Free SSL for All Clients: AutoSSL Setup in cPanel

Why SSL Is Non-Negotiable in 2026

SSL (Secure Sockets Layer) certificates encrypt data transmitted between a website and its visitors, protecting sensitive information like login credentials, credit card details, and personal data from interception. In 2026, SSL is no longer optional – it' s a baseline requirement for any professional website. Here's why:

First, Google' s HTTPS ranking factor has only grown stronger. Since 2014, Google has used HTTPS as a positive ranking signal, and in 2026, websites without SSL are actively penalized in search results. A 2025 study by Backlinko found that 98% of page 1 Google results use HTTPS, up from 65% in 2019.

Second, all major browsers (Chrome, Firefox, Edge, Safari) now display prominent "Not Secure" warnings for HTTP websites. These warnings scare away visitors – 75% of users will leave a site immediately if they see a security warning, according to a 2026 HubSpot survey. For e-commerce sites, this directly translates to lost sales.

Third, PCI DSS (Payment Card Industry Data Security Standard) compliance requires SSL for any website that processes credit card payments. Failing to meet PCI compliance can result in fines up to $100, 000 per month and loss of payment processing privileges.

Finally, user trust is everything. The padlock icon in the browser address bar signals to visitors that your site is safe to use. Without it, even loyal customers may hesitate to share their information.

"AutoSSL has eliminated 100% of our SSL-related support tickets. Our reseller clients no longer worry about expired certificates, and we save 10+ hours per month on manual SSL management." – Gabe Martinez, Founder of GabeHost

What Is cPanel AutoSSL?

cPanel AutoSSL is a built-in feature of cPanel/WHM (Web Host Manager) that automatically provisions, installs, and renews free SSL certificates for all domains hosted on your server. It integrates with Let's Encrypt (a free, automated certificate authority) to provide Domain Validated (DV) SSL certificates at no cost to you or your clients.

Unlike manual SSL installation, which requires purchasing certificates, generating CSRs (Certificate Signing Requests), validating domain ownership, and manually installing the certificate, AutoSSL handles every step automatically. Once enabled, it runs daily to check for expiring certificates and renew them 30 days before they expire – no human intervention required.

AutoSSL covers all domains and subdomains associated with a cPanel account, including addon domains, parked domains, and subdomains. For resellers, this means you can enable AutoSSL once in WHM and provide free SSL to every client account automatically.

How AutoSSL Works (Let' s Encrypt Integration)

AutoSSL relies on the Automatic Certificate Management Environment (ACME) protocol to communicate with Let's Encrypt. Here' s the step-by-step process:

1. Domain Discovery:AutoSSL scans all cPanel accounts on your server to identify domains and subdomains that need SSL certificates.
2. Validation Request:For each domain, AutoSSL sends a request to Let's Encrypt to validate domain ownership. Let' s Encrypt provides a validation token that must be placed on the domain's server.
3. Domain Validation: AutoSSL automatically places the validation token in the domain' s public HTML directory (or updates DNS records if DNS-based validation is configured). Let's Encrypt then checks for the token to confirm ownership.
4. Certificate Issuance: Once validation is successful, Let' s Encrypt issues a free 90-day SSL certificate.
5. Automatic Installation:AutoSSL installs the certificate on the domain and configures the server to use it.
6. Auto-Renewal:AutoSSL runs daily and renews certificates 30 days before expiration, ensuring there's never a lapse in coverage.

By default, AutoSSL uses HTTP-based validation, which works for most domains. For wildcard certificates (which cover all subdomains, e.g., *.example.com), you' ll need to configure DNS-based validation by adding a CAA (Certificate Authority Authorization) record to your domain's DNS settings.

Step-by-Step: Enable AutoSSL in WHM for All Reseller Accounts

Enabling AutoSSL for all your reseller clients takes less than 5 minutes in WHM. Follow these steps:

1. Log into WHM as Root

Access your WHM dashboard by navigating to https://your-server-ip:2087 or https://your-hostname.com/whm. Log in with your root credentials.

2. Navigate to AutoSSL Management

In the WHM search bar, type "Manage AutoSSL" and select the option under the "SSL/TLS" section.

3. Select AutoSSL Provider

By default, cPanel uses Let' s Encrypt as the AutoSSL provider. Ensure the "Let's Encrypt" tab is selected. If you want to use a different provider (like cPanel's own certificate authority), you can select it here, but Let' s Encrypt is the most widely used free option.

