
Why cPanel AutoSSL Says "User-Excluded Domains"? How to Fix It?

If you manage a cPanel/WHM server and you've seen this message after adding a new domain, here's what's happening and how to resolve it permanently.


You're not alone. This is a frustrating bug that appears after certain cPanel updates, and the fix is not obvious because the exclusion isn't stored where you'd expect it.


What the Error Actually Means

When AutoSSL reports COMPLETELY_EXCLUDED, it means the domain has been flagged as explicitly excluded from automatic SSL issuance. cPanel won't attempt to get a Let's Encrypt certificate for it, even if Let's Encrypt is your configured provider and the domain resolves correctly.


Why It Happens

After certain cPanel updates, the AutoSSL exclusion list doesn't get cleared when new domains are added. Instead, new subdomains and addon domains get written into the exclusion list automatically — possibly a bug in how cPanel handles the domain registration event.

The exclusion data is not stored in the obvious places (not in /var/cpanel/userdata/USERNAME/ as a flat file), so the usual advice you'll find online doesn't work.


Where the Exclusions Are Actually Stored

In cPanel 130+, AutoSSL exclusions are stored as JSON files here:

/var/cpanel/ssl/autossl/excludes/

Each cPanel account has its own file:

/var/cpanel/ssl/autossl/excludes/username.json

The contents look like this:

{
  "excluded_domains": [
    "example.com",
    "www.example.com",
    "mail.example.com"
  ]
}

Any domain listed here will be skipped by AutoSSL entirely.


How to Fix It

Step 1 — Check which accounts have exclusions

find /var/cpanel/ssl/autossl/excludes/ -name "*.json" 2>/dev/null

Step 2 — Inspect a specific account's exclusions

cat /var/cpanel/ssl/autossl/excludes/username.json

Replace username with the actual cPanel account name.

Step 3 — Remove the exclusion for a specific domain

Open the file in vi and remove the offending domain entries from the excluded_domains array:

vi /var/cpanel/ssl/autossl/excludes/username.json

Step 4 — Or wipe all exclusions entirely

If you don't want any domains excluded from AutoSSL across your entire server, back up and delete all exclusion files:

# Back up first
cp -r /var/cpanel/ssl/autossl/excludes/ /root/autossl_excludes_backup/

# Delete all exclusion files
rm /var/cpanel/ssl/autossl/excludes/*.json

Step 5 — Run AutoSSL

For a single account:

/usr/local/cpanel/bin/autossl_check --user=username

For all accounts on the server:

/usr/local/cpanel/bin/autossl_check --all
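
Steps 1 to 3 above can be scripted instead of done by hand in vi, which avoids leaving the JSON invalid (a stray trailing comma is enough to make AutoSSL ignore the file). The following is an added example, not a cPanel tool: it assumes the per-account layout described above (`<excludes dir>/<username>.json` holding an `excluded_domains` array); the account name and domains inside `demo()` are constructed sample data.

```python
"""Audit and prune cPanel AutoSSL exclusion files (added example, not cPanel's own tool).
Assumes <excludes dir>/<username>.json holds {"excluded_domains": [...]}; demo() data is constructed."""
import json
import shutil
import tempfile
from pathlib import Path

EXCLUDES_DIR = Path("/var/cpanel/ssl/autossl/excludes")

def list_exclusions(excludes_dir=EXCLUDES_DIR):
    """Steps 1-2: return {username: [excluded domains]} for every account file."""
    found = {}
    for path in sorted(Path(excludes_dir).glob("*.json")):
        with open(path) as fh:
            found[path.stem] = list(json.load(fh).get("excluded_domains", []))
    return found

def remove_exclusion(username, domain, excludes_dir=EXCLUDES_DIR, backup_dir=None):
    """Step 3: drop `domain` from one account's excluded_domains array.
    Backs the original up to backup_dir first; returns the remaining list,
    or None when the account has no exclusion file."""
    path = Path(excludes_dir) / f"{username}.json"
    if not path.is_file():
        return None
    if backup_dir is not None:
        Path(backup_dir).mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, Path(backup_dir) / path.name)
    with open(path) as fh:
        data = json.load(fh)
    # Hostnames are case-insensitive, so compare lower-cased
    remaining = [d for d in data.get("excluded_domains", []) if d.lower() != domain.lower()]
    data["excluded_domains"] = remaining
    tmp = path.with_name(path.name + ".tmp")
    with open(tmp, "w") as fh:
        json.dump(data, fh, indent=2)
        fh.write("\n")
    tmp.replace(path)  # atomic rename: AutoSSL never reads a half-written file
    return remaining

def demo():
    """Exercise both functions on a constructed account file in a temp dir."""
    work = Path(tempfile.mkdtemp())
    sample = {"excluded_domains": ["example.com", "www.example.com", "mail.example.com"]}
    (work / "username.json").write_text(json.dumps(sample))
    before = list_exclusions(work)
    after = remove_exclusion("username", "WWW.example.com", work, work / "backup")
    return before, after, list_exclusions(work), list_exclusions(work / "backup")

if __name__ == "__main__":
    print(demo())
```

On a real server call `list_exclusions()` and `remove_exclusion()` with their defaults as root, then run the Step 5 `autossl_check` command for the account you changed.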

Other Reasons AutoSSL May Fail

Once the exclusion is cleared, AutoSSL might still report issues for some domains. These are separate problems with different fixes:

If an addon domain's DNS points to an external IP (e.g. Cloudflare, another host), AutoSSL's HTTP DCV (Domain Control Validation) will fail because Let's Encrypt can't reach the challenge file on your server. These domains should either be removed from cPanel or kept excluded intentionally.

If your site has a redirect or deny rule that catches /.well-known/, Let's Encrypt will get a 403 and fail validation. Check your .htaccess for rules like:

RewriteRule ^(.*)$ https://example.com/$1 [R=301,L]

Add an exception above it:

RewriteRule ^\.well-known/ - [L]

If AutoSSL has made too many failed attempts, Let's Encrypt will temporarily block further requests (typically for 1 hour). The error will tell you exactly when you can retry. Wait it out, fix the underlying issue, then run AutoSSL again.

Preventing This in the Future

After clearing exclusions, check your WHM AutoSSL settings at WHM → SSL/TLS → Manage AutoSSL:

  • Confirm Let's Encrypt is the active provider
  • Enable "Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates" — this gets reset after some updates and is the most common reason self-signed certs don't get replaced automatically

It's also worth running a full --all check periodically to catch any accounts that silently accumulated exclusions.


Summary

Symptom                            | Root Cause                                 | Fix
-----------------------------------|--------------------------------------------|------------------------------------------------------------------
COMPLETELY_EXCLUDED on new domain  | Domain written to exclusion JSON           | Delete entry from /var/cpanel/ssl/autossl/excludes/username.json
Self-signed cert not replaced      | "Replace non-AutoSSL certs" setting reset  | Re-enable in WHM → Manage AutoSSL
DCV fails, wrong IP                | Domain DNS points elsewhere                | Remove addon domain or keep excluded
403 on ACME challenge              | .htaccess blocking /.well-known/           | Add RewriteRule ^\.well-known/ - [L] exception
Rate limit error                   | Too many failed attempts                   | Wait 1 hour, fix root cause, retry
