Setting up a Custom SSL


In some cases, you may want to run a custom non Let’s Encrypt based SSL. This article will walk you through how to do this on GridPane.

Important

  1. Custom SSLs are not supported by GridPane. If you've purchased an SSL and would like us to set it up for you please contact us for a quote.
  2. Once you completed your setup, do NOT use our SSL toggles as this will interfere with your custom SSL and may cause issues on your live website.

Getting Started

To set up your custom SSL you will need to SSH into your server. Please see the following articles to get started:

Step 0. Toggle the SSL on to get a Let’s Encrypt SSL

Provisioning a Let’s Encrypt SSL certificate helps get the proper Nginx vhost and changes your URL structure from HTTP to HTTPS.

Step 1. Create the SSL folder

First, you need to create the folder where your certificates are going to be stored with the following command, replacing “site.url” with your domain name:

mkdir /etc/nginx/ssl/site.url

For example:

mkdir /etc/nginx/ssl/gridpane.com

Step 2. Edit your virtual host file and add your custom SSL

You will need to edit your virtual host file, removing the /etc/letsencrypt lines. Replace these two lines:

ssl_certificate /etc/letsencrypt/live/site.url/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/site.url/privkey.pem;

These are the two directives that tell Nginx where the certificate and key live; they need to point at your custom SSL files instead.

Replace them with these two lines (switching out site.url for your domain name, and keeping the trailing semicolons, which Nginx requires):

ssl_certificate /etc/nginx/ssl/site.url/cert.pem;
ssl_certificate_key /etc/nginx/ssl/site.url/key.pem;

Your virtual host file can be found here:

/etc/nginx/sites-available/site.url

Converting crt and key files

If your custom certificate is in .crt format, you will need to convert it with the following (replacing “site.url” with your domain):

openssl x509 -in /path/to/cert.crt -out /etc/nginx/ssl/site.url/cert.pem

And if you have a .key file, you will need to convert it with the following (replacing “site.url” with your domain):

openssl rsa -in /path/to/key.key -out /etc/nginx/ssl/site.url/key.pem

Step 3. GPOCSP Stapling

You may see GPOCSP-related warnings when reloading Nginx. For example:

Jan 01 01:01:00 servername gpocsp[22675]: 140173244732544:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:69:fopen('/root/gridenv/acme-wildcard-configs/site.url/site.url/ca.cer','r')

The GPOCSP function looks for the .cer file in order to find the OCSP responder URL; which path it checks depends on whether the certificate was issued on the certbot path or the ACME path.

/etc/nginx/ssl/site.url/cert.pem is where ACME certificates are installed, while the original .cer file lives at the path shown in the error.

If you have installed your own custom certificates and GPOCSP throws this error because it can’t find the original .cer file, you will need to place the .cer file on that path to stop the error, as the error may prevent stapling for other domains on the server.

For this example the path would look as follows, with “site.url” replaced by your domain name:

/gridenv/acme-wildcard-configs/site.url/site.url/ca.cer

Step 4. Check and reload Nginx

For your changes to take effect you will need to reload Nginx. Before you do that, check the Nginx configuration syntax for errors.

Check for Syntax Errors

Check for syntax errors with:

nginx -t

If there are any errors, Nginx will report them. These must be fixed before reloading Nginx; reloading with a broken configuration can take your site down.

If the syntax is OK then reload Nginx with:

gp ngx reload
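As an added example (not part of this GridPane article or its tooling), the following POSIX shell script rewrites the two directives from Step 2 and checks that the custom certificate and private key actually belong together before you run nginx -t. The vhost fragment, temp directory and function names are constructed for illustration; the /etc/nginx/ssl/site.url/ paths follow the article.

```shell
#!/bin/sh
# Added example, not GridPane's own tooling. Rewrites the two vhost
# directives from Step 2 and checks that the custom certificate and key
# belong together before `nginx -t` is run. Paths follow the article.

# Replace the Let's Encrypt ssl_certificate / ssl_certificate_key lines
# with the custom paths (with the trailing semicolons nginx requires).
rewrite_vhost() {
  vhost=$1; domain=$2
  sed -e "s|^\([[:space:]]*\)ssl_certificate[[:space:]].*letsencrypt.*|\1ssl_certificate /etc/nginx/ssl/${domain}/cert.pem;|" \
      -e "s|^\([[:space:]]*\)ssl_certificate_key[[:space:]].*letsencrypt.*|\1ssl_certificate_key /etc/nginx/ssl/${domain}/key.pem;|" \
      "$vhost" > "$vhost.new" && mv "$vhost.new" "$vhost"
}

# Confirm the certificate's public key matches the private key (works for
# RSA and EC keys) and that the certificate has not already expired.
check_pair() {
  cert=$1; key=$2
  cpub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
  kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ "$cpub" = "$kpub" ] || { echo "cert/key mismatch: $cert $key" >&2; return 1; }
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
    || { echo "certificate has expired: $cert" >&2; return 1; }
}

# Demo on a constructed vhost fragment in a temp dir (not a live server).
work=$(mktemp -d)
cat > "$work/site.url" <<'EOF'
server {
    listen 443 ssl http2;
    server_name site.url;
    ssl_certificate /etc/letsencrypt/live/site.url/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/site.url/privkey.pem;
}
EOF
rewrite_vhost "$work/site.url" site.url
grep ssl_certificate "$work/site.url"
# Pair check against a throwaway self-signed cert, if openssl is present.
if command -v openssl >/dev/null 2>&1; then
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=site.url \
    -keyout "$work/key.pem" -out "$work/cert.pem" 2>/dev/null
  check_pair "$work/cert.pem" "$work/key.pem" && echo "cert and key match"
fi
rm -rf "$work"
```

On a real server, run rewrite_vhost against /etc/nginx/sites-available/site.url and check_pair against the converted cert.pem and key.pem, then continue with nginx -t as in Step 4.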

Congratulations, your custom SSL is now all set. Head over to your website to check it out. You may need to run a search and replace to change any HTTP links to HTTPS. You can learn how to do this with this guide:

How to search and replace in a WordPress database

Important

As noted at the beginning of this article, after making these changes please do NOT use our SSL toggles; otherwise, you will have to repeat the above process.