SSL renewal — automatic vs manual.
Let's Encrypt certs renew automatically every 60 days. When manual intervention is needed and how to do it.
SSL certificates expire. With Let's Encrypt at Rivervo, renewal is automatic — but here's what to know in case it isn't.
The automatic process
cPanel's AutoSSL runs a daily check. If any cert is within 30 days of expiry:
- AutoSSL contacts Let's Encrypt
- Generates a new cert
- Installs it on the domain
- Old cert is replaced seamlessly — no downtime
You won't notice. Browsers see the new cert on next page load.
Verifying renewal worked
cPanel → SSL/TLS Status.
For each domain:
- Status: AutoSSL Domain Validated (good)
- Expires: date >30 days in the future (good)
If Expires shows date in the past or "Not Secure", AutoSSL failed.
Why AutoSSL might fail
Domain doesn't resolve to your server. AutoSSL needs Let's Encrypt to verify the domain by reaching http://yourdomain.com/.well-known/acme-challenge/.... If DNS points elsewhere or the domain doesn't resolve, validation fails.
Fix: point the domain at your server (see Connect existing domain) and wait for DNS to propagate.
.well-known/ is blocked or rewritten. Some .htaccess rules accidentally block this path. Common with security plugins or aggressive rewrite rules.
Check public_html/.htaccess for lines like RewriteRule ^.well-known/ and remove them. Or add an explicit allow:
RewriteEngine On
RewriteRule ^\.well-known/ - [L]Cloudflare is in front in proxied (orange cloud) mode. AutoSSL hits Cloudflare's IP, sees Cloudflare's cert, gets confused.
Fix: temporarily switch the DNS record to grey cloud (DNS only), run AutoSSL, switch back. Or use Cloudflare's Origin CA cert instead of Let's Encrypt.
Subdomain not in cPanel. AutoSSL only covers domains/subdomains registered in cPanel → Domains. If you add app.yourdomain.com via DNS only (not in cPanel), AutoSSL won't issue a cert for it.
Fix: add the subdomain in Subdomains section.
Force manual renewal
Sometimes AutoSSL needs a kick:
cPanel → SSL/TLS Status → check the box for the domain → Run AutoSSL.
Wait 60-120 seconds. Refresh the page. Cert should be renewed.
Custom (non-Let's Encrypt) certs
If you bought a cert from a CA (Sectigo, DigiCert, GoDaddy SSL):
- cPanel → SSL/TLS → Manage SSL Sites
- Pick the domain
- Paste the certificate, key, and CA bundle (provided by the CA)
- Install Certificate
These don't auto-renew. You manage renewal at the CA, get the new files, repeat the install.
Wildcard certs
Let's Encrypt supports wildcards (*.yourdomain.com) via DNS-01 challenge. This requires the domain's nameservers to be at Rivervo (or a supported provider) for automated DNS challenge.
Wildcards in AutoSSL: enabled by default if your nameservers are ours. If not, you'll need to manually request via SSH:
sudo /scripts/autossl_check --user yourcpaneluserMixed content warnings after SSL
You enabled SSL but the browser still shows "Not Secure" for some pages?
Cause: HTTP-loaded resources (images, scripts, CSS) on an HTTPS page.
Fix: in WordPress, install Really Simple SSL plugin, run it. For other apps, search the codebase for http://yourdomain.com and replace with https://.
Or force HTTPS in .htaccess:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]