Overview
Cito issues Let's Encrypt certificates for all sites it knows about, and will automatically renew them without requiring any user involvement. This includes domain aliases.
Cito will automatically attempt to issue an SSL certificate when you create (or rename) a site, or add an alias.
We are only able to validate certificates for domains that point to the server, i.e. are live on Cito. If a site does not point to the IP of your Cito server, we will not be able to validate it.
If you are using a CDN service or proxy such as Cloudflare, we will not issue a certificate, as these services handle SSL themselves.
Renewals
Cito will automatically attempt to issue a certificate every few minutes for domains that do not have them. Only domains that resolve to the server will be issued certificates.
Renewals are processed nightly at 02:05.
How certificates are shared
Certificates are issued on a per-account basis, which means each site and its aliases share a cert.
Domains that do not point to the server (including the primary domain) will not block the issuance of other domains under the same site. This means, for example, that even if the main domain for a site does not point to the server, we will be able to issue a cert for its aliases.
Manually issuing a certificate
If you’ve recently pointed a domain name to the server but the renewal cron hasn’t yet run, you can force a reissue by running:
We strongly advise against running certbot commands directly. This can have unexpected results.
Bringing your own certificate
If you have your own certificate, you can use it with Cito. You’ll need the SSL certificate and a matching private key. Contact your SSL provider if you’re unsure how to generate this.
You can then update your nginx configuration file (/etc/nginx/conf.d/<username>.conf) with the path to your certificate and key. The lines to modify are:
ssl_certificate /path/to/certificate;
ssl_certificate_key /path/to/certificate_key;
We recommend storing your cert and key in /etc/ssl/certs and /etc/ssl/private respectively.
You can then run nginx -t to verify your configuration is correct, and systemctl reload nginx to reload and apply the certificate.
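A pre-flight check worth running before nginx -t, as an added example that is not part of Cito's own tooling: it confirms that the private key matches the certificate, that the certificate is not about to expire, and that the key file is not accessible to other users. The function names and the 30-day threshold are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks for a custom certificate and key.
# Function names and the 30-day threshold are assumptions for illustration.

# Succeeds only if the public key in the certificate equals the public key
# derived from the private key. Returns 2 if either file cannot be parsed.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    # "-passin pass:" stops openssl prompting if the key is passphrase-protected
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the certificate is still valid N days from now (default 30).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( ${2:-30} * 86400 ))" >/dev/null 2>&1
}

# Succeeds if "other" users have no permissions on the private key file.
key_perms_ok() {
    other=$(ls -lLd "$1" 2>/dev/null | cut -c8-10)
    [ "$other" = "---" ]
}

# Run all three checks and report the first failure.
preflight() {
    cert_matches_key "$1" "$2" || { echo "FAIL: key does not match certificate (or a file is unreadable)" >&2; return 1; }
    cert_valid_for_days "$1" 30 || { echo "FAIL: certificate expires within 30 days" >&2; return 1; }
    key_perms_ok "$2" || { echo "FAIL: private key is accessible to other users" >&2; return 1; }
    echo "OK: key matches certificate, expiry is more than 30 days away, key is not world-accessible"
}

# Usage: sh preflight.sh /path/to/certificate /path/to/certificate_key
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

A custom certificate is not renewed automatically, so the expiry check is worth repeating on a schedule.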
We strongly advise you use Let's Encrypt with Cito for automatic certificate renewal and management. You cannot use Aliases with a custom SSL certificate.
Wildcard certificates
Contact support if you wish to use a wildcard certificate with Cito. This requires a configuration change in Nginx that must be made manually.
We can help you issue a wildcard certificate and configure it on your chosen domain. We will provide a DNS TXT record which you can use to validate domain ownership.