Release Notes

v0.13.6 - June 07, 2018


  • FIX: Renewal will no longer treat “unknown” domains as a fatal error (resulting in “Failed to group domains” emails)
    • This would happen when a user deleted a subdomain, alias domain etc, but did not re-issue their SSL certificate without these domains
    • Previously, these unknown domains would prevent renewal for any managed certificates on an account from succeeding and would email the user with an error. This was an intentional design, to ensure that the user’s original intent was being fulfilled.
    • Based on user feedback, we are changing this to ignore domains that no longer exist in any virtual host, and proceed with renewal without those domains.
    • For example,
      • If a user issued a certificate for example.org and example.com, which are the Primary Domain and an Alias Domain, respectively.
      • The user deletes the example.com Alias Domain from cPanel.
      • Previously: FleetSSL cPanel would fail to renew the certificate because the wanted domain was missing.
      • Now: FleetSSL cPanel will renew the domain without example.com, now and in future.
    • This does not affect domains that fail validation, only domains that are missing from the cPanel account entirely.
  • FIX: Fix panic that occurs a user manually modifies their NVData in an unexpected way.
  • MISC: CLI can now bypass x.509 verification errors when invoked as FLEETSSL_INSECURE_RPC=y /usr/local/bin/le-cp ...

v0.13.5 - May 12, 2018


  • FIX: AutoSSL will now try to avoid consuming the full ACME Registrations per IP Address rate limit.
    • This is so end-users are still able to issue certificates when AutoSSL is very busy.
    • This is tuned to 70% of the current rate limit.
    • This can be tuned via autossl_acme_registrations_limit

v0.13.4 - April 4, 2018


  • FEATURE: The plugin now supports wildcard-only virtual hosts.
    • For example, when creating a subdomain in cPanel for *.example.org, which causes *.example.org to be served from a different virtual host/document root to the base example.org domain.
    • Using cPanel in this way is mostly applicable if you need dynamic subdomain matching.

v0.13.3 - March 26, 2018


  • FIX: A regression was discovered where certificates with wildcard names would try to renew every renewal cycle.
    • This was due to a failure to identify that e.g. *.example.org covers a.example.org when evaluatign whether a certificate needed to be renewed or not.
    • Customers with wildcard certificates may have received a renewal failure email with the error: Error finalizing order :: too many certificates already issued for exact set of domains
    • The only remediation required is to update the plugin.

v0.13.2 - March 21, 2018


  • FIX: A bug was found and fixed relating to DNS zone edits for the wildcard functionality.
    • It would manifest itself as a failure on the first attempt, and success on the second attempt.
    • No existing certificates will be adversely affected.
  • IMPROVEMENT: DNS validation will now attempt to verify that the updated DNS records are propagated before attempting to use them.
    • Previously, WHM admins would need to tune the DNS Challenge Delay (see 0.13.0 release notes).
    • That tuning is still possible, but the plugin will also spend upto 3 * challenge_delay waiting for the record to be actively served by the nameserver. By default, this is 3 * 5 seconds = 15 seconds.
    • This is done via a non-caching iterative DNS query descending from the root nameservers.

v0.13.1 - March 20, 2018


  • FIX: Due to an upcoming change in Boulder, the plugin now removes any names from certificate requests that are already covered by a wildcard name.
    • e.g. If ordering [fleetssl.com www.fleetssl.com *.fleetssl.com], www.fleetssl.com will be automatically stripped.
    • This will not adversely affect any certificates that have already been issued.

