How to set up & install an HTTPS / SSL certificate

What is SSL?

SSL stands for Secure Sockets Layer. It is a protocol that secures the exchanges on a website. If your website or web application is secured by an SSL certificate, the exchanges on your website are secured and, for example, a user who signs up cannot have their password stolen by a hacker who tries to intercept the exchanges on your website.

If your website has SSL enabled, that means you can access it through an “https” connection. To try, just enter “https://your-domain.com” in your browser. If it shows a padlock symbol in the address bar, just before your domain name, that means your website has SSL enabled.

SSL can be enabled on your website or your web application by adding an SSL certificate on your hosting. In this article we are going to show you how to do that for your Siberian. Note that if you are using a SAE, you can add an SSL certificate your own way by using the SSL certificate options offered by your hosting provider. However, if you have a Multi-Apps Edition or a Platform Edition, some clients may use their own domain name for their apps or for their admin panel (in the case of resellers for PE owners), so we strongly advise you to use the process below.

Why MUST you use SSL?

From January 1st, 2017, Chrome, which is one of the most used browsers, will mark the sites that use authentication and/or credit card transactions with a “non-secured” flag in the address bar.

Here is what they say:

Beginning in January 2017 (Chrome 56), we’ll mark HTTP pages that collect passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.

In addition, Apple will reject and remove from sale any native application that is not running over an HTTPS connection. That means you have to use an SSL certificate on your Siberian RIGHT NOW and publish an update of your application on the App Store.

SSL and Siberian

From Siberian 4.8.0, we have introduced Let’s Encrypt as our SSL certificate provider.

Siberian will manage your certificates and their renewal automatically from the cron scheduler after the initial setup is done.

We also provide four APIs to push the generated certificates to the following common admin panels: Plesk 12+, cPanel, VestaCP, and DirectAdmin.

Before starting this process, be sure to have your Siberian updated to the latest version.

Initial Setup

First go into Backoffice > Settings > Advanced > Configuration

You will likely see this section. For now, your HTTPS is disabled and you have no certificates issued by Let’s Encrypt.

Let’s jump to the next step.

What do I need in order to set up & generate my SSL certificates?

I have a hosting panel (Plesk 12+, cPanel, VestaCP, and DirectAdmin)

You will see that Let’s Encrypt API is set on staging* (test) by default, set it to production.

  • Get your admin* username, password & hostname
  • Select your panel type in the list

  • Fill-in the required information

Host must be in the form:

Plesk: https://mydomain.com:8443/

cPanel: https://mydomain.com:2083/

VestaCP: https://mydomain.com:8083/

DirectAdmin: ssl://mydomain.com:2222/

  • If the webspace name created on your hosting panel doesn’t match your domain name, then specify it in the field “Web space”. For example, if you created a webspace called “siberian” but your domain name is myapps.domain.com, then you will have to enter “siberian” in the field “Web space”.
  • Switch “Use HTTPS” to yes
  • Then 
  • Wait for the page to reload, and click on 

Note: Do NOT refresh or quit the page until it’s done.

  • If the request is successful you should now see your certificate in the “Issued certificates” below

  • It’s done! Siberian pushed your certificate to your hosting panel and will check periodically with the cron scheduler if your certificates need to be renewed.
    • For the Platform Edition, every time a new White Label domain is set up, the certificate will be updated to match the new domain.

*note: the admin account is generally required in order to use the API.

For cPanel users, it sometimes happens that the certificate is renewed but not uploaded to the panel. You then have to perform a manual action:

  • Download your renewed certificates by clicking on them:
  • Open them in a text editor (not Word, preferably)
  • Then log in to your cPanel
  • Search for SSL and open the SSL section
  • Click on “Manage SSL sites”
  • Select your domain
  • Copy and paste your certificates in the appropriate sections:
    • The cert.pem in the “Certificate” field
    • The privkey.pem in the “Private Key” field
    • The fullchain.pem in the “Certificate Authority Bundle” field
  • Click on “Install certificate” and you’re done.

I don't have a hosting panel (or it's not supported)

  • First select “Unknown – Self-managed”

  • Switch “Use HTTPS” to yes

  • Then 
  • Wait for the page to reload, and click on 
  • If the request is successful you should now see your certificate in the “Issued certificates” below. Click on  to check the paths:

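  • Set up your web server with your new certificates. Some examples below:
    • Nginx: In your virtual host add the following lines
      [...]
      # "ssl on;" is deprecated; enable TLS on the listen directive instead
      listen 443 ssl;

      # nginx has no separate chain directive: if cert.pem holds only the
      # server certificate, point ssl_certificate at the full chain file
      ssl_certificate /path/to/your/certificate/cert.pem;
      ssl_certificate_key /path/to/your/certificate/private.pem;
      [...]

    • Apache: In your virtual host add the following lines
      [...]
      <VirtualHost *:443>

      SSLEngine on
      SSLCertificateFile /path/to/your/certificate/cert.pem
      SSLCertificateKeyFile /path/to/your/certificate/private.pem
      # Deprecated since Apache 2.4.8, where the chain can be appended to SSLCertificateFile
      SSLCertificateChainFile /path/to/your/certificate/chain.pem
      [...]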
  • [Recommended] Next you will have to set up a root incron job, which will watch the certificate file “/path/to/your/certificate/cert.pem” for changes and call your server to reload.
    1. For Debian, Ubuntu, etc…
      1. apt-get install incron
    2. For Fedora, Red Hat, CentOS, etc…
      1. yum install incron
    3. Set up your job with “incrontab -u root -e” and add the following line:
       /path/to/your/certificate/cert.pem IN_MODIFY /usr/bin/reload-web-server.sh
      1. Example script for /usr/bin/reload-web-server.sh
          #!/bin/bash
          # Reload the web server so it serves the renewed certificate
          service httpd reload
      2. Don’t forget to make the script executable: chmod +x /usr/bin/reload-web-server.sh
    4. Start the service with “service incrond start” or “/etc/init.d/incrond start”
    5. Now each time your certificate is renewed or modified (e.g. new domains registered) your web server will be reloaded to serve the new file.
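
An added example, not part of the original article or of Siberian itself: a stricter /usr/bin/reload-web-server.sh that reloads only when the certificate and private key on disk belong together, the certificate has not expired and the server's configuration test passes. The file paths, the apachectl/service commands and the retry settings are assumptions to adapt to your server.

```bash
#!/bin/bash
# Added example, not Siberian's own script: a stricter reload-web-server.sh.
# Paths, commands and retry values are assumptions; adapt them to your server.
CERT="${CERT:-/path/to/your/certificate/cert.pem}"
KEY="${KEY:-/path/to/your/certificate/private.pem}"
CONFIG_TEST="${CONFIG_TEST:-apachectl configtest}"  # nginx: "nginx -t"
RELOAD="${RELOAD:-service httpd reload}"            # nginx: "service nginx reload"

# Public key embedded in the certificate, PEM-encoded.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key derived from the (unencrypted) private key, PEM-encoded.
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Succeeds while the certificate's notAfter date is still in the future.
cert_not_expired() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; }

# Succeeds only if both files parse and carry the same public key.
pair_matches() {
    cert_pub=$(cert_pubkey "$1") || return 1
    key_pub=$(key_pubkey "$2") || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

safe_reload() {
    # IN_MODIFY can fire while the renewal is still writing cert.pem or the
    # key, so retry a few times before giving up on a mismatched pair.
    tries=0
    until pair_matches "$CERT" "$KEY"; do
        tries=$((tries + 1))
        if [ "$tries" -ge "${MAX_TRIES:-5}" ]; then
            echo "certificate and key do not match; not reloading" >&2
            return 2
        fi
        sleep "${RETRY_DELAY:-2}"
    done
    cert_not_expired "$CERT" || { echo "certificate expired; not reloading" >&2; return 3; }
    # Unquoted on purpose: the variables hold a command plus its arguments.
    $CONFIG_TEST >/dev/null 2>&1 || { echo "config test failed; not reloading" >&2; return 4; }
    $RELOAD
}

# incron passes no arguments; do nothing if the watched file is missing.
if [ -f "$CERT" ]; then safe_reload; fi
```

With these defaults the incrontab line from step 3 works unchanged, and a refused reload leaves the web server running with the certificate it already had loaded.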

I already have my own certificates and want to use them

Although it’s not the recommended way to set up your Siberian SSL, you can use your existing certificates by giving Siberian their path or by uploading them.

  • For the Platform Edition, every time a new White Label domain is set up, you will have to renew your certificate by adding the new domains to the Subject Alternative Names of your certificate, otherwise your white labels won’t work with HTTPS.
  1. First you need to expand the upload section by clicking on the title or “+”
  2. You’ll then have access to this new form.
      We highly recommend providing existing paths to your certificates rather than uploading them manually; if you want to upload certificates, jump to the next section, #upload-my-certificates. You will have to fill in the main domain name in “hostname” and provide your certificates’ path. The certificates’ path must be the same one already set up in your server virtual host; this way Siberian always has the latest certificate.
  3. Now click on upload and you’re done.

Upload my certificates

  1. Below you can see the upload form
      In this form you also have to fill in the main domain name in “hostname”, but this time you have to upload your existing certificate files.
  2. You can now click on upload and you’re done.

Note: when uploading certificates rather than giving Siberian the path, you will have to upload them again each time they are renewed.