4. Enable AutoSSL for All Reseller Accounts

Scroll down to the "Users" section. You'll see a list of all cPanel users on your server. To enable AutoSSL for all reseller accounts:

• Click the "Select All" checkbox at the top of the user list.
• Click the "Enable" button next to "AutoSSL" for the selected users.
• Alternatively, you can enable AutoSSL for specific reseller accounts by checking only the boxes next to reseller usernames.

5. Run AutoSSL for All Users (Optional)

AutoSSL runs automatically once per day, but you can trigger an immediate run by clicking the "Run AutoSSL For All Users" button at the top of the page. This will provision certificates for all enabled accounts immediately.

6. Verify AutoSSL Status

After running AutoSSL, check the "Logs" tab to confirm that certificates were issued successfully. You can also check the "SSL Status" page in any client' s cPanel dashboard to verify that their domains have active SSL certificates.

AutoSSL vs Manual SSL Installation

Manual SSL installation was the standard before AutoSSL, but it's time-consuming and error-prone. Here' s how the two methods compare:

• Cost: AutoSSL is free (via Let's Encrypt). Manual SSL requires purchasing certificates from a CA, which can cost $10–$200+ per year per domain.
• Time: AutoSSL takes 5 minutes to enable for all accounts. Manual installation takes 30+ minutes per domain, plus ongoing time for renewals.
• Renewal: AutoSSL renews certificates automatically every 90 days. Manual certificates must be renewed manually every 1–2 years, with reminders easy to miss.
• Coverage: AutoSSL covers all domains and subdomains in a cPanel account automatically. Manual installation requires separate certificates for each domain/subdomain.
• Error Rate: AutoSSL has a <1% failure rate for valid domains. Manual installation has a ~15% error rate due to misconfigured CSRs, validation failures, or installation mistakes.

For resellers, AutoSSL is the only scalable option. Manually managing SSL certificates for 50+ client accounts would require hours of work every month – AutoSSL eliminates this entirely.

SSL Certificate Comparison Table

Not all SSL certificates are created equal. Here' s how Let's Encrypt (via AutoSSL), manual Let' s Encrypt, and paid SSL certificates compare:

Note: Paid SSL certificates include warranties that cover damages if the certificate fails, which is required for some enterprise clients. For most small business websites, AutoSSL' s free DV certificates are more than sufficient.

Forcing HTTPS with .htaccess Rules

AutoSSL installs the certificate, but you still need to redirect all HTTP traffic to HTTPS to ensure visitors always use the secure version of the site. This is done via .htaccess rules in the domain's root directory.

Add the following code to your domain' s .htaccess file (usually located at /public_html/.htaccess):

RewriteEngine On # Redirect HTTP to HTTPS RewriteCond % {
                    HTTPS
                }

                off RewriteRule ^(.*)$ https: //%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

                # Optional: Force HTTPS for specific domains # RewriteCond % {
                    HTTP_HOST
                }

                ^example\.com$ [OR] # RewriteCond % {
                    HTTP_HOST
                }

                ^www\.example\.com$ # RewriteRule ^(.*)$ https: //www.example.com/$1 [L,R=301]

The 301 redirect is a permanent redirect, which tells search engines to update their indexes to the HTTPS version of your site. This preserves your SEO rankings when switching from HTTP to HTTPS.

If you have multiple domains in a single cPanel account, the first rule will redirect all of them to HTTPS automatically. The optional rules below it allow you to force a specific domain format (e.g., www vs non-www) for specific domains.

Fixing Mixed Content Errors

Mixed content occurs when an HTTPS website loads resources (images, scripts, CSS, iframes) over HTTP. Browsers block mixed content by default, leading to broken pages and security warnings. Even with AutoSSL enabled, mixed content can break your site's security.

