cPanel provides a free SSL certificate service, AutoSSL, powered by Sectigo. The server uses this certificate by default, assuming you haven’t installed one that you’ve purchased elsewhere or obtained from another free service like Let’s Encrypt.
By default, AutoSSL renews the certificate for all the domains and sub-domains in your account every 90 days. This happens automatically, and typically you’ll get no notification when the certificates renew successfully.
However, if AutoSSL encounters an error that prevents the certificate from renewing, a notification will be sent to your email alerting you of the failure. A common trigger for this failure is having recently deployed your domain onto Cloudflare. The error you’ll get from AutoSSL will be along the lines of:
AutoSSL did not renew the certificate for “example.com”. You must take action to keep this site secure.
The “cPanel” AutoSSL provider could not renew the SSL certificate without a reduction of coverage because of the following problems:
⛔ example.com (checked on Jun 15, 2021 at 6:45:15 AM UTC)
DNS DCV: No local authority: “example.com”; HTTP DCV: “cPanel (powered by Sectigo)” forbids DCV HTTP redirections
This error will be similar across all the other sub-domains under the main domain.
How to Fix the Error and Renew the SSL Certificates
From the message we can tell clearly that the error is related to the Domain Control Validation (DCV). The DCV is responsible for validating the ownership of the domain and in this instance it fails to do so on account of encountering a redirect.

This redirect is NOT caused by a conflict with Cloudflare’s Universal SSL certificate as you may suspect. The redirect is instead caused by the Always Use HTTPS setting, which in turn causes AutoSSL to fail.
Therefore, to resolve the error you only need to temporarily turn off the Always Use HTTPS setting by going to Cloudflare’s Dashboard > SSL/TLS > Edge Certificates. After doing that, try renewing the certificates manually in cPanel and once they’re done, you can activate the setting as before.
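Before retrying the renewal in cPanel, you can confirm that the redirect is really gone. The following is an added example, not part of the original post or of cPanel's tooling: it sends one plain-HTTP request without following redirects and reports whether the first response is a 3xx. The validation directory and the placeholder file name are assumptions.

```python
import http.client

# Assumption: Sectigo-style HTTP DCV fetches a token file under this directory
# over plain HTTP. The file name is a made-up placeholder.
DCV_PATH = "/.well-known/pki-validation/preflight-placeholder.txt"


def probe(host, path=DCV_PATH, port=80, timeout=10):
    """Send one plain-HTTP GET and return (status, Location, Server).

    http.client never follows redirects, so this sees the same first
    response a DCV checker that forbids redirections would see.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": "dcv-preflight"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location"), resp.getheader("Server")
    finally:
        conn.close()


def assess(status, location, server):
    """Classify a first response as 'ok' or 'redirect', with a reason."""
    if 300 <= status < 400:
        reason = f"HTTP {status} redirect to {location}"
        if (location or "").lower().startswith("https://") and \
                (server or "").lower() == "cloudflare":
            reason += " (consistent with Cloudflare's Always Use HTTPS)"
        return "redirect", reason
    # Any non-3xx answer means the request was not redirected; the
    # placeholder file does not need to exist for this check.
    return "ok", f"HTTP {status}, no redirect"


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    verdict, reason = assess(*probe(host))
    print(f"{host}: {verdict}: {reason}")
```

Run it against each domain and sub-domain named in the AutoSSL notification; a "redirect" verdict whose server is not Cloudflare points at a redirect rule on the origin instead.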

You’ll have to keep doing this every 90 days, or when you happen to receive the error. If that’s too much to ask, you can try using Let’s Encrypt on cPanel (ask your host if it’s not installed). I’m made to understand that Let’s Encrypt doesn’t encounter this error since it follows the redirect, unlike the default cPanel SSL certificate.
I can actually verify this as I’ve only experienced this error from a site on cPanel. My other sites on DirectAdmin use Let’s Encrypt and don’t experience this issue despite having Cloudflare’s Always Use HTTPS activated for them.