Blog Winston AI @CustomerPanel
UnderHost
Knowledgebase Docs
/
Tools
Security Renewal Beginner

Automatic certificate renewal-prevent SSL expiration

Enable AutoSSL or Let's Encrypt to automatically renew certificates 30 days before expiration.

UnderHost NOC Network Operations
10 min read Updated June 2026
On this page

SSL/TLS certificates expire after 1 year (or custom period set by issuer). Automatic renewal prevents expiration errors that show "Your connection is not secure" warnings to visitors. Modern certificate authorities like Let's Encrypt provide free automatic renewal—enable it and your site stays secure 24/7 with zero manual intervention.

Shared hosting: UnderHost AutoSSL

UnderHost shared hosting includes AutoSSL for free Let's Encrypt certificates. AutoSSL automatically renews certificates 30 days before expiration.

How to enable or verify AutoSSL:

  1. Log in to cPanel
  2. Navigate to SSL/TLS → AutoSSL
  3. Verify your email address is correct (renewal notices go here)
  4. Enable "Automatic SSL" toggle (usually on by default)
  5. Confirm for each domain you want auto-renewed

What happens: 30 days before expiration, UnderHost's AutoSSL system:

  • Contacts Let's Encrypt
  • Verifies domain ownership
  • Issues new certificate
  • Installs on your domains
  • Sends confirmation email

No action needed from you—it's automatic. If verification fails, cPanel emails you with next steps.

VPS/Dedicated: Certbot for Let's Encrypt

For VPS and dedicated servers, use Certbot to manage Let's Encrypt certificates.

Install Certbot:

# Ubuntu/Debian
sudo apt-get update
sudo apt-get install certbot python3-certbot-nginx

# Or for Apache
sudo apt-get install certbot python3-certbot-apache

Request initial certificate:

sudo certbot certonly --webroot -w /var/www/yourdomain -d yourdomain.com -d www.yourdomain.com

Automatic renewal (systemd timer):

# Enable renewal timer (runs twice daily)
sudo systemctl enable certbot.timer
sudo systemctl start certbot.timer

# Test renewal (doesn't actually renew, just tests)
sudo certbot renew --dry-run

Certbot automatically renews 30 days before expiration.** No manual intervention needed once set up.

Check certificate expiration status

Via command line:

# Check certificate expiration
openssl x509 -in /path/to/cert.crt -text -noout | grep -A 1 "Not After"

# Example output:
# Not After : Jun  6 12:34:56 2027 GMT (expires in 365 days)

# Or use Certbot
sudo certbot certificates

Via browser:

  1. Visit your website in HTTPS
  2. Click the lock icon in address bar
  3. Click "Certificate" or "Connection is secure"
  4. Check expiration date

Online tools: Use SSL Checker or SSL Inspector to check remotely

When automatic renewal fails

If renewal fails, you'll get an email notification. Common failure reasons:

  • DNS not resolving: ACME challenge can't verify domain ownership
  • Email not received: Check spam folder; whitelist renewal notice sender
  • Domain not pointing to server: Renewal needs to access your website
  • Firewall blocking ACME: Some firewalls block challenge verification
  • Web server down: Certificate validation requires website to respond

To fix renewal failures:

  1. Verify your domain's DNS points to UnderHost nameservers
  2. Test your website is accessible (ping, curl, browser)
  3. Check firewall isn't blocking port 80 or 443
  4. For manual renewal: sudo certbot renew --force-renewal
  5. Contact support if issues persist

If using a paid SSL certificate (Comodo, DigiCert, GlobalSign, etc.):

  • You receive renewal notices: Usually 60, 30, and 14 days before expiration
  • Manual process: Paid certs don't auto-renew; you must purchase renewal through your provider or registrar
  • Keep certs active: Most providers offer multi-year discounts for renewing early
  • UnderHost doesn't manage paid certs: You're responsible for renewal timing and reinstallation

Recommendation: Use free Let's Encrypt (auto-renewing) instead of paid certs unless you need extended validation (EV) or wildcard coverage.

Set up expiration reminders

Even with automatic renewal, set multiple reminders as a safety net:

  1. cPanel AutoSSL notifications: Verify email address is correct in cPanel
  2. Calendar reminders: Note certificate expiration date in your calendar (60 days before)
  3. SSL monitor services: Tools like SSL.com's Certificate Monitoring send alerts
  4. Check periodically: Run certbot certificates monthly to verify status

Best practices

  1. Use Let's Encrypt: Free, automatic, widely trusted—best option for most websites
  2. Enable AutoSSL: Shared hosting users: verify AutoSSL is enabled in cPanel
  3. Test renewal: VPS users: run certbot renew --dry-run to verify automation works
  4. Monitor expiration: Check certificates monthly using command line or browser
  5. Set up alerts: Calendar reminders + automated monitoring for peace of mind
  6. Keep records: Document CSR, private keys, and certificates in a safe location
  7. Plan for paid certs: If using paid certs, track renewal deadlines; don't rely on auto-renewal
Automatic renewal = peace of mind

With Let's Encrypt and automatic renewal configured, your SSL certificate will renew reliably every year without any effort on your part. Your site stays secure 24/7/365.

Related: SSL certificate errors | ACME DNS validation | Install SSL certificate

Was this article helpful?

Need security-focused hosting?

UnderHost services include DDoS-aware infrastructure, SSL support, account isolation, backups, and security guidance.

View Secure Hosting CustomerPanel

Related articles

Back to Security