Home Announcements, Server News • cPanel AutoSSL – Automatic Free SSL for All Domains

cPanel AutoSSL – Automatic Free SSL for All Domains

 - 

AutoSSL PadlockAutoSSL is going to change how webmasters secure data transferred to and from their sites.  For the longest time SSL was an additional expense that many webmasters chose to forego as it wasn’t required for the operation of their websites.  The time when not having SSL is the norm for most sites is coming to an end.  Generally SSL has been reserved for usage by those that send or receive private information such as your name, address, email address, and phone number or even your credit card information.

Google and other search engines are already giving preferable ranking to sites with SSL.  For quite some time we’ve offered Let’s Encrypt to our customers so that everybody has access to freely accessible SSL for any site they wish.  cPanel has taken this a step further and created what they refer to as AutoSSL.  AutoSSL generates and installs a domain validated SSL certificate on all active domains on a server that are not already protected with SSL.

There are several benefits to AutoSSL:

  • Installation is automatic with no forms to fill out.
  • No more validation emails to wait for and no more links to click to approve the certificate.
  • No more certificates to copy and paste into place.
  • Coverage will not lapse because the SSL is automatically renewed and installed.
  • The SSL is completely free and the encryption is just as strong as a paid certificate.

You may or may not be familiar with the process of issuing an SSL Certificate but generally most certificates are domain validated.  This means that when you request the certificate from a Certificate Authority, or CA, they generally will validate the request by sending email to a specific email address at the domain or by verifying the existence of a very specifically named file.

AutoSSL is entirely automatic and requires no human input and, as such, uses the file method for domain validation.  AutoSSL will create files within the document root of the appropriate domain, pass those file names on to the CA, and the CA validates the SSL request by loading the file.

You might see CA Validation files and the files used for validation generally look like this:

AutoSSL does not force you to use SSL.

AutoSSL is a fantastic feature and we’re excited to make it available; however, it does not automatically mean that your site will use SSL.  Similar to how installing a fire extinguisher in your kitchen means it’s available but not that you are currently using it.  AutoSSL installs a certificate and key pair in the web server so that SSL will function properly should you desire to use it.  This results in no changes to your sites or how they currently operate without your intervention.

AutoSSL is a fantastic step forward in security for our customers for no additional cost and we are excited to enable this feature.  Should you have any generalized questions about AutoSSL you an comment on this post or reach out to support.  Should you have any questions specific to your account do please reach out to our support department.

In the event that you do not want free SSL on your site you can opt-out of AutoSSL by reaching out to support.

Author:Michael Denney

Michael has been running websites since the young age of 11 and has always loved the web. He has worked for MDDHosting since 2007 and is an experienced webmaster and server administrator.

63 responses to “cPanel AutoSSL – Automatic Free SSL for All Domains”

  • John Ortmann December 17, 2016 at 10:33 am Reply 

    Great Job and good direction.


  • Albo P Fossa December 17, 2016 at 10:53 am Reply 

    The *only* thing that has held me back from AUTOSSL is my poor skill at rewriting .htaccess. I already have my .htaccess file nicely written (through instructions found elsewhere, of course) so that my website is properly redirected or addressed as “mydomain.com” instead of “www.mydomain.com” (note “www.” dropped). I wish to retain this. I’m doofus enough not to be able to poke “https” into my .htaccess file. (N.b., my .htaccess also contains WordPress records.)


    • Michael Denney December 17, 2016 at 11:00 am Reply 

      AutoSSL installs the certificates automatically – whether or not you use them is ultimately up to you. There is no obligation for you to use SSL but it’s there if you want to :).

      That said if you’re running something like WordPress it’s usually as simple as modifying the ‘Site URL’ option in the wp-admin to reflect “https://” instead of “http://” – be aware this won’t modify any hard links coded into content.


  • Russ McCabe December 17, 2016 at 10:58 am Reply 

    Nice… MDD is the best! Thanks Michael


    • Michael Denney December 17, 2016 at 11:01 am Reply 

      Sure thing :).


      • Russ McCabe December 17, 2016 at 11:16 am Reply 

        Michael,
        I’m curious about how this affects static ips. Will we be able to drop that cost if we use AutoSSL?
        Thanks,
        Russ


        • Michael Denney December 17, 2016 at 11:23 am Reply 

          A dedicated IP address hasn’t been required for SSL for a few years now. SNI has been available for a while – since we moved from CentOS5 to CentOS6 as our core operating system.


    • Big Dan December 17, 2016 at 12:00 pm Reply 

      Install a plugin called Velvet Blues Update URLs. https://wordpress.org/plugins/velvet-blues-update-urls/ it will search all your posts, links, etc and change the old domain to the new domain.

