting by going to Cloudflare’s Dashboard > SSL/TLS > Edge Certificates. After doing that, try renewing the certificates manually in cPanel and once they’re done, you can activate the setting as before.
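A pre-check you can run before retrying the renewal, to confirm the plain-HTTP redirect is really gone. This is an added example, not code from cPanel or Cloudflare: the function names are hypothetical, and the `/.well-known/pki-validation/` directory and the placeholder file name are assumptions about where the HTTP DCV request lands.

```python
import http.client
import sys

# Assumption: the DCV file is requested under this directory over plain HTTP.
# The file name is a constructed placeholder; a 404 is fine, a 3xx is not.
DCV_PATH = "/.well-known/pki-validation/precheck-placeholder.txt"


def probe_http_dcv(host, port=80, path=DCV_PATH, timeout=10):
    """GET the path over plain HTTP and return (status, Location header).

    http.client never follows redirects, so a 301/302 is reported as-is.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": "dcv-precheck-example"})
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def classify(status, location):
    """Map a response to 'https-redirect', 'other-redirect' or 'no-redirect'."""
    if status in (301, 302, 303, 307, 308):
        if (location or "").lower().startswith("https://"):
            return "https-redirect"  # what Always Use HTTPS produces
        return "other-redirect"
    return "no-redirect"


def precheck(host, port=80):
    """Return (ok, detail); ok is True only when the request is not redirected."""
    status, location = probe_http_dcv(host, port)
    kind = classify(status, location)
    return kind == "no-redirect", f"{host}: HTTP {status}, {kind}, Location={location}"


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: dcv_precheck.py <domain>")
    ok, detail = precheck(sys.argv[1])
    print(detail)
    sys.exit(0 if ok else 1)
```

Run it against the main domain and each sub-domain named in the AutoSSL email; an exit status of 1 means the request is still being redirected.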

Screenshot showing cPanel SSL TLS Status
SSL Certificate Renewed Successfully by AutoSSL

You’ll have to keep doing this every 90 days, or when you happen to receive the error. If that’s too much to ask, you can try using Let’s Encrypt on cPanel (inquire from your host if it’s not installed). I’m made to understand that Let’s Encrypt doesn’t encounter this error since it follows the redirect unlike the default cPanel SSL certificate.

I can actually verify this as I’ve only experienced this error from a site on cPanel. My other sites on DirectAdmin use Let’s Encrypt and don’t experience this issue despite having Cloudflare’s Always Use HTTPS activated for them.


Author

Kelvin Muriuki is a web content developer that's passionate about keeping the internet a useful place. He is the founder and editor of Journey Bytes, a tech blog and web design agency. Feel free to connect with him regarding the content appearing on this page or on web and content development.
