In this post you will learn how to install Free SSL certificate (Let’s Encrypt) on your ServerPilot Free plan.
Before I start with this tutorial I just want to say that ServerPilot is great, and I approve everything they do but one: charging $10/month for SSL. I wouldn’t mind that if we’re talking about some paid certificate, but they are providing you with Let’s Encrypt, which is free for everyone. I only approve paying a one-time fee for the setup, but not $10/month.
Anyhow, let’s start: To install Let’s Encrypt on your ServerPilot Free Plan you’ll need to start the terminal to ssh to the server.
Make sure you have root access
type:
sudo su root
Then run this command to clone the reposity:
sudo git clone https://github.com/certbot/certbot
The repository will be cloned to “certbot” folder, therefore we need to navigate to it before going any fruther:
cd certbot
At this point you will tell the certbot to generate certificate for your domain:
./certbot-auto certonly --webroot --webroot-path /srv/users/serverpilot/apps/yourappname/public --renew-by-default --email youremail@domain.com --text --agree-tos -d yourdomain.com
To add additional subdomains, just add at the end -d subdomain.domain.com
At this point your new SSL is ready to be used, all you need to do now is to edit your ssl configuration file:
cd /etc/nginx-sp/vhosts.d
then edit it inside console window by using:
sudo nano appname.ssl.conf
..or you can use FileZilla and navigate there, edit the .conf file normally, using an GUI editor like notepad or notepad++.
Put this inside, but make sure to add correct paths:
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name domain.com;
ssl on;
# letsencrypt certificates
ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
#SSL Optimization
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:20m;
ssl_session_tickets off;
# modern configuration
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
# verify chain of trust of OCSP response
ssl_trusted_certificate /etc/letsencrypt/.../chain.pem;
#root directory and logfiles
root /srv/users/serverpilot/apps/..../public;
access_log /srv/users/serverpilot/log/.../appname_nginx.access.log main;
error_log /srv/users/serverpilot/log/.../appname_nginx.error.log;
#proxyset
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-SSL on;
proxy_set_header X-Forwarded-Proto $scheme;
#includes
include /etc/nginx-sp/vhosts.d/appname.d/*.nonssl_conf;
include /etc/nginx-sp/vhosts.d/appname.d/*.conf;
}service nginx-sp restart
Voila! Your website is running on https. Try it out.
Oh! When the time comes to renew all your certificates, just run this:
– navigate to “certbot” folder:
cd certbot
Then renew the certificates:
./certbot-auto renew
Cheers
