How to solve problem renewing SSL certificate when using cPanel AutoSSL and Cloudflare

Are you having problems renewing an SSL certificate using cPanel’s AutoSSL feature on a domain which is also using Cloudflare?  Read on for a solution, and an explanation for why this happens.

The Symptoms

Typically, you’ll be alerted to the fact that your SSL certificate is having problems renewing or has expired when you receive an automated email from cPanel. It looks something like this:

The “cPanel” AutoSSL provider could not renew the SSL certificate without a reduction of coverage because of the following problems:

⛔ yourdomain.com [ Last AutoSSL Run at “2018-03-25 at 10:24:15 UTC” ]
“yourdomain.com” does not resolve to any IPv4 addresses on the internet.

If your SSL certificate has expired you’ll also be seeing problems when you navigate to your website – either a nasty red lock instead of the nice green one, a scary SSL warning notice, or a Cloudflare error page.  Bad times.

The Solution

Temporarily deactivate Cloudflare then renew the certificate. You’ll find AutoSSL will renew perfectly fine once traffic is set to bypass Cloudflare and you can switch Cloudflare straight back on again once the certificate is safely renewed.

For those wanting a detailed step by step:

  1. Log in to Cloudflare
  2. Navigate to the ‘DNS’ area for the domain
  3. You’ll see some lines with orange clouds. Click on those orange clouds to bypass Cloudflare services (this is effectively turning Cloudflare off except for DNS routing)
  4. Log in to cPanel or WHM (whichever you use to manage your AutoSSL)
  5. Renew the SSL certificate – instructions here.
  6. Visit your website and confirm that everything is now back to green, safe, happy normality. Celebrate!
  7. Go back to Cloudflare and re-enable the orange clouds
  8. Voila!

SSL certificates generated using AutoSSL are valid for 90 days. So if you run AutoSSL and Cloudflare, you’re going to encounter this every 90 days. 😐  It’s really annoying… but there is not currently a better solution if you wish to use free AutoSSL + free Cloudflare. If it really bugs you then the best solution would be to purchase a premium SSL certificate which will last for up to a few years (depending what you pay).

Why Does this Happen?

AutoSSL will fail for your site if a CDN like Cloudflare is enabled because AutoSSL requires that the domain resolves to your local cPanel server for Domain Control Validation (DCV) to succeed. If you use Cloudflare, it can’t do that.

Stuff that is often suggested by hosts which usually doesn’t work:

  • Apply firewall rules to allow the DCV server to bypass Cloudflare
  • Modify .htaccess to match on the user agent and let it through.
  • Add URL rules in Cloudflare to allow anything looking for *yourdomain.com/.well-known/pki-validation/* can pass through.

I say again… in my experience the only reliable solution is to temporarily disable Cloudflare and renew the certificate. 

Hope that helps anyone who stumbles into this particularly annoying problem. 🙂

3 thoughts on “How to solve problem renewing SSL certificate when using cPanel AutoSSL and Cloudflare

  1. Debé Scott says:

    Thanks for this – worked perfectly with this annoying problem 😀

  2. justin says:

    You dont mention anything about; what if using ONLY Cloudflare free SSL? would that cause problem too? and why are you using two SSLs from two different organizations.

    1. Maeve says:

      Great questions. There are two points at which traffic needs to be encrypted. Between your origin server and Cloudflare, and between Cloudflare and the visitor. Here’s a visualisation to help explain:

      null

      Cloudflare’s SSL is represented by the green lock on the left. To encrypt the one on the right – your origin server to Cloudflare – you need an SSL cert on the origin server.

      There are various ways to get an SSL on your origin. You can generate a free one using something like AutoSSL in cPanel (the option this article focuses on), or you can buy one from Cloudflare or another certificate authority and manually install it on your server. The AutoSSL option is attractive both because it’s free and because it does not require a complex process to install.

Leave a Comment

Your email address will not be published. Required fields are marked *