Problem: Cloudflare's proxy conflicts with the cPanel Sectigo and Let's Encrypt AutoSSL certificates.
Details: cPanel tries to visit https://www.yourdomain.com/.well-known/pki-validation/* but can't because of Cloudflare Rules (https/www) or redirects. cPanel can't verify that the IP address is correct either because Cloudflare masks (proxies) the origin's IP address.
Solution: There are a few ways to fix this:
- Buy and install a "real" certificate.
- Every ~90 days, you'll have to disable the Cloudflare proxy for a few minutes before visiting cPanel to force Let's Encrypt/Sectigo to renew the SSL certificate in the AutoSSL area of cPanel. Re-enable the Cloudflare proxy when you're done.
- Add a new Cloudflare Rule above other rules to bypass automatic HTTPS rewrites. Put "http://*.yourdomainname.com/.well-known/pki-validation/*" in the URL field, select "Automatic HTTPS Rewrites," and disable the slider button. Save and Deploy.
- Create and install a Cloudflare 15-year origin certificate. Visit SSL/TLS > Origin Server to create and install the certificate on cPanel like a "real" certificate.