StartSSL on VestaCP admin panel

September 23, 2014 24k views
allen
By:
allen

I'm new to Vesta / VPS. I understand how to add StartSSL to my domains (through the vesta panel) but how do I add it to my VestaCP install? I'm currently using Debian 7 x64.

For example if i go to the IP https://xx.xx.xx.xx:8083 it shows a self signed cert with a google chrome warning page.

How do I use StartSSL for the vesta side so when my clients log in to vesta they do not see the warning page?

I am using the free StartSSL.

Log In to Comment
6 Answers
kodiak December 8, 2014

You'll need to manually edit the Nginx config file for the Vesta admin server (the control panel is run from a second instance of Nginx running on port 8083).

  1. if you don't already have one, I recommend first adding a site to your admin account that matches the hostname of your server (i.e. myservername.mydomain.com). Not only will this give you a standard homepage for normal traffic to your server's hostname (that you can later redirect to port 8083 so that you don't have to remember if), but it also lets you use Vesta's GUI to configure your certificate.
  2. Create the CSR and private key for your cert as you normally would and use the CSR to generate a cert with StartSSL.
  3. When you receive your cert from StartSSL, paste it and the StartSSL intermediate certs into the domain settings as you normally would.
  4. Test your site at https://myservername.mydomain.com (without the 8083 on the end) and make sure everything works.
  5. As root, create a directory where you'll place the certificate. I use /etc/ssl.local, but the location isn't important:

sudo mkdir /etc/ssl.local

  1. Inside this directory, use your favorite text editor (vi, nano, etc.) to create two files:

nano myservername.mydomain.com.key
nano myservername.mydomain.com.crt

  1. Paste the contents of the Vesta certificate fields into the files as follows:
    a. Copy the "SSL Key" contnets into the .key file
    b. Copy the "SSL Certificate" contents, followed by the "SSL Certificate Authority/Intermediate" contents into the .crt file

  2. As a safety precaution, set the permissions so that only root can see these files:

chmod 711 /etc/ssl.local
chmod 600 /etc/ssl.local/*

  1. Edit the /usr/local/vesta/nginx/conf/nginx.conf file. Find the lines that start "sslcertificate" and "sslcertificate_key" (around line 90) and edit them as follows:

ssl_certificate /etc/ssl.local/myservername.mydomain.com.crt
ssl_certificate_key /etc/local/myservername.mydomain.com.key

  1. Restart the Vesta services and open the admin console in your browser.

service vesta restart

  1. Click on the lock icon to inspect the certificate and you should see your StartSSL cert. If not, try refreshing cache.
Reply
  • AlexanderNL January 26, 2016

    Great! Thank you!

  • richardbejamin November 18, 2017

    Great answer! Thank you!

    To make this even simpler, when editing the nginx.conf file, you can set the paths to match the location where the certificate and key is generated. For me the locations I used for the nginx config file were:

    /home/admin/conf/web/mydomain.crt
    /home/admin/conf/web/mydomain.key

    In this way, you never have to manually update your certificates.

wiak September 24, 2014

you might want to try
https://forum.vestacp.com
good luck :)

Reply
allen September 26, 2014

tried the forum, doesn't have anything on adding StartSSL to the VestaCP panel.

Reply
willamsphp February 21, 2015
Reply
  • talaikistadas August 15, 2016

    You should read the whole question first as the talk about adding SSL to Vesta admin, and not the domain hosted on Vesta.

allanice001 April 25, 2016

Placed the new certificates in /usr/local/vesta/ssl/ and reboot or restart nginx and httpd

I'm using letsencrypt certificates on my vestacp admin panel, a lot less hassle to get / renew them.

Reply
  • aneeshjoseph August 21, 2016

    Correct :)

    1. Overwrite existing certificate in /usr/local/vesta/ssl/ with new certificate. Keep old file name for new certificate.
    2. /etc/init.d/vesta restart OR service vesta restart
sam927752 June 9, 2017
Reply
Have another answer? Share your knowledge.