SSL certificates are the foundation of website security. They encrypt data between your site and visitors, display the padlock icon in browsers, and signal to Google that your site is trustworthy. For UK businesses, HTTPS isn’t optional anymore. It affects search rankings, customer trust, and even payment processing. When AutoSSL breaks in cPanel, your site loses that green padlock, visitors see scary warnings, and your SEO takes a hit.
Most AutoSSL issues in cPanel are fixable without contacting support. This guide walks through the most common error messages, what causes them, and the exact steps to resolve each one. Whether you’re seeing “DCV failed” errors, missing domains, or AutoSSL refusing to run, you’ll find the solution here.
What’s in This Post
- Why AutoSSL Matters for Your Website
- Common AutoSSL Error Messages
- Troubleshooting DCV Failed Errors
- Fixing Missing Domains in AutoSSL
- How to Manually Trigger AutoSSL
- Switching AutoSSL Providers
- When to Use Manual Let’s Encrypt Instead
- Prevention Tips for Future Issues
- Final Thoughts
Why AutoSSL Matters for Your Website
AutoSSL automates the process of securing your domains with SSL certificates. It checks your cPanel domains, requests certificates from providers like Sectigo or Let’s Encrypt, validates domain ownership, and installs the certificates automatically. This happens in the background without manual intervention.
When AutoSSL works properly, certificates renew themselves every 90 days. When it breaks, you face real problems:
- Visitors see security warnings that make your site look suspicious
- Google rankings drop because HTTPS is a confirmed ranking signal
- E-commerce breaks as browsers block checkout forms on insecure pages
- Email encryption fails for mail domains without valid certificates
UK businesses particularly need HTTPS for GDPR compliance. Processing customer data on unencrypted connections violates data protection requirements. AutoSSL handles this automatically, but only when configured correctly.
Common AutoSSL Error Messages
cPanel displays AutoSSL errors in several locations. Check SSL/TLS Status in cPanel for domain-specific issues, or AutoSSL under Security for provider-level problems. Here are the errors you’ll encounter most often:
DCV Failed Errors
“The system failed DCV (Domain Control Validation)” means the AutoSSL provider couldn’t verify you control the domain. This happens when DNS records point elsewhere, validation files can’t be created, or firewall rules block validation requests.
No Valid Contact Email
“No valid contact email address available” prevents AutoSSL from requesting certificates. The system needs a working email for the domain (admin@, hostmaster@, or webmaster@) or your cPanel account email must be valid.
AutoSSL Check Pending
“An AutoSSL check is pending for this domain” indicates a stuck validation process. The system queued a check but hasn’t completed it, blocking new requests.
Provider Unavailable
“The AutoSSL provider is not available” means cPanel can’t connect to Sectigo or Let’s Encrypt servers. Network issues, firewall rules, or provider outages cause this.
Rate Limit Exceeded
“Too many requests” or “Rate limit exceeded” hits when you’ve requested too many certificates in a short period. Let’s Encrypt limits certificates to 50 per week per registered domain.
Troubleshooting DCV Failed Errors
Domain Control Validation failure is the most common AutoSSL issue. The provider needs proof you own the domain before issuing a certificate. Follow these steps to fix it:
Check DNS Records
If your domain’s A record points to a different server, DCV fails. Log into your DNS provider (not cPanel) and verify the A record matches your cPanel server IP address. Use dig yourdomain.com or an online DNS checker to confirm.
For domains using external DNS (Cloudflare, etc.), ensure the A record points to your cPanel server IP, not a proxy or CDN address. Some AutoSSL providers can’t validate through proxies.
Verify HTTP Validation Access
AutoSSL creates a validation file in /.well-known/pki-validation/ on your site. If .htaccess rules block this directory, validation fails. Add this to your .htaccess file to allow access:
# Allow AutoSSL validation
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/
# Your existing rewrite rules here
</IfModule>
Test by accessing http://yourdomain.com/.well-known/pki-validation/ in a browser. You should get a 404, not a redirect or access denied error.
Disable ModSecurity Rules
Overly aggressive ModSecurity rules sometimes block AutoSSL validation requests. In cPanel, go to Security → ModSecurity and check the audit log during AutoSSL runs. Disable problematic rules temporarily while troubleshooting.
Check Firewall Settings
If your server has a firewall, it must allow outbound connections to the AutoSSL provider. Let’s Encrypt uses ports 80 and 443. Sectigo requires port 443 outbound. Check with your hosting provider if you’re on a VPS or dedicated server.
Fixing Missing Domains in AutoSSL
Sometimes AutoSSL skips domains entirely. You’ll see them listed in cPanel but they don’t appear in the AutoSSL queue. Several causes exist:
Domain Not Configured for SSL
Parked domains and addon domains must be configured to use SSL. In cPanel:
- Go to Domains
- Find the domain and click Manage
- Enable Share Document Root if using a subdomain
- Scroll down and ensure SSL is not disabled
Subdomain Limits
Some AutoSSL providers limit how many subdomains can be included on a single certificate. If you have more than 100 subdomains, split them across multiple certificates or switch to a different provider. Let’s Encrypt allows up to 100 domain names per certificate, including the root domain and all subdomains.
If you manage a large number of subdomains (blog.yourdomain.com, shop.yourdomain.com, mail.yourdomain.com, etc.), consider grouping them logically. Create separate certificates for different services rather than cramming everything into one certificate. This approach also makes troubleshooting easier because you can isolate which domains are causing validation failures.
Invalid Domain Names
Domains with special characters, underscores, or invalid TLDs won’t get AutoSSL certificates. Rename them or request a manual certificate instead.
Excluded Domains
Check AutoSSL → Manage Users in WHM (if you have WHM access) or ask your host. Domains can be explicitly excluded from AutoSSL processing.
How to Manually Trigger AutoSSL
AutoSSL runs automatically every night, but you can force an immediate check:
In cPanel
- Log into cPanel
- Navigate to Security → SSL/TLS Status
- Select the domains you want to process (tick the checkboxes)
- Click Run AutoSSL
The system queues your request and processes it within a few minutes. Refresh the page to see results.
Via SSH (for WHM Users)
If you have SSH access and WHM, trigger AutoSSL for a specific user:
/usr/local/cpanel/bin/autossl_check --user=username
Or for all users on the server:
/usr/local/cpanel/bin/autossl_check --all
Watch the output for errors. This method provides more detailed logging than the cPanel interface.
Switching AutoSSL Providers
cPanel supports multiple AutoSSL providers. If one fails consistently, try another. The two main options are:
Sectigo (formerly Comodo)
Sectigo is cPanel’s default AutoSSL provider. It issues certificates quickly and handles domain validation well, but requires a valid cPanel license. Some shared hosting providers disable Sectigo to reduce costs.
Let’s Encrypt
Let’s Encrypt is free, widely trusted, and works on all cPanel servers. It has stricter rate limits (50 certificates per domain per week) but better compatibility with Cloudflare and other CDNs.
How to Switch Providers
If you have WHM access:
- Log into WHM
- Navigate to SSL/TLS → Manage AutoSSL
- Select your preferred provider from the dropdown
- Click Save
If you don’t have WHM access, contact your hosting provider and ask them to switch providers for your account.
When to Use Manual Let’s Encrypt Instead
AutoSSL isn’t always the best solution. Some situations require manual SSL certificate management:
Wildcard Certificates
AutoSSL doesn’t support wildcard certificates (*.yourdomain.com). If you have many subdomains, a manual wildcard certificate from Let’s Encrypt covers all of them. Use Certbot or the SSL/TLS → SSL Storage Manager in cPanel.
Complex DNS Setups
If your DNS is split across multiple providers, or you use external mail servers with custom MX records, AutoSSL validation can fail. Manual certificate requests using DNS validation (TXT records) work more reliably.
Third-Party SSL Certificates
For commercial certificates from providers like DigiCert or GlobalSign, you’ll install them manually through SSL/TLS → Manage SSL Sites. AutoSSL won’t interfere with manually installed certificates.
Rate Limit Issues
If you’ve hit Let’s Encrypt rate limits, requesting a single manual certificate for your main domain and www subdomain gets you covered while you wait for the limit to reset.
Prevention Tips for Future Issues
Once AutoSSL works, keep it working with these preventive measures:
Monitor SSL Expiry Dates
Set up monitoring for SSL certificate expiry. Tools like SSL Labs or UptimeRobot can alert you before certificates expire. If AutoSSL fails silently, you’ll know before visitors do.
Keep cPanel Updated
cPanel regularly fixes AutoSSL bugs and improves compatibility with SSL providers. Ask your hosting provider to keep your server updated, or enable automatic updates if you manage your own server. Check Server Information in WHM to see your current version. Major cPanel updates often include security patches, performance improvements, and better AutoSSL reliability.
If you’re on shared hosting, your provider manages updates. VPS and dedicated server customers should review cPanel release notes and test updates on staging environments before applying them to production servers. While updates generally improve stability, testing prevents unexpected issues with custom configurations.
Avoid DNS Changes During AutoSSL Runs
AutoSSL runs at night (typically 00:00 server time). Don’t change DNS records or migrate sites during this window. DNS propagation delays can cause validation failures if records change mid-check.
Maintain Valid Contact Emails
Keep your cPanel account email address current. AutoSSL uses this for validation when domain-specific emails (admin@, hostmaster@) don’t exist. Update it in Preferences → Contact Information.
Use Standard .htaccess Rules
If you customize .htaccess files, test that /.well-known/ paths remain accessible. Many WordPress security plugins block this directory by default. Whitelist it in your security rules.
Document Custom Configurations
If you’ve made special configurations (ModSecurity exceptions, firewall rules, DNS customizations), document them. When troubleshooting AutoSSL later, you’ll remember what you changed and why.
Final Thoughts
AutoSSL eliminates the manual work of managing SSL certificates, but it’s not bulletproof. Understanding the common failure points means you can diagnose and fix issues quickly. Most problems trace back to DNS configuration, validation access, or provider connectivity.
Start with the basics: verify DNS points to your cPanel server, check that HTTP validation paths are accessible, and ensure your contact email is valid. If AutoSSL still fails, switching providers or using manual Let’s Encrypt certificates provides reliable alternatives.
For UK businesses, SSL covers security, compliance, customer trust, and search rankings. Keeping AutoSSL running smoothly protects all four. When you encounter errors, work through the troubleshooting steps systematically. Most fixes are straightforward once you understand the cause.