Technical guide for Hovixa users on managing Let's Encrypt AutoSSL in cPanel. Learn how to trigger manual SSL runs and troubleshoot Domain Control Validation (DCV) errors.
Configuring Let's Encrypt AutoSSL and Resolving DCV Failures
Hovixa provides automated Domain Validated (DV) SSL certificates through Let's Encrypt. The system automatically attempts to secure every domain, subdomain, and alias added to your cPanel account. However, strict Domain Control Validation (DCV) requirements must be met for the certificate to issue successfully.
1. Manually Triggering AutoSSL
While the server runs a maintenance cron job every 24 hours to check for expiring or missing certificates, you can force a manual check immediately after adding a new domain or updating DNS.
Execution Steps:
- Log in to cpanel.hovixa.com.
- Navigate to the Security section and click SSL/TLS Status.
- (Optional) Use the search bar to filter for specific domains.
- Click the Run AutoSSL button at the top of the page.
- The process will run in the background. A success notification will appear once the polling is complete.
2. Understanding DCV (Domain Control Validation)
Before Let's Encrypt issues a certificate, the Certificate Authority (CA) must verify that you control the domain. This is done via DCV. The server typically uses one of two methods:
- HTTP-based: The CA looks for a specific text file located at http://yourdomain.com/.well-known/acme-challenge/.
- DNS-based: The CA looks for a specific _dnsauth TXT record in your DNS zone file.
3. Common DCV Failure Causes and Resolutions
If you see a red lock icon or a "DCV Failure" message in the SSL/TLS Status page, the certificate cannot be issued. Use the table below to diagnose and fix the specific bottleneck.
| Error Type | Root Cause | Technical Resolution |
|---|---|---|
| DNS Propagation | Domain is not yet pointing to Hovixa IP. | Verify A records via dig or nslookup. Wait for DNS propagation (up to 24h). |
| 403 Forbidden | Security rules (ModSecurity) or .htaccess are blocking access to /.well-known/. | Disable .htaccess redirects temporarily or whitelist the .well-known directory from HTTPS redirection. |
| CAA Records | A DNS CAA record exists that does not list letsencrypt.org. | Update your CAA record in the Zone Editor to allow Let's Encrypt to issue certificates. |
| Cloudflare Proxy | Cloudflare "Orange Cloud" is active before the initial certificate is issued. | Temporarily set the DNS to "DNS Only" (Grey Cloud) until AutoSSL completes, then re-enable the proxy. |
4. Force Including/Excluding Domains
In the SSL/TLS Status interface, you can manage which subdomains are included in the certificate (e.g., excluding mail.domain.com if you use external mail):
- Select the checkbox next to the specific domain.
- Click Exclude from AutoSSL or Include during AutoSSL.
- Run AutoSSL again to reflect the changes in the new CSR (Certificate Signing Request).
Security Note: If your site continues to show "Not Secure" despite a valid certificate, check for "Mixed Content" errors in your browser console. This indicates that your HTML is still loading assets (images/scripts) over http:// instead of https://.