v0.13.0 - March 19, 2018


  • FEAUTURE: Wildcard certificates can now be issued.
    • See the Wildcard documentation for more details.
    • It is only available when using DNS-based validation (which is a decision left to the end-user)
    • You may need to tune the DNS Challenge Delay if your hosting environment has large DNS clusters or a high zone count.
  • FEATURE: DNS-based validation is now available and is no longer a feature preview.
    • This is an alternative to the default, HTTP-based validation method
    • Both HTTP and DNS methods are available on all new and upgraded installations, but can be controlled by the WHM administrator.
    • The HTTP method remains the default option for new certificate issuances and the recommended option for most users
    • The HTTP method remains the only option for certificates issued via the AutoSSL feature
    • End-users may choose which validation method to use on a per-certificate basis
  • IMPROVEMENT: The AutoSSL feature has been significantly extended:
    • It will now try to include cPanel proxy subdomains e.g. webmail., cpanel., webdisk. This can be disabled by the autossl_skip_proxy_subdomains configuration flag
    • AutoSSL will stop retrying domains that fail continuously for an extended period.
    • AutoSSL will try to issue certificates for virtual hosts without a valid or imminently expiring certificate (48h). Previously, it would refuse to run on any account that had any third-party certificates.
    • AutoSSL remains disabled by default.
  • IMPROVEMENT: Renewals that fail repeatedly are now subject to a number of inhibitions.
    • Only 1 email every 2 days, at most, will be sent per certificate
    • Failing renewals now follow a linear back-off after a threshold.
      • After 10 consecutive renewal failures (~5 days), a delay of max(1 week, (12 hours * max(0, Fail_Count - 10))) is applied at each attempt. This is reset after a successful renewal.
      • This is designed to deprioritize abandoned accounts/domains and save server and CA/rate limit resources.
    • It is always possible to immediately re-issue the certificate from the user interface.
  • MISC: The ACME client implementation has been completely rewritten for ACME v2
    • This should be fully compatible with all existing accounts and certificates and there should be no perceptible difference to end-users.
    • The library is available under an open source licence at https://github.com/eggsampler/acme
  • FIX: BoltDB (embedded database used for non-critical state) has been upgraded and now automatically deals with corruption.
  • MISC: Self-test now tests that BoltDB is functional.
  • MISC: Added a le-cp fetch-licence <order ID> <auth code> convenience command.
  • MISC: Added a le-cp send-logs convenience command.
  • MISC: Upgraded to Go 1.10.

v0.12.3 - February 20, 2018


  • FIX: The WHM user interface had broken in cPanel 70+ due to cPanel removing some 3rdparty stylesheets and scripts. They are now bundled with the plugin.

v0.12.2 - January 20, 2018


  • FIX: cPanel maximum API response size has been raised from 5MB to 20MB to account for servers with a large number of virtual hosts.
  • FIX: A cleanup process has been added to the plugin. Prior to renew and issuance via UI, the plugin will attempt to safely and gradually (over time) remove expired, unused Let’s Encrypt certificates, in order limit growth of cPanel user data.

v0.12.1 - December 19, 2017


  • FIX: A regression in 0.12.0 which broke proxy subdomains on the cPanel LTS version (cPanel 62).

Please note that we still intend to discontinue support for the cPanel LTS version, instead requiring STABLE or newer. See the 0.12.0 release notes for more information.


v0.12.0 - November 24, 2017


  • FIX: Previously, the option to include proxy subdomains was only available when an existing certificate already existed. Now it is always available.
    • However, cPanel may not always choose to use every proxy subdomain (such as when they are on a subdomain virtual host).
  • FEATURE PREVIEW: The dns-01 challenge is now available, but disabled by default
    • This means that SSL validation can be performed automatically via TXT DNS records rather than relying on the http-01/webroot challenge
    • This is only available if cPanel is controlling the DNS for the zone. Domains with external DNS cannot take advantage of the dns-01 challenge.
    • Admins may enable either or both of the challenges (http-01, dns-01). If more than one is enabled, then the user is prompted to choose one on a per-certificate basis. Existing certificates will be assumed to use the http-01 challenge.
    • To enable the dns-01 challenge, visit WHM->Let’s Encrypt SSL->Configuration and set “Challenge Methods” to http-01,dns-01 as required.
    • We are introducing this feature at this time in order to prepare for wildcard certificates, which will be coming in January or February 2018.
    • This is a BETA-quality feature and we will appreciate any testing/feedback/bugs.
  • KNOWN ISSUES
    • IPv6 in cPanel 68: Due to a regression in cPanel 68, IPv6 is broken for the service certificate and proxy subdomain renewals. Please refer to this published article for a workaround
    • The dns-01 challenge incurs a 5 second sleep after every DNS record change, this is to allow BIND to reload the zone before Let’s Encrypt tries to validate it. This will be fixed before the feature is out of beta.
  • DISCONTINUED LTS SUPPORT: We will be abandoning the cPanel LTS version in the near future. We will be moving to supporting only the STABLE version or newer.
    • The reason for this is that we have found that the churn of features and bugs in cPanel makes it too difficult for us to reasonably produce a single plugin that works well on both LTS and current versions.

