Every ipxcore cPanel hosting plan includes free SSL certificates via AutoSSL, powered by Sectigo. AutoSSL automatically provisions, installs, and renews SSL certificates for every domain on your account — no manual renewal, no annual fees, no Let's Encrypt rate-limit headaches. This article explains how it works and how to verify it's running.
Is AutoSSL already running?
Yes — AutoSSL is enabled by default on every ipxcore cPanel account. Within a few minutes of adding a domain, it scans, validates ownership via HTTP, and installs a certificate covering your apex domain (yourdomain.com), the www subdomain, and any subdomains you've added.
Verify a domain is covered
- Log in to cPanel.
- Open SSL/TLS Status under "Security".
- You'll see every domain on your account with a status:
- Green checkmark = covered by AutoSSL, certificate active
- Red X = not covered (see "Common reasons" below)
Click View Certificate next to any domain to see expiration date, issuer (Sectigo), and the full SAN list.
Common reasons AutoSSL skips a domain
- Domain doesn't resolve to your ipxcore IP yet. AutoSSL validates ownership by serving a token from your account at
http://yourdomain.com/.well-known/pki-validation/. If the domain still resolves to your old host, validation fails. Fix: update DNS / nameservers and wait 30 minutes. See our article on nameservers. - Cloudflare proxy is enabled. When Cloudflare orange-cloud is on, the validation request hits Cloudflare, not your ipxcore server. Fix: temporarily set the record to grey-cloud (DNS only), wait for AutoSSL to issue, then turn proxying back on if you want.
- .htaccess redirect blocking the validation path. If you redirect all HTTP traffic to HTTPS via
.htaccess, exclude/.well-known/from the redirect:RewriteEngine On RewriteCond %{REQUEST_URI} !^/.well-known/ RewriteCond %{HTTPS} off RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L] - Domain is parked or suspended. AutoSSL skips domains that aren't actively serving content.
Force a re-check
If you've fixed the underlying issue (DNS, Cloudflare, .htaccess) and want AutoSSL to retry immediately rather than wait for the next scheduled run:
- Open SSL/TLS Status in cPanel.
- Tick the boxes next to the affected domains.
- Click Run AutoSSL at the top.
The check usually completes in under 30 seconds. Refresh the page to see the updated status.
Renewals
AutoSSL certificates are valid for 90 days and automatically renew at the 60-day mark. You don't need to do anything. If a renewal fails, cPanel emails you (and ipxcore's monitoring also alerts us, so we can investigate before you even notice).
When you might want a paid SSL instead
AutoSSL covers 99% of use cases. The exceptions:
- Extended Validation (EV) certificates — display the company name in the URL bar in older browsers. Mostly relevant for finance/healthcare. Modern browsers no longer differentiate visually.
- Wildcard certificates — needed if you serve dynamic third-level subdomains (
customer1.yourdomain.com,customer2.yourdomain.com, etc.). AutoSSL covers explicitly-defined subdomains but not unlimited wildcards. Open a ticket if you need a wildcard. - Multi-year certificates — no longer issued by any CA (max validity is 398 days industry-wide), so this is moot.
