Using LetsEncrypt With Serverpilot

Serverpilot Logo

If you need to quickly set up a blank server or don't have much experience with systems administration then you can't really go wrong with serverpilot. The free plan covers everything you really need to set the server up and keep it updated but it has one large drawback in that you need to upgrade to a paid plan to install and manage free SSL certificates.

Obviously, the company needs to make some money to keep running and a paid plan also gets you other features like monitoring, but if you just want to install a certificate and don't need the other extras then you can use the following method.

The basic steps we are going to take are:

  1. Install the official LetsEncrypt client Certbot.
  2. Use Certbot to generate a certificate for a domain name.
  3. Configure NGINX to use the generated certificate.
  4. Set up a cron job to automatically renew the certificates.

1. Installing Certbot on Serverpilot

Serverpilot comes with Git pre-installed so we can just clone the Certbot repository into a folder with the following command:

sudo git clone https://github.com/certbot/certbot /opt/certbot

The first time we run a command asking it to do anything it will download all the packages it needs in order to install the certificates. Certbot creates its own environment to make it as compatible with as many systems as possible (As I understand it), so the first command may take a little time.

Move into the certbot directory with:

cd /opt/certbot

That's it :) Time to install a certificate.

2. Generating a Certificate for an Existing Domain

As Serverpilot has a unique folder structure compared to a standard Ubuntu install, we can't use any of the auto commands, we need to use the --webroot flag to tell Certbot where the web accessible folder is for the domain that we want to generate the certificate for.

Certbot needs to know where the web root for the domain is as it is used to verify that the domain name points to your server. It creates a folder in the root named .well-known and creates a verification file with information sent from the LetsEncrypt API. For this reason, the domain name needs to be pointing to the server before you try to obtain a certificate and the .well-known folder should not be blocked by any .htaccess rules.

With the free Serverpilot tier, all domains are installed under:

/srv/users/serverpilot/apps/APP_NAME/public

so you need to replace APP_NAME in the following command to match the name of the app we are installing the certificate for.

We also need to specify each domain that we want a certificate for, so if you want the domain to be accessible on both www and without www then you need to specify both the main domain and the subdomain to get 2 certificates. Change the command to the name of your domain and then run it:

./certbot-auto certonly --webroot -w /srv/users/serverpilot/apps/APP_NAME/public -d domainname.com -d www.domainname.com

After Certbot downloads everything it needs you will be asked for an email address which is used for notifications about expiring certificates. Enter your address and then you should see a message that the certificates have been installed.

3. Configure NGINX to Use the Certificate

To be able to use the certificates, we need to create a configuration file for NGINX so that it knows where to find the certificates for the domain and how they should be used.

Move to the folder where the config files are stored:

cd /etc/nginx-sp/vhosts.d

then take a look at the folder contents with

sudo ls

for each domain installed on the server you should see one configuration file and one folder for additional configurations both using the name of the app:

appname.conf
appname.d

We need to create a new configuration file of the same name with .ssl appended to the end of the app name. So if the app name is 'appname' as the above example, we would need to create appname.ssl.conf with:

sudo nano appname.ssl.conf

The following configuration file tells NGINX where to find the certificates for the domain and enables http/2 with some strong encryption methods:

First, search and replace APP_NAME with the name of your app and domainname.com with your domain. Make sure you add all the subdomains that you generated certificates for after server_name.

You can paste into the console with a right mouse click after copying the contents to the clipboard.

After pasting the content into the console, close the editor with ctrl + x and confirm that you want to save the file.

Restart NGINX with the following to load the new configuration files:

sudo service nginx-sp restart

If all went well, you should now be able to access your domain using https.

4. Automatically Renewing Certificates

LetsEncrypt certificates only last for 3 months at a time so it wouldn't be fun to have to remember to update them manually. Luckily Certbot comes with a command which will check for certificates that are coming up to their expiry date and will automatically renew them. It checks for certificates that need to be renewed in less than 30 days, so if we run the command once a week it gives us 4 attempts should anything fail at the time. If anything is wrong, you will also get an email from LetsEncrypt about the upcoming expiration.

We can create a cron job to run as root once a week on a Sunday to check for expiration with the following:

sudo nano /etc/cron.d/certrenewal

Copy the following into the editor:

MAILTO=me@mydomain
#runs every Sunday at 8am
0 8 * * 0 root cd /opt/certbot; ./certbot-auto renew --post-hook "service nginx-sp restart"

If you want to receive email notifications when the job runs, change the email address to your own. If not, you can remove that line.

The --post-hook flag is very important as it restarts NGINX after a new cert has been installed, without it we would have new certificates but they wouldn't be loaded so it may look like the certificates are all valid but the site will not be accessible through a secure connection.

Restart the cron service to load the new file:

sudo service cron restart

Done

You should now have a working certificate that will auto-renew.

You can test that http/2 is working here.

And you can see all your sites assets loading at the same time at webpagetest.org.

If you need to install any more certificates, just follow steps 2 and 3 again and don't forget to restart NGINX after installing.