v0.11.1 - November 16, 2017


  • Renewals will now occur by default 32 days prior to certificate expiry
    • The reason for this change is to stay ahead of the upcoming expiration notices at 30 days, introduced in cPanel 68
    • The interval duration can be set via the renewal_countdown_days config key (must be above 0 and below 60)
  • Licensing is no longer a fatal error
    • This means that you will no longer receive a “letsencrypt-cpanel is down” email message if the cause is an invalid licence
    • The cPanel user interface is disabled if the plugin is not correctly licensed
    • All renewals disabled if the plugin is not correctly licensed
    • A warning will be displayed in the WHM user interface if the plugin is not correctly licensed

v0.11.0 - November 15, 2017


  • CRITICAL: Fixes bug in underlying library relating to changes to Let’s Encrypt ACME/Boulder directory. This is a mandatory upgrade.

v0.10.5 - November 01, 2017


This is a bugfix release.

  • FIX: Bug with uninstaller and cPanel service monitor
  • FIX: Reload RPC server automatically if cPanel service certificate is replaced.
  • MISC: Add le-cp config rpc-force-reload

v0.10.4 - October 03, 2017


  • FEATURE: Try both /usr/local/apache/htdocs and /var/www/html for hostcert validation, if they exist, in addition to any configured path.
  • FIX: Plugin will restore Let’s Encrypt cabundle which may be deleted incorrectly by cPanel in some environments (cPanel case 8829413).
  • FIX: Fix error spam issue with API tokens on cPanel servers too old to support API-token-based authentication.
  • FIX: Avoids graceful Apache restarts on servers that aren’t using deferred_restarts.
  • FIX: Handle fetch_ssl_vhost API being changed in upcoming cPanel version 68.

These release notes also include the changes that occured in 0.10.3, which was released a month ago:

  • FIX: Try to use API token before resorting to access hash
  • MISC: ACME poll timeout increased to 90s to give better error information when nameservers not supporting CAA are timing out.

v0.10.2 - July 24, 2017


  • FEATURE: Support for cPanel 66 Api Tokens
  • FIX: Fix downloading an invalid licence to replace expired trial versions

v0.10.0 - July 15, 2017


  • FEATURE: Proxy subdomains/cPanel subdomains
    • e.g. cpanel., webmail. etc subdomains for customer domains
    • Forward DNS records are required in place for all proxy subdomains. This will typically only affect domains that have their DNS hosted externally to cPanel’s nameservers.
    • These can be enabled on a per-domain basis when issuing a certificate in the Let’s Encrypt cPanel interface
    • We apologize for the delay in getting this feature out, but there were some technical hurdles to get over first
  • MISC: For servers licensed under Individual licences, the plugin will attempt to download a valid licence automatically
    • This happens when the service starts up and additionally during licence checks
    • The forward DNS record for the server hostname must exist and be correct for this to work
  • MISC: Licence check now runs every 6 hours, down from 24 hours

v0.9.6 - July 10, 2017


  • FIX: Fixed a problem where trial licences were not behaving properly.

Status Update

Improvements always coming! Here’s what we are working on:

  • Soon: Support for proxy subdomains (cpanel., webmail., webdav. etc)
  • Medium term: Option for validation via DNS than webroot/http-01 (experimental)
  • Medium term: Support for IETF ACME v2 protocol
  • Jan 2018: Support for free wildcard certificates.

v0.9.5 - April 13, 2017


  • FIX: AutoSSL: Fixed preflight bug which mistakenly identified account as having pre-existing certificates
  • FIX: Service Certificates: Fix bug where service cert was being installed to apple mail push in cPanel 64 and failing

v0.9.4 - April 01, 2017


  • FIX: 0.9.2 introduced a nil panic for deployments where plugin AutoSSL was enabled.
  • FIX: 0.9.3 did not properly address the above bug and has been pulled

v0.9.2 - March 30, 2017


  • FIX: Compatibility fixes for cPanel bugs that currently exist in the CURRENT/Release Candidate tier.
    • Please note, if you are on a buggy 64 release, then the Let’s Encrypt feature will be available for all users regardless of their status in feature manager. This is unavoidable due to the nature of the bug.
  • FIX: Plugin will not try to install certs for Apple APN service in cPanel 64
  • FEATURE: Mail can now be relayed via an external server rather than the system MTA

v0.9.0 - March 01, 2017


  • FEATURE: Reporting
  • FEATURE: There is now a ‘Configuration’ section in the WHM Let’s Encrypt SSL.
    • This is only a subset of the total configuration options available, but it should be most of the useful ones
    • CLI: Added config list, config set --key k --value v. Refer to CLI docs
  • FEATURE: Add config option autossl_skip_patterns, which is an array of regex patterns that the plugin should test against when processing AutoSSL.
  • FEATURE: Add config options disable_success_mail, disable_mail which globally disable renewal success emails, and all renewal emails globally
    • These are also available in the WHM interface
  • UI: Automatically select already-selected domains when issuing a certificate for a virtual host with an existing plugin certificate (i.e. to prevent RSI when there are many alias or subdomains)
  • FIX: le-cp ssl issue will now always include the main domain of the virtual host, regardless of arguments.
    • This fixes the ‘/.well-known’ nil virtualhost permissions error
  • FIX: le-cp will now print useful info when run rather than assuming it is running as CGI
  • FIX: le-cp self-test should now be more useful for licensing issues
  • FIX: More changes to try improve installer reliability in some environments
  • UI: WHM interface is now ‘tabbed’
  • MISC: Now built with Go 1.8 (previously 1.6.4)

v0.8.1 - February 07, 2017


  • FIX: Renewal error relating to ‘mkdir permissions’ fixed (only affecting certificates from old versions that did not include the main virtualhost domain)
  • FIX: Stop BoltDB writing to disk every 5 seconds
  • FIX: Emails now come from ‘Let’s Encrypt SSL’ again instead of ‘FleetSSL’

v0.8.0 - February 02, 2017


  • FIX: Renewal was significantly reworked to handle cases where the type of a virtualhost (addon, alias, etc) for a domain changed between renewals(thanks Joseph).
  • FEATURE: HTML Email support
  • FEATURE: Added config flags to set day of week & time of day to begin processing renewals.
  • FEATURE: Post renewal hook
    • Run a command/script when certificates are renewed
    • Please see Configuration for more details.
  • FIX: Fixed a race condition in the installer which sometimes caused the background service to not install properly.
  • FIX: Restart Apache every hour during renewals.
  • FIX: AutoSSL now properly uses deferred restarts.
  • UI: Only auto-select www. and mail. subdomains of primary domain, instead of all domains, when issuing a new certificate.
  • UI: Misc UI changes, including links to rate limits on issue page and service status widget on main page.
  • MISC: Rebranding to FleetSSL where applicable.

v0.7.9 - January 09, 2017


  • FIX: Implemented fix for “unknown error” during installation or renewals

v0.7.8 - December 08, 2016


  • FEATURE: Deferred apache restarts for certificate renewals (beta)
    • Currently behind a feature flag
    • See Configuration to enable it.
  • FEATURE: Now compatible with redirected alias domains.
  • FEATURE: le-cp ssl renew now has an optional --force flag
  • FIX: Sometimes installer would fail on cPanel 60+
  • UI: Added descriptions to user settings page
  • MISC: Updating all logging to use consistent structured logging
  • FEATURE: Plugin checks writability and availability of /.well-known/acme-challenge/ prior to issuing attempts
    • Pushed back to 0.8.x.

v0.7.7 - October 29, 2016


This is a minor bugfix release. The next major upcoming release will introduce deferred webserver restarts when doing renewals/AutoSSL to reduce the overall server load on servers with a lot of accounts.

