Every domain on Omega Digital is eligible for a free Let's Encrypt certificate via cPanel's AutoSSL. In most cases it issues automatically within minutes of DNS pointing at us. This article covers the auto flow, the manual force-issue steps when AutoSSL stalls, and the cases where a paid certificate still makes sense.
How AutoSSL works
AutoSSL runs automatically: every domain you add to cPanel triggers an HTTP challenge. Let's Encrypt requests a specific file at http://yourdomain.com/.well-known/acme-challenge/... and if it sees the expected response, it issues a 90-day certificate. AutoSSL renews 30 days before expiry, also automatically.
For the challenge to succeed, three things must be true:
- The domain's A record points to your Omega Digital server IP
- Port 80 on the server is reachable and not redirecting in a way that breaks the challenge path
- The domain is listed in the Domains section of cPanel (it usually is, automatically)
Check current status
1. In cPanel, open SSL/TLS Status under the Security section.
2. You will see every domain and subdomain on the account with a green, yellow, or red status dot.
3. Green: valid certificate, renews automatically.
4. Yellow: AutoSSL is trying, not yet issued.
5. Red: issuance failed. Click the domain for the specific error.
Force a new issuance
1. Open cPanel → SSL/TLS Status.
2. Tick the domains you want covered.
3. Click Run AutoSSL.
4. Wait 1-5 minutes. Refresh the page.
```bash
# Force issuance from SSH (faster feedback than the UI)
uapi --user=cpuser SSL start_autossl_check
# Tail the AutoSSL log
tail -f /var/cpanel/logs/autossl.log
```
What happens when validation fails
Read the exact error in SSL/TLS Status. The three we see most often:
| Error | Cause | Fix |
|---|---|---|
| DNS does not resolve to the server | A record points elsewhere | Update A record at DNS provider |
| HTTP returned non-200 for challenge path | .htaccess redirects everything to HTTPS | Exempt /.well-known/acme-challenge/ in .htaccess |
| CAA record forbids Let's Encrypt | Old CAA record restricts CAs | Add `CAA 0 issue "letsencrypt.org"` or delete the existing CAA |
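The three failures in the table can be checked from a shell before re-running AutoSSL. The script below is an added example, not Omega Digital's or cPanel's tooling; the function names and the `preflight-probe` file name are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight for the three failures in the table above.
# The classifiers read text on stdin or as an argument, so they also
# work on saved dig/curl output.

# stdin: `dig +short A <domain>`; $1: the server IP the record should contain.
a_record_matches() {
  grep -Fxq -- "$1"
}

# stdin: `dig +short CAA <domain>`. Per RFC 8659, no "issue" records means any
# CA may issue; otherwise one of them must name letsencrypt.org.
# Limitation: only the queried name is checked, not its parent domains.
caa_allows_le() {
  awk '
    tolower($2) == "issue" {
      seen = 1
      v = tolower($3); gsub(/"/, "", v); sub(/;.*/, "", v)
      if (v == "letsencrypt.org") ok = 1
    }
    END { exit (seen && !ok) ? 1 : 0 }'
}

# $1: HTTP status for a made-up token under /.well-known/acme-challenge/.
challenge_verdict() {
  case "$1" in
    200|404) echo served ;;      # 404 is normal: the probe file does not exist
    3??)     echo redirected ;;  # a rewrite rule is catching the challenge path
    *)       echo blocked ;;     # 403, 5xx, or 000 when port 80 is unreachable
  esac
}

preflight() {
  domain=$1; server_ip=$2; rc=0
  dig +short A "$domain" | a_record_matches "$server_ip" ||
    { echo "FAIL: A record does not include $server_ip"; rc=1; }
  dig +short CAA "$domain" | caa_allows_le ||
    { echo "FAIL: CAA record forbids letsencrypt.org"; rc=1; }
  code=$(curl -s -o /dev/null --max-time 10 -w '%{http_code}' \
    "http://$domain/.well-known/acme-challenge/preflight-probe")
  verdict=$(challenge_verdict "$code")
  [ "$verdict" = served ] ||
    { echo "FAIL: challenge path $verdict (HTTP $code)"; rc=1; }
  return "$rc"
}

# Usage: sh preflight.sh yourdomain.com <server IP>
if [ "$#" -ge 2 ]; then preflight "$1" "$2"; fi
```

A silent run with exit status 0 means none of the three table rows applies; each FAIL line maps to one row.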
```apache
# In .htaccess: exclude the challenge path from redirects
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```
Cloudflare proxy and AutoSSL
If Cloudflare is proxying (orange cloud), Let's Encrypt sees Cloudflare's IP, not ours. AutoSSL still works because the challenge passes through Cloudflare, but only if Cloudflare's SSL mode is Flexible during validation, which we don't want long-term. Two good fixes:
1. Grey-cloud the proxied record just during first-time issuance, then flip orange again.
2. Better: use a Cloudflare Origin certificate instead of AutoSSL (15-year validity, no HTTP validation needed).
When to use a paid certificate
Let's Encrypt is the right default. The narrow cases where paid still makes sense:
- Extended Validation (EV) certificate with organization name in browsers. Rarely matters now since Chrome no longer shows it.
- Warranty coverage for large e-commerce liability
- Wildcard certificate for a very large subdomain fan-out where you want a single-cert deployment (Let's Encrypt wildcards work but require DNS challenge)
- Device/embedded systems that don't trust Let's Encrypt's ISRG Root X1 (extremely rare in 2026)
Verify the certificate
```bash
# Show certificate details
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null \
  | openssl x509 -noout -subject -issuer -dates
# Expected:
# subject=CN = yourdomain.com
# issuer=C = US, O = Let's Encrypt, CN = R3
# notBefore=Apr 1 12:00:00 2026 GMT
# notAfter=Jun 30 12:00:00 2026 GMT
```
Common gotchas
- Certificate issued but browser still shows insecure. Usually a mixed-content issue: some image or script loaded over http://. See the force-HTTPS article.
- AutoSSL disabled per-domain. Under Domains, each domain has a per-domain toggle. Confirm it's on.
- Rate limits. Let's Encrypt allows 50 certificates per registered domain per week. If you're bulk-provisioning subdomains, batch carefully.
- Expired certificate on a domain with no DNS. If you moved a domain off us and left the cPanel entry, AutoSSL will fail forever. Remove the dead domain.
Still stuck?
Email [email protected] with the exact error from SSL/TLS Status.