How to setup & install HTTPS / SSL Certificate

What is SSL?

SSL stands for Secure Sockets Layer. It is a protocol that secures the exchanges on a website. If your website or web application is secured by an SSL certificate, the exchanges on your website are secured and, for example, a user who signs up cannot have their password stolen by an attacker who tries to intercept the exchanges on your website.

If your website has SSL enabled, you can access it through an “https” connection. To try it, just enter “https://your-domain.com” in your browser. If a padlock symbol appears in the address bar, just before your domain name, your website has SSL enabled.

SSL can be enabled on your website or your web application by adding an SSL certificate to your hosting. In this article we are going to show you how to do that for your Siberian. Note that if you are using an SAE, you can add an SSL certificate your own way by using the SSL certificate options offered by your hosting provider. However, if you have a Multi-Apps Edition or a Platform Edition, some clients may use their own domain name for their apps or for their admin panel (in the case of resellers for PE owners), so we strongly advise you to use the process below.

Why MUST you use SSL?

From January 1st, 2017, Chrome, which is one of the most used browsers, will mark sites that use authentication and/or credit card transactions with a “non-secured” flag in the address bar.

Here is what they say:

Beginning in January 2017 (Chrome 56), we’ll mark HTTP pages that collect passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.

In addition, Apple (so this concerns the native applications) will reject and remove from sale any application that is not running over an HTTPS connection. That means you have to use an SSL certificate on your Siberian RIGHT NOW and publish an update of your application on the App Store.

SSL and Siberian

As of Siberian 4.8.0, we have introduced Let’s Encrypt as our SSL certificate provider.

Siberian will manage your certificates and their renewal automatically from the cron scheduler after the initial setup is done.

We also provide four APIs to push the generated certificates to the following common Admin panels: Plesk 12+, cPanel, VestaCP, and DirectAdmin.

Before starting this process, be sure to have your Siberian updated to the latest version.

Initial Setup

First go into Backoffice > Settings > Advanced > Configuration

You will likely see this section. For now your HTTPS is disabled, and you have no certificates issued by Let’s Encrypt.


Let’s jump to the next step.

What do I need in order to set up & generate my SSL certificates?

If you have one of the supported Admin panels (Plesk 12+, cPanel, VestaCP, and DirectAdmin)

You will see that the Let’s Encrypt API is set to staging (test) by default. Leave it on staging until every one of the following steps is working.


  1. Get your admin* username, password & hostname.
  2. Select your panel type in the list.
  3. Fill in the required information. The hostname must be in the form:

      • Plesk: https://mydomain.com:8443/
      • cPanel: https://mydomain.com:2083/
      • VestaCP: https://mydomain.com:8083/
      • DirectAdmin: ssl://mydomain.com:2222/
  4. Switch “Use HTTPS” to yes.
  5. Then Save.
  6. After saving, you can proceed to the certificate request: click on “Request”.
  7. If the request is successful, you should now see your certificate in the “Issued certificates” section below.
  8. After the previous steps you are done: Siberian has pushed your certificate to your Admin panel and will check periodically, with the cron scheduler, whether your certificates need to be renewed or re-generated. The result is then also synced with your Admin panel.
    • For the Platform Edition, every time a new White Label domain is set up, the certificate will be updated to match the new domain.
  9. If all the previous steps were successful, you can now switch the Let’s Encrypt API to production and hit the “Request” button one last time to get a production certificate. Important: when changing from Staging to Production, be sure to reload the page in HTTP and not in HTTPS; otherwise you will get an error when generating the production certificate.

If you don’t have any of the supported Admin panels, please refer to the next section, “Setup self managed server”.

*Note: the admin account is generally required in order to use the API.

Setup self managed server

When setting up certificates from Siberian on a self-managed server (i.e. without an Admin panel), please follow these recommendations.

  1. First select “Unknown – Self-managed”.
  2. Switch “Use HTTPS” to yes.
  3. Then Save.
  4. After saving, you can proceed to the certificate request: click on “Request”.
  5. If the request is successful, you should now see your certificate in the “Issued certificates” section below.
    • The information shown there is visible when toggling “info”. You will likely need the two or three paths it lists to set up your virtual host (with Apache or nginx).
  6. Set up your web server with your new certificate. Some examples below:
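    • Nginx: In your virtual host add the following lines

      [...]
      # "ssl on;" is deprecated; TLS is enabled on the listen directive
      listen 443 ssl;

      # nginx has no separate chain directive: the file given here must
      # contain the certificate followed by the intermediate certificates
      ssl_certificate /path/to/your/certificate/cert.pem;
      ssl_certificate_key /path/to/your/certificate/private.pem;
      [...]

    • Apache: In your virtual host add the following lines

      [...]
      <VirtualHost *:443>

      SSLEngine on
      SSLCertificateFile /path/to/your/certificate/cert.pem
      SSLCertificateKeyFile /path/to/your/certificate/private.pem
      # Deprecated since Apache 2.4.8, where SSLCertificateFile can also carry the chain
      SSLCertificateChainFile /path/to/your/certificate/chain.pem
      [...]
      </VirtualHost>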
  7. [Recommended] Next, set up a root incron job that watches the certificate file “/path/to/your/certificate/cert.pem” for changes and tells your web server to reload.
    1. For Debian, Ubuntu, etc.
      1. apt-get install incron
    2. For Fedora, Red Hat, CentOS, etc.
      1. yum install incron
    3. Set up your job: run “incrontab -u root -e” and add the following line:
         /path/to/your/certificate/cert.pem IN_MODIFY /usr/bin/reload-web-server.sh
      1. Example script for /usr/bin/reload-web-server.sh:
           #!/bin/bash
           # Reload the web server so that it serves the renewed certificate.
           # "httpd" is the Apache service name on Red Hat-family systems; use your own service name (e.g. apache2 or nginx) otherwise.
           service httpd reload
      2. Don’t forget to make the script executable: chmod +x /usr/bin/reload-web-server.sh
    4. Start the service: “service incrond start” or “/etc/init.d/incrond start”
    5. Now, each time your certificate is renewed or modified (e.g. new domains registered), your web server will be reloaded to serve the new file.

I already have my own certificates and want to use them!

Although it is not the recommended way to set up SSL for your Siberian, you can use your existing certificates by giving Siberian their path or by uploading them.

  • For the Platform Edition, every time a new White Label domain is set up, you will have to renew your certificate by adding the new domains to the Subject Alternative Names of your certificate; otherwise your White Labels won’t work with HTTPS.
  1. First you need to expand the upload section by clicking on the title or “+”.
  2. You’ll then have access to a new form.
    • We highly recommend providing existing paths to your certificates rather than uploading them manually. If you want to upload certificates, jump to the next section, “Upload my certificates”.
    • You will have to fill in the main domain name in “hostname” and provide the paths to your certificates.
    • The certificate paths must be the same ones already set up in your server’s virtual host; this way Siberian always has the latest certificate.
  3. Now click on upload and you’re done.
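
A check for the Subject Alternative Names requirement above, as an added example that is not part of the original article or of Siberian: it lists the White Label domains that a certificate's SAN entries do not cover. The certificate dictionary and all domain names are constructed placeholders, and `fetch_peercert` is a hypothetical helper for reading the certificate a live server presents.

```python
import socket
import ssl


def san_dns_names(peercert):
    """DNS entries from the subjectAltName of an ssl getpeercert() dict."""
    return [v.lower() for k, v in peercert.get("subjectAltName", ()) if k == "DNS"]


def name_matches(pattern, host):
    """RFC 6125 style match: '*' is accepted only as the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard stands for exactly one label
    if p_labels[0] == "*":
        # never accept a wildcard directly under a top-level domain
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def uncovered_domains(peercert, domains):
    """Return the domains that no SAN entry of the certificate covers."""
    sans = san_dns_names(peercert)
    return [d for d in domains if not any(name_matches(s, d) for s in sans)]


def fetch_peercert(host, port=443, timeout=5.0):
    """Hypothetical helper: certificate served for `host`, after a verified handshake."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in the shape returned by getpeercert(); names are placeholders.
SAMPLE_CERT = {
    "subjectAltName": (
        ("DNS", "apps.example.com"),
        ("DNS", "*.reseller.example.net"),
    ),
}
# Constructed list of White Label domains to check against the certificate.
WHITE_LABELS = ["apps.example.com", "client1.reseller.example.net",
                "reseller.example.net", "a.b.reseller.example.net",
                "newclient.example.org"]

if __name__ == "__main__":
    for missing in uncovered_domains(SAMPLE_CERT, WHITE_LABELS):
        print("not covered by certificate:", missing)
```

`fetch_peercert` verifies the chain against the system trust store, so it raises an error for a Let’s Encrypt staging certificate, which default trust stores do not trust.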

Upload my certificates

  1. Below you can see the upload form.
    • In this form you also have to fill in the main domain name in “hostname”, but this time you have to upload your existing certificate files.
  2. You can now click on upload and you’re done.

Note: when uploading certificates rather than giving Siberian their path, you will have to upload them again each time they are renewed.
