Automatic SSL Certificate Replacement in cPanel & WHM

This article explains how cPanel & WHM automatically replaces weak, expiring, invalid, or revoked SSL certificates with free Let’s Encrypt certificates. It covers replacement conditions, the automated process, examples, how to disable automatic replacement, certificate management options, and troubleshooting issues such as CAA restrictions and missing FQDN hostnames.


~6 min read • Updated Feb 17, 2026

1. Overview


An SSL certificate provides encryption and authentication for websites, ensuring secure communication between a server and a user’s browser. Modern browsers often block access to websites without valid SSL certificates.


Servers with valid cPanel & WHM licenses automatically receive a free Let’s Encrypt SSL certificate for their hostname and related services.


Warning: If a cPanel Partner disables free hostname certificates in Manage2, the server will not receive automatic free certificates.


2. Automatic SSL Replacement Conditions


cPanel & WHM will automatically replace hostname or service certificates if they meet any of the following conditions:

  • Uses a weak signature algorithm.
  • Revoked by the Certificate Authority.
  • Self-signed (not trusted by browsers).
  • Invalid (e.g., hostname does not resolve to the server’s main IP).
  • Expiring soon:
    • Let’s Encrypt certificates expiring in less than 25 days.
    • Certificates from other CAs expiring in less than 3 days.

3. Automatic Replacement Process


When a certificate meets the replacement criteria, the server automatically orders a new certificate during the /usr/local/cpanel/scripts/upcp maintenance run.


Once Let’s Encrypt issues the new certificate, the system downloads and installs it.


If a certificate expires before the replacement arrives, the system temporarily installs a self-signed certificate. It will later replace it with the new Let’s Encrypt certificate.


Warning: Automatic replacement only works if your hosting provider allows it and you have not disabled it.


4. Replacement Examples


Example 1: Dovecot Service

If the Dovecot service’s Let’s Encrypt certificate expires in less than 25 days,
the system orders a new Let’s Encrypt certificate and replaces the old one
when it arrives.

Example 2: FTP Service

If the FTP service uses a CA-issued certificate (not Let’s Encrypt) and it expires
in less than 3 days, the system orders a Let’s Encrypt certificate.

If the CA certificate expires before the replacement arrives, the system installs
a temporary self-signed certificate, then replaces it with the Let’s Encrypt
certificate once available.

5. Disable Automatic Certificate Replacement


You can disable parts of the automatic replacement system by creating the following touch files:

File | Effect
/var/cpanel/ssl/disable_auto_hostname_certificate | Disables automatic hostname certificate replacement.
/var/cpanel/ssl/disable_service_certificate_management | Disables service certificate replacement and expiration notifications.
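
The replacement conditions in section 2 and the touch files above can be combined to predict what the next upcp run will do to a certificate. This is an added example, not cPanel's own code; it assumes a Let's Encrypt certificate is recognised by its issuer organisation, treats MD5 and SHA-1 as the weak algorithms, and does not check revocation or DNS resolution.

```shell
#!/bin/sh
# Added example (not cPanel's own code): predict what the next upcp run does to a certificate.
SSL_DIR="${SSL_DIR:-/var/cpanel/ssl}"   # directory holding the touch files named on this page

# kind is "hostname" or "service"; succeeds when the matching touch file is absent.
auto_replace_enabled() {
  case "$1" in
    hostname) [ ! -e "$SSL_DIR/disable_auto_hostname_certificate" ] ;;
    *)        [ ! -e "$SSL_DIR/disable_service_certificate_management" ] ;;
  esac
}

# Args: issuer DN, subject DN, signature algorithm, seconds until notAfter.
replacement_reason() {
  issuer="$1"; subject="$2"; sigalg="$3"; secs_left="$4"; days=3
  # Assumption: Let's Encrypt certificates are recognised by the issuer organisation.
  case "$issuer" in *"Let's Encrypt"*) days=25 ;; esac
  if [ "$issuer" = "$subject" ]; then echo "self-signed"        # heuristic: self-issued
  elif printf '%s' "$sigalg" | grep -qiE 'md5|sha1'; then echo "weak-signature"  # assumed weak set
  elif [ "$secs_left" -le 0 ]; then echo "expired"
  elif [ "$secs_left" -lt $((days * 86400)) ]; then echo "expires-in-under-${days}-days"
  else echo "ok"
  fi
}

# Extract the fields from a PEM file with openssl (GNU date assumed) and classify it.
audit_cert() {
  kind="$1"; pem="$2"
  auto_replace_enabled "$kind" || { echo "replacement-disabled"; return 0; }
  issuer=$(openssl x509 -in "$pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
  subject=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  sigalg=$(openssl x509 -in "$pem" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1)
  end=$(date -d "$(openssl x509 -in "$pem" -noout -enddate | cut -d= -f2)" +%s)
  replacement_reason "$issuer" "$subject" "$sigalg" $((end - $(date +%s)))
}

# Usage: sh audit.sh hostname|service /path/to/cert.pem
# Without arguments, classify constructed field values (not taken from a real certificate).
if [ $# -eq 2 ]; then audit_cert "$1" "$2"
else replacement_reason "CN=Example Intermediate,O=Let's Encrypt,C=US" "CN=host.example.com" sha256WithRSAEncryption $((20 * 86400))
fi
```

A result other than "ok" while the verdict is "replacement-disabled" means the certificate will lapse without a replacement order, and for service certificates without an expiration notification either.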

6. Manage Your Certificates


You can replace your free Let’s Encrypt certificate with a certificate from another CA using:

WHM » Home » SSL/TLS » Purchase and Install an SSL Certificate

You can also view and manage service certificates in:

WHM » Home » SSL/TLS » Manage Service SSL Certificates

7. Troubleshooting


7.1 CAA Records Blocking Let’s Encrypt

CAA DNS records control which Certificate Authorities may issue certificates for your domain. If Let’s Encrypt is not listed, it cannot issue replacement certificates.

Fix options:

  • Remove all CAA records (allows all CAs).
  • Add a Let’s Encrypt CAA record.

Example CAA Record:

example.com. 86400 IN CAA 0 issue "letsencrypt.org"

You can manage CAA records via:

  • WHM → DNS Zone Manager
  • cPanel → Zone Editor
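
To confirm which of the two fixes a hostname needs, the check below evaluates CAA the way a CA does: it climbs from the hostname toward the TLD and lets the first name that has CAA records decide. This is an added example, not part of cPanel; it assumes `dig` is installed, and the function names and sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example (not cPanel's code): would CAA let Let's Encrypt issue for a hostname?

# DNS lookup kept in its own function; prints the CAA RRset as `flags tag "value"` lines.
lookup_caa() { dig +short CAA "$1"; }

# Reads one RRset on stdin and prints a verdict for CA domain $1.
# Only `issue` properties matter for a non-wildcard hostname certificate.
caa_verdict() {
  awk -v ca="$1" '
    tolower($2) == "issue" {
      seen = 1
      v = $0
      sub(/^[^"]*"/, "", v); sub(/".*$/, "", v)   # keep the text between the quotes
      sub(/;.*$/, "", v); gsub(/[ \t]/, "", v)    # drop parameters after ";" and spaces
      if (tolower(v) == ca) ok = 1
    }
    END {
      if (!seen)   print "unrestricted"   # no issue property: CAA does not restrict issuance
      else if (ok) print "allowed"
      else         print "blocked"        # other CAs only, or issue ";"
    }'
}

# Climb from the hostname toward the TLD; the first name with CAA records decides.
check_caa() {
  name="${1%.}"
  while [ -n "$name" ]; do
    rrset=$(lookup_caa "$name")
    if [ -n "$rrset" ]; then
      echo "$name: $(printf '%s\n' "$rrset" | caa_verdict letsencrypt.org)"
      return 0
    fi
    case "$name" in *.*) name="${name#*.}" ;; *) name="" ;; esac
  done
  echo "no CAA records: unrestricted"
}

# Constructed sample RRset (not from a real zone) used when no hostname is given.
sample='0 issue "ca.example.net"
0 iodef "mailto:security@example.com"'
if [ $# -gt 0 ]; then check_caa "$1"; else printf '%s\n' "$sample" | caa_verdict letsencrypt.org; fi
```

A "blocked" verdict on a parent domain explains failed replacement orders even when the hostname itself has no CAA records.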

7.2 Missing FQDN During Installation

During installation, cPanel attempts to secure the server immediately:

  • Installs a self-signed certificate.
  • Attempts to replace it with a Let’s Encrypt certificate.

If the hostname is not a valid, resolvable FQDN, Let’s Encrypt cannot issue a certificate.


Solution:

  • Set a proper FQDN using:
WHM » Home » Networking Setup » Change Hostname

Afterward, Let’s Encrypt will issue a certificate during the next upcp run.


If you prefer a commercial certificate, install it via:

WHM » Home » SSL/TLS » Purchase and Install an SSL Certificate

Conclusion


Automatic SSL certificate replacement ensures that your server always uses secure, trusted certificates without manual intervention. Understanding how the system replaces certificates—and how to troubleshoot issues like CAA restrictions or invalid hostnames—helps maintain a secure and reliable hosting environment.


Newly-installed servers that do not have a fully-qualified domain name (FQDN) as their hostname will automatically receive one from WebPros International, LLC. The hostname will be assigned as a subdomain under cprapid.com.


2. Why an Automatically-Issued Hostname Is Needed


An automatically-issued hostname allows Let’s Encrypt™ to issue a free SSL certificate for your server.


An SSL certificate provides encryption and authentication for secure communication between a website and a user’s browser. Many browsers block access to websites that do not have valid SSL certificates.


Immediately after installation, cPanel & WHM attempts to secure the server:

  • First, it installs a self-signed certificate.
  • Then, it requests a free Let’s Encrypt hostname certificate.

If the server does not have a resolvable FQDN hostname with a DNS record, Let’s Encrypt cannot issue a certificate. In this case, the server will only use a self-signed certificate, which causes browser security warnings when accessing WHM, cPanel, or Webmail.


To prevent this, cPanel & WHM automatically assigns a valid FQDN hostname to servers that lack one, enabling Let’s Encrypt to issue a trusted certificate.


3. Limitations


  • The automatically-issued hostname is always a subdomain of cprapid.com and points to the server’s main IP address.
  • You cannot manage or delegate this subdomain to another server.
  • To create nameserver subdomains (ns1, ns2), you must use a hostname from a domain you own. Nameservers under cprapid.com will not function fully.
  • If a hosting provider uses pre-installation or post-installation scripts to assign a hostname, they will still work—but only if the hostname is a valid FQDN that resolves to the server’s IP. Otherwise, cPanel will replace it with an automatically-issued hostname.
  • If a cPanel Partner disables free hostname certificates in Manage2, the server will only use a self-signed certificate.

Remember: A self-signed certificate will always trigger a browser security warning.


4. Replace Your Automatically-Issued Hostname


It is recommended to replace the automatically-issued hostname with a hostname based on a domain you own. This helps:

  • Strengthen your brand identity
  • Enable fully functional nameservers
  • Provide full DNS control

To change the server’s hostname, use:

WHM » Home » Networking Setup » Change Hostname

5. Hostname Certificate Replacement


When you change the server’s hostname, Let’s Encrypt will automatically issue a new SSL certificate for the updated hostname.


Note: You may choose to replace the free Let’s Encrypt certificate with a certificate from another Certificate Authority (CA) to avoid rate limits or domain restrictions.


To install a certificate from another CA, use:

WHM » Home » SSL/TLS » Purchase and Install an SSL Certificate

Conclusion


Automatically-issued hostnames ensure that newly-installed servers can immediately receive a trusted SSL certificate and avoid browser warnings. While useful for initial setup, replacing the hostname with one from your own domain provides better branding, DNS control, and long-term flexibility.


Written & researched by Dr. Shahin Siami