Setting up a Custom SSL
In some cases, you may want to run a custom SSL certificate that is not issued by Let’s Encrypt. This article will walk you through how to do this on GridPane.
Important
- Custom SSLs are not supported by GridPane. If you've purchased an SSL and would like us to set it up for you, please contact us for a quote.
- Once you have completed your setup, do NOT use our SSL toggles, as this will interfere with your custom SSL and may cause issues on your live website.
Getting Started
To set up your custom SSL you will need to SSH into your server. Please see the following articles to get started:
Generate your SSH Key:
Generate SSH Key on Windows with Putty
Generate SSH Key on Windows with Windows Subsystem for Linux
Generate SSH Key on Windows with Windows CMD/PowerShell
Add your SSH Key to GridPane:
Add/Remove an SSH Key to/from an Active GridPane Server
Connect to your server:
Step 0. Toggle the SSL on to get a Let’s Encrypt SSL
Provisioning a Let’s Encrypt SSL certificate first ensures the proper Nginx vhost is generated and changes your URL structure from HTTP to HTTPS.
Step 1. Create the SSL folder
First, you need to create the folder where your certificates are going to be stored with the following command, replacing “site.url” with your domain name:
mkdir /etc/nginx/ssl/site.url
For example:
mkdir /etc/nginx/ssl/gridpane.com
Step 2. Edit your virtual host file and add your custom SSL
You will need to edit your virtual host file, removing the two /etc/letsencrypt lines:
ssl_certificate /etc/letsencrypt/live/site.url/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/site.url/privkey.pem;
These are the two directives whose file paths need to point at your custom SSL certificate and key.
Replace them with these two lines (switching out site.url for your domain name):
ssl_certificate /etc/nginx/ssl/site.url/cert.pem;
ssl_certificate_key /etc/nginx/ssl/site.url/key.pem;
Your virtual host file can be found here:
/etc/nginx/sites-available/site.url
Converting crt and key files
If your custom certificate is in .crt format, you will need to convert it to .pem with the following command (replacing “site.url” with your domain):
openssl x509 -in /path/to/cert.crt -out /etc/nginx/ssl/site.url/cert.pem
And if you have a .key file, you will need to convert it with the following command (replacing “site.url” with your domain):
openssl rsa -in /path/to/key.key -out /etc/nginx/ssl/site.url/key.pem
Step 3. GPOCSP Stapling
You may see GPOCSP-related warnings when reloading Nginx. For example:
Jan 01 01:01:00 servername gpocsp[22675]: 140173244732544:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:69:fopen('/root/gridenv/acme-wildcard-configs/site.url/site.url/ca.cer','r')
The GPOCSP function looks for the .cer file to find the OCSP responder URL, and it decides whether to look on the certbot path or on the ACME path based on the certificate's file path.
/etc/nginx/ssl/site.url/cert.pem
is the file path for the installation of ACME certs, while the original .cer file lives in the path shown in the error.
If you have installed your own custom certs and the GPOCSP function throws this error because it cannot find the original .cer file, you will need to place the .cer file at that path to stop the error, as it may otherwise prevent the stapling of other domains on the server.
For this example it would look as follows, with “site.url” replaced by your domain name:
/gridenv/acme-wildcard-configs/site.url/site.url/ca.cer
Step 4. Check and reload Nginx
For your changes to take effect you will need to reload Nginx. Before you do, check the Nginx configuration for syntax errors.
Check for Syntax Errors
Check for syntax errors with:
nginx -t
If there are any errors, it will report them. These will need to be fixed before reloading Nginx. This is very important.
If the syntax is OK then reload Nginx with:
gp ngx reload
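The vhost edit from Step 2, scripted as an added example (not GridPane's own tooling): it checks that cert.pem and key.pem belong together before swapping out the Let’s Encrypt directives, and leaves the file ready for the nginx -t check in Step 4. It assumes the article's paths; the NGINX_SSL_DIR and NGINX_SITES_DIR variables and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not GridPane's own tooling. Rewrites a site's Nginx vhost
# so the two ssl_certificate directives point at the custom files from
# Step 2, after checking the certificate and private key belong together.
# Assumption: paths follow the article; NGINX_SSL_DIR / NGINX_SITES_DIR
# can be overridden (e.g. pointed at a temp dir for a dry run).
NGINX_SSL_DIR="${NGINX_SSL_DIR:-/etc/nginx/ssl}"
NGINX_SITES_DIR="${NGINX_SITES_DIR:-/etc/nginx/sites-available}"

# Return 0 when $2 (key.pem) is the private key for $1 (cert.pem), i.e.
# both carry the same public key. Skipped when openssl is not installed.
cert_key_match() {
  command -v openssl >/dev/null 2>&1 || return 0
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# install_custom_ssl <site.url>: 0 on success, 1 if a file is missing,
# the key does not match, or a /etc/letsencrypt reference is left behind.
install_custom_ssl() {
  site="$1"
  cert="$NGINX_SSL_DIR/$site/cert.pem"
  key="$NGINX_SSL_DIR/$site/key.pem"
  vhost="$NGINX_SITES_DIR/$site"
  [ -r "$cert" ] && [ -r "$key" ] && [ -w "$vhost" ] || return 1
  cert_key_match "$cert" "$key" || { echo "cert/key mismatch" >&2; return 1; }
  cp "$vhost" "$vhost.pre-custom-ssl.bak" || return 1   # rollback copy
  # Replace the Let's Encrypt lines; each directive keeps its own line,
  # indentation and trailing semicolon (the form Nginx expects).
  sed -e "s|^\([[:space:]]*ssl_certificate \).*letsencrypt.*|\1$cert;|" \
      -e "s|^\([[:space:]]*ssl_certificate_key \).*letsencrypt.*|\1$key;|" \
      "$vhost" > "$vhost.tmp" && mv "$vhost.tmp" "$vhost" || return 1
  # Anything still pointing at /etc/letsencrypt means the edit is incomplete.
  ! grep -q '/etc/letsencrypt' "$vhost"
}
```

Run it as install_custom_ssl site.url, then continue with nginx -t and gp ngx reload; the .pre-custom-ssl.bak copy lets you restore the vhost if the syntax check fails.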
Congratulations, your custom SSL is now all set. Head over to your website to check it out. You may need to run a search and replace to change any HTTP links to HTTPS. You can learn how to do this with this guide:
Important
As stated at the beginning of this article, after making these changes please do NOT use our SSL toggles; otherwise you will have to repeat the above process.