# SSL Configuration

TractStack automatically handles SSL certificate management using Let's Encrypt, with support for both automated and manual verification methods.

## Automated SSL (Cloudflare DNS)

The simplest approach uses Cloudflare's DNS API for automatic certificate issuance and renewal.
### Setup Cloudflare API

1. Get an API token from the Cloudflare dashboard:
   - Go to Cloudflare API Tokens
   - Create a token with `Zone:DNS:Edit` permissions
   - Scope it to your specific domain zone
2. Create the credentials file:

   ```bash
   sudo mkdir -p /root/.secrets/certbot
   sudo nano /root/.secrets/certbot/cloudflare.ini
   ```

3. Add your API token:

   ```ini
   dns_cloudflare_api_token = YOUR_API_TOKEN_HERE
   ```

4. Secure the file so that only root can read it:

   ```bash
   sudo chmod 600 /root/.secrets/certbot/cloudflare.ini
   ```
### Installation with Cloudflare

With credentials in place, run the installer:

```bash
curl -fsSL https://get.tractstack.com | bash -s -- --prod --domain=yourdomain.com
```

The installer will:

- Detect Cloudflare credentials
- Automatically request wildcard certificates
- Configure automatic renewal
- Set up nginx with SSL
## Manual DNS Verification

For other DNS providers, use manual verification during installation.

### Installation Process

Run the installer without Cloudflare credentials:

```bash
curl -fsSL https://get.tractstack.com | bash -s -- --prod --domain=yourdomain.com
```

### DNS Verification Steps

The installer will pause and display the TXT records to add:

```
Please add the following TXT record to your DNS:

_acme-challenge.yourdomain.com TXT "abc123def456..."
_acme-challenge.yourdomain.com TXT "xyz789uvw012..."

For wildcard certificate, also add:

_acme-challenge.yourdomain.com TXT "wildcard-token..."
```
### Adding DNS Records

For Cloudflare (manual):

1. Go to DNS settings in the Cloudflare dashboard
2. Add the TXT records as shown
3. Wait 1-2 minutes for propagation

For other providers:

1. Access your DNS management panel
2. Add the TXT records exactly as displayed
3. Wait for DNS propagation (can take 5-15 minutes)

### Verify DNS Propagation

Check that the records are visible:

```bash
dig _acme-challenge.yourdomain.com TXT
nslookup -type=TXT _acme-challenge.yourdomain.com
```

### Complete Verification

Once the DNS records are added:

1. Return to the installer terminal
2. Press Enter to continue
3. Let's Encrypt will verify the records
4. Certificates will be issued and installed
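A common reason the verification step fails is pressing Enter while the resolver still returns an old or incomplete set of TXT values. The script below is an added example, not part of the TractStack installer: it parses the output of `dig +short` and reports which of the tokens printed by the installer are not yet visible. The resolver address (1.1.1.1), the domain and the token values are assumptions; substitute the ones from your installer prompt.

```shell
#!/bin/sh
# Added example (not TractStack installer code): before pressing Enter in the
# installer, confirm that the _acme-challenge TXT records a resolver returns
# contain exactly the tokens the installer printed.

# acme_txt_present <expected-token> <dig-output>
# `dig +short NAME TXT` prints each record as a quoted string and splits values
# longer than 255 bytes into several quoted chunks on one line. Re-join the
# chunks, strip the outer quotes and look for an exact line match.
acme_txt_present() {
  _tok=$1
  _out=$2
  printf '%s\n' "$_out" \
    | sed 's/" "//g; s/^"//; s/"$//' \
    | grep -qxF -- "$_tok"
}

# missing_tokens <dig-output> <token>...
# Prints the tokens that are not yet visible, one per line, and returns 1;
# prints nothing and returns 0 when every token is present.
missing_tokens() {
  _answer=$1
  shift
  _status=0
  for _t in "$@"; do
    if ! acme_txt_present "$_t" "$_answer"; then
      printf '%s\n' "$_t"
      _status=1
    fi
  done
  return $_status
}

# check_challenge <domain> <token>...   (performs the real DNS query)
check_challenge() {
  _domain=$1
  shift
  _name="_acme-challenge.$_domain"
  # 1.1.1.1 is an assumption. Let's Encrypt asks your zone's authoritative
  # servers, so for the most faithful check query one of the servers listed by
  # `dig +short NS yourdomain.com` instead of a public recursive resolver.
  _dig=$(dig +short @1.1.1.1 "$_name" TXT 2>/dev/null || true)
  if _missing=$(missing_tokens "$_dig" "$@"); then
    echo "ok: all $# token(s) visible at $_name"
    return 0
  fi
  echo "not yet visible at $_name (wait and re-run before pressing Enter):"
  echo "$_missing" | sed 's/^/  /'
  return 1
}

# Usage: check_challenge yourdomain.com abc123def456... xyz789uvw012...
if [ $# -ge 2 ]; then
  check_challenge "$@"
fi
```

Run it with the domain and every token from the installer prompt (two tokens for a wildcard request, since the apex and `*.` names share the same `_acme-challenge` label); it exits non-zero until all of them are visible.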
## Certificate Types

### Single Domain Certificate

Covers only the specified domain:

```
yourdomain.com
```

### Wildcard Certificate

Covers the domain and all of its direct subdomains:

```
yourdomain.com
*.yourdomain.com
```

so names such as `www.yourdomain.com`, `blog.yourdomain.com` and `api.yourdomain.com` are all covered. Note that `*.yourdomain.com` matches one label only; a name like `a.b.yourdomain.com` would need its own entry.

Multi-tenant installations automatically request wildcard certificates.
## Certificate Management

### Certificate Locations

Certificates are stored at:

```
/home/t8k/etc/letsencrypt/live/yourdomain.com/
├── cert.pem       # Certificate
├── chain.pem      # Certificate chain
├── fullchain.pem  # Certificate + chain
└── privkey.pem    # Private key
```

### Automatic Renewal

Certificates auto-renew via a systemd timer:

```bash
# Check renewal status
sudo -u t8k /home/t8k/certbot_venv/bin/certbot certificates

# View renewal timer
sudo systemctl status certbot-renew.timer

# Test renewal (dry run)
sudo -u t8k /home/t8k/certbot_venv/bin/certbot renew --dry-run
```

### Manual Renewal

Force certificate renewal if needed (forced renewals count against Let's Encrypt's duplicate-certificate rate limit, so do not script this):

```bash
sudo -u t8k /home/t8k/certbot_venv/bin/certbot renew --force-renewal
sudo systemctl reload nginx
```
## nginx SSL Configuration

TractStack automatically configures nginx with modern SSL settings:

### Security Headers

```nginx
# Strong SSL configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;

# Security headers
# Note: nginx does not inherit add_header into a location block that declares
# its own add_header; repeat these there if you add such a block.
add_header Strict-Transport-Security "max-age=63072000" always;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
```

### HTTP to HTTPS Redirect

```nginx
server {
    listen 80;
    server_name yourdomain.com *.yourdomain.com;
    # $server_name expands to the first name listed (yourdomain.com), so
    # requests for subdomains are redirected to the apex; use $host instead
    # if the requested hostname should be preserved.
    return 301 https://$server_name$request_uri;
}
```

### Certificate References

```nginx
ssl_certificate /home/t8k/etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /home/t8k/etc/letsencrypt/live/yourdomain.com/privkey.pem;
```
## Troubleshooting SSL

### Certificate Request Failed

DNS not propagated:

```bash
# Check DNS records
dig _acme-challenge.yourdomain.com TXT

# Wait longer for propagation
# Try again in 5-10 minutes
```

Rate limits exceeded:

```bash
# Let's Encrypt has rate limits
# Wait an hour and try again
# Use the staging environment for testing (staging certificates are not
# trusted by browsers; they only let you exercise the issuance flow):
sudo -u t8k /home/t8k/certbot_venv/bin/certbot certonly --staging
```

### nginx SSL Errors

Certificate file not found:

```bash
# Check that the certificate files exist
sudo ls -la /home/t8k/etc/letsencrypt/live/yourdomain.com/

# Check nginx configuration
sudo nginx -t
```

Mixed content warnings:

```
# Ensure all resources use HTTPS
# Check browser console for HTTP resources
# Update any hardcoded HTTP URLs
```

### Certificate Renewal Issues

Renewal fails:

```bash
# Check renewal logs
sudo -u t8k /home/t8k/certbot_venv/bin/certbot renew --dry-run

# Manual renewal with verbose output
sudo -u t8k /home/t8k/certbot_venv/bin/certbot renew -v
```

nginx reload fails:

```bash
# Test nginx configuration
sudo nginx -t

# Check for syntax errors
sudo systemctl status nginx
```
## Custom SSL Certificates

For enterprise or custom certificates:

### Install Custom Certificate

1. Place the certificate files:

   ```bash
   # yourdomain.crt must contain the full chain (leaf + intermediates) for nginx
   sudo mkdir -p /home/t8k/etc/ssl/
   sudo cp yourdomain.crt /home/t8k/etc/ssl/
   sudo cp yourdomain.key /home/t8k/etc/ssl/
   sudo chown -R t8k:t8k /home/t8k/etc/ssl/
   # make sure the private key is readable by t8k only (mode 600)
   ```

2. Update the nginx configuration:

   ```bash
   sudo nano /etc/nginx/sites-enabled/t8k-main.conf
   ```

3. Modify the SSL paths:

   ```nginx
   ssl_certificate /home/t8k/etc/ssl/yourdomain.crt;
   ssl_certificate_key /home/t8k/etc/ssl/yourdomain.key;
   ```

4. Test and reload:

   ```bash
   sudo nginx -t
   sudo systemctl reload nginx
   ```
## Security Best Practices

### SSL Test

Verify the SSL configuration:

- SSL Labs Test
- Should achieve an A+ rating
### Certificate Monitoring

Monitor certificate expiration:

```bash
# Check expiration dates (-servername sends SNI, so a server with several
# server blocks answers with the certificate for this domain)
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -dates

# Set up monitoring alerts
# Many services available: UptimeRobot, Pingdom, etc.
```
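The SSL Labs test and the `openssl x509 -dates` command above are manual checks. The script below is an added example, not TractStack code: it verifies from the command line the points those two sections care about (HTTP to HTTPS redirect, HSTS with a long max-age, TLS 1.0/1.1 refused, certificate not about to expire) and exits non-zero on any failure, so it can run from cron and feed an alert. It assumes curl, openssl and GNU date are installed; `yourdomain.com`, the 14-day warning threshold and the 180-day HSTS minimum are assumptions you can change.

```shell
#!/bin/sh
# Added example (not TractStack code): local post-install TLS audit.

# hsts_max_age <response-headers>
# Prints the max-age value of the Strict-Transport-Security header, or 0 when
# the header is absent. Header names are matched case-insensitively.
hsts_max_age() {
  age=$(printf '%s\n' "$1" | tr -d '\r' \
        | grep -i '^strict-transport-security:' \
        | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1)
  echo "${age:-0}"
}

# expiry_status <now-epoch> <not-after-epoch> <warn-days>
# Prints the whole days remaining; returns 0 = fine, 1 = renew soon, 2 = expired.
expiry_status() {
  days=$(( ($2 - $1) / 86400 ))
  echo "$days"
  if [ "$2" -le "$1" ]; then return 2; fi
  if [ "$days" -lt "$3" ]; then return 1; fi
  return 0
}

# tls_audit <domain> [warn-days]   (performs the real network checks)
tls_audit() {
  domain=$1
  warn=${2:-14}
  rc=0

  # 1. plain HTTP must answer with a 301 to an https:// URL
  redirect=$(curl -sI -o /dev/null -w '%{http_code} %{redirect_url}' "http://$domain/")
  case "$redirect" in
    "301 https://"*) echo "ok: http -> https redirect" ;;
    *) echo "FAIL: http redirect: $redirect"; rc=1 ;;
  esac

  # 2. HSTS present with a long max-age (the nginx config above sets 63072000)
  headers=$(curl -sI "https://$domain/")
  age=$(hsts_max_age "$headers")
  if [ "$age" -ge 15552000 ]; then   # 180 days, assumed minimum
    echo "ok: HSTS max-age=$age"
  else
    echo "FAIL: HSTS missing or max-age=$age too low"; rc=1
  fi

  # 3. TLS 1.0 and 1.1 must be refused (openssl exits non-zero when the
  # handshake fails). Caveat: an OpenSSL build that itself no longer offers
  # these versions will also report "refused" here.
  for proto in tls1 tls1_1; do
    if echo | openssl s_client -connect "$domain:443" -servername "$domain" "-$proto" >/dev/null 2>&1; then
      echo "FAIL: $proto accepted"; rc=1
    else
      echo "ok: $proto refused"
    fi
  done

  # 4. certificate expiry, with SNI so the right server block answers
  not_after=$(echo | openssl s_client -connect "$domain:443" -servername "$domain" 2>/dev/null \
              | openssl x509 -noout -enddate | sed 's/^notAfter=//')
  days=$(expiry_status "$(date +%s)" "$(date -d "$not_after" +%s)" "$warn")
  case $? in
    0) echo "ok: certificate valid for $days more days" ;;
    1) echo "WARN: certificate expires in $days days, renew now"; rc=1 ;;
    *) echo "FAIL: certificate expired ($not_after)"; rc=1 ;;
  esac
  return $rc
}

# Usage: tls_audit yourdomain.com 14
if [ -n "${1:-}" ]; then
  tls_audit "$1" "${2:-14}"
fi
```

With the automatic renewal timer working, the expiry check should never drop below the threshold; if it does, the timer or the nginx reload after renewal is what to investigate.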
### Backup Certificates

```bash
# Backup certificate directory (the archive contains private keys, so keep
# /home/t8k/backups readable by t8k only)
sudo -u t8k tar -czf /home/t8k/backups/ssl-$(date +%Y%m%d).tar.gz \
  /home/t8k/etc/letsencrypt/
```
## Multi-Domain Setup

For multiple domains on one server:

### Additional Certificates

```bash
# Request an additional certificate (the wildcard name is quoted so the inner
# shell does not glob it)
sudo -u t8k bash -c "source /home/t8k/certbot_venv/bin/activate && \
  certbot certonly --manual --preferred-challenges dns \
  --config-dir /home/t8k/etc/letsencrypt \
  -d anotherdomain.com -d '*.anotherdomain.com'"
```

### nginx Configuration

Create separate server blocks for each domain, each referencing its own certificate files.

SSL configuration ensures secure connections to your TractStack site. For ongoing SSL management, see the Operations guide.