When AutoSSL or Let’s Encrypt renewals fail, sites can lose HTTPS and visitors see “Not secure.” Last week many hosts saw certificate renewals failing — here’s a clear, step-by-step guide to diagnose and fix AutoSSL failures (cPanel/WHM) and get your certificates reissued fast.
AutoSSL (the cPanel feature that automatically installs/renews free SSL certs from providers like Let’s Encrypt) sometimes fails. When it does, domains may show expired/untrusted certificates and visitors get security warnings. Failures last week came from two main causes: temporary Let’s Encrypt service issues (API/downtime) and validation/host configuration problems (DNS or existing non-AutoSSL certs blocking replacement).
Some real user examples
- Several forum threads and Reddit posts noted AutoSSL renewals failing with ACME / DCV errors after attempts to renew — some traceable to Let’s Encrypt temporary outages.
- cPanel admins reported AutoSSL failing because domains didn’t resolve back to the server IP (DNS/DCV mismatch) or because non-AutoSSL certificates already existed and blocked replacement.
 
Common causes and triggers
- Let’s Encrypt / ACME provider outages or API slowness. If the CA is unreachable, your AutoSSL orders will stall or fail.
- DNS/DCV problems: AutoSSL must complete domain control validation (DCV) over HTTP or DNS. If the domain doesn’t resolve to the server IP, DCV fails.
- Existing non-AutoSSL certificates (third-party or manually installed certs), which AutoSSL refuses to overwrite unless configured to allow replacement.
- Outdated cPanel or cron problems: old cPanel versions or broken AutoSSL cron jobs can prevent automatic renewals.
 
Step-by-step beginner fixes
Follow these in order — simple checks first, then deeper fixes.
1) Quick check: Is Let’s Encrypt down?
- Visit the Let’s Encrypt status page or check forums/Reddit for outages. If the CA is down, wait (and alert users). Reports from last week show temporary outage incidents.
 
2) Confirm domain DNS points to your server
From any shell (or use an online DNS checker):
dig +short example.com
# should return the public IP bound to the hosting server
If dig returns nothing or an IP not bound to your server, fix DNS with the domain registrar/DNS host. AutoSSL will fail if DCV can’t reach your server. 
3) Recreate Let’s Encrypt registration (WHM)
If cPanel’s Let’s Encrypt registration is expired/corrupted:
- WHM → Manage AutoSSL → Providers → Choose Let’s Encrypt → check Agree to Terms and Recreate my current registration → Save. Then run AutoSSL for affected accounts. (Official cPanel guidance.)
 
4) Allow AutoSSL to overwrite existing (non-AutoSSL) certs
If AutoSSL refuses to replace third-party certs:
- WHM → Manage AutoSSL → Options tab → Enable Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates → Save. Then run AutoSSL.
 
5) Run AutoSSL manually & check logs
Run AutoSSL for an account (WHM) or via CLI:
# run AutoSSL for all users
/usr/local/cpanel/bin/autossl_check --all
# check AutoSSL logs
tail -n 200 /var/cpanel/logs/autossl_run_httpd_*.log
Review logs for specific ACME/DCV failures (they’ll indicate DNS, port, or ACME errors).
6) Delete conflicting certificate, then re-run AutoSSL (if necessary)
If a non-AutoSSL cert blocks replacement:
- WHM → Manage AutoSSL → Manage Users → select domain → Delete existing cert for that domain → Run AutoSSL for that domain. (This forces fresh issuance.)
 
7) Check ports and firewall
Make sure HTTP (80) and HTTPS (443) reach your server (AutoSSL/DCV often uses HTTP/80). From a remote machine:
curl -I http://example.com/.well-known/acme-challenge/test
# or use online port checkers
If blocked by firewall or CDN, configure appropriately or use DNS validation if supported by your provider.
8) If Let’s Encrypt API is slow/unreliable — retry later or use alternate provider
If the CA is having issues, either retry after a short wait or (if urgent) temporarily switch the AutoSSL provider in WHM (e.g., to Sectigo, if available). Note: switching providers has consequences; only do so if you understand them.
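The DNS check from step 2 and the port-80 check from step 7, combined into one pre-flight script for several domains. This is an added example, not cPanel's or the author's code: the function names and sample IPs are assumptions, and it also checks AAAA records, which goes beyond the `dig` in step 2.

```shell
#!/usr/bin/env bash
# Added example: pre-flight for the DNS (step 2) and port 80 (step 7) checks DCV depends on.

# classify_dcv_dns "<server IPs>" "<resolved IPs>" (space-separated lists)
# Prints NO_RECORD, MATCH, PARTIAL or MISMATCH.
classify_dcv_dns() {
    local server_ips=" $1 " resolved="$2" ip hit=0 miss=0
    for ip in $resolved; do
        case "$server_ips" in
            *" $ip "*) hit=$((hit + 1)) ;;   # whole-address match only
            *)         miss=$((miss + 1)) ;;
        esac
    done
    if   [ $((hit + miss)) -eq 0 ]; then echo NO_RECORD
    elif [ "$miss" -eq 0 ];         then echo MATCH
    elif [ "$hit" -eq 0 ];          then echo MISMATCH
    else                                 echo PARTIAL   # some records point elsewhere
    fi
}

# classify_http <status code from curl>: 000 means no HTTP answer at all.
classify_http() {
    case "$1" in
        000)     echo UNREACHABLE ;;
        200|404) echo REACHABLE ;;   # 404 is expected for a made-up token
        *)       echo "CHECK_$1" ;;  # redirect, 403, 5xx: inspect by hand
    esac
}

# resolve_ips <domain>: A and AAAA answers, keeping address lines only
# (dig +short also prints CNAME targets).
resolve_ips() {
    { dig +short A "$1"; dig +short AAAA "$1"; } 2>/dev/null |
        grep -E '^([0-9.]+|[0-9a-fA-F:]+:[0-9a-fA-F:]*)$' | tr '\n' ' '
}

# preflight "<server IPs>" domain...: one report line per domain; returns 1 on any failure.
preflight() {
    local server_ips="$1" rc=0 d dns http; shift
    for d in "$@"; do
        dns=$(classify_dcv_dns "$server_ips" "$(resolve_ips "$d")")
        http=$(classify_http "$(curl -s -o /dev/null -m 10 -w '%{http_code}' \
            "http://$d/.well-known/acme-challenge/test")")
        printf '%-30s dns=%-9s http=%s\n' "$d" "$dns" "$http"
        [ "$dns" = MATCH ] && [ "$http" = REACHABLE ] || rc=1
    done
    return "$rc"
}
```

Run it from a machine outside the server's network, passing the server's public IPs yourself, for example `preflight "203.0.113.10" example.com www.example.com` (placeholder values). Any line other than `dns=MATCH http=REACHABLE` marks a domain to fix before re-running AutoSSL.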
Preventive tips & best practices
- Monitor CA status (Let’s Encrypt status page or provider alerts). If the provider has an outage, you’ll know it’s not your setup.
- Keep cPanel/WHM updated so AutoSSL cron jobs and ACME client code are current.
- Ensure DNS is stable (use low TTL during migrations, confirm A records). AutoSSL needs correct DNS at renewal time.
- Allow AutoSSL to replace expiring non-AutoSSL certs if you rely on AutoSSL for renewal; configure this in WHM options.
- Run autossl_check manually from time to time to catch problems before they become visible to visitors.
 
When to contact your host (or Pamir Web Host)
If you’ve run the steps above and AutoSSL still fails repeatedly, or you prefer we handle it, contact your hosting support. At Pamir Web Host we can:
- Diagnose DCV logs and AutoSSL failures
- Recreate provider registrations safely
- Temporarily switch providers or reissue certificates
- Monitor renewals and alert before expiry
 
👉 Contact Pamir Web Host support for hands-on help and managed SSL maintenance.