Symptoms
After installing an external certificate, AutoSSL will no longer replace the certificate, even if it is set to expire. The AutoSSL log will have an entry similar to the following.
Impediment: CERTIFICATE_IS_EXTERNALLY_SIGNED: The certificate is neither self-signed nor from AutoSSL.
Description
By default, AutoSSL will not replace externally issued certificates. This prevents EV and OV certificates from being replaced. AutoSSL has a setting that allows it to replace these certificates. When you enable this option, AutoSSL will install certificates that replace users’ non-AutoSSL certificates if they are invalid or expire within three days.
Workaround
- Log into WHM as the ‘root’ user.
- Navigate to "Home / SSL/TLS / Manage AutoSSL."
- Click the "Options" tab.
- Enable the "Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates" option.
- Click the "Save" button.
Additional resources
Manage AutoSSL: Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates