SSL Certificates (Certbot)
Automated SSL issuance and renewal with Let's Encrypt and Certbot integration.
CtrlOps simplifies the process of securing your web applications with free SSL certificates from Let's Encrypt. It automates the installation of dependencies, domain discovery within Nginx configs, and the issuance/renewal lifecycle.
Domain Discovery
CtrlOps identifies candidate SSL domains by parsing your Nginx sites-enabled configurations. It specifically looks for the server_name directive:

```bash
grep -r "server_name" /etc/nginx/sites-enabled/
```

This limits the offered list to names that Nginx is already configured to serve. It does not prove that DNS points those names at this server, so a name with a stale or missing A/AAAA record will still be offered and will then fail the ACME challenge. Two further caveats if you reproduce the check by hand: on current GNU grep, `-r` skips symlinks it meets while recursing, and the entries in sites-enabled are normally symlinks into sites-available, so use `grep -R` (or `grep "server_name" /etc/nginx/sites-enabled/*`) to read them; and names that the HTTP-01 challenge cannot issue for (the `_` catch-all, regular-expression names beginning with `~`, and wildcards, which need DNS-01) should be dropped from the candidates.
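The following script is an added example, not CtrlOps code, that performs the same discovery with the filtering described above: it follows the sites-enabled symlinks, strips comments, splits directives that list several names, and drops names that the Nginx HTTP-01 plugin cannot issue for. The sample configuration it writes under a temporary directory is constructed for the demo; the function names and the Debian-style sites-available/sites-enabled layout are assumptions of the example.

```bash
#!/usr/bin/env bash
# Added example, not CtrlOps code: discover issuable server_name values.
# Assumes a Debian-style sites-enabled directory of (symlinked) .conf files.
set -eu

# Print one candidate domain per line from every file under $1 (default:
# /etc/nginx/sites-enabled). `find -L` follows the symlinks into
# sites-available that a plain `grep -r` would skip. Dropped on purpose:
#   _            catch-all default server
#   ~...         regular-expression names
#   *.example    wildcards (need DNS-01, not the nginx HTTP-01 plugin)
#   $var         Nginx variables, plus localhost and bare IPv4 addresses
discover_domains() {
    local dir="${1:-/etc/nginx/sites-enabled}"
    find -L "$dir" -type f -exec cat {} + 2>/dev/null \
      | sed 's/#.*$//' \
      | awk '
          $1 == "server_name" {
              for (i = 2; i <= NF; i++) {
                  n = $i
                  sub(/;$/, "", n)
                  if (n == "" || n == "_" || n == "localhost") continue
                  if (n ~ /^[~$]/ || n ~ /\*/) continue
                  if (n ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) continue
                  print tolower(n)
              }
          }' \
      | sort -u
}

# Constructed sample layout for the demo: two vhost files in sites-available,
# symlinked from sites-enabled exactly as Debian/Ubuntu lays them out.
# Prints the sites-enabled path.
make_sample_config() {
    local dir
    dir="$(mktemp -d)"
    mkdir -p "$dir/sites-available" "$dir/sites-enabled"
    cat > "$dir/sites-available/example.conf" <<'EOF'
server {
    listen 80;
    server_name example.com www.example.com;   # main site
}
server {
    listen 80 default_server;
    server_name _;                             # catch-all, not issuable
}
server {
    listen 80;
    server_name ~^(?<sub>.+)\.dyn\.example\.com$;   # regex, not issuable
}
EOF
    cat > "$dir/sites-available/api.conf" <<'EOF'
server {
    listen 443 ssl;
    server_name API.example.com *.example.com localhost 127.0.0.1 $hostname;
}
EOF
    ln -s "$dir/sites-available/example.conf" "$dir/sites-enabled/example.conf"
    ln -s "$dir/sites-available/api.conf" "$dir/sites-enabled/api.conf"
    printf '%s\n' "$dir/sites-enabled"
}

# Demo: run against the constructed layout, or a real directory given as $1.
discover_domains "${1:-$(make_sample_config)}"
```

Against the sample layout this prints api.example.com, example.com and www.example.com; the catch-all, the regex name, the wildcard, localhost, the bare address and the variable are all filtered out, and the upper-case name is normalised, which matters because Let's Encrypt treats names case-insensitively.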
Automation Flow
When you trigger an SSL request for a specific domain, CtrlOps executes the following logic chain:
1. Automatic Dependency Management
If Certbot is not found on your system, CtrlOps automatically attempts to install it and its Nginx integration (this assumes a Debian/Ubuntu host with apt):

```bash
sudo apt update
sudo apt install -y certbot python3-certbot-nginx
```

2. Issuing a Certificate
CtrlOps uses the Nginx plugin to complete the ACME HTTP-01 challenge automatically: Certbot temporarily adds a location for /.well-known/acme-challenge/ to the server block whose server_name matches, reloads Nginx, and removes it again after validation, so your web server is never stopped. The flags make the run unattended: --non-interactive fails instead of prompting, --agree-tos accepts the Let's Encrypt subscriber agreement, and --email registers the address that receives expiry warnings:

```bash
sudo certbot --nginx -d yourdomain.com --non-interactive --agree-tos --email your@email.com
```

3. Verification & Reloading
Once the challenge succeeds, Certbot stores the certificate, chain and private key under /etc/letsencrypt/live/yourdomain.com/ (fullchain.pem and privkey.pem there are symlinks to the current versions kept in /etc/letsencrypt/archive/). It then rewrites the matching Nginx server block to reference these files and reloads the service.
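The whole chain above (install if missing, issue, verify) as an added example script, not CtrlOps code. It wraps the page's commands with two checks a practitioner would want: a CAA lookup before issuing and an openssl verification that the stored fullchain.pem covers the requested name and is not about to expire, which is what the Auto-Renewal and CAA points under SSL Best Practices below rely on. It assumes a Debian/Ubuntu host with apt, the certbot Nginx plugin, dig, and openssl 1.1.1 or later; the STAGING and LIVE_ROOT variables and all function names are assumptions of this script. The CAA parser and the certificate checks run offline against constructed input; the apt and certbot calls run only when a domain and e-mail address are passed on the command line.

```bash
#!/usr/bin/env bash
# Added example, not CtrlOps code: the issuance flow as a checked wrapper.
# Assumes Debian/Ubuntu (apt), python3-certbot-nginx, dig, openssl >= 1.1.1
# and the default /etc/letsencrypt/live/<name>/ layout.
set -eu

LIVE_ROOT="${LIVE_ROOT:-/etc/letsencrypt/live}"   # overridable for testing

# 1. Dependency management: install certbot and its nginx plugin if missing.
ensure_certbot() {
    command -v certbot >/dev/null 2>&1 && return 0
    sudo apt update
    sudo apt install -y certbot python3-certbot-nginx
}

# CAA policy check on records read from stdin in `dig +short` form, e.g.
#   0 issue "letsencrypt.org"
# Returns 0 when Let's Encrypt may issue: no CAA records at all, or an
# "issue" record naming letsencrypt.org (parameters after ";" are fine).
# Returns 1 when records exist but none authorise it. issuewild records
# are ignored (conservatively) because HTTP-01 never issues wildcards.
caa_allows_letsencrypt() {
    local records
    records="$(grep -v '^[[:space:]]*$' || true)"
    [ -n "$records" ] || return 0
    printf '%s\n' "$records" \
      | grep -Eiq '^[0-9]+[[:space:]]+issue[[:space:]]+"letsencrypt\.org[";]'
}

# A CA walks up from the name until it finds a CAA RRset; do the same.
check_caa() {
    local name="$1" records=""
    if ! command -v dig >/dev/null 2>&1; then
        echo "warn: dig not found, skipping CAA check" >&2; return 0
    fi
    while [ "$name" != "${name#*.}" ]; do        # stop before the TLD
        records="$(dig +short CAA "$name" 2>/dev/null || true)"
        [ -z "$records" ] || break
        name="${name#*.}"
    done
    printf '%s\n' "$records" | caa_allows_letsencrypt \
      || { echo "error: CAA at $name does not permit letsencrypt.org" >&2; return 1; }
}

# 2. Issue. STAGING=1 rehearses against the staging CA so a broken vhost or
# firewall burns staging quota instead of the production rate limits.
issue_cert() {
    local domain="$1" email="$2" staging=""
    [ "${STAGING:-0}" = "1" ] && staging="--staging"
    sudo certbot --nginx -d "$domain" --cert-name "$domain" \
        --non-interactive --agree-tos --email "$email" $staging
}

# 3. Verification helpers, run against the files certbot stored.
cert_sans() {             # one DNS SAN per line
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
      | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}
cert_valid_for_days() {   # 0 if still valid $2 (default 30) days from now
    openssl x509 -in "$1" -noout -checkend "$(( ${2:-30} * 86400 ))" >/dev/null 2>&1
}
verify_issued() {
    local domain="$1" pem="$LIVE_ROOT/$1/fullchain.pem"
    [ -r "$pem" ] || { echo "error: $pem not found" >&2; return 1; }
    cert_valid_for_days "$pem" 30 \
      || { echo "error: $pem expires within 30 days" >&2; return 1; }
    cert_sans "$pem" | grep -qx "$domain" \
      || { echo "error: $pem does not cover $domain" >&2; return 1; }
}

# Usage: ./issue-ssl.sh yourdomain.com your@email.com   (STAGING=1 to rehearse)
if [ "$#" -eq 2 ]; then
    ensure_certbot
    check_caa "$1"
    issue_cert "$1" "$2"
    verify_issued "$1"
    sudo nginx -t    # the plugin already reloaded; confirm the config still parses
fi
```

Run it once with STAGING=1 to catch a blocked port 80, a missing server block or a CAA restriction against the staging CA, then without it for the production certificate. The verification step reads the same fullchain.pem that the rewritten Nginx config points at, so a passing result means Nginx is serving a certificate that actually names the domain.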
Manual Commands
While CtrlOps handles this via the UI, you can perform these actions manually through the AI Terminal if needed:
| Action | Command |
|---|---|
| Status | sudo certbot certificates |
| Dry Run | sudo certbot renew --dry-run |
| Revoke | sudo certbot revoke --cert-name yourdomain.com |
SSL Best Practices
- Auto-Renewal: the Debian/Ubuntu certbot package installs a systemd timer (certbot.timer, with a cron job for hosts without systemd) that runs `certbot renew` twice a day; by default a certificate is only replaced once it is within 30 days of its 90-day expiry. CtrlOps monitors this so your certificates never lapse, and `sudo certbot renew --dry-run` from the table above confirms the renewal path still works after an Nginx change.
- CAA Records: Let's Encrypt checks CAA on the name and then on each parent zone. If CAA records exist at the closest level, one of them must be `issue "letsencrypt.org"` or issuance is refused; with no CAA records anywhere, any CA may issue. Check this before requesting a certificate rather than after a failed run.
- Port 80/443: the HTTP-01 challenge is always fetched over port 80 by Let's Encrypt's validation servers, so port 80 must be reachable from the Internet (not only from your own address) even if your site serves traffic only on 443. A redirect from 80 to 443 is followed and is fine; a firewall that drops port 80 is not.
- Rate Limits: Let's Encrypt allows 50 certificates per registered domain per week, but only 5 duplicate certificates (the same exact set of names) per week and 5 failed validations per account, per hostname, per hour. Rehearse with --dry-run or --staging instead of re-issuing the same certificate repeatedly.
Next Steps: after securing your site, you can set up Automated Backups to ensure your configuration and certificates are safely archived to the cloud. Note that /etc/letsencrypt contains the certificates' private keys and the ACME account key, so the backup destination must be access-controlled and encrypted.