  • FIX: Ensure that AutoSSL always enables SNI (redundant after cPanel v60)
  • UI: Plugin will now show up in cPanel when user searches for ‘SSL’
  • MISC: Add hasSuffix, contains functions to template functions
  • MISC: Add rpc ‘ping’ to self-test

v0.7.6 - October 03, 2016


  • FIX: Compatible with cPanel v59/v60 api changes

v0.7.4 - August 20, 2016


  • FIX: Simplified certificate issuing process for end users
  • FIX: autossl [enable/disable] would only take effect after the second invocation
  • FIX: Remove extended sleeps between accounts during AutoSSL/Renewal
  • FIX: Make it harder to accidentally have two certificates for the same virtualhost
  • FIX: Fixed regression where plugin wasn’t removed properly from chkservd on uninstallation
  • MISC: Add config flag to control renewal/AutoSSL delay between accounts (for managing server load)

v0.7.2 - August 09, 2016


  • FIX: Version 0.7.0 introduced checking for user quotas, which caused a regression where issuing and renewal would fail if the server did not have the quotas package available and quotas were disabled. This addresses that regression.

v0.7.1 - August 09, 2016


This is a bugfix patch to 0.7.0.

  • FIX: New hostcerts were incorrectly using ECDSA
  • FIX: WHMCS Hook didn’t handle the case where domain registration was delayed
  • MISC: Add le-cp hostcert reset CLI command

v0.7.0 - August 07, 2016


  • FEATURE: ‘AutoSSL’ - automatic certificates for all domains
  • FEATURE: CLI API interface
  • FEATURE: WHMCS Hook
  • FEATURE: GRPC API
  • FEATURE: Ability for admin to configure parameters for private keys:
    • RSA 2048, RSA 4096, ECDSA P-256, ECDSA P-384
    • Uses ECDSA by default for Let’s Encrypt account key (significantly faster)
    • Reduces default RSA private key size for certificates to 2048 from 4096
  • FEATURE: self-test command to make sure environment is OK
  • FIX: Fix $LANG{} cosmetic error that occurs on some minority of servers
  • FIX: httpoxy vulnerability (not viable to exploit in this instance)
  • FIX: Detect when hostname has changed for service certificates
  • FIX: Plugin does not try to alter accounts with no disk quota remaining
  • FIX: Fix annoying cosmetic WHM Service Manager bug
  • MISC: Add some styling to WHM interface

v0.0.5 (December 06, 2015) through v0.6.5 (July 15, 2016)


v0.6.5 - July 15, 2016

v0.6.4 - July 03, 2016

  • FIX: 2FA support was not working when JSON-API was protected in WHM Security Policies

v0.6.3 - June 30, 2016

  • FIX: Accounts with a large number of LE certificates configured were failing to renew properly

v0.6.2 - June 18, 2016

  • FIX: Rewrite x3 installer to future proof for cPanel 56+ and prevent issues with older themes

v0.6.1 - June 18, 2016

  • FIX: Change access method for WHM plugin to use access hash and restrict to root

v0.6.0 - June 16, 2016

  • FEATURE: Provisional support for WHM servers with 2FA enabled (no config required)
  • FEATURE: Theming support for custom (non X3/Paper Lantern) themes
  • FEATURE: Basic read-only WHM interface so you can see what certs have been issued (work-in-progress)
  • FEATURE: ‘Settings’ page for users so they can disable renewal emails via the UI
  • FEATURE: ‘Select All’ button on UI for issuing certs
  • FIX: Renewals for suspended accounts and accounts that no longer have the letsencrypt feature will no longer be processed
  • FIX: Less confusing Feature Manager descriptions
  • MISC: ListenAddr is no longer a config option

