 
Installing SSL certificates on ServerPilot requires a paid plan. However, ServerPilot's config files are customizable enough that we can configure SSL certificates on the free plan.
Create a directory for each domain’s SSL certificate files.
sudo mkdir /etc/ssl/example.com
Generate a private key in this directory.
sudo openssl genrsa -out /etc/ssl/example.com/private.key 2048
sudo chmod 600 /etc/ssl/example.com/private.key
Create a Certificate Signing Request (CSR).
sudo openssl req -new -sha256 -key /etc/ssl/example.com/private.key -out /etc/ssl/example.com/CSR
Use this CSR to obtain an SSL certificate from a certificate authority such as StartSSL, Comodo or RapidSSL.
Place the CA’s root and intermediate certificates inside the /etc/ssl/example.com/ directory in a file named ca_bundle.crt. The order should be from the intermediate certificate to the root. Here’s an example for Comodo:
sudo bash -c 'cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > /etc/ssl/example.com/ca_bundle.crt'
So the ca_bundle.crt file will contain:
-----BEGIN CERTIFICATE-----
<Contents of COMODORSADomainValidationSecureServerCA.crt>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Contents of COMODORSAAddTrustCA.crt>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Contents of AddTrustExternalCARoot.crt>
-----END CERTIFICATE-----
Create another file named unified.crt. Place the contents of your domain's SSL certificate in this file first, followed by the intermediate/root certificates from ca_bundle.crt.
sudo bash -c 'cat example_com.crt /etc/ssl/example.com/ca_bundle.crt > /etc/ssl/example.com/unified.crt'
So the final unified.crt file contains:
-----BEGIN CERTIFICATE-----
<Contents of example_com.crt>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Contents of COMODORSADomainValidationSecureServerCA.crt>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Contents of COMODORSAAddTrustCA.crt>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Contents of AddTrustExternalCARoot.crt>
-----END CERTIFICATE-----
Create an Nginx configuration file at /etc/nginx-sp/vhosts.d/example.d/ssl.conf with the following contents. Be sure to modify the highlighted lines with your domain name.
listen  443 ssl http2;
ssl_certificate         /etc/ssl/example.com/unified.crt;
ssl_certificate_key     /etc/ssl/example.com/private.key;
ssl_session_cache       shared:SSL:20m;
ssl_session_timeout     10m;
ssl_prefer_server_ciphers       on;
ssl_protocols                   TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers                     ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
ssl_stapling            on;
ssl_stapling_verify     on;
ssl_trusted_certificate /etc/ssl/example.com/ca_bundle.crt;
resolver                8.8.8.8 8.8.4.4;
set $ssl_status off;
if ($scheme = "https") {
        set $ssl_status on;
}
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Ssl $ssl_status;
This configuration enables Perfect Forward Secrecy by disabling insecure protocols and ciphers. It also enables HTTP/2 and OCSP stapling to improve SSL performance.
Perform a configuration test to check for conf file errors:
sudo service nginx-sp configtest
If everything is OK reload Nginx:
sudo service nginx-sp reload
Test how well your SSL setup scores using Qualys SSL test.
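The ssl_protocols and ssl_ciphers lines above still permit TLS 1.0/1.1 (deprecated by RFC 8996), 3DES and RSA key exchange as fallbacks, and an offline check can flag these before the reload. The script below is an added example, not part of the original tutorial or of ServerPilot; the function names and the tightened directive values are assumptions for illustration.

```shell
#!/bin/sh
# Added example: flag deprecated protocols and weak cipher tokens in an nginx TLS snippet.

# Print the arguments of directive $1 found in config file $2, comments stripped.
directive_args() {
    sed 's/#.*//' "$2" |
        awk -v d="$1" '$1 == d { sub(/;[ \t]*$/, ""); $1 = ""; print }'
}

# Print one finding per line. Exit status: 0 = no findings, 1 = findings.
audit_tls_conf() {
    rc=0
    for proto in $(directive_args ssl_protocols "$1"); do
        case $proto in
            SSLv2|SSLv3|TLSv1|TLSv1.1)
                echo "ssl_protocols: $proto is deprecated"; rc=1 ;;
        esac
    done
    for token in $(directive_args ssl_ciphers "$1" | tr ':' ' '); do
        case $token in
            '!'*) ;;  # an exclusion such as !aNULL, nothing to flag
            *3DES*) echo "ssl_ciphers: $token allows 3DES (64-bit block cipher)"; rc=1 ;;
            RSA+*)  echo "ssl_ciphers: $token uses RSA key exchange (no forward secrecy)"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample 1: the two directives as they appear in the tutorial's ssl.conf.
write_page_conf() {
    cat > "$1" <<'EOF'
ssl_protocols                   TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers                     ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
EOF
}

# Constructed sample 2 (assumption, not from the tutorial): same list without the
# flagged entries. TLSv1.3 needs an nginx/OpenSSL build that supports it.
write_tightened_conf() {
    cat > "$1" <<'EOF'
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers   ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!aNULL:!MD5:!DSS;
EOF
}

tmp=$(mktemp)
write_page_conf "$tmp";      audit_tls_conf "$tmp" || true
write_tightened_conf "$tmp"; audit_tls_conf "$tmp" && echo "tightened conf: no findings"
rm -f "$tmp"
```

To check the live file, call audit_tls_conf on /etc/nginx-sp/vhosts.d/example.d/ssl.conf before running the reload.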
You can also hire me to configure this for you. 🙂





thanks man for the guide…was +useful
Thank you so much Jesin A. You saved my day!
I owe you a beer! 🙂