ServerPilot Manual SSL Setup Guide

How to manually set up an SSL Certificate on a ServerPilot standard account.


Initial setup and create CSR

Firstly, log in to your server as root and navigate to ServerPilot’s Nginx directory, ‘/etc/nginx-sp’:

cd /etc/nginx-sp

Create 2 new folders – certs and a folder for your domain
The first is ‘certs’ – create it and navigate to it:

mkdir certs
cd certs

then create a folder for your domain – mkdir [yourdomain], and navigate to it too:

mkdir yourdomain.com
cd yourdomain.com

Now you’ll need to create a Certificate Signing Request (CSR). There are a number of ways to do this, but the following should work in most circumstances (the umask makes sure the private key is readable only by root; when prompted for the Common Name, enter your domain, e.g. yourdomain.com):

umask 077 && touch ssl.key
openssl req -new -newkey rsa:2048 -nodes -keyout ssl.key -out ssl.csr

There will now be 2 new files within the ‘certs/[yourdomain.com]’ folder – ssl.csr and ssl.key

You’ll need the ‘ssl.csr’ file for purchasing your SSL certificate – I’d recommend you now download both of these files and store them locally for use later.

Purchase SSL Certificate

I usually buy my SSL certificates from Namecheap (from around $9.00 per year before any discounts) – I’ll be explaining the process relating to the Comodo PositiveSSL certificates they sell, but this guide should be mostly applicable to any vendor.

Once you’ve purchased your Comodo PositiveSSL certificate, you’ll need to activate it – this is where you’ll require the CSR file.

Find your certificate in the control panel, and click on ‘manage’ and then ‘activate’ to begin the activation process.

On the initial activation page, you’ll be asked to upload or paste your CSR file – I usually open the file locally and paste the contents into the box provided at Namecheap.

Once the CSR details have been accepted, you’ll need to confirm and add a few more details.

After all the details have been entered, Comodo will need to verify your order and website – this can be accomplished in 3 ways – via email, DNS TXT record or by uploading a file to the website.

When the website has been verified, the new SSL Certificate will be emailed to the address you’ve chosen – you’ll receive a zipped file that contains 2 files – [yourdomain].crt and [yourdomain].ca-bundle

Before continuing, you’ll need to combine these files so that there are no issues with the SSL chain – in simple terms, open both files and paste the contents of [yourdomain].ca-bundle at the end of [yourdomain].crt, on a new line after its final -----END CERTIFICATE----- line – save [yourdomain].crt and you’re all set for the next stage!

Upload the SSL Certificates

Open your SFTP client, and navigate to the certs/yourdomain.com folder you created earlier.

Upload the [yourdomain].crt and [yourdomain].ca-bundle to the certs/yourdomain.com folder.

You should now have 4 files in the folder – ssl.key, ssl.csr, [yourdomain].crt and [yourdomain].ca-bundle

The certificate files are now in place, and you’re ready to continue with configuring your website for SSL.
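If you’d rather do the combining step on the server, where openssl is already installed, the function below builds the combined file and checks that the key, certificate and bundle actually belong together before Nginx is pointed at them. This is an added example, not part of the original guide; it takes the original (uncombined) .crt, and the file names are the guide’s placeholders.

```shell
#!/bin/sh
# Added example, not part of the original guide. Builds the combined certificate
# file the guide describes (leaf certificate first, CA bundle after it) and checks
# the pieces belong together. Assumes openssl is installed; file names are the
# guide's placeholders.

# build_chain LEAF BUNDLE KEY OUT
# Writes OUT = LEAF + BUNDLE and returns non-zero if anything does not line up.
build_chain() {
  leaf=$1; bundle=$2; key=$3; out=$4

  # 1. Leaf first, bundle second. The "echo" protects against a .crt without a
  #    trailing newline, which would glue its last "-----END CERTIFICATE-----"
  #    onto the bundle's first line; the sed then drops any blank lines.
  { cat "$leaf"; echo; cat "$bundle"; } | sed '/^$/d' > "$out"

  # 2. The private key must belong to the certificate: compare the public keys.
  cert_pub=$(openssl x509 -in "$leaf" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout) || return 1
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "private key does not match $leaf" >&2
    return 1
  fi

  # 3. The bundle must chain the leaf up to a root. -CAfile trusts every
  #    certificate in the bundle, so this proves the chain links up, not that
  #    the root is publicly trusted; the SSL Labs test later in the guide
  #    covers that part.
  if ! openssl verify -CAfile "$bundle" "$leaf" >/dev/null 2>&1; then
    echo "$leaf does not verify against $bundle" >&2
    return 1
  fi

  # 4. Nothing lost in the concatenation: one PEM block per certificate.
  expected=$(( $(grep -c 'BEGIN CERTIFICATE' "$leaf") + $(grep -c 'BEGIN CERTIFICATE' "$bundle") ))
  [ "$(grep -c 'BEGIN CERTIFICATE' "$out")" -eq "$expected" ]
}

# On the server, in /etc/nginx-sp/certs/yourdomain.com (placeholders as in the guide):
#   build_chain yourdomain_com.crt yourdomain_com.ca-bundle ssl.key yourdomain_com.combined.crt
# and then point ssl_certificate at the combined file.
```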

Updating your server config for SSL

With ServerPilot, each of your websites is stored within its own app – we need to navigate to the Nginx virtual host directory for the website we need:

cd /etc/nginx-sp/vhosts.d

We should check that you’ve arrived in the correct folder – type the ‘dir’ command and hit enter:

dir

You’ll hopefully see a number of files, with two that are named [yourdomainappname].conf and [yourdomainappname].d – these are managed by ServerPilot and are periodically overwritten, so it’s better if we create and edit a new file for our SSL purposes:

nano ssl.conf

The nano command opens a simple text editor, and creates the ssl.conf file we’ll need. We now need to paste the config necessary for the SSL configuration.

Below is the configuration text we’ll use – there are a few details we’ll need to edit for this to work.

Copy and paste the text below into the nano text editor:

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;
    # "ssl on;" is not needed alongside "listen ... ssl" (it was removed in nginx 1.25 and breaks nginx -t there)

    # ssl certificates - the .crt is the combined file from the previous step (certificate first, then ca-bundle)
    ssl_certificate /etc/nginx-sp/certs/yourdomain.com/yourdomain_com.crt;
    ssl_certificate_key /etc/nginx-sp/certs/yourdomain.com/ssl.key;

    # SSL optimisation
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:20m;
    ssl_session_tickets off;

    # protocols and ciphers - TLSv1 and TLSv1.1 are deprecated (RFC 8996), so only TLSv1.2 is enabled;
    # SSL Labs will flag the CBC/3DES entries at the end of this cipher list as weak
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    # verify chain of trust of OCSP response - the bundle must reach the root for ssl_stapling_verify to pass
    ssl_trusted_certificate /etc/nginx-sp/certs/yourdomain.com/yourdomain_com.ca-bundle;

    # root directory and logfiles
    root /srv/users/serverpilot/apps/yourserverpilotappname/public;
    access_log /srv/users/serverpilot/log/yourserverpilotappname/yourserverpilotappname_nginx.access.log main;
    error_log /srv/users/serverpilot/log/yourserverpilotappname/yourserverpilotappname_nginx.error.log;

    # headers passed to the Apache backend (X-Forwarded-Proto is what the WordPress tweaks below rely on)
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-SSL on;
    proxy_set_header X-Forwarded-Proto $scheme;

    # includes - ServerPilot's own location blocks for this app
    include /etc/nginx-sp/vhosts.d/yourserverpilotappname.d/*.nonssl_conf;
    include /etc/nginx-sp/vhosts.d/yourserverpilotappname.d/*.conf;
}

Before saving, replace the placeholders in the config above:

1. yourdomain.com – your FQDN (fully qualified domain name – do not include http://, https://, or www) – for example, example.com
2. yourdomain_com.crt – the name of your CRT file – for example, yourdomain_com.crt
3. yourdomain_com.ca-bundle – the name of your CRT bundle file – for example, yourdomain_com.ca-bundle
4. yourserverpilotappname – your ServerPilot app name

Once you’ve finished editing the config, save and close the file in Nano:

To Save

Ctrl+O

Then press enter/return

To Exit Nano

Ctrl+X

Testing and Activating the SSL

So now we’ll test that everything is working on the server – use the following command:

nginx-sp -t

If the SSL config is correct, you’ll receive the following message:

nginx: the configuration file /etc/nginx-sp/nginx.conf syntax is ok
nginx: configuration file /etc/nginx-sp/nginx.conf test is successful

If you receive an error instead, go back to Nano, check your config, and run the command again!

If everything has worked, it’s time to restart Nginx – use the following command:

service nginx-sp restart

Yay! Your website should now be running on SSL and visiting it via https should work correctly!

Checking it’s all working

There are a few more steps you should go through now to make sure that SSL is working for all visitors, and there are no configuration errors.

The first step is to check that the SSL setup is correctly installed using a couple of diagnostic tools – visit the following sites and enter your website URL (including https://):

1. https://www.digicert.com/help/
2. https://www.ssllabs.com/ssltest/

You’ll also want to check if http/2 is running correctly:

1. https://tools.keycdn.com/http2-test

If all tests pass, your SSL Certificate is correctly set up, and your website is running on http/2.
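The same three things the online tools look at – the protocol negotiated, OCSP stapling (ssl_stapling on) and HTTP/2 via ALPN (listen ... http2) – can also be checked from a shell with openssl s_client. This is an added example, not part of the original guide; it assumes openssl is installed, the host name is a placeholder, and the strings it looks for are the ones OpenSSL’s s_client prints.

```shell
#!/bin/sh
# Added example, not part of the original guide. probe_tls talks to the server;
# check_tls_report reads s_client output (on stdin) and reports whether the
# handshake used TLS 1.2 or newer, an OCSP staple was sent, HTTP/2 was chosen via
# ALPN and the chain verified. Assumes openssl is installed; HOST is a placeholder.

# probe_tls HOST - connect with SNI, ask for a staple and offer h2.
probe_tls() {
  printf 'GET / HTTP/1.0\r\nHost: %s\r\n\r\n' "$1" \
    | openssl s_client -connect "$1:443" -servername "$1" -status -alpn h2,http/1.1 2>&1
}

# check_tls_report - prints one PASS/FAIL line per check; returns 0 only if all pass.
check_tls_report() {
  report=$(cat)
  status=0
  case $report in
    *"Protocol  : TLSv1."[23]*) echo "PASS protocol";;
    *) echo "FAIL protocol (expected TLSv1.2 or newer)"; status=1;;
  esac
  case $report in
    *"OCSP Response Status: successful"*) echo "PASS ocsp stapling";;
    # nginx fetches the first staple in the background, so retry once before worrying
    *) echo "FAIL ocsp stapling (no staple sent; retry once)"; status=1;;
  esac
  case $report in
    *"ALPN protocol: h2"*) echo "PASS http2";;
    *) echo "FAIL http2 (ALPN did not select h2)"; status=1;;
  esac
  case $report in
    *"Verify return code: 0 (ok)"*) echo "PASS chain";;
    *) echo "FAIL chain (check the .crt + .ca-bundle combination)"; status=1;;
  esac
  return $status
}

# Usage:  probe_tls yourdomain.com | check_tls_report
```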

Additional WordPress tweaks for SSL

The easy way

The simplest way to make sure that WordPress is correctly set up for SSL is to use the plugin Really Simple SSL – this does everything for your site.

Doing it manually

If you’d prefer not to add yet another plugin to your WordPress site, you can do it all manually. This involves editing a few files and changing any hard links that you have set up on your posts and pages. If you have a large website, this can take a long time, but may be worth it.

You’ll need to firstly edit the .htaccess file, and add the following lines after ‘RewriteEngine On’ and before the existing WordPress rules:

# Behind Nginx, Apache never sees port 443, so test the X-Forwarded-Proto header Nginx sets rather than SERVER_PORT
RewriteCond %{HTTP:X-Forwarded-Proto} !=https
RewriteRule ^(.*)$ https://[yourdomain.com]/$1 [R=301,L]

Then, edit your wp-config.php file and replace/add the following lines (near the top, before wp-settings.php is loaded):

// Nginx terminates TLS, so PHP sees a plain-HTTP request from the proxy; trust the
// X-Forwarded-Proto header the Nginx config sets. Only safe while Apache cannot be
// reached directly, because Nginx always overwrites the header itself.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}

// HTTP_HOST comes from the request; the server_name line in the Nginx config is what
// limits it to your own domain. Hard-code the URL if you prefer.
define('WP_SITEURL', 'https://' . $_SERVER['HTTP_HOST']);
define('WP_HOME', 'https://' . $_SERVER['HTTP_HOST']);

define('FORCE_SSL_ADMIN', true);
// FORCE_SSL_LOGIN has been an alias of FORCE_SSL_ADMIN since WordPress 4.0; harmless to keep.
define('FORCE_SSL_LOGIN', true);

That should be everything – if you have questions, leave a comment!