v0.5.8 - May 07, 2016

  • FIX: Trap/Abort error on some kernels/architectures
  • FIX: Process/PID handling on reboots on sysv systems

v0.5.7 - April 25, 2016

  • FEATURE: allow extra names on service certificate (see service certificate docs)
  • FIX: X1->X3 intermediate transition could fail in rare circumstances
  • FIX: validation filename may have broken validation in rare circumstances
  • FIX: mail SNI status being lost between renewals

v0.5.0 - April 3, 2016

  • FEATURE: New issuing interface with better support for alias domains
  • FEATURE: Multiple language localisation files
  • FEATURE: Localised renewal emails
  • FEATURE: Global renewal mail disable
  • FEATURE: Service certificate renewal sends email to root@hostname
  • FIX: Improved detection for whether the feature is enabled in WHM
  • FIX: Improved status detection of installed certificates
  • FIX: Improved removal of certificates
  • MISC: Check install mail sni by default

v0.4.7 - March 10, 2016

  • FIX: edge case with new forks not handling let’s encrypt response properly

v0.4.5 - March 09, 2016

This is a bugfix build in anticipation of a major release, with better alias/parked domain UX.

  • FEATURE: 32-bit releases now available
  • FEATURE: service certificates out of beta
  • FIX: daemon renewal now forks as user rather than using privileged API
  • FIX: template string unparsed when using x3
  • FIX: more reliable service restarts

v0.4.1 - February 15, 2016

Featuring, the most-often requested feature ever: Service Certificates.

  • FEATURE: Added support for Let’s Encrypt certificates for the WHM host domain
    • This is the first release of this feature, consider it in beta.
  • FEATURE: Added cron mode for users who don’t have root but want Let’s Encrypt
    • This is a technical preview
  • FEATURE: Multi-locale translation support
  • FIX: Renewal process now supports document roots containing symlinks (thanks Mike H).
  • FIX: Improved installation scripts and error handling
  • FIX: for status not showing installed when primary domain isn’t first in certificate
  • MISC: Automatic fetching of trial licence during install, when possible.

v0.3.2-3 - January 31, 2016

!!! Emergency Update !!! For more information, click here.

  • Packaging fix for upgrades

v0.3.2-2 - January 31, 2016

  • Fix for previous FQDN fix

v0.3.2-1 - January 30, 2016

This is a bugfix release in anticipation of a major release in the next two weeks.

  • Installer more reliable now
  • Fix: when WHM hostname is not a FQDN but has a valid certificate

For Developers,

  • Makefile now forces a static binary for compilation
  • Added reproducible builds via docker

v0.3.0 - December 23, 2015

(Install only available via yum repository now)

  • Now works on x3 theme. We strongly recommend the switch to Paper Lantern.
  • Customisable template and translation files
  • Parked domains support
  • Improved subdomain support (www. etc)
  • View and reinstall actions for existing certificates
  • Mail SNI!
  • Yum repository (automated installation possible now)

v0.1.2 - December 17, 2015

Permanent link to download

  • Renewal processing is now rate limited in order to prevent cpsrvd from getting overwhelmed.
  • Installer will now proceed if an existing licence is already installed

v0.1.1 - December 15, 2015

Permanent link to download

Fix bug in cgi on user accounts with large numbers of domains

v0.1.0 - December 07, 2015

Permanent link to download

Now supports issuing certificates with www. prefixes with subjectAltName.

Parked domains are disabled temporarily due to awkward API behavior

v0.0.5 - December 06, 2015

This is the initial release of the Let’s Encrypt for cPanel plugin.

Permanent link to download

Known issues:

  • Not issuing www. certificate at same time as root prefix.