
Using AutoSSL with Cloudflare

Cloudflare's Always Use HTTPS and Strict mode settings can block AutoSSL from renewing your SSL certificate - here's how to fix it.

Updated 4 Jun 2026

Cloudflare's 'Always Use HTTPS' and Strict mode settings can interfere with cPanel's AutoSSL during certificate renewal. This guide explains why that happens and how to resolve it, both quickly and for the long term.

The problem

When AutoSSL tries to renew your certificate, it performs a Domain Control Validation (DCV) check over plain HTTP. If Cloudflare is set to 'Always Use HTTPS', it redirects that HTTP request to HTTPS before it reaches your server. Sectigo, who issue AutoSSL certificates, will not issue a certificate if the domain is redirecting during validation, so the renewal fails with an error similar to:

Local HTTP DCV error (domain.com): The content "301 Moved Permanently 301 Moved Permanently..." of the DCV (Domain Control Validation) file did not match the expected value.

Immediate fix: switch Cloudflare from Strict to Full mode

Strict mode requires a valid SSL certificate on your origin server at all times. If AutoSSL has failed to renew, your origin certificate may have expired, causing Cloudflare to return a 526 error to visitors.

Switching to Full mode resolves this immediately:

  1. Log in to your Cloudflare account.
  2. Select your domain and go to the SSL/TLS tab.
  3. Under SSL/TLS encryption mode, change Strict to Full.

Full mode still encrypts the connection between Cloudflare and your origin server, but accepts a self-signed or expired certificate. Visitors still see a fully valid HTTPS connection because Cloudflare presents its own certificate to them.

Long-term solution: let AutoSSL renew properly

The immediate fix above keeps your site working, but it is worth getting AutoSSL to issue a valid certificate. That way, if you ever disable Cloudflare, your site will still have a trusted certificate in place.

Step 1: disable 'Always Use HTTPS' in Cloudflare

  1. Log in to your Cloudflare account.
  2. Select your domain and go to the SSL/TLS tab.
  3. Click Edge Certificates.
  4. Find Always Use HTTPS and turn it off.
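
To confirm the change before moving on to Step 2, the following added example (not Kualo's or cPanel's own code) sends one plain-HTTP request without following redirects and reports whether it was bounced to HTTPS. The function names and the probe path are assumptions made for illustration; the path is a constructed placeholder rather than a real DCV file name, so a 404 is the expected answer and only a 3xx response matters.

```python
"""Pre-flight for Step 2: is plain HTTP still being redirected to HTTPS?"""
import http.client
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
# Constructed placeholder path (assumption); it is not a real DCV file name.
PROBE_PATH = "/.well-known/dcv-preflight-check.txt"


def probe_http(host, path=PROBE_PATH, port=80, timeout=10):
    """GET http://host:port/path once. http.client never follows redirects,
    so the first hop's status and Location header come back unchanged."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": "dcv-preflight"})
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def classify(status, location, host, path=PROBE_PATH):
    """Return 'https-upgrade', 'other-redirect' or 'no-redirect'."""
    if status not in REDIRECT_CODES:
        # 200 and 404 both mean the request was answered without a redirect.
        return "no-redirect"
    target = urlsplit(location or "")
    same_place = target.hostname == host.lower() and target.path == path
    if target.scheme == "https" and same_place:
        # Same host and path, only the scheme changed: the pattern that
        # 'Always Use HTTPS' (or an equivalent rule) produces.
        return "https-upgrade"
    return "other-redirect"


def ready_for_autossl(host, path=PROBE_PATH, port=80):
    """True when a plain-HTTP request is answered without any redirect."""
    status, location = probe_http(host, path, port)
    verdict = classify(status, location, host, path)
    print(f"http://{host}{path} -> {status} {location or ''} [{verdict}]")
    return verdict == "no-redirect"


if __name__ == "__main__":
    import sys
    sys.exit(0 if ready_for_autossl(sys.argv[1]) else 1)
```

Run it with your domain as the only argument, before Step 4: because the probe path is a placeholder, a site-wide redirect rule on the server would also be reported as a redirect.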

Step 2: renew your certificate in cPanel

If AutoSSL did not renew automatically after disabling the redirect, trigger it manually:

  1. Log in to cPanel.
  2. Go to SSL/TLS.
  3. Click Manage AutoSSL and run a renewal check.

Renewal can take several minutes. As long as Strict mode is off, your site will not show errors while you wait.

Step 3: re-enable Strict mode (recommended)

Once AutoSSL has successfully issued a new certificate, you can switch Cloudflare back to Strict mode for the strongest security. Strict mode verifies that your origin certificate is valid, which prevents man-in-the-middle attacks between Cloudflare and your server.

Some site owners prefer to leave Strict mode off to avoid future renewal issues. That is a reasonable choice, but be aware that Full mode does not verify the origin certificate.

Step 4: set up HTTPS redirects in .htaccess

If you have disabled 'Always Use HTTPS' in Cloudflare but still want visitors redirected to HTTPS, add the redirect at the server level instead. This avoids interfering with AutoSSL while still enforcing HTTPS.

  1. Log in to cPanel.
  2. Open File Manager and navigate to your website's root directory.
  3. Open the .htaccess file for editing.
  4. Add the following lines:
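
    # Enable mod_rewrite for this directory
    RewriteEngine On
    # Match only requests that arrived over plain HTTP
    RewriteCond %{HTTPS} off
    # Send a permanent redirect to the same host and path over HTTPS
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]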

This redirect runs on your server, not in Cloudflare, so it does not affect the HTTP DCV request that AutoSSL uses for validation.

With these steps in place, AutoSSL can renew your certificate without interference, and your visitors are still served over HTTPS.
