# SSL Certificates' FAQ

# How to enable SSL certificate for a domain

There is an "Issue SSL-certificate" button on the domains page. When you press it, the certificate will be issued within 30 minutes.

The button is available only when the domain has an active A record with the server's IP and responds without HTTPS (the State column shows Connected).

Issuing an SSL certificate is available only for approved installations beginning with version 2.12 (Maintenance -> Status -> Installation method).

# How to enable SSL certificate for a domain from server command line

You can install an SSL certificate for your domain with the following commands:

cd /root
curl keitaro.io/enable-ssl.sh > run; bash run -D domain.com

Important! Make sure the domain has an active A record with the server's IP.

# How to install SSL for several domains at once

cd /root
curl keitaro.io/enable-ssl.sh > run; bash run -D domain.com,domain2.com,domain3.com

The script will not work if the server was not configured by the single-click installation script.

Important! Make sure each domain has an active A record with the server's IP.
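A pre-flight check for the A-record requirement above, as an added example that is not part of Keitaro's scripts. The function names and the sample IP are assumptions; `getent` uses the system resolver, so an /etc/hosts entry can mask what public DNS returns.

```shell
#!/bin/sh
# Added example: check that domains resolve to this server before enable-ssl.sh.

# resolve_a NAME: print the IPv4 addresses NAME resolves to, one per line.
resolve_a() {
  getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# points_to_server NAME IP: succeed only if NAME resolves and every address
# equals IP (stricter than "has an A record": a second record pointing
# elsewhere can send the certificate validation request to another host).
points_to_server() {
  ips=$(resolve_a "$1")
  [ -n "$ips" ] || return 1
  for ip in $ips; do
    [ "$ip" = "$2" ] || return 1
  done
  return 0
}

# ready_domains IP NAME...: print the passing domains as a comma-separated
# list (the format the -D option takes), report the rest on stderr, and
# return non-zero if any domain failed.
ready_domains() {
  server_ip=$1; shift
  ok=""; failed=0
  for d in "$@"; do
    if points_to_server "$d" "$server_ip"; then
      ok="${ok:+$ok,}$d"
    else
      echo "skip $d: A records do not all point to $server_ip" >&2
      failed=1
    fi
  done
  echo "$ok"
  return "$failed"
}

# Usage (203.0.113.10 is a placeholder IP):
#   sh check-a-records.sh 203.0.113.10 domain.com domain2.com domain3.com
if [ "$#" -ge 2 ]; then ready_domains "$@"; fi
```
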

# How to enable auto redirect from http to https

Add the following lines to the /etc/nginx/conf.d/local/keitaro/server.inc file:

set $need_redirect "";
if ($http_x_forwarded_proto != 'https') { set $need_redirect "yes"; }
if ($scheme = 'http') { set $need_redirect "${need_redirect}-yes"; }
if ($server_name ~ '[a-z]') { set $need_redirect "${need_redirect}-yes"; }
if ($need_redirect = "yes-yes-yes") { return 301 https://$server_name$request_uri; }

This can be done by executing the following command:

cat >> /etc/nginx/conf.d/local/keitaro/server.inc <<'END'
set $need_redirect "";
if ($http_x_forwarded_proto != 'https') { set $need_redirect "yes"; }
if ($scheme = 'http') { set $need_redirect "${need_redirect}-yes"; }
if ($server_name ~ '[a-z]') { set $need_redirect "${need_redirect}-yes"; }
if ($need_redirect = "yes-yes-yes") { return 301 https://$server_name$request_uri; }
END

If you get the error bash: /etc/nginx/conf.d/local/keitaro/server.inc: No such file or directory, the file does not exist, and you need to upgrade the server's configuration.

Important! After you make any changes to the config file, first check the config with the command:

nginx -t

Only after the check passes, restart nginx:

service nginx restart

# How to enable SSL for a domain with CloudFlare

You need to enable SSL on CloudFlare if the domain is integrated with CloudFlare.

# Error: Unknown error during the installation

Run the following commands:

wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto
./certbot-auto --install-only
mv -f certbot-auto /usr/bin/certbot

Answer “y” at the Is this ok [y/d/N]: prompt.

Try to run the SSL installation process again.

# SSL Certificate is issued but is shown as invalid in a browser

If you issued certificates for more than 100 domains, delete the old and unnecessary domains. Run the following commands:

export domains="domain1.com domain2.com domain3.com"
for domain in $domains; do echo "Deleting $domain"; rm -f "/etc/nginx/conf.d/$domain.conf"; certbot delete --cert-name "$domain"; done

# The certificate isn't issued, enable-ssl script shows unknown error

Update the certbot utility:

curl -sSL https://dl.eff.org/certbot-auto > certbot-auto
chmod a+x ./certbot-auto
./certbot-auto --install-only
mv certbot-auto /usr/bin/certbot-2

# Delete SSL certificates

If you need to remove the SSL certificate from a domain of your site, you can use our special script, which deletes the SSL certificate and the domain. The script takes the domain name as a parameter. To delete the SSL certificate, use the following command:

curl https://raw.githubusercontent.com/apliteni/centos_provision/current/scripts/delete-ssl.sh > delete-ssl; bash delete-ssl domain.com

Here domain.com is the name of the domain whose certificate you want to revoke and delete. All certificates and their files, their keys, and the nginx configuration files of the selected domain (located in /etc/nginx/conf.d/) will be deleted.

# CA key file validation check

There can be cases where you issue an SSL certificate for a domain parked in your tracker, the issuance succeeds, and the domain still does not work: SSL certificate validation (SSL Labs, for example) shows a “certificate name mismatch” error. This means that the domain for which the certificate was issued conflicts, in the chain of keys (the PEM files), with the certificate of another domain that was issued previously (paid certificates, manually self-issued certificates, etc.).

Specifically, the certificate name check will show the domain name of the problem certificate that the domain conflicts with. In this case, you need to delete all keys and certificates of that domain from the server, along with all nginx configuration files related to it. You can do this easily with the command from the Delete SSL certificates section, but first you need to find out which CA key file is causing the conflict. To do so, check which CA name is linked to the key file:

openssl verify -verbose -x509_strict -CAfile key_file_name.pem

This will show you:

key_file_name.pem : CN = problemcertificate.ru
error 20 at 0 depth lookup:unable to get local issuer certificate

This means that the SSL certificate was not verified against a local issuer: for the file with this Common Name (CN), openssl reports “unable to get local issuer certificate”. To fix the issue, delete the SSL certificates and key files of the problem domain and its nginx config, then restart nginx. After that, all your domains should work over HTTPS.
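To locate the conflicting file before deleting anything, the sketch below (an added example, not part of Keitaro's scripts) lists which certificate files named in a domain's nginx config are not valid for that domain. The function names are assumptions; the config path follows the /etc/nginx/conf.d/$domain.conf layout used above.

```shell
#!/bin/sh
# Added example: find certificate files that cause a "name mismatch".

# conf_certs CONF...: print the paths named by ssl_certificate directives.
conf_certs() {
  awk '$1 == "ssl_certificate" { sub(/;$/, "", $2); print $2 }' "$@"
}

# cert_subject FILE: print the certificate subject (where the CN appears).
# Fails if FILE holds no certificate, e.g. a private key.
cert_subject() {
  openssl x509 -in "$1" -noout -subject 2>/dev/null
}

# cert_matches FILE DOMAIN: succeed if the certificate is valid for DOMAIN.
# The printed verdict is parsed rather than relying on the exit status.
cert_matches() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
    grep -q 'does match certificate'
}

# find_mismatched DOMAIN FILE...: for each certificate that is NOT valid for
# DOMAIN, print the file and the name it was actually issued for.
find_mismatched() {
  domain=$1; shift
  for f in "$@"; do
    [ -f "$f" ] || continue
    cert_subject "$f" >/dev/null || continue
    cert_matches "$f" "$domain" || echo "$f: $(cert_subject "$f")"
  done
  return 0
}

# Usage: sh find-mismatch.sh domain.com
if [ "$#" -eq 1 ]; then
  find_mismatched "$1" $(conf_certs "/etc/nginx/conf.d/$1.conf")
fi
```

An empty result means every certificate the config serves covers the domain, so the mismatch comes from a different server block or host.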

Last Updated: 6/24/2020, 4:45:24 AM