      OLD url: http://domain.com
      NEW url: https://domain.com

      Hope it helps


      • Norma Schroder December 17, 2016 at 9:49 pm Reply 

        Hey, Dan, many thanks for the pointer to that plugin. We manage about fifteen sites using WordPress — we will make heavy use of this one.

        Best,
        Norma


  • Kosta December 17, 2016 at 10:59 am Reply 

    This is good news. Thanks for this feature Michael.


  • Pamela Brooks December 17, 2016 at 11:01 am Reply 

    Thank you Michael.


  • Victoria Bampton December 17, 2016 at 11:01 am Reply 

    Good move. If we’re already on Let’s Encrypt, do we need to change anything?


    • Michael Denney December 17, 2016 at 11:02 am Reply 

      They’re extremely similar. We considered using Let’s Encrypt for AutoSSL but decided to stick with Comodo so that you have the choice. AutoSSL will only install on domains that are not already secured with a certificate so if you’re already using Let’s Encrypt you need not do anything :).


  • Jeff Tucker December 17, 2016 at 11:01 am Reply 

    Glad to see this!

    I’m assuming that this is not the same as an Extended Validation Cert, without which you get only a gray padlock in Edge and Safari, not the full green padlock (Chrome, Firefox, and Opera don’t appear to make any distinction).

    SSL appears to be working just fine on my domains, but I’m not seeing the three validation files in the document root, either in cPanel’s File Manager or in FileZilla. Are they hidden?


    • Michael Denney December 17, 2016 at 11:04 am Reply 

      The validation files may or may not show up in your account/stay. I simply wanted to outline that they could exist as we’ve had a few people go “SOMEBODY HACKED ME AND ADDED TEXT FILES!!!!!”

      Extended Validation does require extended validation where as these are domain validated certificates. If you already have an EV Certificate it will not be overwritten or modified by this. If you want an EV Certificate you do have to order one and go through the validation process.


      • Jeff Tucker December 17, 2016 at 11:23 am Reply 

        OK, I think I understand. So the validation files are there only long enough for validation to occur, right? I know that if I saw them sitting in my public_html, for example, I would delete them – “Hey, I didn’t upload these!” 😉

        Instead, I appear to have a new SSL directory, with certs and keys subdirectories.


  • Ryan Schulz December 17, 2016 at 11:06 am Reply 

    I understand the push to SSL, but forcing webmasters that don’t want to MIGRATE to opt-out is pretty poor form. Especially given the considerations with code, SEO, etc. Not cool.


    • Michael Denney December 17, 2016 at 11:10 am Reply 

      Nobody is being forced into anything. If you don’t want to use SSL – don’t :).

      Simply installing the certificate file in the server does nothing but make it possible to use it if you wish.


  • Tamir December 17, 2016 at 11:21 am Reply 

    MDD is the best!


  • David Henderson December 17, 2016 at 11:25 am Reply 

    Michael,

    That’s SOOOO easy to update in WordPress.

    Thank you for running the best web hosting outfit.

    David


  • SAMANTHA TANNER December 17, 2016 at 11:39 am Reply 

    Thanks Michael! Even though I haven’t had time to really work on my wordpress site, I’m still very please with MDDhosting. I’ve told many people and I highly recommend it.
    Hope you have a great Christmas.


  • Rich Trefz December 17, 2016 at 11:59 am Reply 

    I tried just putting https:// in front of my site’s URL in the browser. And get this …

    Attackers might be trying to steal your information from http://www.MYWEBSITE.com (for example, passwords, messages, or credit cards). NET::ERR_CERT_COMMON_NAME_INVALID
    Automatically report details of possible security incidents to Google. Privacy policy
    Back to safetyHIDE ADVANCED
    This server could not prove that it is http://www.MYWEBSITE.com; its security certificate is from http://www.abilityday.org. This may be caused by a misconfiguration or an attacker intercepting your connection. Learn more.

    Proceed to http://www.MYWEBSITE.com (unsafe)


    • Michael Denney December 17, 2016 at 12:30 pm Reply 

      In a few cases this isn’t working properly and we have an open support request with cPanel for them to investigate. They’re actually looking into it now and once we know the cause we will resolve it.


    • Michael Denney December 17, 2016 at 4:03 pm Reply 

      It is taking some time to get some certificates issued. You’ll want to make sure you test your site over https:// before making any changes. If it’s still not working for you at this point please open a ticket so I can take a closer look.


      • Rich Trefz December 17, 2016 at 4:44 pm Reply 

        https is working now – thanks! This is great.


