SSL Certificates

Overview

Cito issues Let's Encrypt certificates for every site it knows about, including domain aliases, and renews them automatically without any user involvement.

Cito automatically attempts to issue an SSL certificate when you create a site or add an alias.

This can fail: if your domain does not yet point to the Cito server, Let's Encrypt cannot validate it.

Renewals

Every hour, Cito attempts to issue certificates for domains that do not yet have one. Certificates are only issued for domains that resolve to the server.

Renewals are processed nightly at 02:05.

Manually issuing a certificate

If you've recently pointed a domain name at the server and the hourly certificate job hasn't run yet, you can force an issuance attempt by running:

/.ps/scripts/certmon.sh

If you want to issue a certificate manually, run the following command, replacing <domain> with your domain name:

certbot --non-interactive --agree-tos --register-unsafely-without-email --nginx -d <domain> -d www.<domain> --quiet

Add any domain aliases to this command as extra -d arguments.
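The manual command above fails as a whole if any of the names you pass has not been pointed at the server yet, which is the situation described under Overview. The script below is an added example (it is not Cito's certmon.sh or any other Cito script): it applies the same rule as the hourly job, only names whose A record is this server's address are submitted, and builds the certbot command with every alias as an extra -d argument. It assumes dig is installed and, when SERVER_IP is not set, that hostname -I reports the server's public IPv4 address; the domain names in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not part of Cito's documentation or scripts): only submit
# names that currently resolve to this server, then print the certbot
# command from the text with every alias as an extra -d argument.
# Assumes dig is installed and SERVER_IP is this server's public IPv4.

# resolve_a NAME -> prints NAME's published A records, one per line
# (CNAME lines that dig +short may print first are filtered out).
resolve_a() {
  dig +short A "$1" 2>/dev/null | grep -E '^[0-9.]+$'
}

# points_here NAME IP -> succeeds if one of NAME's A records is IP.
points_here() {
  resolve_a "$1" | grep -qx "$2"
}

# eligible_names IP NAME... -> prints the names whose A record is IP.
# A name that is not yet pointed at the server is skipped rather than
# submitted, because certbot issues nothing if any name fails validation.
eligible_names() {
  ip=$1
  shift
  for name in "$@"; do
    if points_here "$name" "$ip"; then
      printf '%s\n' "$name"
    else
      printf 'skipping %s: does not resolve to %s\n' "$name" "$ip" >&2
    fi
  done
}

# certbot_cmd NAME... -> prints the certbot command line for the given names.
certbot_cmd() {
  cmd='certbot --non-interactive --agree-tos --register-unsafely-without-email --nginx'
  for name in "$@"; do
    cmd="$cmd -d $name"
  done
  printf '%s --quiet\n' "$cmd"
}

# Usage: sh issue.sh example.com www.example.com alias.example.net
# Prints the certbot command for the names that resolve here; nothing is run.
if [ $# -gt 0 ]; then
  SERVER_IP=${SERVER_IP:-$(hostname -I 2>/dev/null | cut -d' ' -f1)}
  names=$(eligible_names "$SERVER_IP" "$@")
  if [ -n "$names" ]; then
    # shellcheck disable=SC2086  # word-splitting of $names is intended
    certbot_cmd $names
  else
    echo "no names resolve to $SERVER_IP; nothing to issue" >&2
    exit 1
  fi
fi
```

The script only prints the command so you can review which names made the cut; run the printed line as root once you are happy with it. Keeping the skipped names on stderr makes it obvious when the www alias or a domain alias is the one that still needs a DNS change.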

Bringing your own certificate

If you have your own certificate you can use it with Cito. You'll need the SSL certificate and its matching private key; contact your SSL provider if you're unsure how to obtain these.

You can then update your nginx configuration file (/etc/nginx/conf.d/<username>.conf) with the path to your certificate and key. The lines to modify are:

ssl_certificate /path/to/certificate;
ssl_certificate_key /path/to/certificate_key;

We recommend storing your cert and key in /etc/ssl/certs and /etc/ssl/private respectively.

Run nginx -t to verify that the configuration is valid, then systemctl reload nginx to reload nginx and apply the certificate.
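Before editing the ssl_certificate and ssl_certificate_key lines it is worth checking that the files you were given actually belong together, are not about to expire, and are not readable by other users on the server. The following is an added example, not part of Cito: a few shell checks built on openssl that you can run against the paths you intend to put in the nginx config. It assumes openssl is installed; the self-signed certificate and keys it generates in a temp directory are constructed sample input for the demo, and preflight and the other function names are this example's own.

```shell
#!/bin/sh
# Added example (not Cito's code): pre-flight checks before pointing
# ssl_certificate / ssl_certificate_key at a certificate you supplied.
# Assumes openssl is installed; paths are whatever you put in the config.

# cert_key_match CERT KEY -> succeeds if the public key inside CERT is the
# one derived from KEY (a mismatch makes nginx -t reject the config).
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for_days CERT DAYS -> succeeds if CERT does not expire within DAYS days.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# cert_count FILE -> prints how many PEM certificates FILE contains. nginx
# expects the leaf plus intermediates in ssl_certificate, so a count of 1
# usually means the chain is incomplete.
cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# key_perms_ok KEY -> succeeds if KEY is not readable by group or others.
key_perms_ok() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
  case "$mode" in
    *00) return 0 ;;
    *) return 1 ;;
  esac
}

# preflight CERT KEY -> runs every check, reports each failure, fails if any failed.
preflight() {
  cert=$1; key=$2; status=0
  cert_key_match "$cert" "$key"  || { echo "FAIL: $key does not match $cert"; status=1; }
  cert_valid_for_days "$cert" 14 || { echo "FAIL: $cert expires within 14 days"; status=1; }
  key_perms_ok "$key"            || { echo "FAIL: $key is readable by group/others"; status=1; }
  [ "$(cert_count "$cert")" -ge 2 ] || echo "WARN: $cert holds a single certificate; include the intermediates"
  return $status
}

# reload_nginx -> the two commands from the text; reload only if the config parses.
reload_nginx() {
  nginx -t && systemctl reload nginx
}

# --- constructed sample input: a throwaway self-signed cert, its matching
# key and an unrelated key, written to a temp directory so the demo runs anywhere.
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=example.test' -days 30 \
  -keyout "$WORK/good.key" -out "$WORK/good.crt" >/dev/null 2>&1
openssl genrsa -out "$WORK/other.key" 2048 >/dev/null 2>&1
chmod 600 "$WORK/good.key" "$WORK/other.key"

preflight "$WORK/good.crt" "$WORK/good.key" && echo "good.key: ready to install"
preflight "$WORK/good.crt" "$WORK/other.key" || echo "other.key: rejected, as expected"
```

On a real server run preflight /etc/ssl/certs/<name>.crt /etc/ssl/private/<name>.key after copying the files into place (the key should be owned by root with mode 600, which is what key_perms_ok checks), and only then edit the two nginx lines and call reload_nginx. The chain warning is deliberately not fatal because a self-signed or single-certificate deployment can be intentional, but a customer-supplied certificate from a public CA almost always needs its intermediates appended.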

Warning

We strongly advise using Let's Encrypt with Cito so that certificates are renewed and managed automatically.

Wildcard certificates

Issuing a wildcard certificate requires DNS validation (the DNS-01 challenge), which must be done manually via the CLI.

The following command prompts you to add a DNS TXT record to your domain's DNS before continuing:

certbot certonly --manual --preferred-challenges=dns --agree-tos -d '*.mydomain.co.uk'

Follow the prompts. Once the certificate has been issued, add it to your nginx config using the "Bringing your own certificate" instructions above.

You also need to add a post-renewal hook to the Let's Encrypt renewal configuration. Add the following line to the [renewalparams] section of /etc/letsencrypt/renewal/<domain>.conf:

renew_hook = systemctl reload nginx
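Two things commonly go wrong with the wildcard procedure: the TXT record has not propagated when you press Enter at certbot's prompt, and the renew_hook line ends up in the wrong place (or twice) after a second edit. The script below is an added example, not part of Cito or certbot: it checks that the _acme-challenge record is visible in public DNS, and adds the renew_hook line directly under the [renewalparams] header only if no hook is configured yet. It assumes dig is installed and that certbot's section header is spelled [renewalparams]; the renewal file it writes to a temp directory is constructed sample input, not a real certbot file. Two caveats worth knowing: a certificate for *.mydomain.co.uk does not cover mydomain.co.uk itself, so add the bare domain as a second -d if you need it, and certbot renew cannot complete a --manual DNS challenge unattended unless a --manual-auth-hook is configured, so keep an eye on the expiry date of wildcard certificates issued this way.

```shell
#!/bin/sh
# Added example (not part of Cito or certbot): idempotently add the
# renew_hook line to a certbot renewal file and confirm the ACME TXT record
# is visible before continuing. Assumes the section header is [renewalparams]
# and that dig is installed for the DNS check.

# ensure_renew_hook CONF [HOOK] -> adds "renew_hook = HOOK" directly under
# [renewalparams] unless a renew_hook line already exists. Fails if CONF has
# no [renewalparams] section.
ensure_renew_hook() {
  conf=$1
  hook=${2:-"systemctl reload nginx"}
  grep -q '^renew_hook *=' "$conf" && return 0
  awk -v hook="$hook" '
    { print }
    /^\[renewalparams\]/ { print "renew_hook = " hook }
  ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
  grep -q '^renew_hook *=' "$conf"
}

# renew_hook_value CONF -> prints the configured hook (empty if none).
renew_hook_value() {
  sed -n 's/^renew_hook *= *//p' "$1"
}

# acme_txt_present DOMAIN VALUE -> succeeds once public DNS serves a
# _acme-challenge TXT record for DOMAIN containing VALUE. Needs network;
# run it (repeat until it succeeds) before pressing Enter at certbot's
# prompt so validation does not fail on a record that has not propagated.
acme_txt_present() {
  dig +short TXT "_acme-challenge.$1" 2>/dev/null | tr -d '"' | grep -qx "$2"
}

# --- constructed sample input, shaped like a certbot renewal file ---
WORK=$(mktemp -d)
SAMPLE_CONF="$WORK/mydomain.co.uk.conf"
cat > "$SAMPLE_CONF" <<'EOF'
# renew_before_expiry = 30 days
archive_dir = /etc/letsencrypt/archive/mydomain.co.uk
cert = /etc/letsencrypt/live/mydomain.co.uk/cert.pem
privkey = /etc/letsencrypt/live/mydomain.co.uk/privkey.pem
fullchain = /etc/letsencrypt/live/mydomain.co.uk/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = manual
pref_challs = dns-01,
server = https://acme-v02.api.letsencrypt.org/directory
EOF

ensure_renew_hook "$SAMPLE_CONF"
echo "hook now: $(renew_hook_value "$SAMPLE_CONF")"
```

On the server, call ensure_renew_hook /etc/letsencrypt/renewal/<domain>.conf as root; running it again is harmless, and an existing hook with a different command is left untouched rather than silently replaced.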