How to setup SSL certificates on a free ServerPilot plan

April 11, 2016 Linux, Web Servers Jesin A 2 Comments

Installing SSL certificates through ServerPilot requires a paid plan. But because ServerPilot lets you drop your own Nginx configuration files into its vhosts directory, SSL certificates can be configured on the free plan as well.

Create a directory for each domain’s SSL certificate files.

sudo mkdir /etc/ssl/example.com

Generate a private key in this directory.

sudo openssl genrsa -out /etc/ssl/example.com/private.key 2048
sudo chmod 600 /etc/ssl/example.com/private.key

Create a Certificate Signing Request (CSR).

sudo openssl req -new -sha256 -key /etc/ssl/example.com/private.key -out /etc/ssl/example.com/CSR

Use this CSR to obtain an SSL certificate from a certificate authority such as StartSSL, Comodo or RapidSSL.

Place the CA’s root and intermediate certificates inside the /etc/ssl/example.com/ directory in a file named ca_bundle.crt. The order should be from the intermediate certificate to the root. Here’s an example for Comodo:

sudo bash -c 'cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > /etc/ssl/example.com/ca_bundle.crt'

So the ca_bundle.crt file will contain:

-----BEGIN CERTIFICATE-----
<Contents of COMODORSADomainValidationSecureServerCA.crt>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Contents of COMODORSAAddTrustCA.crt>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Contents of AddTrustExternalCARoot.crt>
-----END CERTIFICATE-----

Create another file named unified.crt containing your domain's SSL certificate (example_com.crt, as issued by the CA) followed by the intermediate and root certificates. The server certificate must come first, then the CA bundle in the same order as above.

sudo bash -c 'cat example_com.crt /etc/ssl/example.com/ca_bundle.crt > /etc/ssl/example.com/unified.crt'

So the final unified.crt file contains:

-----BEGIN CERTIFICATE-----
<Contents of example_com.crt>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Contents of COMODORSADomainValidationSecureServerCA.crt>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Contents of COMODORSAAddTrustCA.crt>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Contents of AddTrustExternalCARoot.crt>
-----END CERTIFICATE-----

Create an Nginx configuration file in /etc/nginx-sp/vhosts.d/example.d/ssl.conf with the following contents. Be sure to replace example.com in the ssl_certificate, ssl_certificate_key and ssl_trusted_certificate paths with your own domain name.

listen  443 ssl http2;

ssl_certificate         /etc/ssl/example.com/unified.crt;
ssl_certificate_key     /etc/ssl/example.com/private.key;
ssl_session_cache       shared:SSL:20m;
ssl_session_timeout     10m;

ssl_prefer_server_ciphers       on;
ssl_protocols                   TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers                     ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

ssl_stapling            on;
ssl_stapling_verify     on;
ssl_trusted_certificate /etc/ssl/example.com/ca_bundle.crt;
resolver                8.8.8.8 8.8.4.4;

set $ssl_status off;

if ($scheme = "https") {
        set $ssl_status on;
}

proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Ssl $ssl_status;

This configuration enables Perfect Forward Secrecy by preferring the ECDH and DH key-exchange ciphers listed first in ssl_ciphers and by disabling insecure protocols and ciphers (SSLv3, aNULL, MD5, DSS). It also enables HTTP/2 and OCSP stapling to improve SSL performance.

Perform a configuration test to check for conf file errors:

sudo service nginx-sp configtest

If everything is OK, reload Nginx:

sudo service nginx-sp reload

Test how well your SSL setup scores using Qualys SSL test.
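A mismatched private key or a unified.crt assembled in the wrong order passes the configtest above and only shows up as a browser error after the reload. The following POSIX shell script is an added example, not part of the original post: it uses the openssl command-line tool to check that private.key belongs to the first certificate in unified.crt, that every certificate in the bundle is followed by its issuer (leaf, intermediates, root), and that the leaf verifies against ca_bundle.crt. The file names are the ones used in this post; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): verify private.key, unified.crt and
# ca_bundle.crt fit together before reloading nginx-sp. Paths follow the post's layout.
set -eu

# split_bundle BUNDLE PREFIX: write certificate N of the PEM bundle to PREFIX N.pem.
split_bundle() {
    awk -v p="$2" '/-----BEGIN CERTIFICATE-----/ { n++ } n > 0 { print > (p n ".pem") }' "$1"
}

# chain_checks TMPDIR KEY UNIFIED CA_BUNDLE: the three checks, using TMPDIR for scratch files.
chain_checks() {
    tmp=$1; key=$2; unified=$3; bundle=$4
    split_bundle "$unified" "$tmp/c"
    # 1. The private key must belong to the first certificate, i.e. the leaf must come first.
    k=$(openssl pkey -in "$key" -pubout)
    c=$(openssl x509 -in "$tmp/c1.pem" -noout -pubkey)
    [ -n "$k" ] && [ "$k" = "$c" ] ||
        { echo "private key does not match the first certificate in $unified" >&2; return 1; }
    # 2. Order: each certificate's issuer must be the subject of the certificate after it
    #    (leaf, then intermediate(s), then root), which is the order nginx expects.
    i=1
    while [ -f "$tmp/c$((i + 1)).pem" ]; do
        iss=$(openssl x509 -in "$tmp/c$i.pem" -noout -issuer)
        sub=$(openssl x509 -in "$tmp/c$((i + 1)).pem" -noout -subject)
        [ "${iss#issuer=}" = "${sub#subject=}" ] ||
            { echo "certificate $i in $unified is not followed by its issuer" >&2; return 1; }
        i=$((i + 1))
    done
    # 3. The leaf must verify against ca_bundle.crt, the file ssl_trusted_certificate
    #    points at for OCSP stapling.
    openssl verify -CAfile "$bundle" "$tmp/c1.pem" >/dev/null
}

# check_chain KEY UNIFIED CA_BUNDLE: exit status 0 only when all three checks pass.
check_chain() {
    tmp=$(mktemp -d); rc=0
    chain_checks "$tmp" "$@" || rc=$?
    rm -rf "$tmp"
    return $rc
}

if [ $# -eq 3 ]; then
    check_chain "$@"   # e.g. sh check_chain.sh /etc/ssl/example.com/private.key \
fi                     #      /etc/ssl/example.com/unified.crt /etc/ssl/example.com/ca_bundle.crt
```

Run it as root (or with sudo) because private.key is mode 600; a non-zero exit status names the check that failed.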

You can also hire me to configure this for you. 🙂

Tags: serverpilot, ssl

Comments

  1. pepelucho says

    May 11, 2016 at 7:47 pm

    thanks man for the guide…was +useful

    Reply
  2. SampaioPT says

    October 26, 2016 at 5:02 pm

    Thank you so much Jesin A. You saved my day!
    I owe you a beer! 🙂

    Reply

    Jesin's Blog by Jesin A is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
    Based on a work at websistent.com.