SSL Certificates and AutoSSL in cPanel — Complete Guide

How AutoSSL works on iWebVault, fixing failed issuance, installing third-party SSL certificates, and forcing HTTPS sitewide — without breaking your site.

Every cPanel account at iWebVault gets free Let’s Encrypt SSL via AutoSSL — automatically issued, automatically renewed, no work from you in the normal case. When things go wrong (and they occasionally do), the fixes are usually simple if you know where to look. This guide walks through how AutoSSL works, what to do when it fails, and how to install your own certificate if you’ve bought one from a commercial CA.

How AutoSSL works

AutoSSL is cPanel’s automation layer for Let’s Encrypt. It:

  • Scans every domain and subdomain in your account daily.
  • Issues a certificate for any domain that doesn’t have one.
  • Renews any certificate expiring within 30 days.
  • Validates each domain using HTTP-01 (a file dropped at /.well-known/acme-challenge/).
  • Installs the certificate automatically — no action required.

Check current SSL status: cPanel → Security → SSL/TLS Status. You’ll see every domain with one of three states: green checkmark (valid SSL active), yellow warning (AutoSSL excluded or not yet issued), red X (failed to issue).

When AutoSSL fails — the four common causes

1. DNS doesn’t point to iWebVault yet

Let’s Encrypt validates by reaching http://yourdomain.com/.well-known/acme-challenge/.... If DNS still points at your old host, that URL hits the wrong server and validation fails.

Fix: wait for DNS propagation. Then in SSL/TLS Status, select the failed domain and click Run AutoSSL.

2. Cloudflare is in front and not configured correctly

If you have Cloudflare proxying your site (orange cloud on), Let’s Encrypt’s HTTP request gets caught by Cloudflare before reaching us. The standard fix:

  • Temporarily disable the Cloudflare proxy (grey cloud) on your domain’s A record, let AutoSSL issue, then re-enable the proxy. OR
  • Set Cloudflare SSL mode to “Full (strict)” in Cloudflare → SSL/TLS → Overview, which still allows our cert to function as the origin certificate.

3. .htaccess is blocking the validation path

Some security plugins (WordFence “lockdown” mode, custom .htaccess rules) block hidden directories — including .well-known. Look in your public_html/.htaccess for a line like:

RewriteRule ^\. - [F,L]

Add an exception before it:

RewriteRule ^\.well-known/ - [L]
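To confirm that rule order really lets the validation request through, the check below walks an .htaccess file top to bottom and reports which RewriteRule first decides a challenge path. It is an added example, not part of the original guide or of cPanel; the function name, the placeholder token and the sample files are assumptions, and the patterns are written with the dot escaped as `\.`.

```python
import re

# Request path as mod_rewrite sees it in .htaccess (per-directory) context:
# no leading slash. The token is a constructed placeholder.
CHALLENGE_PATH = ".well-known/acme-challenge/example-token"
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)


def first_rule_hit(htaccess_text, path=CHALLENGE_PATH):
    """Return (line_no, verdict) for the first RewriteRule that decides `path`.

    Simplifications (assumptions of this sketch): RewriteCond lines are ignored,
    so every rule is treated as unconditional, and evaluation stops at the first
    rule that rewrites the path instead of following the rewritten URL.
    """
    for line_no, line in enumerate(htaccess_text.splitlines(), 1):
        m = RULE_RE.match(line)
        if not m:
            continue
        pattern, substitution, raw_flags = m.group(1), m.group(2), m.group(3) or ""
        flags = {f.strip().split("=")[0].upper() for f in raw_flags.split(",") if f.strip()}
        negated = pattern.startswith("!")
        regex = pattern[1:] if negated else pattern
        nocase = re.I if flags & {"NC", "NOCASE"} else 0
        if (re.search(regex, path, nocase) is not None) == negated:
            continue  # pattern does not apply to the challenge path
        if flags & {"F", "FORBIDDEN", "G", "GONE"}:
            return line_no, "blocked"
        if substitution == "-":
            if flags & {"L", "LAST", "END"}:
                return line_no, "allowed"  # pass-through, later rules skipped
            continue  # no-op rule without [L]: keep evaluating
        return line_no, "rewritten"  # redirect or internal rewrite
    return None, "allowed"


# Constructed samples using the two rules from this section.
BLOCKING = r"""RewriteEngine On
RewriteRule ^\. - [F,L]
"""
FIXED = r"""RewriteEngine On
RewriteRule ^\.well-known/ - [L]
RewriteRule ^\. - [F,L]
"""

if __name__ == "__main__":
    print(first_rule_hit(BLOCKING))
    print(first_rule_hit(FIXED))
```

A "blocked" verdict on the challenge path means AutoSSL validation will fail until the exception is moved above the reported line.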

4. Domain rate-limited by Let’s Encrypt

Let’s Encrypt limits any single domain to 5 failed validations per hour. If you’ve been troubleshooting and triggering AutoSSL repeatedly, you may be temporarily blocked. Wait 1 hour, then try once.

Manually triggering AutoSSL

  1. cPanel → SSL/TLS Status.
  2. Check the box next to the domain(s) you want to retry.
  3. Click Run AutoSSL at the top.
  4. Watch the page — issuance usually completes in 30–60 seconds.

If it still fails, the same screen shows the exact error. The most common: “domain failed DNS lookup”, which means DNS isn’t pointing at us yet.

Installing a third-party SSL certificate

Most customers don’t need this — Let’s Encrypt is fine for nearly everything. The legitimate reasons to buy a paid cert: EV (green-bar) certificates, wildcard certs (though Let’s Encrypt also issues wildcards now via DNS-01), or compliance requirements that mandate a specific CA.

To install:

  1. cPanel → Security → SSL/TLS → Manage SSL sites.
  2. Select the domain from the dropdown.
  3. Paste your certificate (the .crt file contents) into Certificate.
  4. Paste your private key (.key) into Private Key.
  5. Paste the CA bundle (.ca-bundle or intermediate certs) into Certificate Authority Bundle.
  6. Click Install Certificate.

The page validates the cert/key match before installing. If it complains “key does not match certificate”, you’ve pasted the wrong key — get the matching one from wherever you bought the cert.

Once a third-party cert is installed, AutoSSL stops managing that domain (it won’t overwrite your paid cert). When the paid cert expires, you renew manually — or re-enable AutoSSL by removing the paid cert from the SSL/TLS Manager.

Forcing HTTPS sitewide

An SSL certificate being installed doesn’t automatically redirect HTTP requests to HTTPS. You have to enforce that. Three layers:

cPanel — Force HTTPS Redirect

cPanel → Domains → for each domain, toggle Force HTTPS Redirect to on. Easiest method; works for static and dynamic sites.

.htaccess

If you’d rather manage in code or the cPanel toggle isn’t available, add to public_html/.htaccess (at the top):

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

WordPress — Site URL must be HTTPS

Even with redirects working, WordPress emits absolute URLs in its HTML. If those URLs are http://, you’ll get mixed-content warnings. Fix at WordPress Admin → Settings → General — update both WordPress Address and Site Address to https://yourdomain.com. Optionally install Really Simple SSL (free plugin), which handles edge cases like hardcoded HTTP in posts.

Common SSL questions

“NET::ERR_CERT_AUTHORITY_INVALID” in browser. The cert installed on the server doesn’t include the full CA chain. cPanel → SSL/TLS → Manage SSL sites → click your domain → check that all three fields (cert, key, CA bundle) are populated.

“Common name mismatch”. The cert was issued for yourdomain.com but you’re accessing as www.yourdomain.com (or vice versa). AutoSSL normally covers both; if only one is covered, run AutoSSL again with the other domain selected.

“Cert is for a different domain entirely”. You connected via your server IP or generic hostname instead of your domain. Use the domain URL in your browser — IP-based access never has a matching cert.

“Mixed content warning” / padlock with yellow triangle. Your page is HTTPS but loads HTTP assets (images, scripts, fonts). View page source, find http:// URLs, change to https:// or // (protocol-relative). Really Simple SSL plugin fixes most automatically.

“My SSL expired even with AutoSSL on.” Something blocked validation — usually DNS recently changed or Cloudflare’s proxy. Check SSL/TLS Status for the error message; fix and re-run.

What’s next

SSL on iWebVault is “set and forget” for the overwhelming majority of customers. When it isn’t, it’s almost always DNS or Cloudflare configuration — not the certificate itself.