      • Kevin Whited December 17, 2016 at 11:16 pm Reply 

        FYI, still having the problem with my domains on P1 (other than the one you guys fixed manually). Not a big deal, just thought you’d like to know…

        This will be a really nice addition.


        • Michael Denney December 18, 2016 at 9:44 am Reply 

          You’ll need to update your outstanding ticket. While I’m happy to help here – it’s hard to be specific in a public venue when discussing your account.


  • Greg December 17, 2016 at 1:19 pm Reply 

    Does this conflict with folks using CloudFlare in any way? I know SSL’s did in the past.


    • Michael Denney December 17, 2016 at 1:50 pm Reply 

      It only installs the certificates in our server – it has no impact on CloudFlare. That said if you are using CloudFlare and want to use this SSL – you’ll need to change a couple of settings at CloudFlare [to enable SSL].


  • Mark Lamprey December 17, 2016 at 2:11 pm Reply 

    Hi Michael,
    A few questions:
    1. How do I turn it on?
    2. Will this change the web address to HTTPS:// ?
    3. Can I use it for a single page on a website, say where a form is to be submitted?
    4. Does this slow down the page loading?
    Thanks.


    • Michael Denney December 17, 2016 at 4:02 pm Reply 

      1. It’s on already.
      2. No – you have to make that change.
      3. It’s by-domain and would apply to all domains – so yes – you can use it for any form you like.
      4. I suppose it could in theory by a few milliseconds.


  • Marshalleq December 17, 2016 at 4:11 pm Reply 

    I have an existing PAID SSL cert, which I got before let’s encrypt was available. I’ve been sent a reminder yesterday to pay again and I see little point. I assume I’ll have to contact support to get this transitioned?

    Thanks.


    • Michael Denney December 17, 2016 at 4:14 pm Reply 

      You can simply install Let’s Encrypt to replace your paid certificate – it will behave exactly the same. That said if you really want to use AutoSSL instead of Let’s Encrypt – yes you’d need to reach out to support to avoid a short period without SSL.

      It’s worth noting that most paid certificates come with some sort of insurance against the certificate being compromised. It is my understanding that the free certificates do not include any such insurance.


  • Michael Denney December 17, 2016 at 6:26 pm Reply 

    This blog is using SSL by cPanel AutoSSL as well :).

    http://www.screen-shot.net/2016-12-17_17-26-28.png


  • Shawnt Bazikian December 17, 2016 at 8:31 pm Reply 

    How come AutoSSL is not available for CloudLinux Servers doesnt seem to be an option. Is this only for Centos?


    • Michael Denney December 17, 2016 at 8:42 pm Reply 

      We run CloudLinux and we’re running AutoSSL without an issue so I’m unsure where your question comes from. If you’re having issues do please open a support ticket so we can take a look :).


  • Nerdimports December 18, 2016 at 5:12 am Reply 

    If AutoSSL is enabled by default, then I should be able to go into WordPress and start changing the site address from http to https with no other action? I just ask because in the past when I have tried to change this, if it doesn’t work then I am unable to access the admin panel again because of the changes.


    • Michael Denney December 18, 2016 at 9:45 am Reply 

      You’ll want to try loading the site with “https://” via your browser before making any changes. If you get an SSL error – then it would be ill advised to make the change in your wp-admin and I’d suggest opening a ticket.


  • Dennis Roliff December 18, 2016 at 9:41 am Reply 

    I’m a little confused on how this works. I can see that when I physically type in https://mydomain.com into a browser that it works and shows the little green lock. How do I make it so that when a random person searches and types in mydomain.com that it automatically comes up as https://mydomain.com ? Is there something I need to change in the index.html file? Thanks.


    • Michael Denney December 18, 2016 at 9:56 am Reply 

      You can do it via mod_rewrite in the .htaccess if you desire. It’s just one of the few ways to do it depending on your content.


      • Jeff Tucker December 18, 2016 at 5:01 pm Reply 

        Even easier to do it from within cPanel, on the Domains/Redirects page. For a simple site, choose the domain (like example.com), redirect to https://example.com (your domain, of course), redirect both with and without www, and choose the wildcard redirect. No messy .htaccess syntax to worry about.


  • Greg Nicholson December 19, 2016 at 11:38 am Reply 

    [[ Redacted ]]


  • Greg Nicholson December 19, 2016 at 1:23 pm Reply 

    What’s interesting is that I have multiple site I host from my main site. Some of them still open without problems, such as designcubedart.com or web1006.d3clientsite.com, but designcubedphotography.com and web.1004.d3clientsite.com do not.

    Any suggestions?


