If you manage websites on a cPanel server, you have probably encountered AutoSSL at some point. AutoSSL is cPanel’s automated mechanism for provisioning and renewing free SSL certificates—typically from Let’s Encrypt or cPanel’s built-in Comodo certificate authority. It runs on a daily schedule and attempts to secure every domain and subdomain on the server. When it works, it eliminates the hassle of manual certificate renewals. When it breaks, however, the result can be a confusing wall of warnings in your cPanel interface and, worse, browser security errors for your visitors.
The most common AutoSSL failures include certificates that never provision, domains stuck in “pending validation,” mixed-content warnings after installation, or the dreaded “AutoSSL is currently unavailable” message. Each of these failures has a root cause—often related to DNS propagation, cPanel user permissions, or server-level configuration issues. In this guide, you will learn how to diagnose the most common AutoSSL errors and resolve them without needing to escalate to your hosting provider.
Understanding AutoSSL Validation Methods
Before troubleshooting, it helps to understand how AutoSSL verifies domain ownership. cPanel supports two primary validation methods, and the method your server uses determines where you should look first when something goes wrong.
HTTP-Based Validation (HTTP-01)
In this method, the certificate authority (CA) tells cPanel to place a specific token file at http://yourdomain.com/.well-known/acme-challenge/<token>. The CA then fetches that file over port 80 to confirm you control the domain. This method fails if port 80 is blocked by a firewall, if the document root is misconfigured, or if a reverse proxy or CDN intercepts the request before it reaches the server.
DNS-Based Validation (DNS-01)
With DNS validation, the CA asks for a TXT record to be added to your domain’s DNS zone. cPanel’s AutoSSL can automate this when it has DNS management access for the domain. This method is more reliable because it doesn’t depend on web server configuration, but it fails if the domain’s nameservers are external (not managed by the cPanel server), or if DNS changes haven’t propagated before the validation window closes.
Diagnosing AutoSSL Errors Step by Step
When AutoSSL fails, the first place to check is the AutoSSL log in WHM. Every failed validation attempt is recorded there with error codes that point to the specific problem.
- Log into WHM as root and navigate to Home » SSL/TLS » Manage AutoSSL.
- Check the “Logs” tab for each domain that shows an error. Look for lines containing “ERROR” or “FAILED.”
- Note the specific error code. Common codes include “DNS problem: NXDOMAIN looking up TXT”, “Connection refused on port 80”, and “CAA record prevents issuance”.
- Use the “Run AutoSSL for Specific Users” option to re-attempt provisioning for a single cPanel account without waiting for the daily cron job.
If you do not have WHM access (for example, if you are on a shared hosting plan), you can check the AutoSSL status in your cPanel dashboard under SSL/TLS » SSL Status. This page shows every domain on your account and whether its certificate is active, pending, or failed.
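Reading the log by eye works for one or two domains; on a server with many accounts it helps to bucket every failed line by the kind of error and the area of the guide that fixes it. The triage script below is an added example, not cPanel code: the log line layout it parses (timestamp, level, domain, message) and the sample lines are constructed for this illustration, so adapt LINE_RE to the real AutoSSL log format before using it on a server.

```python
"""Triage AutoSSL validation failures by error message (added example, not cPanel code)."""
import re
from collections import defaultdict

# Assumed line shape, constructed for this example:
#   <timestamp> <LEVEL> <domain>: <message>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>ERROR|FAILED|WARN|INFO)\s+(?P<domain>[\w.-]+):\s+(?P<msg>.*)$"
)

# Message fragments quoted in the guide, in priority order, mapped to a category.
CATEGORIES = [
    ("rate-limit", re.compile(r"too many certificates already issued", re.I)),
    ("caa", re.compile(r"CAA record prevents issuance", re.I)),
    ("dns", re.compile(r"DNS problem|NXDOMAIN|no TXT record found", re.I)),
    ("http", re.compile(r"Connection refused on port 80|Timeout", re.I)),
]

# Where to look first for each category, following the sections of the guide.
FIRST_CHECK = {
    "rate-limit": "wait for the weekly window to reset; do not re-request manually",
    "caa": "add a CAA issue record for letsencrypt.org or sectigo.com",
    "dns": "verify A/TXT records with dig; disable DNS-01 if nameservers are external",
    "http": "open inbound port 80 (server and cloud firewall); pause CDN proxying; check .htaccess",
    "unknown": "read the full entry in WHM » SSL/TLS » Manage AutoSSL » Logs",
}


def classify(message):
    """Map one error message to a category name."""
    for name, pattern in CATEGORIES:
        if pattern.search(message):
            return name
    return "unknown"


def triage(log_text):
    """Return {domain: {category, message, check}} for every ERROR/FAILED line.

    A later line for the same domain overwrites an earlier one, so the
    result reflects the most recent failure per domain.
    """
    result = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["level"] not in ("ERROR", "FAILED"):
            continue
        cat = classify(m["msg"])
        result[m["domain"]] = {"category": cat, "message": m["msg"], "check": FIRST_CHECK[cat]}
    return result


def summarize(triaged):
    """Count failing domains per category."""
    counts = defaultdict(int)
    for entry in triaged.values():
        counts[entry["category"]] += 1
    return dict(counts)


# Constructed sample log; not real AutoSSL output.
SAMPLE_LOG = """\
2024-01-01T03:00:01 INFO  shop.example.com: Starting validation
2024-01-01T03:00:02 ERROR shop.example.com: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.shop.example.com
2024-01-01T03:00:03 ERROR blog.example.net: Connection refused on port 80
2024-01-01T03:00:04 FAILED api.example.org: CAA record prevents issuance
2024-01-01T03:00:05 ERROR example.com: too many certificates already issued for example.com
2024-01-01T03:00:06 ERROR static.example.com: Timeout during connect
"""

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for domain, entry in report.items():
        print(f"{domain:24} {entry['category']:10} -> {entry['check']}")
    print(summarize(report))
```

Because categories are tested in order, a rate-limit or CAA message is never misfiled as a generic DNS or HTTP problem, and anything the patterns do not recognise lands in "unknown" rather than being silently dropped.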
Fixing DNS-Related AutoSSL Failures
DNS issues are by far the most common cause of AutoSSL errors. If your validation log shows “DNS problem: NXDOMAIN” or “no TXT record found,” the issue is almost certainly on the DNS side.
- Verify DNS propagation: Use a tool like “dig yourdomain.com TXT” or an online DNS checker to confirm that your domain’s A record points to the correct server IP and that any required TXT records exist. If you recently changed nameservers, wait up to 48 hours for full propagation before expecting AutoSSL to succeed.
- Check your nameservers: If your domain uses external nameservers (such as Cloudflare or Route53), AutoSSL cannot add DNS-01 challenge records automatically. In this case, the server must fall back to HTTP-01 validation, which means port 80 must be accessible and no proxy service should be intercepting .well-known requests.
- Disable DNS-01 for external-DNS domains: In WHM, navigate to Home » SSL/TLS » Manage AutoSSL » Configure and disable DNS validation for domains that use external nameservers. This forces AutoSSL to use HTTP validation instead.
Resolving HTTP Validation and Firewall Blockages
If AutoSSL shows “Connection refused” or “Timeout” errors during HTTP validation, the server is not reachable on port 80 for the challenge request. This can happen even if your website loads fine over HTTPS, because the CA checks unencrypted port 80 specifically.
- Check your firewall rules: On a cPanel server, run “csf --port 80” to verify port 80 is open. If you use a cloud firewall (AWS Security Groups, DigitalOcean Cloud Firewall), confirm port 80 is allowed for inbound traffic from all IPs—not just known addresses.
- Pause CDN proxying: If you use Cloudflare or a similar proxy service, set the DNS record for your domain to DNS Only (gray cloud) temporarily while AutoSSL runs. Proxied traffic can interfere with the CA’s ability to reach the validation endpoint.
- Verify the .well-known directory exists: In rare cases, a misconfigured rewrite rule or web application firewall (WAF) blocks requests to /.well-known/acme-challenge/. Check your .htaccess file for any rule that blocks access to that path.
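The HTTP-01 mechanism described under “HTTP-Based Validation” and the three blockers above (firewall, CDN interception, rewrite or WAF rules on the challenge path) can all be tested before the daily AutoSSL run by doing what the CA does: drop a random token under the document root and fetch it back over plain HTTP. The script below is an added example, not cPanel's own tooling; the function names, the loopback dry-run helper and the use of a throwaway directory are our assumptions, and on a real server you would pass the account's document root and http://yourdomain.com instead.

```python
"""Pre-flight self-test of the HTTP-01 challenge path (added example, not cPanel code)."""
import functools
import http.server
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_PATH = ".well-known/acme-challenge"


def place_token(docroot):
    """Write a random token file where the ACME challenge would live; return (token, path)."""
    token = secrets.token_urlsafe(32)
    path = os.path.join(docroot, *CHALLENGE_PATH.split("/"), token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(token)
    return token, path


def fetch_token(base_url, token, timeout=10):
    """Request the token the way a CA would; return (http_status_or_None, body_or_reason)."""
    url = f"{base_url.rstrip('/')}/{CHALLENGE_PATH}/{token}"
    try:
        # urlopen follows redirects, as ACME CAs do for HTTP-01 challenges.
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        # 403/404 here usually means a rewrite rule, WAF or CDN rule on the path.
        return e.code, f"HTTP {e.code} from server (rewrite rule, WAF or CDN block?)"
    except (urllib.error.URLError, OSError) as e:
        # No TCP connection at all: port 80 closed, firewalled, or wrong A record.
        reason = getattr(e, "reason", e)
        return None, f"no connection: {reason} (port 80 closed or firewalled?)"


def http01_selfcheck(docroot, base_url):
    """Return (ok, detail); ok only when the exact token body comes back with status 200."""
    token, path = place_token(docroot)
    try:
        status, body = fetch_token(base_url, token)
    finally:
        os.remove(path)  # leave nothing behind in the document root
    if status == 200 and body.strip() == token:
        return True, "challenge path reachable and served verbatim"
    if status == 200:
        # A 200 with a different body is what an interstitial or proxy page looks like.
        return False, "200 but body altered (interstitial page or CDN interception?)"
    return False, f"status={status}: {body}"


def start_local_server(docroot):
    """Serve docroot on a loopback port in a background thread (stand-in for the real vhost)."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=docroot)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def dry_run():
    """Run the check against a throwaway docroot on loopback, then again once the
    listener is gone (which looks exactly like a closed port 80). Returns both results."""
    root = tempfile.mkdtemp()
    srv, base = start_local_server(root)
    try:
        reachable = http01_selfcheck(root, base)
    finally:
        srv.shutdown()
        srv.server_close()
    closed = http01_selfcheck(root, base)
    return reachable, closed


if __name__ == "__main__":
    for outcome in dry_run():
        print(outcome)
```

The check deliberately requires the body to match byte for byte: a CDN or captive page that answers 200 with its own HTML is a validation failure from the CA's point of view, so the script reports it as one rather than treating any 200 as success.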
Handling CAA Record and Rate-Limit Errors
Two less common but frustrating AutoSSL errors involve Certificate Authority Authorization (CAA) DNS records and Let’s Encrypt rate limits.
CAA records tell CAs which providers are allowed to issue certificates for your domain. If a CAA record exists but does not include Let’s Encrypt or cPanel’s CA, AutoSSL will refuse to issue. To fix this, add a CAA record allowing letsencrypt.org or sectigo.com (depending on your provider). A permissive CAA record looks like:
example.com. CAA 0 issue "letsencrypt.org"
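Whether a CAA record actually permits your CA is not always obvious from a single line: the CA walks up from the hostname to the first name that has any CAA records, honours issuewild separately for wildcard names, treats an empty issuer (issue ";") as a blanket refusal, and must refuse if it meets an unknown property with the critical flag set. The evaluator below is an added example, not code from cPanel or any CA; it implements those RFC 8659 rules over a constructed in-memory zone (a dict standing in for DNS lookups, CNAME handling omitted) so the outcome for a given domain can be predicted before AutoSSL runs.

```python
"""Decide whether a CA may issue for a name under its CAA records (added example, RFC 8659 rules)."""

# Constructed zone data: owner name -> list of (flags, tag, value). Not real DNS.
ZONE = {
    "example.com.": [
        (0, "issue", "letsencrypt.org"),
        (0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com.": [(0, "issue", ";")],                       # forbid every CA
    "wild.example.com.": [
        (0, "issue", "sectigo.com"),
        (0, "issuewild", "letsencrypt.org"),                           # wildcards only
    ],
    "params.example.com.": [(0, "issue", "letsencrypt.org; validationmethods=http-01")],
    "strict.example.com.": [(128, "futuretag", "x")],                  # unknown, critical
    "iodef-only.example.com.": [(0, "iodef", "mailto:security@example.com")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128


def _fqdn(name):
    return name.lower().rstrip(".") + "."


def relevant_rrset(name, zone):
    """Climb from the name toward the root; the first non-empty CAA set is the relevant one."""
    labels = _fqdn(name).rstrip(".").split(".")
    while labels:
        rrs = zone.get(".".join(labels) + ".", [])
        if rrs:
            return rrs
        labels.pop(0)
    return []


def _ca_domain(value):
    """Issuer domain part of an issue/issuewild value, e.g. 'letsencrypt.org; k=v' -> 'letsencrypt.org'."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(ca, name, zone=ZONE):
    """Return (permitted, reason) for CA `ca` issuing a certificate for `name`."""
    wildcard = name.startswith("*.")
    lookup = name[2:] if wildcard else name
    rrs = relevant_rrset(lookup, zone)
    if not rrs:
        return True, "no CAA records in the tree: any CA may issue"
    for flags, tag, _ in rrs:
        if flags & CRITICAL and tag.lower() not in KNOWN_TAGS:
            return False, f"critical unknown property '{tag}' must be honoured: refuse"
    issue = [v for _, t, v in rrs if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrs if t.lower() == "issuewild"]
    # issuewild, when present, takes over for wildcard names; otherwise issue applies.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True, "relevant set has no issue/issuewild records: issuance not restricted"
    allowed = {_ca_domain(v) for v in applicable}
    tag_used = "issuewild" if applicable is issuewild else "issue"
    if ca.lower() in allowed:
        return True, f"{ca} is listed in an {tag_used} record"
    if allowed == {""}:
        return False, f"{tag_used} \";\" forbids all CAs"
    return False, f"{ca} not among permitted issuers {sorted(allowed)}"


if __name__ == "__main__":
    for ca, host in [("letsencrypt.org", "shop.example.com"), ("sectigo.com", "shop.example.com"),
                     ("letsencrypt.org", "*.wild.example.com"), ("letsencrypt.org", "strict.example.com")]:
        print(f"{ca:16} {host:24} {caa_permits(ca, host)}")
```

To use this against real records, collect the CAA RRsets with dig for the hostname and each parent (dig wild.example.com CAA, dig example.com CAA, and so on) and feed them in as the same (flags, tag, value) tuples; the decision logic does not change.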
Rate limits apply when Let’s Encrypt receives too many certificate requests from the same domain in a short period. The current limit is 50 certificates per registered domain per week. If you see “too many certificates already issued” in the log, you have hit this limit. The only fix is to wait—AutoSSL will retry automatically the next day, and the rate-limit counter resets weekly.
Key Takeaways
- Most AutoSSL errors are caused by DNS propagation delays, external nameservers, or blocked port 80—not by cPanel itself.
- Always check the AutoSSL logs in WHM or the SSL Status page in cPanel first to identify the exact error code.
- For domains using external DNS, disable DNS-01 validation in WHM and ensure HTTP-01 validation works on port 80.
- Temporarily disable CDN proxying (e.g., Cloudflare’s orange cloud) during AutoSSL provisioning to avoid validation interception.
- CAA DNS records must explicitly include your certificate authority (Let’s Encrypt or Sectigo) or AutoSSL will refuse to issue.
- If you’ve hit a rate limit, wait 24 hours and let AutoSSL retry automatically—do not manually request certificates repeatedly.