CloudPanel SSL Beginner

SSL in CloudPanel: Let's Encrypt and custom certs

Issue free Let's Encrypt SSL certificates per site in CloudPanel, force HTTPS, and troubleshoot issuance failures. Also covers installing custom paid SSL certificates.

UnderHost NOC Network Operations

6 min read Updated June 2026

On this page

Before issuing SSL
Issue a Let's Encrypt certificate
Force HTTPS
Certificate renewal
Custom SSL certificate
Troubleshoot SSL failures

CloudPanel integrates Let's Encrypt for free, automatic SSL certificates per site. Once issued, certificates auto-renew before expiry. The only requirement is that the domain must already be pointing at the server when you request the certificate.

Before issuing SSL

Let's Encrypt validates domain ownership by making an HTTP request to your domain. This means:

The domain's A record must point to your CloudPanel server's IP address
DNS changes must have propagated (usually a few minutes to a few hours)
Port 80 must not be blocked by the server firewall (CloudPanel's default firewall allows port 80)

Verify DNS is pointing correctly with the UnderHost DNS Check tool before requesting the certificate.

Issue a Let's Encrypt certificate

Open the SSL settings

Log in to CloudPanel, click Sites, then click the site you want to secure. Go to the SSL/TLS tab.
Select Let's Encrypt

Under SSL Provider, choose Let's Encrypt.
Save and install

Click Save & Install Certificate. CloudPanel contacts Let's Encrypt, completes the HTTP-01 validation, and installs the certificate. The process takes 10–30 seconds.

After successful issuance, the site's status in the panel shows the certificate expiry date. CloudPanel automatically renews the certificate before expiry.

Force HTTPS

In CloudPanel, you can force HTTPS from the SSL/TLS settings:

In the site's SSL/TLS tab, enable Force HTTPS (or "HTTPS Redirect")
Save the settings

This adds a redirect rule to the Nginx vHost that sends all HTTP traffic to HTTPS. Visitors who access http://yourdomain.com are automatically redirected to https://yourdomain.com.

For WordPress sites, also update the site URL to HTTPS in WordPress admin → Settings → General.

Certificate renewal

Let's Encrypt certificates are valid for 90 days. CloudPanel uses acme.sh internally to handle automatic renewal. You do not need to manually renew certificates.

If a certificate expires (rare-usually due to DNS changes or server issues), re-issue it manually using the same steps above.

Custom SSL certificate

If you have a purchased SSL certificate, install it in CloudPanel:

In the site's SSL/TLS tab, select Custom Certificate
Paste your certificate (.crt file contents) into the Certificate field
Paste your private key into the Private Key field
Paste the CA bundle / intermediate certificates into the Certificate Chain field if provided
Click Save & Install Certificate

Troubleshoot SSL failures

SSL issuance fails with a domain validation error

The domain is not pointing to this server. Confirm the A record resolves to your CloudPanel server's public IP using the DNS Check tool. Wait for DNS propagation and try again. Also confirm port 80 is open in CloudPanel's firewall-Let's Encrypt validation uses HTTP on port 80.

Let's Encrypt rate limit error

Let's Encrypt limits failed issuance attempts to 5 per hour per domain. If you have repeatedly tried to issue a certificate that keeps failing, you may hit this limit. Resolve the DNS issue first, then wait an hour before retrying.

SSL is issued but the browser still shows "Not Secure"

The certificate is active but the page has mixed content-resources (images, scripts) are still loading over HTTP. See Fixing mixed content warnings.

Cloudflare is enabled-SSL validation failing

If Cloudflare is proxying the domain (orange cloud), the HTTP-01 challenge may fail. Temporarily set Cloudflare DNS to "DNS only" (grey cloud) for the domain while issuing the certificate, then re-enable the proxy after SSL is issued. Alternatively, use a DNS-01 challenge via a manual certificate request.

Was this article helpful?