Common causes of mixed content:

• Hardcoded HTTP URLs in HTML (e.g., )
• HTTP URLs in CSS or JavaScript files
• Third-party scripts or widgets loaded over HTTP

How to fix mixed content:

1. Use relative URLs: Replace absolute HTTP URLs with relative URLs (e.g., /images/image.jpg instead of http://example.com/images/image.jpg).
2. Update hardcoded URLs: Search your site's code for "http://" and replace it with "https://" (ensure the resource is available over HTTPS first).
3. Use upgrade-insecure-requests: Add the following Content-Security-Policy header to your .htaccess file to automatically upgrade HTTP requests to HTTPS:

    Header always set Content-Security-Policy "upgrade-insecure-requests"
                   

4. Check third-party resources: If a third-party widget doesn't support HTTPS, find an alternative that does.

You can check for mixed content errors using Chrome DevTools (Console tab) or online tools like Why No Padlock.

Troubleshooting Common AutoSSL Issues

AutoSSL is reliable, but issues can occur. Here are the most common problems and their fixes:

1. Domain Validation Fails

Cause: Let' s Encrypt can't verify domain ownership. This is usually due to DNS not pointing to your server, firewall rules blocking Let' s Encrypt's IPs, or incorrect file permissions.

Fix:

• Verify that the domain' s A record points to your server's IP address using a tool like DNSChecker.
• Ensure your server' s firewall allows traffic from Let's Encrypt' s validation IPs (see Let's Encrypt' s IP list for the latest ranges).
• Check that the domain's public_html directory has 755 permissions (run chmod 755 /home/user/public_html via SSH).

2. Certificate Not Installed

Cause: AutoSSL issued the certificate but failed to install it.

Fix: Check the AutoSSL logs in WHM (SSL/TLS → Manage AutoSSL → Logs tab) for error messages. Common issues include expired domain registration or suspended cPanel accounts.

3. Auto-Renewal Fails

Cause: Domain DNS changed, firewall blocked Let' s Encrypt, or the AutoSSL provider was disabled.

Fix: Re-run AutoSSL manually for the affected account, verify DNS settings, and ensure the AutoSSL provider is still enabled in WHM.

4. Wildcard Certificate Not Issuing

Cause: AutoSSL uses HTTP validation by default, which doesn't support wildcard certificates.

Fix: Configure DNS-based validation by adding a CAA record to your domain' s DNS: example.com. CAA 0 issue "letsencrypt.org" . Then enable DNS validation in WHM's AutoSSL settings.

SSL Monitoring & Auto-Renewal

AutoSSL handles auto-renewal, but it' s still important to monitor SSL status to catch issues early. Here's how:

• WHM SSL Status: Navigate to SSL/TLS → SSL Status in WHM to see the expiration date of all certificates on your server.
• AutoSSL Logs: Check the AutoSSL logs daily for failed renewal attempts (WHM → SSL/TLS → Manage AutoSSL → Logs).
• Client cPanel Alerts: cPanel sends automatic email alerts to clients when their SSL certificate is about to expire (even with AutoSSL, these alerts are harmless but can be disabled in cPanel settings).
• Third-Party Monitoring: Use free tools like SSL Labs' SSL Test or UptimeRobot to monitor SSL expiration and configuration for client sites.

AutoSSL renews certificates 30 days before expiration, so there's a wide window to fix any issues that arise during renewal.

Selling "Free SSL Included" to Your Clients

Free SSL via AutoSSL is a powerful selling point for your reseller hosting packages. Most clients don' t understand the technical details of SSL, but they know they need it – and they don't want to pay extra for it.

Here' s how to position free SSL in your marketing:

• Highlight cost savings: "Every plan includes free auto-renewing SSL certificates (a $50+/year value) at no extra cost."
• Emphasize convenience: "No manual renewals, no expiration headaches – your SSL certificate is always up to date automatically."
• Build trust: "All sites hosted with us get the padlock icon in browsers, boosting visitor trust and SEO rankings."
• Include in all packages: Even your cheapest reseller plan should include free SSL – it's a baseline expectation in 2026.

At GabeHost, we include free AutoSSL for every reseller client, and it' s one of the top reasons agencies choose our platform. It's a win-win: your clients get better security, and you save time on support.

Conclusion

AutoSSL is a game-changer for reseller hosting providers. It eliminates the time-consuming work of managing SSL certificates, provides better security for your clients, and gives you a competitive edge in the market.

By following the steps in this guide, you can enable AutoSSL for all your reseller accounts in minutes, force HTTPS with .htaccess rules, and troubleshoot any issues that arise. Combined with GabeHost' s NVMe storage, free WHMCS, and 24/7 support, you have everything you need to build a profitable hosting business.