Understanding AutoSSL and Its Role in cPanel Security
AutoSSL is one of cPanel’s most valuable security features — it automatically issues, installs, and renews free SSL/TLS certificates for every domain on your server through Let’s Encrypt or a cPanel-authorized certificate authority. For site owners managing multiple domains, AutoSSL removes the tedious manual work of tracking expiration dates and running renewal commands. When it’s working correctly, you never have to think about it. But when AutoSSL breaks — whether due to validation failures, rate limits, or misconfigured DNS — every site on your server becomes vulnerable to browser security warnings and lost visitor trust.
Unfortunately, AutoSSL failures are surprisingly common, especially on shared hosting environments and newly configured servers. Domain validation (DV) checks fail, rate limits kick in, or the cPanel certificate authority rejects a request for reasons that aren’t immediately obvious. This guide walks through every major AutoSSL error scenario, explains what causes each one, and gives you the exact steps to resolve it so you can restore automatic SSL coverage across your entire cPanel account.
Common AutoSSL Error Types and What They Mean
Before diving into fixes, it helps to understand the three broad categories of AutoSSL errors: domain validation failures, rate-limit throttling, and certificate authority (CA) rejections. Each category requires a different troubleshooting approach, and misdiagnosing the type will cost you time.
Domain Validation (DV) Failures
Let’s Encrypt and other CAs verify domain ownership by checking that a specific file is accessible at http://yourdomain.com/.well-known/pki-validation/ or by querying the domain’s DNS TXT record. If this check fails, AutoSSL cannot issue a certificate. Common causes include an .htaccess rule blocking the validation path, a CDN proxy (like Cloudflare’s orange cloud) hiding the origin server, or the domain simply resolving to the wrong IP address.
Rate Limit Exhaustion
Let’s Encrypt imposes strict rate limits: 50 certificates per registered domain per week and 300 failed validations per account per hour. Shared servers with hundreds of domains frequently hit these limits, causing AutoSSL to log errors like “too many certificates already issued” or “rate limit exceeded.” This is especially common after a server-wide AutoSSL re-run or when migrating a large account.
Certificate Authority Rejections
Occasionally, the CA rejects a certificate request due to problems with the domain’s DNS configuration — missing CAA records, invalid DNSSEC signatures, or a domain that doesn’t actually resolve publicly. These rejections produce error messages in cPanel’s AutoSSL logs that pinpoint the specific CA’s reason code.
How to Check AutoSSL Status and Logs in cPanel
The first step in any AutoSSL fix is locating the error logs. cPanel provides a dedicated interface for this, but it’s buried deeper than most people expect.
Step 1: Access the SSL/TLS Status Page
- Log into your cPanel dashboard.
- Scroll to the Security section and click SSL/TLS Status.
- Wait for the status check to complete — cPanel pings each domain’s current certificate status and displays a table with columns for domain, certificate status, and issuer.
Domains with a green checkmark are covered by a valid AutoSSL certificate. Domains with a red X or warning icon indicate a failed or expired certificate.
Step 2: Review the AutoSSL Log
If a domain shows as failed, click the View Details link next to it. This opens a log window showing the exact error message from the failed AutoSSL run. Examples include:
- AuthorizationError: DNS problem: NXDOMAIN looking up A for example.com — the domain doesn’t resolve
- RateLimitExceeded: too many certificates already issued — rate limit hit
- ConnectionError: Fetching http://example.com/.well-known/pki-validation/ returned 403 — blocked by access control
Copy the error message before proceeding to the fix section below. The specific wording determines which solution applies.
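The triage step above (read the message, decide which category it belongs to, jump to the matching fix) is mechanical enough to script when a server-wide run produces hundreds of failures. The following is an added example, not part of the original article and not cPanel's own tooling: it matches the three messages quoted above, plus two assumed keywords (CAA and SERVFAIL/DNSSEC) for the CA-rejection cases this guide describes in prose without showing the exact log text, and pulls out the domain each line names.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Patterns for the messages quoted on the page, plus two assumed keywords
# (CAA, SERVFAIL/DNSSEC) for the CA-rejection cases the page only describes
# in prose. First match wins, so the more specific patterns come first.
TRIAGE_RULES = [
    (re.compile(r"RateLimitExceeded|too many certificates|rate limit exceeded", re.I),
     "rate_limit", "wait for the rolling limit to reset, consolidate subdomains, or switch CA"),
    (re.compile(r"NXDOMAIN|DNS problem", re.I),
     "dns_resolution", "check that the root and www names resolve to this server's A record"),
    (re.compile(r"\.well-known/\S*\s+returned\s+403", re.I),
     "validation_path_blocked", "check .htaccess, document root and CDN proxy for the validation path"),
    (re.compile(r"\bCAA\b", re.I),
     "caa_rejection", "add a CAA record that allows the CA in use"),
    (re.compile(r"SERVFAIL|DNSSEC", re.I),
     "dnssec_failure", "verify the DS records at the registrar match the current DNSKEY"),
]

# First dotted hostname in the line, e.g. "example.com" in "looking up A for example.com".
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


@dataclass
class Triage:
    message: str
    category: str
    action: str
    domain: str | None


def triage_line(line: str) -> Triage:
    """Map one AutoSSL log line to a fix category and the domain it names."""
    m = DOMAIN_RE.search(line)
    domain = m.group(1).lower() if m else None
    for pattern, category, action in TRIAGE_RULES:
        if pattern.search(line):
            return Triage(line.strip(), category, action, domain)
    return Triage(line.strip(), "unknown", "copy the full message and inspect it manually", domain)


def triage_log(text: str) -> dict[str, list[Triage]]:
    """Group every non-empty line of an AutoSSL log by category."""
    groups: dict[str, list[Triage]] = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            t = triage_line(line)
            groups[t.category].append(t)
    return dict(groups)


# Constructed log excerpt built from the three messages quoted on the page.
SAMPLE_LOG = """\
AuthorizationError: DNS problem: NXDOMAIN looking up A for example.com
RateLimitExceeded: too many certificates already issued
ConnectionError: Fetching http://example.com/.well-known/pki-validation/ returned 403
"""

if __name__ == "__main__":
    for category, items in triage_log(SAMPLE_LOG).items():
        print(category)
        for t in items:
            print(f"  {t.domain or '-'}: {t.action}")
```

Feed it the text copied from the View Details window; the category tells you which fix section below applies, and grouping by category shows at a glance whether one root cause (a single rate limit, one blocked document root) explains most of the failures.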
Step 3: Run a Manual AutoSSL Check
In the same SSL/TLS Status interface, click the button labeled Run AutoSSL to trigger an immediate check. This bypasses the default 24-hour check cycle and can confirm whether a fix has taken effect without waiting. Note that rate-limited servers may need up to an hour before a manual re-run succeeds.
Fixing Domain Validation Errors (Most Common Issue)
DV failures account for roughly 70% of all AutoSSL problems. Here’s how to systematically resolve them.
Fix 1: Check DNS Resolution
From your terminal, run:
dig +short example.com
dig +short www.example.com
Both the root domain and the www subdomain must return an A record pointing to your server’s IP address. If they don’t, update the DNS zone through your domain registrar or cPanel’s Zone Editor. AutoSSL validates both example.com and www.example.com separately.
Fix 2: Temporarily Disable CDN Proxy
If you use Cloudflare or another CDN with proxy mode (orange cloud), the Let’s Encrypt validation request hits the CDN edge, which may not forward the .well-known path properly to your origin server. Temporarily set the DNS record to DNS Only (gray cloud) and re-run AutoSSL. Once the certificate is issued, you can re-enable proxy mode.
Fix 3: Clear .htaccess Blocks
A strict .htaccess rule can unintentionally block the validation directory. Check your domain’s .htaccess file for rules like:
RewriteRule .* - [F,L]
Deny from all
Add this exception before any blocking rules:
RewriteRule ^\.well-known/ - [L]
This tells Apache to allow Let’s Encrypt’s validation requests through regardless of other security rules.
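Because the exception only works when it sits before the forbidding rule, it is worth checking the ordering rather than trusting a manual edit. The following is an added example, not part of the original article or of cPanel: a small linter that reads an .htaccess file, finds the first RewriteRule with the F flag and reports whether a .well-known exception precedes it. It also lists Deny from all and the Apache 2.4 form Require all denied separately, because those are enforced by the access-control modules rather than mod_rewrite, so a RewriteRule exception does not lift them; the validation directory then needs its own allow directive.

```python
import re

# A RewriteRule whose flags include F forbids the request, e.g. "RewriteRule .* - [F,L]".
FORBID_RE = re.compile(r"^RewriteRule\s+\S+\s+\S+\s+\[[^\]]*\bF\b[^\]]*\]", re.I)
# The exception from the page: matches .well-known, rewrites to nothing ("-"), stops with [L].
EXCEPTION_RE = re.compile(r"^RewriteRule\s+\S*well-known\S*\s+-\s+\[[^\]]*\bL\b[^\]]*\]", re.I)
# Access-control denials are enforced outside mod_rewrite, so they are reported on their own.
ACCESS_DENY_RES = [
    re.compile(r"^Deny\s+from\s+all\b", re.I),        # Apache 2.2 syntax (mod_access_compat)
    re.compile(r"^Require\s+all\s+denied\b", re.I),   # Apache 2.4 syntax
]


def lint_well_known(htaccess: str) -> dict:
    """Report whether the .well-known exception precedes every forbidding RewriteRule."""
    exception_line = None
    forbidding = []       # (line number, directive) for RewriteRules carrying the F flag
    access_denials = []   # (line number, directive) for Deny / Require all denied
    for n, raw in enumerate(htaccess.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if FORBID_RE.match(line):            # checked first: "[F,L]" on .well-known is still a block
            forbidding.append((n, line))
        elif exception_line is None and EXCEPTION_RE.match(line):
            exception_line = n
        elif any(p.match(line) for p in ACCESS_DENY_RES):
            access_denials.append((n, line))
    first_forbid = forbidding[0][0] if forbidding else None
    exception_ok = first_forbid is None or (exception_line is not None and exception_line < first_forbid)
    return {
        "exception_line": exception_line,
        "forbidding_rewrites": forbidding,
        "access_denials": access_denials,
        "exception_ok": exception_ok,
    }


# Constructed .htaccess contents: the blocking rules from the page, then the repaired ordering.
BLOCKED_HTACCESS = "RewriteEngine On\nRewriteRule .* - [F,L]\nDeny from all\n"
FIXED_HTACCESS = "RewriteEngine On\nRewriteRule ^\\.well-known/ - [L]\nRewriteRule .* - [F,L]\n"

if __name__ == "__main__":
    for label, text in (("blocked", BLOCKED_HTACCESS), ("fixed", FIXED_HTACCESS)):
        print(label, lint_well_known(text))
```

Run it against the document root's .htaccess after editing; an empty access_denials list and exception_ok set to True means the RewriteRule ordering matches what the fix above describes.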
Fix 4: Verify the Document Root
Make sure the domain’s document root in cPanel is correct. Go to Domains → Domains and check the Document Root column. If it points to the wrong directory, the .well-known directory created by AutoSSL won’t be accessible from the web. This is a common issue with addon domains and subdomains that were reconfigured after initial setup.
Resolving AutoSSL Rate Limit Problems
Rate limiting is the second most common cause of AutoSSL failures. When you see errors about “too many certificates” or “rate limit exceeded,” here’s what to do.
Wait and Retry
The simplest fix is also the most frustrating: wait. Let’s Encrypt’s rate limits reset on a rolling basis. For the “failed validation” limit, wait one full hour and then run AutoSSL again. For the “50 certificates per domain per week” limit, you’ll need to check whether your server is requesting certificates for many subdomains unnecessarily.
Consolidate with Wildcard Certificates
If you manage a domain with many subdomains (e.g., blog.example.com, shop.example.com, mail.example.com), each subdomain counts toward the 50-certificate weekly limit per base domain. Switching to a wildcard certificate (*.example.com) covers all subdomains under a single certificate, dramatically reducing your rate-limit consumption.
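The two questions behind the rate-limit advice above are "when can I retry?" and "how many certificates would a wildcard save?", and both can be answered from the issuance history rather than by guessing. The following is an added example, not part of the original article or of cPanel, that goes a little beyond the text: it applies the 50-per-registered-domain-per-week figure quoted above as a rolling seven-day window, computes the earliest time one more certificate fits, and counts how many certificates a single *.domain wildcard would replace. The registered-domain helper is a deliberate simplification (assumption: last two labels) and would need a Public Suffix List lookup for names under suffixes such as co.uk.

```python
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta, timezone

CERTS_PER_DOMAIN_PER_WEEK = 50    # the limit quoted on the page
WINDOW = timedelta(days=7)


def registered_domain(name: str) -> str:
    """Registrable domain, simplified (assumption) to the last two labels."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def in_window(issued: list[datetime], now: datetime) -> list[datetime]:
    """Issuance times that still count against the rolling window, oldest first."""
    return sorted(t for t in issued if now - WINDOW < t <= now)


def next_slot(issued: list[datetime], now: datetime, limit: int = CERTS_PER_DOMAIN_PER_WEEK) -> datetime:
    """Earliest time one more certificate fits under the rolling weekly limit."""
    recent = in_window(issued, now)
    if len(recent) < limit:
        return now
    # len(recent) - limit + 1 of the oldest entries must age out first; the last of
    # those leaves the window exactly WINDOW after it was issued.
    return recent[len(recent) - limit] + WINDOW


def budget(issuances: list[tuple[str, datetime]], now: datetime,
           limit: int = CERTS_PER_DOMAIN_PER_WEEK) -> dict[str, dict]:
    """Per registered domain: certificates used this week, remaining, next request time.
    `issuances` is a list of (hostname, issued_at) pairs."""
    by_domain: dict[str, list[datetime]] = defaultdict(list)
    for host, at in issuances:
        by_domain[registered_domain(host)].append(at)
    out = {}
    for dom, times in by_domain.items():
        used = len(in_window(times, now))
        out[dom] = {"used": used, "remaining": max(0, limit - used),
                    "next_slot": next_slot(times, now, limit)}
    return out


def wildcard_consolidation(hostnames: list[str]) -> dict[str, tuple[int, int]]:
    """Per registered domain: (certificates needed one per name,
    certificates needed with one *.domain wildcard covering its direct subdomains)."""
    groups: dict[str, set[str]] = defaultdict(set)
    for h in hostnames:
        groups[registered_domain(h)].add(h.lower().rstrip("."))
    out = {}
    for dom, names in groups.items():
        direct_subs = {n for n in names if n.count(".") == dom.count(".") + 1}
        others = names - direct_subs   # the apex and deeper names, which *.dom does not cover
        out[dom] = (len(names), len(others) + (1 if direct_subs else 0))
    return out


# Constructed issuance history: 52 certificates for names under example.com in the
# last two days (over the limit), plus two for example.org three days ago.
NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_ISSUANCES = [(f"site{i}.example.com", NOW - timedelta(hours=i)) for i in range(52)]
SAMPLE_ISSUANCES += [("example.org", NOW - timedelta(days=3)),
                     ("www.example.org", NOW - timedelta(days=3))]

if __name__ == "__main__":
    for dom, info in budget(SAMPLE_ISSUANCES, NOW).items():
        print(dom, info)
    print(wildcard_consolidation([h for h, _ in SAMPLE_ISSUANCES]))
```

The issuance list can be filled from the SSL/TLS Status page or from certificate transparency logs for your domain; the next_slot value is the time at which a Run AutoSSL re-run stops hitting the weekly limit.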
To use wildcard certificates with AutoSSL:
- Go to SSL/TLS Status in cPanel.
- Click Manage AutoSSL.
- Under Certificate Type, select Wildcard for the domains that need broad subdomain coverage.
- Note that wildcard validation requires DNS-based (not HTTP-based) verification, so you’ll need to add a TXT record to your DNS zone.
Use a Different Certificate Authority
cPanel allows you to switch between Let’s Encrypt (default) and other providers. If rate limits are chronic, you can configure AutoSSL to use Sectigo or another CA that has higher or no rate limits. In WHM, navigate to Home → SSL/TLS → Manage AutoSSL and change the default provider. This is a server-wide setting that applies to all accounts.
Dealing with Certificate Authority Rejections
When the CA explicitly rejects a certificate request, the error log usually includes a specific reason. Here are the most common rejection scenarios and their fixes.
CAA Record Issues
CAA (Certificate Authority Authorization) DNS records specify which CAs are allowed to issue certificates for your domain. If your DNS has a CAA record that doesn’t include Let’s Encrypt, the CA will reject the request. Check with:
dig +short CAA example.com
A missing or overly restrictive CAA record blocks all AutoSSL issuances. Add a CAA record that allows letsencrypt.org using cPanel’s Zone Editor:
Type: CAA   Name: example.com   Record: 0 issue "letsencrypt.org"
DNSSEC Validation Failures
If your domain has DNSSEC enabled, the CA must be able to validate the DNSSEC chain for your domain. A misconfigured DNSSEC signature causes the validation resolver to return a SERVFAIL, which the CA interprets as a failed ownership check. Verify DNSSEC status with:
dig example.com A +dnssec
If the output includes the ad (authenticated data) flag, DNSSEC is working. If not, check with your DNS provider that the DS records at the registrar level match the current DNSKEY signatures.
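Both DNS-level checks in this section can be reproduced offline once you have the records in hand, which makes it easier to see why a request was rejected before touching the zone. The following is an added example, not part of the original article or of cPanel: the CAA half implements the lookup a CA performs (climb from the hostname toward the root, use the first CAA set found, let issuewild govern wildcard names when present, treat a bare ";" as "no CA may issue") over a constructed record set that includes the letsencrypt.org record shown above; the DNSSEC half parses the flags line of a dig header for the ad flag. One caveat on that flag: a resolver only sets ad when it validated the answer itself, so a non-validating resolver never shows it even for a correctly signed zone, and a SERVFAIL from a validating resolver is the stronger signal that matches the failure described above.

```python
from __future__ import annotations

import re

# Constructed CAA data keyed by owner name; each record is (flags, tag, value).
# example.com carries the record the page tells you to add; the other names
# show an explicit deny (";") and a zone with a separate wildcard policy.
SAMPLE_CAA: dict[str, list[tuple[int, str, str]]] = {
    "example.com": [(0, "issue", "letsencrypt.org")],
    "locked.example.com": [(0, "issue", ";")],
    "wild.example.org": [(0, "issue", "sectigo.com"), (0, "issuewild", "letsencrypt.org")],
}


def relevant_caa(name: str, zone: dict) -> list[tuple[int, str, str]]:
    """Walk from the name toward the root and return the first CAA set found
    (the "relevant RRset" of RFC 8659); an empty list means no CAA policy applies."""
    labels = name.lower().rstrip(".").split(".")
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels.pop(0)
    return []


def ca_may_issue(name: str, ca: str, zone: dict) -> bool:
    """Decide whether `ca` (its CAA identifier, e.g. letsencrypt.org) may issue for `name`.
    Wildcard names ("*.example.com") are governed by issuewild when present, else by issue."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    rrset = relevant_caa(base, zone)
    if not rrset:
        return True                      # no CAA anywhere up the tree: any CA may issue
    tag = "issuewild" if wildcard and any(t == "issuewild" for _, t, _ in rrset) else "issue"
    values = [v for _, t, v in rrset if t == tag]
    if not values:
        return True                      # CAA present but no issue/issuewild property: unrestricted
    # The value is "<ca-domain>[; parameters]"; ";" alone names no CA and blocks everyone.
    return any(v.split(";", 1)[0].strip().lower() == ca.lower() for v in values)


# The dig header (printed without +short) carries the flags; "ad" means the
# resolver that answered validated the response.
FLAGS_RE = re.compile(r"^;; flags:\s*([a-z ]*);", re.M)


def dnssec_authenticated(dig_output: str) -> bool:
    """True when the flags line of a dig response contains the ad flag."""
    m = FLAGS_RE.search(dig_output)
    return bool(m) and "ad" in m.group(1).split()


# Constructed header in the form dig prints it.
SAMPLE_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    for host in ("example.com", "www.example.com", "locked.example.com", "*.wild.example.org"):
        print(host, "letsencrypt.org may issue:", ca_may_issue(host, "letsencrypt.org", SAMPLE_CAA))
    print("authenticated:", dnssec_authenticated(SAMPLE_DIG))
```

To use it on a real zone, fill the dictionary from dig CAA output for each name you manage and pass the CAA identifier of the CA AutoSSL is configured to use; a False result for a name that AutoSSL failed on points at the record that needs changing.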
Preventive Measures to Keep AutoSSL Running Smoothly
Once you’ve resolved the immediate issue, these practices will reduce the likelihood of future AutoSSL failures.
- Monitor certificate expiry proactively — Use the SSL/TLS Status page weekly rather than waiting for browser warnings. The built-in cPanel interface shows expiry dates for every domain.
- Keep DNS clean and current — Stale A records pointing to old IPs are the single biggest cause of AutoSSL failures. Remove unused subdomains and update DNS promptly after server migrations.
- Set up cron-based monitoring — Use the whmapi tool from the command line to check AutoSSL status on a schedule (whmapi1 check_autossl) and pipe results to a log file for review.
- Avoid excessive subdomains — Each subdomain consumes a certificate slot. Consolidate where possible, or use a single wildcard certificate for unbounded subdomain needs.
- Test the .well-known path — Periodically visit http://yourdomain.com/.well-known/pki-validation/ in a browser to confirm it returns a 200 OK (or at least not a 403). A blocked path means AutoSSL will fail for every domain sharing that document root.
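The expiry monitoring suggested in the list above does not have to depend on the cPanel interface: the expiry date is in the certificate itself. The following is an added example, not part of the original article or of cPanel, that reads the notAfter field either from a live TLS handshake or from stored openssl x509 -noout -enddate output, and classifies each domain as ok, expiring or expired against a warning threshold. The 14-day threshold and the sample inventory are assumptions constructed for the example.

```python
from __future__ import annotations

import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 14   # assumption: flag anything inside two weeks of expiry


def parse_not_after(value: str) -> datetime:
    """Parse a certificate's notAfter as printed by getpeercert() or by
    `openssl x509 -noout -enddate` ("notAfter=Jun 12 23:59:59 2025 GMT")."""
    if value.startswith("notAfter="):
        value = value[len("notAfter="):]
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value.strip()), tz=timezone.utc)


def status(not_after: datetime, now: datetime, warn_days: int = WARN_DAYS) -> tuple[str, int]:
    """Return ("expired" | "expiring" | "ok", whole days remaining)."""
    days = (not_after - now).days
    if days < 0:
        return "expired", days
    if days <= warn_days:
        return "expiring", days
    return "ok", days


def report(inventory: dict[str, str], now: datetime,
           warn_days: int = WARN_DAYS) -> dict[str, tuple[str, int]]:
    """Status for every domain in a {domain: notAfter string} inventory."""
    return {d: status(parse_not_after(v), now, warn_days) for d, v in inventory.items()}


def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live check: open a TLS connection and return the served certificate's notAfter.
    The default context verifies the chain, so an expired or untrusted certificate
    raises ssl.SSLCertVerificationError, which is itself the alert condition."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


# Constructed inventory, in the form `openssl x509 -noout -enddate` prints per domain.
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = {
    "example.com": "notAfter=Jun 12 23:59:59 2025 GMT",
    "shop.example.com": "notAfter=Mar  1 00:00:00 2025 GMT",
    "blog.example.com": "notAfter=Sep 30 12:00:00 2025 GMT",
}

if __name__ == "__main__":
    for domain, (state, days) in report(SAMPLE_INVENTORY, SAMPLE_NOW).items():
        print(f"{domain:20} {state:9} {days:>5} days")
```

Run from cron with the live fetch_not_after feeding the inventory, anything reported as expiring is a domain whose AutoSSL renewal is not happening and should be checked against the log triage steps earlier in this guide before the browser warnings start.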
Key Takeaways
- AutoSSL automatically issues and renews free SSL certificates through Let’s Encrypt or another CA, but common failures include domain validation errors, rate limits, and CA rejections.
- Domain validation failures are the most frequent issue — check DNS resolution, CDN proxy settings, .htaccess rules, and document root paths first.
- Rate limiting from Let’s Encrypt can be mitigated by waiting, consolidating subdomains under wildcard certificates, or switching to a different certificate authority.
- CAA DNS records and DNSSEC misconfigurations are the primary causes of outright CA rejections and need to be verified at the DNS level.
- Regular monitoring through cPanel’s SSL/TLS Status page or cron-based whmapi checks helps catch issues before they cause browser security warnings.
- Keeping DNS clean, removing unused domains, and testing the .well-known validation path periodically prevents most recurring AutoSSL problems.