In recent versions of cPanel/WHM, it is easier than ever to get an SSL Certificate for your domains! Since version 58, cPanel has had a feature called AutoSSL to automatically install for you Domain-Validated (DV) SSL certificates for your domains, to use in Apache, Dovecot, and Exim.1)
To find the main page for managing AutoSSL, first log into WHM. Then look for "Manage AutoSSL" in the "SSL/TLS" section. You can use the search box:
Another option is to use the icons in the main screen. First find the "SSL/TLS" button:
Then choose "Manage AutoSSL":
Then you should see a screen that looks approximately like this:
In order for a domain to get a certificate via AutoSSL, all of the following must be true:
If any of these are false, AutoSSL will not generate a certificate for that domain.
AutoSSL is usually enabled by default. If you would like to check whether it is enabled, go to the Manage AutoSSL page as shown above, and make sure one of the available providers is chosen, and not the "Disabled" option. If you have made any changes, be sure to click the "Save" button:
By default, only the "cPanel (powerd by Comodo)" provider is enabled. If you prefer to use Let's Encrypt, a plugin can be installed to give you this option. Other Certificate Authorities (CAs) might also have plugins available to integrate their services into WHM's AutoSSL.
By default, AutoSSL will already check the certificates of all accounts automatically once per day. If you prefer not to wait until the next automatic check, you can run a new check at any time from the "Manage AutoSSL" page of WHM. First, find the "Manage AutoSSL" page as shown above. Then you can either click the "Run AutoSSL For All Users" button to recheck all users, or go to the "Manage Users" tab, look for and choose the specific account you want to check, and click the "Check" button in the "Run AutoSSL Check" column of that account's row.
You can view the logs from the AutoSSL checks in the "Logs" tab. The "Refresh" button can be used to refetch the list of logs, so that you can make sure you are seeing the full list. Once you select one of the logs and click "View Log", the log will appear in the box below:
This will show you, among other things, whether the account has any domains or subdomains not covered by certificates, whether AutoSSL can attempt to generate a certificate, and the reason if it cannot.
There also is an "Options" tab. The bottom three checkboxes are for notification settings.
The top checkbox says "Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates." It is important to note this option defaults to not checked. So if you have a domain that already has a certificate, and you want to let its current certificate expire and get a new one with AutoSSL, you will need to either check this box or remove the old certificate before AutoSSL will generate the new one for you.
The reason that the box is not checked by default is to help prevent accidentally replacing a higher-validation-level certificate with the Domain Validated (DV) certificate generated by AutoSSL. In some cases, it might even be preferable to allow an OV (Organization Validated) or EV (Extendedly Validated) certificate to expire rather to have it replaced by one that is merely DV.