Using your own SSL certificates

This article will show you how to generate and configure custom SSL certificates for domains you've added. You'll need to execute some commands via SSH to use this software. There is a separate guide on how to connect to your slot via SSH. Commands are kept as simple as possible and in most cases will simply need to be copied and pasted into the terminal window (then executed by pressing the Enter key).

This guide also assumes you're using nginx - please switch to nginx if you haven't already done so. It also assumes you have gone through the steps to configure your custom domain.

Generating the certificates

This guide uses sslforfree.com to generate the certificates. That service itself uses Let's Encrypt as a Certificate Authority. Running a Let's Encrypt certificate generator on your slot (thereby doing away with the additional dependency on sslforfree.com) is currently impossible as it requires root access.

Once you've navigated to sslforfree.com, put the domain to be protected in the field and click on Create Free SSL Certificate.

You'll then need to go through a verification procedure. Make sure you read the details on the page (and know that you'll be agreeing to the Let's Encrypt service agreement by continuing), then click on Manual Verification. Click the button which appears, Manually Verify Domain.

A 7-step list of instructions will appear, but to summarise them:

  • Create the required directories
  • Upload the file to the newly-created acme-challenge directory
  • Verify by clicking the link provided under step 5.

To create the directories, you can run the following (where domain is replaced by the domain directory you created when setting up the custom domain):

mkdir -p ~/www/domain/public_html/.well-known/acme-challenge

You can then upload the file using an FTP program before going back to the sslforfree website and clicking the link they provide under their step 5.

Once all this has been done, click on Download SSL Certificate. The files will be generated - if you scroll down you can download them by clicking the button, Download All SSL Certificate Files. You can then upload the zip file to your slot and extract it with:

unzip ~/sslforfree.zip -d ~/certs

If you're going to have multiple certificates and keys for multiple domains you can rename the files to make things easier. The rest of this guide will assume you've not renamed the files.
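Before pointing nginx at the extracted files, it is worth checking that the certificate and private key actually belong together and that the key is readable only by you. The following is an added example, not part of the original guide; it assumes openssl is available on the slot and uses the file names certificate.crt and private.key that the rest of this guide uses. The function names are made up for this example.

```bash
#!/usr/bin/env bash
# Added example: sanity-check the extracted files before nginx uses them.
# Assumes openssl is installed; file names are the ones this guide uses.

# Public key (PEM) embedded in a certificate / derived from a private key.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
key_pubkey()  { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Returns 0 if the pair is usable, 1 if key and certificate do not match
# (or cannot be parsed), 2 if the certificate has expired, 3 if a file is missing.
check_cert_pair() {
  local dir=$1 cert=$1/certificate.crt key=$1/private.key c k
  [ -f "$cert" ] && [ -f "$key" ] || return 3
  # The private key must not be readable by other users on the server.
  chmod 700 "$dir" && chmod 600 "$key"
  c=$(cert_pubkey "$cert") || return 1
  k=$(key_pubkey "$key") || return 1
  # An empty string means parsing failed; never treat that as a match.
  [ -n "$c" ] && [ "$c" = "$k" ] || return 1
  # -checkend 0 exits non-zero if the certificate is already expired.
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || return 2
  return 0
}

# Constructed throwaway pair for the demonstration only (self-signed, 1 day).
make_demo_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.com" \
    -keyout "$1/private.key" -out "$1/certificate.crt" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_pair "$demo_dir"
check_cert_pair "$demo_dir" && echo "certificate and key match"
rm -rf "$demo_dir"
# On the slot you would run: check_cert_pair ~/certs
```

A return code of 1 usually means the wrong private.key was uploaded alongside the certificate, which nginx would otherwise only report when the config is reloaded.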

Configuring the nginx config

You'll need a custom config in ~/.nginx/conf.d/ for your domain in order to add the custom SSL details. Here is an example copy you can modify and paste in:

server {
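  listen      8080;
  listen      8181 ssl;
  # "listen 8181 ssl" already enables TLS on that port. The deprecated
  # "ssl on;" directive is left out: it applies to every listen socket
  # in this server block, including plain-HTTP port 8080.
  ssl_certificate     home_path/certs/certificate.crt;
  ssl_certificate_key  home_path/certs/private.key;
  server_name example.com *.example.com;
  root        server_root;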
  index       index.html index.php;

  autoindex            on;
  autoindex_exact_size off;
  autoindex_localtime  on;

  # Pass files that end in .php to PHP
  location ~ \.php$ {
      fastcgi_read_timeout 1h;
      fastcgi_send_timeout 10m;

      include      /etc/nginx/fastcgi.conf;
      fastcgi_pass unix:nginx_socket;
  }

  # Deny access to anything starting with .ht
  location ~ /\.ht {
      deny  all;
  }

  # Wordpress in the www root
  #
  #location / {
  #        try_files $uri $uri/ /index.php?$args;
  #}

  # Wordpress in a subdirectory
  #
  #location /wordpress {
  #        try_files $uri $uri/ /wordpress/index.php?$args;
  #}
}

Make the following replacements to the variables in the above config:

  • home_path: the result of the command echo $HOME
  • example.com: your custom domain name
  • server_root: the result of the command ls -d ~/www/example.com/public_html
  • nginx_socket: the result of the command ls ~/.nginx/php/socket

Once you're done hold ctrl + x to save. Press y to confirm.

Finally reload the nginx configs with the following command:

/usr/sbin/nginx -s reload -c ~/.nginx/nginx.conf

    listen              8181 ssl;
    ssl_certificate     path-to-home/certs/certificate.crt;
    ssl_certificate_key  path-to-home/certs/private.key;

Replace path-to-home in the above config with the actual path to your home directory. You can find this with:

echo $HOME

Setting up the port forwarding

As in the warning at the top of the article, the Feral setup means that port forwarding needs to be set up to make sure everything works correctly. The upshot of this is that your domain will be accessible with a port number in it, rather than just the clean URL. In other words, it'd be https://domain.com:15161 rather than plain old https://domain.com. There is currently no way to get around this.

The process for setting up the port forwarding is the same as with Plex. Run the following command after changing port to the port you wish to access your domain on:

mkdir -p ~/.config/feral/ns/forwarding/tcp && echo 8181 > ~/.config/feral/ns/forwarding/tcp/port

Every five minutes the system will scan your slot and create the forwarded port for you. Once done, you'll be able to access your domain using https://domain:port, where domain is your custom domain and port is the port you specified to be forwarded to port 8181.