By:
dacevedo

Install SSL certificate manually on serverpilot

February 6, 2015 15.7k views

Hi, do you guys know if it is possible to install an SSL certificate on ServerPilot, but not through the panel? I mean, I have the free plan so that option is not available. Can I do it by myself?

7 comments
  • Same question...

  • @ThatPoorKid Could you find a solution? I've been reading blogs but I am sort of a noob at this.

  • Following normal commandline procedures to install SSL into Apache2, you should not have any problems. There's plenty of online tutorials, even video tutorials, showing how to do that.

  • I have successfully installed SSL, but when I opened the WordPress site, Firefox showed "Insecure contents. ssl some unencrypted elements on this website have been blocked". WordPress is totally messed up... Any idea about this error?
    Thanks

  • Hi @beenaoc, this is not a problem with the SSL certificate. It means your WordPress is calling assets without the https URL path. I had the same issue. You can manually check your site for such URLs and make the changes, or install a plugin that forces WordPress to do so. Sorry if my English isn't perfect, but I am willing to help.

    For example: you insert an image with the path http://yoursite.com/image.jpg instead of https://yoursite.com/image.jpg. This applies to everything, including JS, CSS, etc.

  • I selected the Coach plan to deploy SSL. After that I downgraded to the free plan and, surprise, SSL still works. I can't understand.

  • Yes caoquyenis, but what happens when the cert expires?
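
The mixed-content problem described in the comments above (assets referenced with http:// on a site served over HTTPS) can be located from the command line. This is an added example, not part of the original thread; the function names and the sample page are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report sub-resources that an HTTPS page
# still requests over plain http://, which is what the browser blocks.
# Reads HTML on stdin, prints one "<kind> <url>" line per insecure reference.
# Anchors (<a href>) are ignored: following a link is not mixed content.
# Caveat: <link> is reported whatever its rel, so rel="canonical" can show up.
# Typical use: curl -s https://yoursite.com/ | find_mixed_content

q="[\"']"   # either quote character, for use inside the patterns below

find_mixed_content() {
    html=$(tr '\n' ' ')          # join lines so multi-line tags still match
    # src/href on tags that make the browser fetch something
    printf '%s\n' "$html" |
        grep -oiE "<(img|script|iframe|link|source|audio|video|embed)[^>]*[[:space:]](src|href)=${q}http://[^\"'>]+" |
        sed -E "s/^<([A-Za-z]+).*[[:space:]](src|href)=${q}(http:.*)\$/\\1 \\3/"
    # url(...) references in inline styles and <style> blocks
    printf '%s\n' "$html" |
        grep -oiE "url\\(${q}?http://[^\"')]+" |
        sed -E "s/^[^(]*\\(${q}?/css /"
}

# Exit status 0 when the page is clean, 1 when insecure references were found.
page_is_clean() {
    found=$(find_mixed_content)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed sample page: four insecure references, one secure image and
# one ordinary link that must not be reported.
sample_page() {
    cat <<'EOF'
<link rel="stylesheet" href="http://yoursite.com/style.css">
<script src='http://yoursite.com/app.js'></script>
<img class="hero"
     src="http://yoursite.com/image.jpg">
<img src="https://yoursite.com/ok.jpg">
<div style="background: url(http://yoursite.com/bg.png)"></div>
<a href="http://yoursite.com/page">a plain link, not mixed content</a>
EOF
}
```

Running `sample_page | find_mixed_content` lists the stylesheet, script, image and CSS background, and skips the https image and the anchor.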

14 Answers

Answering here in case others are searching for a solution:

ServerPilot uses Nginx as the public facing web server and proxies the requests to Apache. So, we have to add our SSL configuration to Nginx.

Steps:

Login to the server using SSH

Create a directory to hold the certificate and key files.

cd /home
mkdir -p certs/domain_name

Copy the certificate (.crt) and private (.key) files to this directory. Replace domain_name with your domain name.

Add custom SSL configuration here:

cd /etc/nginx-sp/vhosts.d
nano APP_NAME.ssl.conf

Replace APP_NAME with your actual app name (website). Put this inside the file APP_NAME.ssl.conf:

###############################################################################
# Install SSL Certificate
###############################################################################

server {
    listen       443 ssl;
    listen       [::]:443 ssl;
    server_name
        www.DOMAIN.com
        DOMAIN.com
      ;

    ssl_certificate /home/certs/domain_name/certificate_file.crt;
    ssl_certificate_key /home/certs/domain_name/privatekey_file.key;

    root   /srv/users/serverpilot/apps/APP_NAME/public;

    access_log  /srv/users/serverpilot/log/APP_NAME/APP_NAME_nginx.access.log  main;
    error_log  /srv/users/serverpilot/log/APP_NAME/APP_NAME_nginx.error.log;

    proxy_set_header    Host              $host;
    proxy_set_header    X-Real-IP         $remote_addr;
    proxy_set_header    X-Forwarded-For   $proxy_add_x_forwarded_for;

    include /etc/nginx-sp/vhosts.d/APP_NAME.d/*.nonssl_conf;
    include /etc/nginx-sp/vhosts.d/APP_NAME.d/*.conf;
}

As usual, replace APP_NAME, domain_name, certificate_file and privatekey_file with your own values.

Restart Nginx

service nginx-sp restart

That's it. The SSL certificate is installed.

edited by asb
  • Hey thanks for the tip
    Have you missed "ssl on;" ?

  • @autorun Ah yes, thanks for pointing it out. I'm not sure how to update my original answer.

    ssl on;
    ssl_certificate /home/certs/domain_name/certificate_file.crt;
    ssl_certificate_key /home/certs/domain_name/privatekey_file.key;
    
  • Should logs be in a different place than the normal HTTP old ones?
    Maybe:

    access_log /srv/users/serverpilot/log/APP_NAME/APP_NAME_nginx.ssl.access.log main;

    Everything works but I can't see any https log...
    
  • You can also enable SSL, by adding a ssl.conf file to /etc/nginx-sp/vhosts.d/{yourappname}.d

    And include just the listen and SSL parts there. Don't wrap it in server blocks.

    Works fine and you're less prone to ServerPilot accidentally throwing away your SSL config.

NikhilSharma thanks heaps!!

Here's the final .ssl.conf file with the changes incorporated from the comments above.

server {
    listen       443 ssl;
    listen       [::]:443 ssl;
    server_name
        www.DOMAIN.com
        DOMAIN.com
      ;

    ssl on;

    ssl_certificate /home/certs/domain_name/certificate_file.crt;
    ssl_certificate_key /home/certs/domain_name/privatekey_file.key;

    root   /srv/users/serverpilot/apps/APP_NAME/public;

    access_log  /srv/users/serverpilot/log/APP_NAME/APP_NAME_nginx.access.log  main;
    error_log  /srv/users/serverpilot/log/APP_NAME/APP_NAME_nginx.error.log;

    proxy_set_header    Host              $host;
    proxy_set_header    X-Real-IP         $remote_addr;
    proxy_set_header    X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-SSL on;
    proxy_set_header    X-Forwarded-Proto $scheme;

    include /etc/nginx-sp/vhosts.d/APP_NAME.d/*.nonssl_conf;
    include /etc/nginx-sp/vhosts.d/APP_NAME.d/*.conf;
}

Make sure you replace APP_NAME, domain_name, certificate_file and privatekey_file with your own values.

If your paths are incorrect you will either get an error when you restart Nginx or a 403 error when you visit your website.


Restart Nginx

service nginx-sp restart
  • I use cloudflare and I can't do the certificate work. Any idea How I can setup cloudflare or my server?

    Thank you very much!

  • Thanks that was amazing and very sweet. Up and running on SSL within 10 minutes or so.

  • I have set up SSL on the second app following your instructions as above, but when I visit the site, it's reading the SSL certificate of the 1st app, so visitors are getting a warning.

    Any idea where I might have gone wrong? I have checked all the pathways and they seem right. Frustrating.

    Thanks,
    Ravinder

I recently wrote a detailed tutorial for it. The actual SSL installation and configuration on ServerPilot will take less than 10 minutes. You can check it out over here:

https://www.blogmehow.com/how-to-manually-install-ssl-on-serverpilot-free-plan-1331/

Let me know if it helps...

  • THIS WAS THE ONLY THING THAT HELPED ME! FINALLY! THANK YOU THANK YOU THANK YOU!

    I love serverpilot, but REFUSE to pay $120/yr per server for what should be a simple text config. SP really needs to toss this config into their FREE account. WTF?

Awesome dude, thank you very much for taking the time to help little noobs like me, lifesaver! hahaha @NikhilSharma

Thanks a lot!
Do you also know how to manage CA certs?

e.g. with comodo I have these CA certs:
COMODORSADomainValidationSecureServerCA.crt
COMODORSAAddTrustCA.crt
AddTrustExternalCARoot.crt

  • OK figured it out:
    All individual crt-files above have to be combined into one (bundled) crt-file.
    Then simply replace the file name above "certificate_file.crt" with your bundle.crt-file (or whatever you named the file).
    Test it here to see if all the certs chain up nicely: https://www.sslshopper.com/ssl-checker.html
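
A local check for the certificate and key files used in the steps above, including a bundled .crt as described in the previous comment, to run before restarting nginx-sp. This is an added example, not part of the original thread; the function names are hypothetical, and it assumes the openssl command-line tool is installed and the private key has no passphrase.

```shell
#!/bin/sh
# Added example (not from the thread): checks to run on the files named in
# ssl_certificate / ssl_certificate_key before restarting nginx-sp.
# Assumes the openssl CLI is installed and the private key has no passphrase.

# 0 when the FIRST certificate in the file holds the same public key as the
# private key. nginx expects the server certificate first in a bundle, so a
# bundle concatenated in the wrong order fails this check too.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 when group and others have no permission bits on the key file.
key_is_private() {
    [ -f "$1" ] || return 2
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Number of certificates in a PEM file: 1 = server cert only, more = bundle.
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# 0 when the certificate file does not also contain a private key block.
cert_file_has_no_key() {
    ! grep -q -e 'PRIVATE KEY-----' "$1"
}

preflight() {
    cert=$1; key=$2; rc=0
    cert_matches_key "$cert" "$key" || { echo "FAIL: first cert in $cert does not match $key"; rc=1; }
    key_is_private "$key" || { echo "FAIL: $key is readable by group/others (chmod 600)"; rc=1; }
    cert_file_has_no_key "$cert" || { echo "FAIL: $cert contains a private key"; rc=1; }
    echo "certificates in $cert: $(count_certs "$cert")"
    return $rc
}

# Usage: sh preflight.sh /home/certs/domain_name/certificate_file.crt \
#                        /home/certs/domain_name/privatekey_file.key
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

A key copied into a directory created with the default umask is usually mode 644, so the permission check is the one most likely to fail on a server set up by following the steps above.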

@NikhilSharma hi again! I have a little question more, if you have time =)...

In the case of a wildcard SSL, is it the same steps as above but for each subdomain?

Thanks again.

  • That is correct. Just make sure that the domain in the certificate itself is set to *.yourdomain.com.

Should I replace :
www.DOMAIN.com
DOMAIN.com
as well ?

Thanks

In case it helps anyone, I had to add the following at the end of the proxy section to get it to work:

proxy_set_header    X-Forwarded-SSL on;
proxy_set_header    X-Forwarded-Proto $scheme;

Hi all

From the moment I have this APP(replaced).ssl.conf file, I get an ERR_CONNECTION_REFUSED error. This is in app.conf:

server {
    listen       80;
    listen       [::]:80;
    server_name
        xxxxx.be
        www.xxxxx.be
      ;

    root   /srv/users/serverpilot/apps/sla/public;

    access_log  /srv/users/serverpilot/log/sla/sla_nginx.access.log  main;
    error_log  /srv/users/serverpilot/log/sla/sla_nginx.error.log;

    proxy_set_header    Host              $host;
    proxy_set_header    X-Real-IP         $remote_addr;
    proxy_set_header    X-Forwarded-For   $proxy_add_x_forwarded_for;

    include /etc/nginx-sp/vhosts.d/sla.d/*.nonssl_conf;
    include /etc/nginx-sp/vhosts.d/sla.d/*.conf;
}

This is in app.ssl.conf:

server {
    listen       443 ssl;
    listen       [::]:443 ssl;
    server_name
        www.xxxxx.be
        xxxxx.be
      ;

    ssl on;

    ssl_certificate /root/certs/xxxxx.be/ssl-bundle.crt;
    ssl_certificate_key /root/certs/xxxxx.be/ssl.key;

    root   /srv/users/serverpilot/apps/sla/public;

    access_log  /srv/users/serverpilot/log/sla/sla_nginx.access.log  main;
    error_log  /srv/users/serverpilot/log/sla/sla_nginx.error.log;

    proxy_set_header    Host              $host;
    proxy_set_header    X-Real-IP         $remote_addr;
    proxy_set_header    X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-SSL on;
    proxy_set_header    X-Forwarded-Proto $scheme;

    include /etc/nginx-sp/vhosts.d/sla.d/*.nonssl_conf;
    include /etc/nginx-sp/vhosts.d/sla.d/*.conf;
}

Any ideas?

  • Also getting 403 forbidden :(

    Was app.ssl.conf there for you by default? My file was missing so I just created one although I'm not sure if that was the right thing to do.

    EDIT: Ok so I figured out what was wrong. The quickest thing to do is to copy your app.conf file into a new text file instead of having to fill out all the paths again, then make sure your file looks like my code below:

    server {
        listen       443 ssl;
        listen       [::]:443 ssl;
        server_name
            yourdomain.com
            www.yourdomain.com
          ;
    
        ssl on;
    
        ssl_certificate /root/certs/yourdomain_com/ssl-bundle.crt;
        ssl_certificate_key /root/certs/yourapp/yourdomain.com.key;
    
        root   /srv/users/serverpilot/apps/yourapp/public;
    
        access_log  /srv/users/serverpilot/log/yourapp/yourdomain_nginx.access.log  main;
        error_log  /srv/users/serverpilot/log/yourapp/yourdomain_nginx.error.log;
    
        proxy_set_header    Host              $host;
        proxy_set_header    X-Real-IP         $remote_addr;
        proxy_set_header    X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-SSL on;
    
        include /etc/nginx-sp/vhosts.d/yourapp.d/*.nonssl_conf;
        include /etc/nginx-sp/vhosts.d/yourapp.d/*.conf;
    }
    
    

    Rename the file to yourapp.ssl.conf and save in the same directory as yourapp.conf

    I'm a complete noob and there may be a better way to do this so take my answer with a grain of salt.

    • That's what I did but it throws an error.

      • Remove

        proxy_set_header    X-Forwarded-Proto $scheme;
        
        

        Does anyone know how to force https via this config? Have been trying a few different solutions but can't get anything to work and I want to avoid using .htaccess if possible.

    • I can't save it. I get [ Error writing pushnotify.ssl.conf: Permission denied ]. How to fix this? Thanks

I wanted to chime in on this topic, because this really saved my ass today!
I had an SSL Wildcard installed (that expired) and needed to install a new SSL, but was installing separate SSLs on the FQDN and a subdomain and each would get their own SSL.
So, everything, information wise was already in place in the .conf files, except I used the built-in ServerPilot method last time and the difference in what I did to get it to work was just where the SSL.crt and SSL.key were located.

It was trying to look for the SSL crt/key in etc/ssl...
I used the following and it worked like a charm:

ssl_certificate_key      /../srv/users/APP_NAME/certs/DOMAIN_NAME/ssl.key;
ssl_certificate          /../srv/users/APP_NAME/certs/DOMAIN_NAME/ssl.crt;

Thanks for the amazeballs tutorial, everything works again and I don't have to deal with the awful ServerPilot support team, which decided it's probably fine to not respond to tickets on the weekend.... what could go wrong?

:D

Got one site up with SSL on my droplet after following these directions. Thanks so much! Lifesaver!! However, does anyone know how to host a 2nd SSL cert on the same droplet (IP) for a second website? I found this on how to add multiple SSL certs, but I am not sure how much has already been done from the tutorial above, plus it's over 4 years old, so not sure if anything has changed or there is an easier way. I am quite a noob to this. Thanks for your help in advance.

by Etel Sverdlov
Although hosting several sites on a single virtual private server is not a challenge with the use of virtual hosts, providing separate SSL certificates for each site traditionally required separate IP addresses. The process has recently been simplified through the use of Server Name Indication (SNI), which sends a site visitor the certificate that matches the requested server name.