Are you having problems renewing an SSL certificate using cPanel's AutoSSL feature on a domain which is also using Cloudflare? Read on for a solution, and an explanation for why this happens.
The Symptoms
Typically, you'll be alerted to the fact that your SSL certificate is having problems renewing or has expired when you receive an automated email from cPanel. It looks something like this:
The cPanel AutoSSL provider could not renew the SSL certificate without a reduction of coverage because of the following problems:
⛔ yourdomain.com [ Last AutoSSL Run at 2018-03-25 at 10:24:15 UTC ]
yourdomain.com does not resolve to any IPv4 addresses on the internet.
If your SSL certificate has expired you'll also be seeing problems when you navigate to your website: either a nasty red lock instead of the nice green one, a scary SSL warning notice, or a Cloudflare error page. Bad times.
The Solution
Temporarily deactivate Cloudflare, then renew the certificate. You'll find AutoSSL renews perfectly fine once traffic is set to bypass Cloudflare, and you can switch Cloudflare straight back on again once the certificate is safely renewed.
For those wanting a detailed step by step:
- Log in to Cloudflare
- Navigate to the DNS area for the domain
- You'll see some lines with orange clouds. Click on those orange clouds to bypass Cloudflare services (this effectively turns Cloudflare off except for DNS routing)
- Log in to cPanel or WHM (whichever you use to manage your AutoSSL)
- Renew the SSL certificate (instructions here)
- Visit your website and confirm that everything is now back to green, safe, happy normality. Celebrate!
- Go back to Cloudflare and re-enable the orange clouds
- Voila!
SSL certificates generated using AutoSSL are valid for 90 days. So if you run AutoSSL and Cloudflare, you're going to encounter this every 90 days. 😐 It's really annoying, but there is not currently a better solution if you wish to use free AutoSSL + free Cloudflare. If it really bugs you then the best solution would be to purchase a premium SSL certificate, which will last for up to a few years (depending what you pay).
Why Does this Happen?
AutoSSL will fail for your site if a CDN like Cloudflare is enabled because AutoSSL requires that the domain resolves to your local cPanel server for Domain Control Validation (DCV) to succeed. If you use Cloudflare's proxy (the orange clouds), the domain resolves to Cloudflare's addresses rather than your server's, so that check can't pass.
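To see the resolution check behind this failure, here is an added diagnostic (not cPanel's or Cloudflare's code) that classifies what a domain's A records point at: your own server, a Cloudflare proxy range, something else, or nothing. The Cloudflare ranges below are a constructed subset for illustration; the live list is published by Cloudflare and changes, so fetch it rather than hard-coding it.

```python
import ipaddress
import socket

# Constructed subset of Cloudflare's proxy ranges for this example only.
# Use the current list published by Cloudflare (cloudflare.com/ips) in
# any real check, since these prefixes change over time.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "173.245.48.0/20",
)]


def classify_dcv_resolution(resolved, server_ips, cf_ranges=CLOUDFLARE_V4):
    """Classify where a domain resolves, mirroring the AutoSSL DCV precheck.

    resolved   - list of address strings the domain currently resolves to
    server_ips - list of IPv4 addresses belonging to the cPanel server
    Returns 'ok' (points at this server, DCV can succeed), 'proxied'
    (every IPv4 answer is a Cloudflare address, i.e. orange-cloud on),
    'foreign' (points somewhere else) or 'none' (no IPv4 answers, the
    exact condition cPanel reports as 'does not resolve to any IPv4').
    """
    v4 = [ipaddress.ip_address(a) for a in resolved
          if ipaddress.ip_address(a).version == 4]
    if not v4:
        return "none"
    server = {ipaddress.ip_address(s) for s in server_ips}
    if any(ip in server for ip in v4):
        return "ok"
    if all(any(ip in net for net in cf_ranges) for ip in v4):
        return "proxied"
    return "foreign"


def resolve_ipv4(hostname):
    """Live IPv4 lookup via the system resolver (not used by the offline
    demonstration below; call it with your real domain to check)."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    # Constructed sample: a proxied domain answered with a Cloudflare IP
    # while the cPanel box sits on 203.0.113.10 (documentation range).
    print(classify_dcv_resolution(["104.18.3.7"], ["203.0.113.10"]))
```

A result of "proxied" is exactly the state the steps above fix by clicking the orange clouds to grey; rerun with the domain grey-clouded and it should report "ok" before you trigger the AutoSSL renewal.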
Stuff that is often suggested by hosts which usually doesn't work:
- Apply firewall rules to allow the DCV server to bypass Cloudflare
- Modify .htaccess to match on the user agent and let it through.
- Add URL rules in Cloudflare so that anything requesting *yourdomain.com/.well-known/pki-validation/* is allowed through.
I say again: in my experience, the only reliable solution is to temporarily disable Cloudflare and renew the certificate.