SSL Certificates
Overview
Cito issues Let's Encrypt certificates for all sites it knows about, and will automatically renew them without requiring any user involvement.
If you're creating a new site using the psnew script, Cito will automatically attempt to issue an SSL certificate when you create the site.
This may, however, fail: if your domain doesn't point to the Cito server yet, Let's Encrypt won't be able to validate it.
Cito will automatically attempt to issue a certificate on a daily basis (at 02:00) for any sites that don't already have them.
Renewals
Renewals are automatic and are run via a cron task at 02:00 each night.
Manually issuing a certificate
If you want to manually issue a certificate, run the following command, substituting <domain> for your domain name:
certbot --non-interactive --agree-tos --register-unsafely-without-email --nginx -d <domain> -d www.<domain> --quiet
Bringing your own certificate
If you have your own certificate you can use this with Cito. You'll need the SSL certificate and a matching private key - contact your SSL provider if you're unsure how to generate this.
You can then update your nginx configuration file (/etc/nginx/conf.d/<username>.conf) with the path to your certificate and key. The lines to modify are:
ssl_certificate /path/to/certificate;
ssl_certificate_key /path/to/certificate_key;
We recommend storing your cert and key in /etc/ssl/certs and /etc/ssl/private respectively.
You can then run nginx -t to verify your configuration is correct, and systemctl reload nginx to reload and apply the certificate.
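The checks below are an added example, not part of the Cito documentation: before you edit the nginx configuration, they confirm that the certificate and private key actually match, that the certificate is not about to expire, and that the key file is not readable by group or other. The function names and the 30-day threshold are assumptions; make_demo_pair only builds a throwaway self-signed pair as constructed sample input.

```shell
#!/bin/sh
# Added example: pre-flight checks before pointing nginx at your own
# certificate and key. Function names are illustrative, not part of Cito.

# 0 if the certificate's public key equals the one derived from the private
# key, 1 if they differ, 2 if either file cannot be parsed (an encrypted key
# fails here rather than prompting for a passphrase).
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate is still valid $2 days from now (default 30).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# 0 if the key file exists and is not readable by group or other.
key_is_private() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print)" ]
}

# Constructed sample input: a throwaway self-signed pair for example.test.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=example.test" \
        -keyout "$2" -out "$1" >/dev/null 2>&1 && chmod 600 "$2"
}

# Run every check and report; non-zero exit means do not reload nginx yet.
preflight() {
    rc=0
    cert_matches_key "$1" "$2"  || { echo "FAIL: key does not match certificate"; rc=1; }
    cert_valid_for_days "$1" 30 || { echo "FAIL: certificate expires within 30 days"; rc=1; }
    key_is_private "$2"         || { echo "FAIL: key is readable by group/other"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: safe to run nginx -t and reload"
    return "$rc"
}

# When called with <certificate> <key>, run the checks on those files.
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

Saved as a script under a name of your choosing, it takes the certificate path and the key path as its two arguments.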
Warning
We strongly advise that you use Let's Encrypt with Cito for automatic certificate renewal and management.