Expired AutoSSL certs piling up


I noticed a large number of SSL certs in my home dir/ssl/certs. I logged into cPanel and looked at SSL/TLS, and it seems the various domains on my VPS have a number of expired certs shown along with the current certs (all of them were AutoSSL-generated). The list is getting pretty long. I can go in and delete them from time to time, but is AutoSSL supposed to delete expired certs on its own? I didn't see anything in WHM options about SSL cleanup; I just figured it would be automatic.
Hey there.

AutoSSL should be renewing any eligible certificate. If you have expired certificates listed in Manage SSL/TLS, then there is a problem with those domains and AutoSSL is not able to renew them accordingly.

AutoSSL should be deleting its expired certificate when replacing it with a valid one.

Eligibility for AutoSSL is a simple rule -- all domains must resolve to the server's IP address to pass Domain Control Validation (DCV).

If they are not passing this check, then they are either:

A) Not resolving to your server's IP (CloudFlare, Sucuri, etc.)
B) Not passing DCV checks.

Now, self-signed certificates do get generated with every domain, which is what you may be seeing, as even self-signed certificates expire.

You should open a Support Ticket so we can take a closer look, just to be sure.

Thank you for replying.

AutoSSL is renewing the certs just fine. Eligibility and renewal aren't the issue (SSL is working).

I see a mix of self-signed and cPanel-generated certs; the old ones are just not being removed.

Thank you for the confirmation that AutoSSL should be deleting the old certs; I will focus on that.
AutoSSL will only remove its own issued certs. Any self-signed certs or certs you've created will not be touched by AutoSSL, expired or not.
So honestly, this was a new VPS a year ago, nothing but AutoSSL generated certs from cPanel (they said "cPanel, Inc." under "Issuer"). I didn't install any certs from anywhere else. I've deleted all the expired ones manually (there were about 10 of them including a few self-signed) and if it doesn't remove the outdated ones at the next renewal I'll open a ticket.
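
To see which leftover files in the ssl/certs directory are self-signed and which were issued by a CA before deleting anything by hand, a read-only report like the one below can help. It is an added example, not part of the thread and not cPanel's own tooling; it assumes PEM certificates with a `.crt` extension and the `openssl` CLI, and the function names are made up here.

```shell
#!/bin/sh
# Added example: list expired certificates in a directory such as ~/ssl/certs.
# Read-only: it reports files and deletes nothing.
# Usage: sh cert_report.sh ~/ssl/certs   (script name is hypothetical)

# cert_kind SUBJECT ISSUER -> "self-signed" or "ca-issued".
# Heuristic: subject equal to issuer; the signature itself is not verified.
cert_kind() {
    if [ "$1" = "$2" ]; then
        echo "self-signed"
    else
        echo "ca-issued"
    fi
}

# cert_field FILE FIELD -> value printed by -subject, -issuer or -enddate,
# with the leading "subject=", "issuer=" or "notAfter=" label removed.
cert_field() {
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 2>/dev/null |
        sed 's/^[A-Za-z]*= *//'
}

# audit_cert_dir DIR -> one tab-separated line per problem file:
#   <file> <kind> <notAfter> <issuer>   for expired certificates
#   <file> unparseable                  for files openssl cannot read
audit_cert_dir() {
    dir=$1
    for f in "$dir"/*.crt; do
        [ -f "$f" ] || continue          # unmatched glob or not a regular file
        if ! openssl x509 -in "$f" -noout >/dev/null 2>&1; then
            printf '%s\tunparseable\n' "$(basename "$f")"
            continue
        fi
        # -checkend 0 exits 0 while the certificate is still within validity.
        if openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1; then
            continue
        fi
        subject=$(cert_field "$f" subject)
        issuer=$(cert_field "$f" issuer)
        end=$(cert_field "$f" enddate)
        printf '%s\t%s\t%s\t%s\n' "$(basename "$f")" \
            "$(cert_kind "$subject" "$issuer")" "$end" "$issuer"
    done
}

if [ "$#" -gt 0 ]; then
    audit_cert_dir "$1"
fi
```

Expired lines marked `ca-issued` whose issuer matches the AutoSSL provider are the ones the replies say AutoSSL should be cleaning up itself; `self-signed` lines are the ones it leaves alone.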