AutoSSL in cPanel is great for free, automatic SSL certificates (via Let's Encrypt or Sectigo), but failures happen — like "Impediment" errors, rate limits, or stuck renewals. If your domain stays "Not Secure" after running AutoSSL, or you see logs like "CERTIFICATE-IS-EXTERNALLY-SIGNED" or "Potential reduced AutoSSL coverage," this guide has you covered. We'll focus on common causes and fixes for beginner users (cPanel level) and admins (WHM if needed).
Note: Some fixes require root/WHM access — contact ust if you're on our shared hosting. Always back up your site first!
Common Causes of AutoSSL Failures
- Existing/External Certificates: AutoSSL skips if a non-AutoSSL cert (e.g., paid one) is installed.
- Rate Limits: Let's Encrypt limits (e.g., 5 duplicates/week per domain) or Sectigo queues.
- DNS/Validation Issues: Wrong A/AAAA records, missing IPv6, or Cloudflare interference.
- Cron/Queue Problems: AutoSSL not running automatically or stuck in queue.
- Other: Expired certs not renewing, mixed TXT records, or cPanel version bugs.
Check logs first: In cPanel > SSL/TLS Status > Click domain > View logs for clues.
Step 1: Run AutoSSL Manually & Check Status
- Log into cPanel > Security > SSL/TLS Status.
- Select your domain(s) > Click Run AutoSSL.
- Wait 5-15 mins (or up to 24 hours for queues) > Refresh.
- If fails: Note the error message for next steps.
Tip: If "Pending Queue" — wait or contact us.
Step 2: Fix Existing Certificate Conflicts
Common errors: "Impediment," "CERTIFICATE-IS-EXTERNALLY-SIGNED," or skips renewal.
- In cPanel > SSL/TLS > Manage SSL Sites > Find domain > Uninstall or Delete the old cert.
- (Admin only) In WHM > SSL/TLS > Manage AutoSSL > Options tab > Check "Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates."
- Rerun AutoSSL in cPanel.
Warning: Deleting certs temporarily makes your site insecure — rerun AutoSSL immediately!
Step 3: Resolve DNS & Validation Problems
If validation fails (e.g., "Domain control validation failed"):
- Check DNS: cPanel > Domains > Ensure A/AAAA points to your server IP.
- Add IPv6 if missing: In Zone Editor > Add AAAA record for your domain.
- Cloudflare users: Pause Cloudflare (orange cloud to gray/DNS-only) > Rerun AutoSSL > Re-enable.
- Remove bad TXT records: Zone Editor > Filter for TXT > Delete unrelated ones (e.g., old verifications).
- Wait 24 hours if rate limited (check status.letsencrypt.org for your domain).
Pro Tip: Use tools like MXToolbox or dig to verify DNS propagation.
Step 4: Fix AutoSSL Not Running Automatically (WHM Users Only)
If cron/queue issues:
- (Admin) SSH to server > Run
/usr/local/cpanel/bin/autossl_check --checkallmanually. - Check cron: WHM > Server Configuration > Configure cPanel Cron Jobs > Ensure AutoSSL entry exists.
- Update cPanel: WHM > Update Preferences > Set to "Stable" > Update now (fixes bugs).
Advanced Fixes & When to Get Help
- Rate Limit Hit: Switch providers in WHM > Manage AutoSSL > Providers > Enable Sectigo/Let's Encrypt alternative.
- CA Bundle Wrong: In Manage SSL Sites > Edit site > Clear CA Bundle > Save > Reinstall.
- Still Stuck?: Export logs > Contact host with error details.
Troubleshooting Table (Error Quick-Fixes)
| Error/Message | Likely Cause | Fix |
| Impediment / Externally Signed | Non-AutoSSL cert | Delete old cert > Enable replace option > Rerun |
| Domain Control Validation Failed | DNS misconfig | Fix A/AAAA records > Propagate > Rerun |
| Rate Limit Exceeded | Too many attempts | Wait 7 days or swtich providers. |
| Pending Queue / Not Available | Provider overloaded | Wait 24h or manual check. |
| HTTPS Redirect Interference | CDN like Cloudflare | Pause proxy > Rerun > Re-enable proxy |
| AutoSSL Not Running | Cron broken | Manual run or update cPanel |
Quick Recap (Cheat Sheet)
| Step | Action |
| 1 | cPanel > SSL/TLS Status > Run AutoSSL > Check logs |
| 2 | Delete conflicting certs > Enable replace in WHM |
| 3 | Fix DNS/IPv6/Cloudflare > Rerun |
| 4 | Manual cron or update cPanel if not auto-running |
Need Help?
- Logs?
- Take a screenshot and open a ticket: https://my.lunarracks.com/submitticket.php
- Take a screenshot and open our live chat
-
Official: cPanel AutoSSL Docs
Fixed! Your domains should now auto-secure. Stay green-locked.
