StartSSL on VestaCP admin panel

September 23, 2014 13k views

I'm new to Vesta / VPS. I understand how to add StartSSL to my domains (through the vesta panel) but how do I add it to my VestaCP install? I'm currently using Debian 7 x64.

For example if i go to the IP https://xx.xx.xx.xx:8083 it shows a self signed cert with a google chrome warning page.

How do I use StartSSL for the vesta side so when my clients log in to vesta they do not see the warning page?

I am using the free StartSSL.

5 Answers

You'll need to manually edit the Nginx config file for the Vesta admin server (the control panel is run from a second instance of Nginx running on port 8083).

  1. if you don't already have one, I recommend first adding a site to your admin account that matches the hostname of your server (i.e. Not only will this give you a standard homepage for normal traffic to your server's hostname (that you can later redirect to port 8083 so that you don't have to remember if), but it also lets you use Vesta's GUI to configure your certificate.
  2. Create the CSR and private key for your cert as you normally would and use the CSR to generate a cert with StartSSL.
  3. When you receive your cert from StartSSL, paste it and the StartSSL intermediate certs into the domain settings as you normally would.
  4. Test your site at (without the 8083 on the end) and make sure everything works.
  5. As root, create a directory where you'll place the certificate. I use /etc/ssl.local, but the location isn't important:

sudo mkdir /etc/ssl.local

  1. Inside this directory, use your favorite text editor (vi, nano, etc.) to create two files:


  1. Paste the contents of the Vesta certificate fields into the files as follows:
    a. Copy the "SSL Key" contnets into the .key file
    b. Copy the "SSL Certificate" contents, followed by the "SSL Certificate Authority/Intermediate" contents into the .crt file

  2. As a safety precaution, set the permissions so that only root can see these files:

chmod 711 /etc/ssl.local
chmod 600 /etc/ssl.local/*

  1. Edit the /usr/local/vesta/nginx/conf/nginx.conf file. Find the lines that start "sslcertificate" and "sslcertificate_key" (around line 90) and edit them as follows:

ssl_certificate /etc/ssl.local/
ssl_certificate_key /etc/local/

  1. Restart the Vesta services and open the admin console in your browser.

service vesta restart

  1. Click on the lock icon to inspect the certificate and you should see your StartSSL cert. If not, try refreshing cache.

tried the forum, doesn't have anything on adding StartSSL to the VestaCP panel.

  • You should read the whole question first as the talk about adding SSL to Vesta admin, and not the domain hosted on Vesta.

Placed the new certificates in /usr/local/vesta/ssl/ and reboot or restart nginx and httpd

I'm using letsencrypt certificates on my vestacp admin panel, a lot less hassle to get / renew them.

  • Correct :)

    1. Overwrite existing certificate in /usr/local/vesta/ssl/ with new certificate. Keep old file name for new certificate.
    2. /etc/init.d/vesta restart OR service vesta restart
Have another answer? Share your knowledge.