Free SSL on ServerPilot Free Plan

Edited on: 20th March, 2018.

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).


In this post you will learn how to install a free SSL certificate (Let’s Encrypt) on your ServerPilot Free plan.

Before I start with this tutorial I just want to say that ServerPilot is great, and I approve everything they do but one: charging $10/month for SSL. I wouldn’t mind that if we’re talking about some paid certificate, but they are providing you with Let’s Encrypt, which is free for everyone. I only approve paying a one-time fee for the setup, but not $10/month.

Anyhow, let’s start. To install Let’s Encrypt on your ServerPilot Free Plan, open a terminal and SSH to the server.
Make sure you have root access by typing:
sudo su root
Then run this command to clone the repository:
sudo git clone https://github.com/certbot/certbot
The repository will be cloned into the “certbot” folder, so navigate to it before going any further:
cd certbot

At this point you will tell certbot to generate a certificate for your domain:
./certbot-auto certonly --webroot --webroot-path /srv/users/serverpilot/apps/yourappname/public --renew-by-default --email youremail@domain.com --text --agree-tos -d yourdomain.com
To add additional subdomains, just add -d subdomain.domain.com at the end of the command.
At this point your new SSL certificate is ready to be used; all you need to do now is edit your SSL configuration file:
cd /etc/nginx-sp/vhosts.d
Then edit it in the console window using:
sudo nano appname.ssl.conf
...or you can use FileZilla, navigate there, and edit the .conf file normally with a GUI editor like Notepad or Notepad++.
Put this inside, making sure to use the correct paths:


server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name domain.com;

    # TLS is enabled by the "ssl" parameter on the listen lines above

    # letsencrypt certificates
    ssl_certificate      /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/domain.com/privkey.pem;

    # SSL optimization
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:20m;
    ssl_session_tickets off;

    # protocols and ciphers
    # (TLSv1 and TLSv1.1 are deprecated by RFC 8996; remove them unless old clients need them)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    # verify chain of trust of OCSP response
    ssl_trusted_certificate /etc/letsencrypt/.../chain.pem;

    # root directory and logfiles
    root /srv/users/serverpilot/apps/..../public;

    access_log /srv/users/serverpilot/log/.../appname_nginx.access.log main;
    error_log /srv/users/serverpilot/log/.../appname_nginx.error.log;

    # proxy headers
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-SSL on;
    proxy_set_header X-Forwarded-Proto $scheme;

    # includes
    include /etc/nginx-sp/vhosts.d/appname.d/*.nonssl_conf;
    include /etc/nginx-sp/vhosts.d/appname.d/*.conf;
}

Save the file and restart nginx-sp:
service nginx-sp restart

Voila! Your website is running on https. Try it out.
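
A check worth running on the edited vhost file before the restart above, added here as an example and not part of the original post: it flags certificate paths that still contain the template's "..." placeholder or point to files that cannot be read, and any deprecated protocol versions in ssl_protocols. The function names list_vhost_problems and check_vhost are hypothetical, and the sample config is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post; function names are hypothetical.

# Print one line per problem found in an nginx SSL vhost file.
list_vhost_problems() {
    conf=$1
    # Certificate, key and chain paths must be filled in and readable.
    sed -n 's/^[[:space:]]*\(ssl_[a-z_]*certificate[a-z_]*\)[[:space:]]\{1,\}\([^;]*\);.*/\1 \2/p' "$conf" |
    while read -r directive path; do
        case $path in
            *...*) echo "$directive: placeholder still in path: $path" ;;
            *)     [ -r "$path" ] || echo "$directive: file not readable: $path" ;;
        esac
    done
    # TLSv1 and TLSv1.1 were deprecated by RFC 8996; SSLv2/SSLv3 long before.
    for proto in $(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]\{1,\}\([^;]*\);.*/\1/p' "$conf"); do
        case $proto in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "ssl_protocols: deprecated protocol enabled: $proto" ;;
        esac
    done
}

# Return 0 when nothing was flagged, 1 when problems were found, 2 if unreadable.
check_vhost() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    problems=$(list_vhost_problems "$1")
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems" >&2
    return 1
}

# Constructed sample: the template above with one path left unedited.
sample=$(mktemp)
cat > "$sample" <<'EOF'
server {
    listen 443 ssl http2;
    ssl_certificate         /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_trusted_certificate /etc/letsencrypt/.../chain.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
EOF
check_vhost "$sample" || echo "problems found: fix them before restarting nginx-sp"
rm -f "$sample"
```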

Oh! When the time comes to renew all your certificates, just navigate to the “certbot” folder:
cd certbot

Then renew the certificates:
./certbot-auto renew

Cheers
