Skip to content

Instantly share code, notes, and snippets.

@arjenblokzijl
Last active July 25, 2018 20:36
Show Gist options
  • Save arjenblokzijl/175eb731584cc6cfb7bf to your computer and use it in GitHub Desktop.
Save arjenblokzijl/175eb731584cc6cfb7bf to your computer and use it in GitHub Desktop.
How To Add SSL to ServerPilot nginx

How To Add SSL to ServerPilot nginx

Requirements

  1. Domain (i.e. example.com)
  2. Subdomain(s): (i.e. www.example.com)
  3. Username
  4. App name

Create the Certificate

  1. Stop nginx service nginx-sp stop
  2. Create certificate ./letsencrypt-auto certonly --standalone -d YOURDOMAIN.COM -d WWW.YOURDOMAIN.COM

It should say:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/YOURDOMAIN.COM/fullchain.pem. Your
   cert will expire on 2016-06-12. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
  1. Start nginx service nginx-sp start

Add certificate to host

  1. cd /etc/nginx-sp/vhosts.d
  2. vi YOURAPPNAME.ssl.conf
server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	server_name  YOURDOMAIN.COM www.YOURDOMAIN.COM;

	ssl on;

	# letsencrypt certificates
	ssl_certificate      /etc/letsencrypt/live/YOURDOMAIN.COM/fullchain.pem;
	ssl_certificate_key  /etc/letsencrypt/live/YOURDOMAIN.COM/privkey.pem;

	#SSL Optimization
	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:20m;
	ssl_session_tickets off;

	# modern configuration
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;

	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';

	# OCSP stapling
	ssl_stapling on;
	ssl_stapling_verify on;

	# verify chain of trust of OCSP response
	ssl_trusted_certificate /etc/letsencrypt/live/YOURDOMAIN.COM/chain.pem;
	#root directory and logfiles
	root /srv/users/YOURUSERNAME/apps/YOURAPPNAME/public;

	access_log /srv/users/YOURUSERNAME/log/YOURAPPNAME/YOURAPPNAME_nginx.access.log main;
	error_log /srv/users/YOURUSERNAME/log/YOURAPPNAME/YOURAPPNAME_nginx.error.log;

	#proxyset
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-SSL on;
	proxy_set_header X-Forwarded-Proto $scheme;

	#includes
	include /etc/nginx-sp/vhosts.d/YOURAPPNAME.d/*.nonssl_conf;
	include /etc/nginx-sp/vhosts.d/YOURAPPNAME.d/*.conf;
}
  1. service nginx-sp restart

Auto update through cronjob

  1. @monthly /opt/letsencrypt/letsencrypt-auto certonly --renew-by-default --webroot -w /srv/users/YOURUSERNAME/apps/YOURAPPNAME/public -d YOURDOMAIN.COM -d www.YOURDOMAIN.COM
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment