SSL Configuration

Configure SSL/TLS certificates for secure HTTPS connections to your PteroCA panel.

Overview

SSL (Secure Sockets Layer) / TLS (Transport Layer Security) encrypts communications between your users and the PteroCA panel. This is essential for production environments to:

Encrypt sensitive data (passwords, payment information)
Prevent man-in-the-middle attacks
Build user trust
Comply with security standards (PCI-DSS, etc.)
Enable modern browser features

Quick Start with Let's Encrypt

The easiest way to get SSL certificates is using Let's Encrypt with Certbot.

Install Certbot

sudo apt update
sudo apt install -y certbot python3-certbot-nginx

Obtain Certificate

sudo certbot --nginx -d panel.example.com

Certbot will:

Verify domain ownership
Obtain SSL certificate
Automatically configure NGINX
Set up auto-renewal

For detailed web server setup, see Web Server Configuration.

Manual SSL Configuration

If you have an existing SSL certificate from another provider:

NGINX Configuration

server {
    listen 443 ssl http2;
    server_name panel.example.com;
    root /var/www/pteroca/public;

    # SSL Certificate paths
    ssl_certificate /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;

    # SSL Configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;

    # SSL Session
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # OCSP Stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /path/to/chain.pem;

    # Security Headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # PHP and Location blocks
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
    }
}

# HTTP to HTTPS redirect
server {
    listen 80;
    server_name panel.example.com;
    return 301 https://$host$request_uri;
}

Apache Configuration

<VirtualHost *:443>
    ServerName panel.example.com
    DocumentRoot /var/www/pteroca/public

    # SSL Configuration
    SSLEngine on
    SSLCertificateFile /path/to/cert.pem
    SSLCertificateKeyFile /path/to/privkey.pem
    SSLCertificateChainFile /path/to/chain.pem

    # SSL Protocols and Ciphers
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    SSLHonorCipherOrder off

    # Security Headers
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Directory configuration
    <Directory /var/www/pteroca/public>
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

# HTTP to HTTPS redirect
<VirtualHost *:80>
    ServerName panel.example.com
    Redirect permanent / https://panel.example.com/
</VirtualHost>

SSL Certificate Providers

Let's Encrypt (Free)

Pros:

Completely free
Automated renewal
Trusted by all browsers
Easy setup with Certbot

Cons:

90-day validity (but auto-renews)
Rate limits apply

Best for: Most installations, especially personal/small business

Commercial Providers

Popular commercial certificate authorities:

Sectigo (formerly Comodo)
DigiCert
GlobalSign
GoDaddy

Pros:

Longer validity (1-2 years)
Extended Validation (EV) options
Warranties included
Priority support

Cons:

Annual cost
Manual renewal process

Best for: Enterprise environments, companies needing EV certificates

Wildcard Certificates

Secure multiple subdomains with one certificate:

# Let's Encrypt wildcard (requires DNS validation)
sudo certbot certonly --dns-cloudflare \
     -d example.com \
     -d *.example.com

Covers:

example.com
panel.example.com
api.example.com
*.example.com

Certificate Auto-Renewal

Verify Certbot Renewal

Certbot sets up automatic renewal. Test it:

sudo certbot renew --dry-run

Manual Renewal

If needed, manually renew:

sudo certbot renew

Renewal Hooks

Run commands after renewal:

# Create renewal hook
sudo nano /etc/letsencrypt/renewal-hooks/post/restart-nginx.sh

#!/bin/bash
systemctl reload nginx

# Make executable
sudo chmod +x /etc/letsencrypt/renewal-hooks/post/restart-nginx.sh

SSL Best Practices

Use Strong Protocols

# Only TLS 1.2 and 1.3
ssl_protocols TLSv1.2 TLSv1.3;

Configure Strong Ciphers

ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;

Enable HSTS

# Force HTTPS for 1 year
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Enable OCSP Stapling

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

Testing SSL Configuration

SSL Labs Test

Test your SSL configuration:

Visit https://www.ssllabs.com/ssltest/
Enter your domain
Wait for analysis
Aim for A+ rating

Command Line Testing

# Test SSL/TLS versions
openssl s_client -connect panel.example.com:443 -tls1_2

# Check certificate
openssl s_client -connect panel.example.com:443 -showcerts

# Verify certificate chain
openssl verify -CAfile /path/to/chain.pem /path/to/cert.pem

Browser Testing

Visit https://yourdomain.com
Click padlock icon
Verify:
- Valid certificate
- Correct domain
- Trusted CA
- No mixed content warnings

