SSL & AutoSSL
VeloServe provides full HTTPS support with per-domain SSL certificates and seamless integration with cPanel's AutoSSL feature.
TLS Architecture
VeloServe uses rustls (a pure-Rust TLS implementation) with SNI (Server Name Indication) to serve the correct certificate for each domain:
Client connects to port 443
→ TLS handshake includes SNI hostname (e.g., "example.com")
→ VeloServe looks up certificate for "example.com"
→ If found: use per-domain cert
→ If not found: use global fallback cert
→ Complete TLS handshake
→ Serve HTTP response
Configuration
Global SSL (Fallback)
The [ssl] section defines the default certificate used when no per-domain match is found:
On cPanel servers, this is typically the server's self-signed certificate.
Per-Domain SSL
Each virtual host can specify its own certificate:
[[virtualhost]]
domain = "example.com"
root = "/home/user/public_html"
ssl_certificate = "/var/cpanel/ssl/installed/certs/example_com.crt"
ssl_certificate_key = "/var/cpanel/ssl/installed/keys/example_com.key"
Listening on Port 443
Ensure the server config includes the SSL listener:
AutoSSL Integration
cPanel's AutoSSL automatically provisions free SSL certificates (typically Let's Encrypt or Sectigo) for all domains on the server.
How It Works with VeloServe
- AutoSSL runs on its regular schedule (or is triggered manually in WHM)
- Certificates are issued and written to /var/cpanel/ssl/installed/certs/ and /var/cpanel/ssl/installed/keys/
- cPanel fires the SSLStorage::add_ssl hook
- VeloServe's hook script updates the matching [[virtualhost]] with the new certificate paths
- VeloServe reloads and begins serving the new certificate
This is fully automatic — no manual intervention required.
Verifying AutoSSL
Check AutoSSL status in WHM:
- Go to WHM > SSL/TLS > Manage AutoSSL
- Verify AutoSSL is enabled
- Run AutoSSL manually if needed
Or from the command line:
Certificate Paths on cPanel
| Type | Path Pattern |
|---|---|
| Certificates | /var/cpanel/ssl/installed/certs/<hash>.crt |
| Private Keys | /var/cpanel/ssl/installed/keys/<hash>.key |
| CA Bundles | /var/cpanel/ssl/installed/cabundles/<hash>.cabundle |
VeloServe reads the certificate and key files directly — no intermediate conversion needed.
Checking Certificate Status
From the WHM Plugin
The SSL/TLS page in the VeloServe WHM plugin shows:
- Global certificate information
- Per-domain certificate table with issuer, expiry, and status
- Warnings for certificates expiring within 30 days
From the Command Line
# Check a specific certificate
openssl x509 -in /var/cpanel/ssl/installed/certs/example_com.crt -noout -dates -subject -issuer
# Check what VeloServe is serving
openssl s_client -connect localhost:443 -servername example.com < /dev/null 2>/dev/null | openssl x509 -noout -dates -subject
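As an added example (not part of VeloServe or cPanel), the function below extends those checks: it confirms that a certificate and key are readable, that the key belongs to the certificate, and that the certificate is outside the 30-day window the WHM plugin warns about. The name `check_pair` and its return codes are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not VeloServe or cPanel tooling.
# check_pair CERT KEY [DAYS]
#   0 = pair is usable
#   1 = a file is missing or unreadable
#   2 = certificate or key cannot be parsed, or they do not belong together
#   3 = certificate expires within DAYS (default 30)
check_pair() {
    local cert="$1" key="$2" days="${3:-30}"
    local cert_pub key_pub

    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "unreadable: $cert or $key" >&2
        return 1
    fi

    # Public key inside the certificate vs. public key derived from the
    # private key. Both are printed as the same PEM structure, so a plain
    # string comparison is enough.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "key does not match certificate: $cert" >&2
        return 2
    fi

    # -checkend exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null; then
        echo "expires within $days days: $cert" >&2
        return 3
    fi
    return 0
}

# Run as a script: ./check_pair.sh /path/to/cert.crt /path/to/key.key [days]
if [ "$#" -ge 2 ]; then
    check_pair "$@"
fi
```

A return code of 2 on a pair referenced by a [[virtualhost]] means the handshake for that domain cannot succeed with those files, regardless of what the hook wrote into the config.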
Renewing Certificates
Certificates provisioned by AutoSSL are renewed automatically before expiry. When a renewal occurs:
- The new certificate files replace the old ones on disk
- The SSLStorage::add_ssl hook fires
- VeloServe picks up the new paths and reloads
If you need to force a renewal:
# Via WHM
# SSL/TLS > Manage AutoSSL > Run AutoSSL
# Via command line
/usr/local/cpanel/bin/autossl_check --user=username
Troubleshooting
HTTPS not working
- Verify listen_ssl is set in your config:
- Check that certificate files exist and are readable:
- Verify VeloServe is listening on port 443:
Certificate mismatch
If a browser shows the wrong certificate for a domain, check that the correct certificate is mapped in veloserve.toml:
Re-import from Apache if needed:
Next Steps
- cPanel Hooks — the event system that keeps SSL in sync
- Configuration: SSL/TLS — full TLS config reference
- Apache Swap — how certificates are imported from Apache