April 19, 2022 . 6 MIN READ
Reference: https://www.blogmehow.com/how-to-manually-install-ssl-on-serverpilot-free-plan-1331/
March 14, 2016 By Shalin TJ 14 Comments
I’m a huge fan of ServerPilot and recommend it to several of my clients. Quite recently, I decided to use ServerPilot for one of our in-house test websites. We hosted this website on Digital Ocean and now wanted to add SSL to it. And that’s where I got stuck. To add SSL to a server via ServerPilot, you need to upgrade to their Coach plan. Had this been a production website, we would have been OK to spend $15 a month and upgrade to the Coach plan. But this being an in-house test website, I felt the cost was too steep for the purpose. So, I started to wonder whether there was a way to manually install SSL on ServerPilot (needless to say, without breaking any existing setup). Surprisingly, it’s not that difficult to manually install SSL on ServerPilot. Also, many thanks to Drew Bindon for lending me a helping hand with the SSL installation.
In this tutorial, let me show you a step-by-step process to install SSL on ServerPilot Free Plan. The actual SSL installation and configuration on ServerPilot will take less than 10 minutes.
A quick caveat. I request you to use this method only if you are short on budget or have some real constraints making it impossible to upgrade to ServerPilot’s Coach plan. ServerPilot is an excellent product and their Coach plan is definitely worth it if you consider the fact that it saves you from all the server configuration, security, maintenance and optimisation headaches; it is also how the company makes money.
Skillsets required: Basic familiarity with Terminal / Bash.
Ensure that you are logged in to the server as root. First, navigate to /etc/nginx-sp and create a certs/yourdomain.com directory (do not forget to replace yourdomain.com with your domain).

```
cd /etc/nginx-sp
# -p also creates the parent certs directory if it does not exist yet
mkdir -p certs/yourdomain.com
cd certs/yourdomain.com
```
Generate a CSR on your server. You can refer to this article from the ServerPilot team on how to generate a CSR (see Method Two: Using the Command Line). Essentially, it involves the following commands:

```
# create the key file with owner-only permissions before openssl writes to it
umask 077 && touch ssl.key
# new 2048-bit RSA key, unencrypted (-nodes), plus the CSR to send to the CA
openssl req -new -newkey rsa:2048 -nodes -keyout ssl.key -out ssl.csr
```
You will now have 2 files inside the certs/yourdomain.com folder: ssl.key (the private key) and ssl.csr (the certificate signing request).
Go ahead and buy an SSL certificate. I buy mine from SSLs.com – they are affordable as well as pretty straight-forward. Typically, I buy the PositiveSSL that costs $8.95 per year.
Money-Saving Tip: Use coupon code 3.88deal to get this certificate only for $3.88
Once bought, complete the certificate issuance process and you will get the following 4 files in your inbox:
So, these are the files that Comodo SSL sends to you. If you have bought SSL from any other SSL provider, they might send some other set of files but essentially it includes:
For the purpose of this guide, I’m assuming that you now have 4 files.
2.2 Open a new file in your text editor and paste the whole of the text / strings from the following 3 files in the same sequence:
I suggest you save this new file as yourdomain_com_ca-bundle-ssl-trusted.crt.
Fire up your favorite FTP client and upload the files you have ready as per Step 2. With this, the certs/yourdomain.com directory will now have the following files:
ServerPilot stores the configuration of each of your apps inside the Nginx virtual hosts directory. Navigate to the /etc/nginx-sp/vhosts.d directory.

```
cd /etc/nginx-sp/vhosts.d
```
You will notice a file and a directory named yourserverpilotappname.conf and yourserverpilotappname.d, respectively.
Now, you can definitely edit yourserverpilotappname.conf to configure the SSL, but if ServerPilot rewrites that file, you will lose the changes you made, effectively breaking your SSL site. Do note that ServerPilot does not add any SSL configuration by default. So, it’s time to create a new file, ssl.conf, to configure the SSL for your website.

```
nano ssl.conf
```
Now, carefully copy and paste the code below into ssl.conf, considering the following:

```nginx
server {
    # the "ssl" flag on listen enables TLS; the standalone "ssl on;"
    # directive is obsolete since nginx 1.15.0 and is not needed here
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;

    # ssl certificates
    ssl_certificate /etc/nginx-sp/certs/yourdomain.com/yourdomain_com.crt;
    ssl_certificate_key /etc/nginx-sp/certs/yourdomain.com/ssl.key;

    # SSL optimization
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:20m;
    ssl_session_tickets off;

    # protocols and ciphers
    # TLS 1.0 and 1.1 are deprecated (RFC 8996), so only TLS 1.2 is enabled
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    # the value must be wrapped in plain single quotes, not typographic ones
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    # verify chain of trust of OCSP response
    ssl_trusted_certificate /etc/nginx-sp/certs/yourdomain.com/yourdomain_com_ca-bundle-ssl-trusted.crt;

    # root directory and logfiles
    root /srv/users/serverpilot/apps/yourserverpilotappname/public;
    access_log /srv/users/serverpilot/log/yourserverpilotappname/yourserverpilotappname_nginx.access.log main;
    error_log /srv/users/serverpilot/log/yourserverpilotappname/yourserverpilotappname_nginx.error.log;

    # proxy headers passed to the backend
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-SSL on;
    proxy_set_header X-Forwarded-Proto $scheme;

    # includes
    include /etc/nginx-sp/vhosts.d/yourserverpilotappname.d/*.nonssl_conf;
    include /etc/nginx-sp/vhosts.d/yourserverpilotappname.d/*.conf;
}
```
Save and close the file. In nano, you use the following key combinations:

```
Ctrl+O
Ctrl+X
```
Now, it’s time to test the Nginx configuration and see if everything’s working correctly (it’s an optional step, but recommended).

```
nginx-sp -t
```
If everything’s good, you will see the following 2 lines of output:

```
nginx: the configuration file /etc/nginx-sp/nginx.conf syntax is ok
nginx: configuration file /etc/nginx-sp/nginx.conf test is successful
```
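Beyond the syntax test, a hand-pasted ssl.conf is worth checking for copy-paste and hardening problems before the restart. The script below is an added example, not part of the original post; the function name `lint_ssl_conf` and its finding labels are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the original post: static checks for an nginx TLS
# server block such as ssl.conf. Prints one finding per line and returns
# non-zero when anything was found.
lint_ssl_conf() (
    conf=$1 n=0
    report() { echo "$1"; n=$((n + 1)); }
    # Drop comments so commented-out directives are not reported.
    body=$(sed 's/#.*$//' "$conf")

    # 1. Curly quotes pasted from a web page. nginx only recognises ' and "
    #    as quoting characters, so these bytes become part of the value.
    if printf '%s\n' "$body" | grep -qF -e '‘' -e '’' -e '“' -e '”'; then
        report "typographic-quotes: replace curly quotes with plain quotes"
    fi
    # 2. Standalone "ssl on;" is obsolete since nginx 1.15.0.
    if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;'; then
        report "ssl-on: obsolete directive, 'listen 443 ssl' already enables TLS"
    fi
    # 3. Protocol versions older than TLS 1.2 (deprecated by RFC 8996).
    protocols=$(printf '%s\n' "$body" | sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*//p')
    if printf '%s\n' "$protocols" | grep -Eq '(SSLv[23]|TLSv1(\.1)?)([[:space:]]|;)'; then
        report "old-protocol: ssl_protocols enables SSLv2/SSLv3/TLSv1/TLSv1.1"
    fi
    # 4. 3DES suites that are offered, i.e. entries not prefixed with "!".
    ciphers=$(printf '%s\n' "$body" | sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]]*//p')
    if printf '%s\n' "$ciphers" | tr ':' '\n' | sed '/^!/d' | grep -q 'DES-CBC3'; then
        report "weak-cipher: ssl_ciphers offers 3DES (DES-CBC3) suites"
    fi
    # 5. Private key readable by group or others (ls -l mode columns 5-10).
    key=$(printf '%s\n' "$body" |
        sed -n 's/^[[:space:]]*ssl_certificate_key[[:space:]]*\([^;]*\);.*/\1/p')
    if [ -f "$key" ] && [ "$(ls -l "$key" | cut -c5-10)" != "------" ]; then
        report "key-perms: $key is accessible beyond its owner, chmod 600 it"
    fi
    [ "$n" -eq 0 ]
)

# Lint the file given on the command line, if any.
if [ -n "${1:-}" ]; then lint_ssl_conf "$1"; fi
```

Saved under a name of your choice, it takes the path of the ssl.conf you created as its only argument.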
Lastly, restart the Nginx server with the following command:

```
service nginx-sp restart
```
You are all set! Just one final step left.
Option 1: If it’s a WordPress site:
Install the free Really Simple SSL WordPress plugin. What this plugin really does is redirect incoming http requests to https (anyone typing http://yourdomain.com is redirected to https://yourdomain.com). It also automatically changes the Site URL and Home URL of your site to https. Lastly, internal http URLs on your webpages are replaced with https (images, internal links, etc.).
Option 2: If yours is not a WordPress site
5.1: SSL Server Test from Qualys SSL Labs (click here to visit the link)
First check that your site is loading correctly (without any weird issues). Now, visit the above mentioned Qualys SSL Labs link to check the SSL rating of your website.
5.2: Click here to check if HTTP/2 is enabled on your server.
Visit the above mentioned link to check whether HTTP/2 is enabled on your server.
That’s it. You just saved $15 a month and your site runs on SSL. Do let me know if you have any queries in regards to this guide.