Troubleshooting

Certificate Not Trusted

Error: "NET::ERR_CERT_AUTHORITY_INVALID"

Solutions:

Verify certificate chain is complete
```
sudo certbot certificates
```
Check certificate paths in NGINX/Apache
```
sudo nginx -t
```
Renew certificate if expired
```
sudo certbot renew
```

Mixed Content Warnings

Error: "This page contains insecure content"

Cause: HTTP resources loaded on HTTPS page

Solutions:

Update site URL in PteroCA
- Admin Panel → Settings → General
- Ensure Site URL uses https://
Check for HTTP resources
- Open browser console (F12)
- Look for HTTP:// requests
- Update to HTTPS:// or relative URLs

Enable HSTS

add_header Strict-Transport-Security "max-age=31536000" always;

Certificate Renewal Fails

Error: Certbot renewal failed

Common Causes:

Port 80/443 blocked

sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

Web server not running
```
sudo systemctl status nginx
```
Domain DNS changed
- Verify domain still points to server
- Check with dig panel.example.com
Rate limit reached
- Let's Encrypt has rate limits
- Wait before retrying
- See https://letsencrypt.org/docs/rate-limits/

Redirect Loop

Symptom: Page keeps redirecting

Cause: Proxy configuration issue

Solutions:

Check trusted proxies - See Trusted Proxies

Verify X-Forwarded-Proto header

proxy_set_header X-Forwarded-Proto $scheme;

Security Headers

Add these headers for enhanced security:

# Prevent clickjacking
add_header X-Frame-Options "SAMEORIGIN" always;

# Prevent MIME sniffing
add_header X-Content-Type-Options "nosniff" always;

# Enable XSS protection
add_header X-XSS-Protection "1; mode=block" always;

# Referrer policy
add_header Referrer-Policy "no-referrer-when-downgrade" always;

# Content Security Policy
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';" always;

Advanced Configuration

Certificate for Pterodactyl Panel

Both PteroCA and Pterodactyl should use SSL:

# Separate certificates
sudo certbot --nginx -d panel.example.com  # PteroCA
sudo certbot --nginx -d ptero.example.com  # Pterodactyl

Wildcard Certificate

# Requires DNS validation
sudo certbot certonly \
     --manual \
     --preferred-challenges dns \
     -d *.example.com \
     -d example.com

Follow prompts to add DNS TXT record for validation.

Certificate Backup

Backup your certificates regularly:

# Backup Let's Encrypt certificates
sudo tar -czf letsencrypt-backup.tar.gz /etc/letsencrypt

# Restore
sudo tar -xzf letsencrypt-backup.tar.gz -C /

Monitoring

Certificate Expiration

Monitor certificate expiration:

# Check expiration date
echo | openssl s_client -servername panel.example.com -connect panel.example.com:443 2>/dev/null | openssl x509 -noout -dates

Set Up Alerts

Use monitoring services:

SSL Labs Monitoring - Email alerts
Uptime Robot - Free monitoring
Nagios/Icinga - Self-hosted monitoring

Web Server Configuration - Basic SSL setup with Certbot
CSRF Protection - Additional security measures
Trusted Proxies - Proxy configuration
Troubleshooting - Common issues

PreviousSecurity NextCSRF Protection

Last updated 1 day ago

Overview

Quick Start with Let's Encrypt

Install Certbot

Obtain Certificate

Manual SSL Configuration

NGINX Configuration

Apache Configuration

SSL Certificate Providers

Let's Encrypt (Free)

Commercial Providers

Wildcard Certificates

Certificate Auto-Renewal

Verify Certbot Renewal

Manual Renewal

Renewal Hooks

SSL Best Practices

Use Strong Protocols

Configure Strong Ciphers

Enable HSTS

Enable OCSP Stapling

Testing SSL Configuration

SSL Labs Test

Command Line Testing

Browser Testing

Troubleshooting

Certificate Not Trusted

Mixed Content Warnings

Certificate Renewal Fails

Redirect Loop

Security Headers

Advanced Configuration

Certificate for Pterodactyl Panel

Wildcard Certificate

Certificate Backup

Monitoring

Certificate Expiration

Set Up Alerts

Related Guides