    • Michael Denney December 19, 2016 at 1:24 pm Reply 

      Yes, please respond to the support ticket I opened with you.


  • Dave Murphy December 19, 2016 at 5:13 pm Reply 

    Changed in WordPress settings to https://
    Installed Velvet Blues plugin and changed all links etc.
    Google Chrome still shows a little ‘info’ icon in address bar which shows that site is not secure because of ‘Non Secure Origins’ as the original http:// site
    What else can be done to get it working???
    Delighted that it has been added, by the way!


    • Michael Denney December 19, 2016 at 5:20 pm Reply 

      You’ll need to follow the advice already given by Big Dan in a comment here on this post.

      In short – it’s a content issue and not a server issue. You’re loading some of your files via a hard-coded “http://”


    • Dave Murphy December 19, 2016 at 5:24 pm Reply 

      Seems to be working now after closing and reopening browser.


  • Thomas December 20, 2016 at 2:50 am Reply 

    Could somebody write simple steps how to do that in WordPress? If it’s that easy to do in WordPress, could someone post anything?
    Would appreciate a lot.


    • Michael Denney December 20, 2016 at 11:58 am Reply 

      The simple steps are to update the “Site URL” to use HTTPS in the wp-admin.

      The reason it’s not really that simple is because of themes, plugins, widgets, and hard-coded content. Simply updating the Site URL is all that’s needed on some sites – while others it’s quite a bit more complicated to get it changed over. There really is no simple answer unless you’re running a vanilla installation of WordPress.


    • Morgan December 31, 2016 at 10:59 pm Reply 

      Michael, MANY thanks for this perk (also a relief to know what those strange text files were)! Thomas, I think these are the steps for a WordPress site. It has worked fine so far on a couple of sites I don’t care about, but you may want to wait for Michael to give the thumbs up before proceeding.

      1). Log in to your Dashboard and go to Settings/General
      2). Add an s after http to your website URL in the WordPress Address (URL) and Site Address (URL) boxes
      3). Click the Save Changes button at the bottom of the Settings page
      4). Go to Plugins/Add New
      5). In the Search Plugin box, type velvet, then hit enter
      6). Velvet Blues Update URLs will come up up near the top of the list
      7). Click on the plugin name
      8). In the window that pops up, click the Install Now button
      9). Th window will close and show you the Add Plugins page again. Click the Activate button next to Velvet Blues Update URLs
      9). We’re almost done! Go to Tools/Update URLs
      10). Under Step 1, put your old http:// URL in the first box and your new https:// URL in the second box
      11). Under Step 2, check all of the checkboxes except the last one (IMPORTANT – do NOT check Update ALL GUIDs)
      12). Click the Update URLs Now button
      13). A little box will come up telling you how many changes were made
      14). Return to Plugins/Installed Plugins and deactivate Velvet Blues Update URLs. Once it is deactivated, you can delete it.
      15). This is optional, but you may want to go the plugin’s page on WordPress.org and either leave them a nice review or donate a dollar or two (or both), since they just saved you from having to search all over your website for links that needed to be updated.

      https://wordpress.org/plugins/velvet-blues-update-urls/


  • Mike Mahendran December 20, 2016 at 1:40 pm Reply 

    Can I use Comodo SSL logo on the bottom of the protected web page (web form)?


    • Michael Denney December 20, 2016 at 2:16 pm Reply 

      Honestly I do not believe that any sort of site seal is available when using AutoSSL or Let’s Encrypt. More than likely to use a site seal that’s not simply an image – you’ll need to actually purchase a certificate.


  • Jeff Soulen December 20, 2016 at 8:53 pm Reply 

    Thank you so much Michael, this is awesome. I really wanted to convert my site to SSL for the search engine advantage, but found Let’s Encrypt very cumbersome for a little guy with little time to run a little website. This couldn’t be easier – followed the instructions above to modify the WP site URL, copied and pasted the text from your KB article into my .htaccess file and bingo, I’ve got a beautiful green lock on every one of my pages. Thanks for such great hosting and support!


  • Nick Konstantoglou December 22, 2016 at 3:54 pm Reply 

    If I already have Let’s Encrypt, are there any benefits to switching to AutoSSL?


  • Luie Zappacosta June 2, 2017 at 7:06 pm Reply 

    what if I have a regular ssl certificate for my domain and its a shared cert… and I have auto ssl turned on that domain too? Will that cause any interferences?


    • Michael Denney August 21, 2017 at 8:26 pm Reply 

      AutoSSL will not replace an active/valid SSL Certificate.


Leave a Reply

Your email address will not be published. Required fields are marked*

*

*