How to solve a problem renewing an SSL certificate when using cPanel AutoSSL and Cloudflare

Are you having problems renewing an SSL certificate with cPanel’s AutoSSL feature on a domain that also uses Cloudflare? Read on for a solution, and an explanation of why this happens.

The Symptoms

Typically, you’ll be alerted to the fact that your SSL certificate is having problems renewing or has expired when you receive an automated email from cPanel. It looks something like this:

The “cPanel” AutoSSL provider could not renew the SSL certificate without a reduction of coverage because of the following problems:

⛔ yourdomain.com [ Last AutoSSL Run at “2018-03-25 at 10:24:15 UTC” ]
“yourdomain.com” does not resolve to any IPv4 addresses on the internet.

If your SSL certificate has expired you’ll also be seeing problems when you navigate to your website – either a nasty red lock instead of the nice green one, a scary SSL warning notice, or a Cloudflare error page. Bad times.

The Solution

Temporarily deactivate Cloudflare then renew the certificate. You’ll find AutoSSL will renew perfectly fine once traffic is set to bypass Cloudflare and you can switch Cloudflare straight back on again once the certificate is safely renewed.

For those wanting a detailed step by step:

  1. Log in to Cloudflare
  2. Navigate to the ‘DNS’ area for the domain
  3. You’ll see some lines with orange clouds. Click on those orange clouds to bypass Cloudflare services (this is effectively turning Cloudflare off except for DNS routing)
  4. Log in to cPanel or WHM (whichever you use to manage your AutoSSL)
  5. Renew the SSL certificate – instructions here.
  6. Visit your website and confirm that everything is now back to green, safe, happy normality. Celebrate!
  7. Go back to Cloudflare and re-enable the orange clouds
  8. Voila!

SSL certificates generated using AutoSSL are valid for 90 days. So if you run AutoSSL and Cloudflare, you’re going to encounter this every 90 days. 😐 It’s really annoying… but there is not currently a better solution if you wish to use free AutoSSL + free Cloudflare. If it really bugs you then the best solution would be to purchase a premium SSL certificate which will last for 1, 3, 5 or more years (depending on what you pay).

Why Does this Happen?

AutoSSL will fail for your site if a CDN like Cloudflare is enabled, because AutoSSL requires the domain to resolve to your cPanel server for Domain Control Validation (DCV) to succeed. While Cloudflare is proxying the domain, it doesn’t.
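Because the failure is a DNS condition, it can be checked before triggering a renewal. The script below is an added example, not code from the original post, cPanel or Cloudflare: it resolves a domain’s IPv4 addresses and classifies the result against the cPanel server’s own IP(s) into “ok” (DCV can reach the origin), “no-ipv4” (the wording of the cPanel notification above) or “proxied” (the name resolves, but not to the origin, which is what an orange-clouded record produces). The function names, the script filename and the sample addresses are constructed for illustration.

```python
"""Pre-flight DNS check for cPanel AutoSSL Domain Control Validation (DCV).

AutoSSL's DCV needs the domain's public A records to point at the cPanel
server itself. While the domain is proxied (orange cloud), the A records
return the proxy's addresses instead, so validation cannot reach the origin.
This script resolves the domain and reports which situation applies.

Added example; function names and sample addresses are constructed and are
not part of cPanel or Cloudflare.
"""
import socket
import sys
from typing import Callable, Iterable, List

# A resolver maps a domain name to a list of IPv4 strings. The default uses
# the system resolver; a fake one can be injected for offline testing.
Resolver = Callable[[str], List[str]]


def system_resolver(domain: str) -> List[str]:
    """Return the IPv4 addresses the configured DNS currently gives for domain."""
    try:
        infos = socket.getaddrinfo(domain, None, socket.AF_INET)
    except socket.gaierror:
        return []
    # getaddrinfo returns (family, type, proto, canonname, sockaddr); for
    # AF_INET the sockaddr is (ip, port).
    return sorted({info[4][0] for info in infos})


def classify_dcv_dns(domain: str, origin_ips: Iterable[str],
                     resolver: Resolver = system_resolver) -> str:
    """Classify whether AutoSSL DCV can reach the origin server for domain.

    Returns one of:
      "ok"       every resolved A record is one of the cPanel server's IPs
      "no-ipv4"  the domain has no IPv4 addresses at all
      "proxied"  the domain resolves, but to addresses other than the origin
    """
    origin = set(origin_ips)
    resolved = set(resolver(domain))
    if not resolved:
        return "no-ipv4"
    if resolved <= origin:
        return "ok"
    return "proxied"


def explain(domain: str, origin_ips: Iterable[str],
            resolver: Resolver = system_resolver) -> str:
    """Human-readable verdict, suitable for a cron job or a shell prompt."""
    verdict = classify_dcv_dns(domain, origin_ips, resolver)
    messages = {
        "ok": "resolves to the cPanel server; AutoSSL DCV should succeed.",
        "no-ipv4": "does not resolve to any IPv4 addresses; fix DNS first.",
        "proxied": "resolves to addresses that are not the origin (proxy/CDN "
                   "enabled); pause the proxy before running AutoSSL.",
    }
    return f"{domain}: {messages[verdict]}"


if __name__ == "__main__":
    # Usage (constructed filename): python dcv_precheck.py yourdomain.com 203.0.113.10
    if len(sys.argv) < 3:
        sys.exit("usage: dcv_precheck.py DOMAIN ORIGIN_IP [ORIGIN_IP ...]")
    print(explain(sys.argv[1], sys.argv[2:]))
```

Run it from the cPanel server with the server’s public IP as the origin argument; a “proxied” verdict before a renewal tells you the orange clouds still need to be turned off, and an “ok” verdict afterwards tells you it is safe to trigger AutoSSL.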

Workarounds that hosts often suggest, but which usually don’t work:

  • Apply firewall rules to allow the DCV server to bypass Cloudflare
  • Modify .htaccess to match on the user agent and let it through.
  • Add URL rules in Cloudflare so that anything requesting *yourdomain.com/.well-known/pki-validation/* can pass through.

I say again… in my experience the only reliable solution is to temporarily disable Cloudflare and renew the certificate.

Hope that helps anyone who stumbles into this particularly annoying problem. 🙂
