SSL Certificates

Overview

Cito issues Let's Encrypt certificates for all sites it knows about, and will automatically renew them without requiring any user involvement.

If you're creating a new site using the psnew script, Cito will automatically attempt to issue an SSL certificate when you create the site. This may, however, fail: if your domain doesn't point to the Cito server yet, Let's Encrypt won't be able to validate it.

Cito will automatically attempt to issue a certificate on a daily basis (at 02:00) for any sites that don't already have them.

Renewals

Renewals are automatic and are run via a cron task at 02:00 each night.

Manually issuing a certificate

If you want to manually issue a certificate, run the following command, replacing <domain> with your domain name:

certbot --non-interactive --agree-tos --register-unsafely-without-email --nginx -d <domain> -d www.<domain> --quiet

Bringing your own certificate

If you have your own certificate you can use this with Cito. You'll need the SSL certificate and a matching private key - contact your SSL provider if you're unsure how to generate this.

You can then update your nginx configuration file (/etc/nginx/conf.d/<username>.conf) with the path to your certificate and key. The lines to modify are:

ssl_certificate /path/to/certificate;
ssl_certificate_key /path/to/certificate_key;

We recommend storing your cert and key in /etc/ssl/certs and /etc/ssl/private respectively.

You can then run nginx -t to verify your configuration is correct, and systemctl reload nginx to reload and apply the certificate.
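Before editing the nginx configuration, it is worth confirming that the key matches the certificate, that the certificate is not close to expiry, and that the key file is not readable by other users. The script below is an added example, not part of Cito; the function names and the 30-day default are assumptions, and it requires the openssl command-line tool.

```shell
#!/usr/bin/env bash
# Added example (not part of Cito): checks to run on a bring-your-own
# certificate before pointing ssl_certificate / ssl_certificate_key at it.

# Succeeds only when the certificate's public key is the one derived from
# the private key. Returns 2 if either file cannot be parsed (an encrypted
# key counts as unparsable here: "-passin pass:" stops openssl prompting).
cert_matches_key() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when the certificate is still valid DAYS days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Succeeds when the key file grants no permissions to group or other.
key_is_private() {
    local listing
    listing=$(ls -ln "$1" 2>/dev/null) || return 2
    # Characters 5-10 of the mode string are the group and other bits.
    [ "$(printf '%s' "$listing" | cut -c5-10)" = "------" ]
}

# Runs all three checks, prints each failure, returns non-zero if any fail.
preflight() {
    local cert=$1 key=$2 min_days=${3:-30} rc=0
    cert_matches_key "$cert" "$key" \
        || { echo "FAIL: key does not match certificate"; rc=1; }
    cert_valid_for_days "$cert" "$min_days" \
        || { echo "FAIL: certificate expires within $min_days days"; rc=1; }
    key_is_private "$key" \
        || { echo "FAIL: key is accessible to group or other"; rc=1; }
    return "$rc"
}

# Usage (paths are placeholders, as in the configuration lines above):
#   preflight /path/to/certificate /path/to/certificate_key \
#       && nginx -t && systemctl reload nginx
```
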

Warning

We strongly advise that you use Let's Encrypt with Cito for automatic certificate renewal and management.